Cannot get tables/columns name/length

[acaetano]

What's the problem (or question)?

I'm exploiting an 'OR boolean-based' blind sqli. I was able to retrieve:
banner: 'Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production'
current user: 'XXXXXXX_XX' (obfuscated by me)
current schema (equivalent to database on Oracle): 'XXXXXXX_XX' (same as above)
hostname: None (unfortunately, it wasn't possible even when trying "--no-cast" and "--hex" options)
available databases [1]:
[*] XXXXXXX_XX (it think it was the only one because it is the only schema the application is connected to)

The problem is that i cannot retrieve any table or column info, be it name or length. Here goes the tool info:

==================================
[18:05:00] [INFO] resumed: XXXXXXX_XX
[18:05:00] [WARNING] on Oracle you'll need to use schema names for enumeration as the counterpart to database names on other DBMSes
[18:05:00] [INFO] fetching tables for database: 'XXXXXXX_XX'
[18:05:00] [INFO] fetching number of tables for database 'XXXXXXX_XX'
[18:05:00] [INFO] retrieved:
[18:05:00] [WARNING] unable to retrieve the number of tables for database 'XXXXXXX_XX'
[18:05:00] [ERROR] unable to retrieve the table names for any database
[18:05:00] [INFO] fetched tables: None.USER_TYPES, None.DICTIONARY, None.ALL_USERS, None.TABLE_PRIVILEGE_MAP
[18:05:00] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[18:05:00] [INFO] fetching current database
[18:05:00] [INFO] fetching columns for table 'USER_TYPES' in database 'XXXXXXX_XX'
[18:05:00] [INFO] retrieved:
[18:05:01] [ERROR] unable to retrieve the number of columns for table 'USER_TYPES' in database 'XXXXXXX_XX'
[18:05:01] [WARNING] unable to retrieve column names for table 'USER_TYPES' in database 'XXXXXXX_XX'
do you want to use common column existence check? [y/N/q] y
[18:05:06] [INFO] checking column existence using items from '/usr/share/sqlmap/txt/common-columns.txt'
[18:05:06] [INFO] adding words used on web page to the check list
[18:05:06] [INFO] starting 10 threads

[18:05:09] [WARNING] no column(s) found
[18:05:09] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[18:05:09] [INFO] fetching current database
[18:05:09] [INFO] fetching columns for table 'DICTIONARY' in database 'XXXXXXX_XX'
[18:05:09] [INFO] retrieved:
[18:05:10] [ERROR] unable to retrieve the number of columns for table 'DICTIONARY' in database 'XXXXXXX_XX'
[18:05:10] [WARNING] unable to retrieve column names for table 'DICTIONARY' in database 'XXXXXXX_XX'
do you want to use common column existence check? [y/N/q] y
[18:05:14] [INFO] checking column existence using items from '/usr/share/sqlmap/txt/common-columns.txt'
[18:05:14] [INFO] adding words used on web page to the check list
[18:05:14] [INFO] starting 10 threads

[18:06:47] [WARNING] no column(s) found
[18:06:47] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[18:06:47] [INFO] fetching current database
[18:06:47] [INFO] fetching columns for table 'ALL_USERS' in database 'XXXXXXX_XX'
[18:06:47] [INFO] retrieved:
[18:06:47] [ERROR] unable to retrieve the number of columns for table 'ALL_USERS' in database 'XXXXXXX_XX'
[18:06:47] [WARNING] unable to retrieve column names for table 'ALL_USERS' in database 'XXXXXXX_XX'

==================================

What are the running context details?

I'm using 1.0.12#stable

• Target DBMS (e.g. Microsoft SQL Server):
  Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

• Detected WAF/IDS/IPS protection (e.g. ModSecurity or unknown):
  No protection whatsoever.

• SQLi techniques found by sqlmap (e.g. error-based and boolean-based blind):
  OR boolean-based blind

• Results of manual target assessment (e.g. found that the payload query=test' AND 4113 IN ((SELECT 'foobar'))-- qKLV works):
  Found that the payload ') or 1=1-- works

Can you help me?

[acaetano]

By the way, prior to that, sqlmap detection mechanism labeled the dbms as "HSQLDB". I only made it flush that because i knew it used Oracle. Maybe it happened because the application uses iBATIS as its data mapper framework, don't know...

Just saying it because you may find it useful in the future.

[acaetano]

I just found out that some queries resulted in syntax errors, as returned by the application. What is strange is that sqlmap was able to get the dbms banner and db schema correctly.

I will try to modify some payloads and see if it gets my problem solved. I will keep you updated.

[stamparm]

Okie dokie

[acaetano]

Manual tests showed that a count query was returning errors when it included a constraint that looks for the table owner, so I modified a single payload on line 278 of xml/queries.xml

from
count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES WHERE OWNER='%s'"
to
count="SELECT COUNT(TABLE_NAME) FROM SYS.ALL_TABLES"
and to
count="SELECT COUNT(TABLE_NAME) FROM SYS.USER_TABLES"

because, as stated here, "USER_TABLES" describes all tables that are owned by the user, making the WHERE constraint unnecessary.

Before sqlmap could make use of this new payload, it barfed with the following error:

[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/extra/cloak/cloak.py' detected
[14:00:51] [ERROR] missing file detected '/usr/share/sqlmap/extra/shutils/duplicates.py'
[14:00:51] [ERROR] missing file detected '/usr/share/sqlmap/extra/shutils/pylint.py'
[14:00:51] [ERROR] missing file detected '/usr/share/sqlmap/extra/shutils/regressiontest.py'
[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/lib/core/convert.py' detected
[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/lib/core/option.py' detected
[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/lib/core/settings.py' detected
[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/sqlmapapi.py' detected
[14:00:51] [ERROR] wrong checksum of file '/usr/share/sqlmap/sqlmap.py' detected
[14:00:51] [CRITICAL] code integrity check failed (turning off automatic issue creation). You should retrieve the latest development version from official GitHub repository at 'https://github.com/sqlmapproject/sqlmap'

Traceback (most recent call last):
File "/usr/bin/sqlmap", line 151, in main
start()
File "/usr/share/sqlmap/lib/controller/controller.py", line 633, in start
action()
File "/usr/share/sqlmap/lib/controller/action.py", line 112, in action
conf.dumper.dbTableColumns(conf.dbmsHandler.getColumns(), CONTENT_TYPE.COLUMNS)
File "/usr/share/sqlmap/plugins/generic/databases.py", line 427, in getColumns
self.getTables()
File "/usr/share/sqlmap/plugins/generic/databases.py", line 311, in getTables
query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db)
TypeError: not all arguments converted during string formatting

[*] shutting down at 14:00:51

Please, note that xml/queries.xml is not included in the above error, as i had already updated its checksum in txt/checksum.md5

Also note that changing "xml/queries.xml" back to its original state and resetting its md5 hash in "txt/checksum.md5" puts everything back to normal.

[acaetano]

Ok, i got it sorted now. The insertion point has a size limit. I cannot go over 98 chars while injecting. Which leaves us with the question: is there any flag for injection string optimization? I tried --no-escape, but it still goes over the limit.

Either that, or i need some way to change the payload without the error described above...

Can you help me?

[stamparm]

You've noticed properly that --no-escape is a good choice. Except that, there is no way how to make lesser queries, at least not in an automated way. You should asses the target manually in hope that you'll make a shorter query

[acaetano]

aside from that, can you help with the modified payload error? it was really strange to throw so many errors, even after updating checksum.md5...

[stamparm]

Errors are there because you modified the code and that same "modification" of yours caused an exception. You should modify that line "File "/usr/share/sqlmap/plugins/generic/databases.py", line 311" into query = rootQuery.blind.count along with your XML modification (SELECT COUNT(TABLE_NAME) FROM SYS.USER_TABLES).

Just read the error report that caused this mess. It just said that you've removed that %s from the XML, while leaving the ...% unsafeSQLIdentificatorNaming(db)

[acaetano]

Ok, i get it that that line was obvious, but it shouldn't have printed all those missing file/wrong checksum errors that made no sense, as they have nothing to do with the modification that was made.

[stamparm]

It does. Because of those modifications automatic issue creation is suppressed. It would be really problematic for me to fix your modifications in code, right?