What's the problem (or question)?
In case I'm using the randomcase tamper script because there is a WAF killing all requests containing full lowercase or full uppercase SQL keywords, all keywords are well converted to random case except the last check used for DBMS fingerprinting:
[00:11:19] [PAYLOAD] a" And LAST_INSERT_ROWID()=LAST_INSERT_ROWID()-- UhNZ
...
user=a%22%20And%20LAST_INSERT_ROWID%28%29%3DLAST_INSERT_ROWID%28%29--%20UhNZ&pass=b
So because there is a full uppercase INSERT that was not random cased, I have sqlmap telling me
[00:11:19] [WARNING] the back-end DBMS is not SQLite
[00:11:19] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system
even if I used dbms=sqlite. Forcing the dbms with --dbms= is not skipping dbms fingerprinting and there is no --skip-dbms-fingerprinting.
I know the backend (I'm managing the DB).
Do you have an idea for a solution?
- process ALL payloads through the tamper script (no exception for LAST_INSERT_ROWID)
- or add a --skip-dbms-fingerprinting switch
How can we reproduce the issue?
- Create a SQLite database and a vulnerable web app
- Put a pseudo-WAF in the web app that replaces all full-uppercase or full-lowercase SQLite keywords with a blank
- Launch sqlmap with the randomcase tamper script (working without the WAF) and --dbms=sqlite
What are the running context details?
- Installation method: pacman -S from Manjaro community repository
- Client OS: Manjaro (up-to-date rolling release)
- Program version: 1.2.10#stable
- Target DBMS: SQLite 3
- Detected WAF/IDS/IPS protection: as I said before
- Results of manual target assessment: manually using a" And LaST_InSeRT_RoWId()=LaST_InSeRT_RoWId()-- UhNZ instead of a" And LAST_INSERT_ROWID()=LAST_INSERT_ROWID()-- UhNZ works perfectly.
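The pseudo-WAF from the reproduction steps, run over the two payloads quoted in the issue and set beside a query with bound parameters, as an added example (not code from the issue or from sqlmap). The keyword list, table schema and account are constructed assumptions; it shows that the case-based filter only alters the all-uppercase payload, while parameter binding treats either payload as plain data.

```python
import re
import sqlite3

# Constructed keyword list; the issue does not say which keywords the WAF covers.
KEYWORDS = ["select", "union", "insert", "and"]

# The two payloads quoted in the issue.
UPPER = 'a" And LAST_INSERT_ROWID()=LAST_INSERT_ROWID()-- UhNZ'
MIXED = 'a" And LaST_InSeRT_RoWId()=LaST_InSeRT_RoWId()-- UhNZ'


def pseudo_waf(value):
    """Blank every keyword written entirely in lowercase or entirely in uppercase."""
    for kw in KEYWORDS:
        value = re.sub(f"{re.escape(kw)}|{re.escape(kw.upper())}", " ", value)
    return value


def make_db():
    """In-memory SQLite database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    return conn


def login(conn, user, password):
    """Bound parameters: the input is compared as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE user = ? AND pass = ?", (user, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    for name, payload in (("upper", UPPER), ("mixed", MIXED)):
        filtered = pseudo_waf(payload)
        print(name, "altered by filter:", filtered != payload,
              "| login with bound parameters:", login(conn, filtered, "b"))
    print("valid login:", login(conn, "alice", "s3cret"))
```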