[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:25:35 /2019-04-03/
[20:25:36] [INFO] testing connection to the target URL [20:25:37] [INFO] checking if the target is protected by some kind of WAF/IPS [20:25:37] [WARNING] heuristic (basic) test shows that GET parameter 'userId' might not be injectable [20:25:37] [INFO] testing for SQL injection on GET parameter 'userId' [20:25:38] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind' [20:25:38] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done) [20:25:52] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind' [20:25:58] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (comment)' [20:26:01] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (comment)' [20:26:04] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' [20:26:10] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)' [20:26:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)' [20:26:18] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)' [20:26:21] [INFO] testing 'MySQL <= 5.0.11 AND time-based blind (heavy query)' [20:26:26] [INFO] testing 'MySQL <= 5.0.11 OR time-based blind (heavy query)' [20:26:32] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind' [20:26:37] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)' [20:26:44] [INFO] testing 'MySQL AND time-based blind (ELT)' [20:26:50] [INFO] testing 'MySQL OR time-based blind (ELT)' [20:26:55] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)' [20:27:02] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace' [20:27:03] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)' [20:27:03] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause' [20:27:04] [WARNING] GET parameter 'userId' does not seem to be injectable [20:27:04] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'