Describe the bug
An application under a test has a clear discriminant reaction to the manual injections of ' and 1=1 -- and ' and 1=0 --. Using --technique=B shows POST parameter ... is vulnerable and confirming <DBMS type> but stops dead in the fingerprinting which is not quite necessary but cannot be turned off.
[00:27:33] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system
To Reproduce
- Run the above against an app with a SQL injection exposed only via a discriminant boolean.
- See the error message on fingerprinting. See the usage wiki not showing a way to turn it off.
Expected behavior
A way to turn off fingerprinting.
Running environment:
- sqlmap version: 1.4.6#stable
- Installation method: homebrew
- Operating system: MacOS 10.15.5
- Python version: 2.7.16.
Target details:
Additional context
Workaround (without a clear understanding):
--- sqlmap/1.4.6/libexec/lib/controller/action.py.orig 2020-05-31 21:29:53.000000000 -0400
+++ sqlmap/1.4.6/libexec/lib/controller/action.py 2020-06-25 00:29:16.000000000 -0400
@@ -32,7 +32,7 @@
# system to be able to go ahead with the injection
setHandler()
- if not Backend.getDbms() or not conf.dbmsHandler:
+ if not Backend.getDbms() and not conf.dbmsHandler:
htmlParsed = Format.getErrorParsedDBMSes()
errMsg = "sqlmap was not able to fingerprint the "
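Review bot: changing "or" to "and" in the changed condition means the fingerprinting error is raised only when both Backend.getDbms() and conf.dbmsHandler are empty, so a run where just one of them is missing now falls through silently. The comment above the check describes this as what is needed "to be able to go ahead with the injection", and nothing in the hunk guards the code after the check against running with conf.dbmsHandler unset or with no identified DBMS. It would be safer to keep the original condition and find out why setHandler() leaves one of the two values unset for this target, or to put the skip behind an explicit option instead of relaxing the check for every run.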
[00:29:49] [INFO] testing IBM DB2
[00:29:49] [INFO] confirming IBM DB2
IBM DB2
[00:29:51] [INFO] fetching SQL query output: 'CURRENT SERVER'
[00:29:51] [INFO] retrieving the length of query output
[00:29:51] [INFO] retrieved: 8
[00:30:01] [INFO] retrieved: XXXXXXXX
CURRENT SERVER: 'XXXXXXXX'
[00:30:01] [INFO] fetched data logged to text files under '/Users/USER/.sqlmap/output/SERVER.TEST'
[*] ending @ 00:30:01 /2020-06-25/
Target details:
- DBMS: --dbms "IBM DB2".
- SQLi techniques: --technique=B --test-filter="AND " --prefix="' " --suffix=" --" --ignore-redirects --not-string="/Error.aspx" --drop-set-cookie --flush-session --level=5 --risk=3 --threads=10 --batch --sql-query 'CURRENT SERVER'
- WAF/IPS: not sure