
SQLmap unable to extract keys from Apache Derby database when server is calling .lowercase() #5879

Closed
pgoncalvesgit opened this issue Mar 26, 2025 · 1 comment

@pgoncalvesgit

To clarify the problem, before moving into the bug itself, let's start with the details. There is a public example that can be used. It is worth noting, although the server is vulnerable on purpose, I do not think this is so farfetched from reality to be disregarded and the only odd thing here, in my opinion, is the use of Apache Derby.

The server in question is testfire, and the vulnerability is within the login, both on the username and the password. An example request is as follows:

POST /doLogin HTTP/1.1
Host: demo.testfire.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
Origin: https://demo.testfire.net
DNT: 1
Connection: keep-alive
Referer: https://demo.testfire.net/login.jsp
Cookie: JSESSIONID=B4CC827C1B3455A447A4EF15F8E2B5BE
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

uid=tempUser&passw=tempPass&btnSubmit=Login

Describe the bug

To Reproduce

  1. Run 'sqlmap.py -r temp.req --level 5 --risk 3 --technique BEUSTQ --dbs'
  2. Accept everything sqlmap throws at you
  3. See that the schemas returned are all A's

Expected behavior
See the actual schema names.

Screenshots

[screenshot]

Running environment:

  • sqlmap version [e.g. 1.7.2.12#dev]
  • Installation method [from source]
  • Operating system: [e.g. MacBook 15.3.2]
  • Python version [e.g. 3.11.2]

Target details:

  • DBMS [e.g. Apache Derby]
  • SQLi techniques found by sqlmap [e.g. boolean-based blind]
  • Turns the payload to full lowercase
  • It has the following schemas:
[screenshot]

Additional context

The problem appears because the server has a lowercase function call on the parameter and then the SQLi appears, which basically causes sqlmap to mess up the binary search through the database schemas. To explain it thoroughly, the sqlmap payload (for Apache Derby) does a check for ... > char, so when char is @, because it's the last ASCII number equivalent before 'A' and 'S' > @, it works. However, when the char is between 'A' and 'Z', it will not work since it turns into lowercase, and 'S' > 'a' no longer works.

From what I could research, there is no way to do ASCII to char conversion or anything like that, so I think implementing the --hex compatibility with Apache Derby is out of the question. Maybe I am wrong. Got some other ideas, but it feels like it would be more of a hack.

@stamparm
Member

really case specific. that's why there is automatic char escaping going on (e.g. 'a' -> CHR(97)) in DBMSes where supported. not sure that i can help you here
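The mechanism described in the issue body (the ... > char bisection going wrong once the server lowercases the payload) and the escaping stamparm refers to (sending the probe as a numeric character code instead of a quoted literal) can both be reproduced offline. The following is an added example, not code from sqlmap or from the testfire application: the "server" is a Python function that evaluates the comparison over a constructed secret string, optionally lowercasing the whole parameter first, and the bisection mirrors the boolean-based blind search in shape only. The secret values, the payload builders and the CHR parsing are assumptions made for the simulation.

```python
# Added example (not sqlmap's or testfire's code): a local simulation of the
# boolean-based character extraction described in the issue, showing why a
# server that lowercases the parameter makes every letter come back as 'A'.
# No network or SQL is involved; the "server" is a function over a
# constructed secret string.

def literal_payload(c):
    """Probe character sent as a quoted SQL literal, e.g. ... > 'S'"""
    return f"'{c}'"

def chr_payload(c):
    """Probe character sent as a numeric code, e.g. ... > CHR(83)
    (the escaping stamparm mentions, in DBMSes that support such a function;
    the issue notes Derby does not)."""
    return f"CHR({ord(c)})"

def server_answer(secret, pos, payload, lowercases):
    """Mimic the vulnerable server: optionally lowercase the whole parameter,
    then evaluate  SUBSTR(secret, pos, 1) > <payload>  and return the boolean
    the page reveals. Only the two payload shapes above are parsed."""
    if lowercases:
        payload = payload.lower()
    if payload.startswith("'"):
        probe = payload[1]               # quoted literal: changed by lowercasing
    else:
        probe = chr(int(payload[4:-1]))  # chr(NN): the digits are untouched
    return secret[pos] > probe

def extract_char(secret, pos, payload_builder, lowercases, lo=0, hi=127):
    """Bisection over the ASCII range, as a blind extractor does it.
    Invariant: secret[pos] > chr(lo) is True and secret[pos] > chr(hi) is
    False, so once hi == lo + 1 the character must be chr(hi)."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if server_answer(secret, pos, payload_builder(chr(mid)), lowercases):
            lo = mid
        else:
            hi = mid
    return chr(hi)

def extract_string(secret, payload_builder, lowercases):
    """Recover the whole value one character at a time (length assumed known,
    as it would already have been extracted in a real run)."""
    return "".join(extract_char(secret, pos, payload_builder, lowercases)
                   for pos in range(len(secret)))

if __name__ == "__main__":
    secret = "SYS"  # constructed sample; Derby stores schema names upper case
    print(extract_string(secret, literal_payload, lowercases=False))  # SYS
    print(extract_string(secret, literal_payload, lowercases=True))   # AAA
    print(extract_string(secret, chr_payload, lowercases=True))       # SYS
```

With lowercasing on, every probe letter 'A'..'Z' (64 < code < 91) reaches the query as 'a'..'z' (97..122), so the comparison answers False for all of them while '@' (64) still answers True; the search therefore converges on 65 = 'A' for any stored character between '@' and '`', which is why all the schema names come back as A's. Digits and other characters below 'A' are unaffected, so a constructed secret like "APP_1" comes back as "AAAA1". The CHR-style payload survives lowercasing because only its digits carry the character, which is what the automatic escaping buys on DBMSes that support it.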
