sqlmap
Sqlmap Postgres blind SQL injection retrieval problem
Describe the bug
When running a table dump with sqlmap against a boolean-based SQL injection in a Postgres database, the entry values are all NULL or blank. It is not clear if this problem is specific to this SQLi or the environment. Sqlmap sends the dump queries without using double quotes (") around the table or column names. This can be solved by manually inserting the double quotes in the table or column name in the sqlmap parameters:
- Trying to dump without double quotes (sqlmap -r req1.txt -p ***** --dbms postgres --force-ssl -D ***** -T '"User"' -C '***Email' --dump --stop 1 --threads 10 --fresh-queries):

- Trying to dump without double quotes (sqlmap -r req1.txt -p ***** --dbms postgres --force-ssl -D ***** -T '"User"' -C '"***Email"' --dump --stop 1 --threads 10 --fresh-queries):

To Reproduce
- Run sqlmap against a boolean-based SQLi in Postgres without double quotes in table or column names.
- NULL dumps.
Expected behavior
Correctly dump database entries.
Running environment:
- sqlmap version: 1.6.6#stable
- Installation method: OS package
- Operating system: Parrot Security
- Python version: 3.9.10
Target details:
- DBMS: Postgres.
- SQLi techniques found by sqlmap: boolean-based and time-based.
- WAF/IPS: no.
Postgres without double quotes in table or column names. <- this is not true for all cases. You have some special name for a database, table or column, which sqlmap is not recognizing as "special". I would really need those names to find which one is causing problems.
Also, you could try to deduce which one is causing problems by adding quotes to those combinations one by one.
Hi, thank you for your answer. Yes, you are right, I made some tests using a proxy:
- Trying to count the entries on table User (-T User): the number of entries could be counted and the requests made by sqlmap introduced double quotes in the table name ("User"). The same behaviour was observed when using -T '"User"'.
- Trying to count the entries on table Data (-T Data): the number of entries could not be counted and the requests made by sqlmap did not introduce double quotes in the table name. The number of entries could be counted correctly when using -T '"Data"'.
- Trying to count the entries on table InfoType (-T InfoType): the number of entries could not be counted and the requests made by sqlmap did not introduce double quotes in the table name. The number of entries could be counted correctly when using -T '"InfoType"'.
- Trying to dump the first entry on the column IT_Description (-C IT_Description, with underscore): the entry could not be dumped and the requests made by sqlmap did not introduce double quotes in the column name. The entry could be dumped correctly when using -C '"IT_Description"'.
- Trying to count the entries on table migrations (-T migrations): the number of entries could be counted despite the requests made by sqlmap not introducing double quotes in the table name. The number of entries could also be counted when using -T '"migrations"' (the requests including the double quotes in the table name).
Sorry, I did close the issue before.
The keyword users has been removed from data/txt/keywords.txt for some time, thus there should be no enclosing of "users" like you had way back then.
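PostgreSQL folds unquoted identifiers to lower case and rejects unquoted reserved words, which is consistent with the results reported in this thread (User, Data, InfoType, IT_Description, migrations). The sketch below is an added example, not sqlmap's code and not part of the original discussion; the function names and the short reserved-word set are assumptions made for illustration.

```python
import re

# Assumption: a small subset of PostgreSQL reserved words, enough for the
# names in this thread. The full list is in the PostgreSQL documentation.
RESERVED = {"user", "table", "select", "order", "group", "column", "from", "where"}

# An identifier that survives unquoted: lower-case letters, digits, "_" or "$",
# not starting with a digit. Anything else is changed or rejected by the parser.
PLAIN = re.compile(r"^[a-z_][a-z0-9_$]*$")


def unquoted_resolves_to(name):
    """Name PostgreSQL looks up when `name` is written without quotes (ASCII)."""
    return name.lower()


def needs_quoting(name):
    """True when the unquoted form would not refer to the object `name`."""
    if not PLAIN.match(name):      # upper case, spaces, leading digit, ...
        return True
    return name in RESERVED        # lower case but reserved, e.g. user


def quote_ident(name):
    """Return the identifier as it has to appear in a PostgreSQL statement."""
    if needs_quoting(name):
        # An embedded double quote is escaped by doubling it.
        return '"' + name.replace('"', '""') + '"'
    return name


if __name__ == "__main__":
    # Table and column names taken from the thread above.
    for ident in ["User", "Data", "InfoType", "IT_Description", "migrations"]:
        print(f"{ident:15} unquoted -> {unquoted_resolves_to(ident):15} "
              f"safe form -> {quote_ident(ident)}")
```
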