[23:05:16] [INFO] testing connection to the target URL [23:05:17] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests [23:05:17] [INFO] checking if the target is protected by some kind of WAF/IPS [23:05:18] [INFO] testing if the target URL content is stable [23:05:18] [INFO] target URL content is stable [23:05:18] [INFO] testing if POST parameter 'key' is dynamic [23:05:18] [WARNING] POST parameter 'key' does not appear to be dynamic [23:05:19] [WARNING] heuristic (basic) test shows that POST parameter 'key' might not be injectable [23:05:19] [INFO] testing for SQL injection on POST parameter 'key' [23:05:19] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [23:05:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [23:05:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [23:05:23] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' [23:05:25] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' [23:05:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' [23:05:29] [INFO] testing 'Generic inline queries' [23:05:29] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)' [23:05:30] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)' [23:05:33] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)' [23:05:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [23:05:37] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind' [23:05:39] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)' [23:05:41] [INFO] testing 'Oracle AND time-based blind' it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to r [23:06:08] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [23:06:11] [WARNING] POST parameter 'key' does not seem to be injectable [23:06:11] [INFO] testing if GET parameter 'tc' is dynamic [23:06:12] [WARNING] GET parameter 'tc' does not appear to be dynamic [23:06:12] [WARNING] heuristic (basic) test shows that GET parameter 'tc' might not be injectable [23:06:12] [INFO] testing for SQL injection on GET parameter 'tc' [23:06:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause' [23:06:14] [INFO] testing 'Boolean-based blind - Parameter replace (original value)' [23:06:15] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' [23:06:16] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause' [23:06:18] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)' [23:06:20] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)' [23:06:22] [INFO] testing 'Generic inline queries' [23:06:22] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)' [23:06:23] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)' [23:06:25] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)' [23:06:27] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [23:06:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind' [23:06:31] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)' [23:06:32] [INFO] testing 'Oracle AND time-based blind' [23:06:34] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns' [23:06:38] [WARNING] GET parameter 'tc' does not seem to be injectable [23:06:38] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent' [23:06:38] [WARNING] HTTP error codes detected during run: 400 (Bad Request) - 153 times