0

I run this command python sqlmap.py -u https://acme.com/post.php --data "id=1" --tamper="between,randomcase,space2comment" -v 3 --random-agent --dbs but SQLMap only returns information_schema database.

Is there something wrong (if so, is there anything I can do to circumvent it ?) or the database really only has 1 database ?

maximillian1
  • 48
  • 4

1 Answers1

0

it is unlikely that the web application you are testing only has the one database as information_schema is read-only metadata.

you can dump some of the views in there to find out if there are other databases that you aren't allowed to see for some reason:

information_schema.schemata is the table (it is really a view) you would want to dump.

edit: can you explain what you are trying to do with your --tamper and --data statements

mcgyver5
  • 6,807
  • 2
  • 24
  • 45
  • The site is behind Cloudflare, hence the "between,randomcase,space2comment" tamper, the "id" is the vulnerable parameter. Also I tried to "inject" (I dont know the correct term) the mysql.innodb_table_stats, and yes it returns another database which is not listed in sqlmap --dbs option. – maximillian1 Jul 27 '20 at 07:46
  • I also tried to do inject another system database which is not listed by --dbs command, I tried to do `-D mysql -T user --columns`, and it does returns some columns. Do you know what configuration caused this kind of behaviour? – maximillian1 Jul 27 '20 at 07:53