Sqlmap Essentials Academy

Greetings all, I am stuck on the attack tuning portion of sqlmap essentials. Flag and Case #7 to be exact. I have tried many different flags based on what I have read so far in the course. Can someone help me out please? Thank you. The hint is "Try to count the number of columns in the page output, and specify them for sqlmap." How do I go about counting the columns?

When the HTML page is rendered, a certain number of columns is displayed based on the SQL response. Have a look at the webpage: either all columns are displayed or just a subset (2, 3, 4, 5 for example)…


So should I be targeting the columns that are displayed on the website then? I am pretty sure I found that it has 76 columns running sqlmap, but adding --union-cols=76 so far has not provided anything new, and is super slow to complete or times out. Thank you for the help!

Well, I found the flag. I am pretty confused as to why… I just did --batch --dump and that was it. I guess I was just way overcomplicating it?

At this point, you have to make an educated guess regarding the number of columns used as input parameter for Sqlmap.
Looking at the webpage displaying the results of each query, it suggests the number of columns in the underlying table is less than 10.
When performing a manual SQL-injection, you would have to find that out via trial-and-error (see the module on SQL injections).

The hint didn’t really help.
I didn’t have to use the --union-cols.
Instead, when I ran with -T flag7 --batch --dump, it complained that I should use --no-cast or --hex. So I tried with --no-cast and it got the flag.

Yeah, I did that and now it worked, lol. How would one get it to work with the union-cols?

Heyyo, it's me again. I was having issues with the #7 problem and wasn't able to figure this out for a solid 5 hours, but it's actually really easy. The hint is:
“Try to count the number of columns in the page output, and specify them for sqlmap.”
and it actually is that simple.
Go onto your browser and put in your target and case #7. It should look like this…
[target]/case7.php?id=1
Use this in your sqlmap command, i.e.
sqlmap [target]/case7.php?id=1
Use the no-cast, dump, risk, and level options to make it much faster for searching,
and look at the chart laid out for you on the web page:

id name birthday occupation phone

Super simple, count those, not the letters or characters just how many categories there are, you should be able to count it in one hand. I was really mad at myself for not figuring it out.
You then slap that on to --union-cols=[said number^^^] and you have your string to input for the answer.
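
Added example (not part of any post above, and not the lab's code): why the column count in the hint matters. A UNION is only accepted when both SELECTs return the same number of columns, shown here on a constructed in-memory SQLite table that borrows the five headers listed in the thread; SQLite as the engine, the table name `people`, the sample row and the helper names are assumptions.

```python
import sqlite3

# Constructed stand-in for the table behind the page; the column names are
# the headers quoted in the thread, everything else is sample data.
COLUMNS = ["id", "name", "birthday", "occupation", "phone"]


def make_db():
    """Build an in-memory database with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE people (id INTEGER, name TEXT, birthday TEXT, "
        "occupation TEXT, phone TEXT)"
    )
    db.execute(
        "INSERT INTO people VALUES (1, 'Ann', '1990-01-01', 'Clerk', '555-0100')"
    )
    return db


def union_accepted(db, n):
    """Return True if a UNION whose second SELECT has n columns is accepted."""
    placeholders = ", ".join(["NULL"] * n)  # n is an int, never user input
    query = f"SELECT * FROM people WHERE id = 1 UNION SELECT {placeholders}"
    try:
        db.execute(query).fetchall()
        return True
    except sqlite3.OperationalError:
        # SQLite rejects the statement when the two SELECTs differ in
        # column count, which is why a wrong --union-cols value finds nothing.
        return False


def matching_column_counts(db, max_cols=10):
    """Try every width from 1 to max_cols and keep the ones that work."""
    return [n for n in range(1, max_cols + 1) if union_accepted(db, n)]


if __name__ == "__main__":
    db = make_db()
    print("headers on the page:", len(COLUMNS))
    print("UNION widths accepted:", matching_column_counts(db))
```

Only one width is accepted, and it equals the number of headers rendered on the page, so counting the headers replaces the slow trial-and-error over every possible width.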