Single column enumeration (-C) broken for Firebird backend #4613
Comments
|
@ptitdoc i can't reproduce this with any technique. Additionally, it is very strange that the "meta" database name
|
|
Closed this down. Please give more details as I am not able to reproduce this "problem" based on given information |
|
p.s. i was able to reproduce this with |
|
p.p.s. with the latest revision |
|
Hello, I confirm that I never added FIREBIRD_MASTERDB explicitely. Also, the database name was only added for the COUNT query (the one counting the number of rows in the columns). I also use successfully |
ProblemI just observed the same problem with sqlmap version For example, the following fails: sqlmap -r sqli_request.txt --batch --level=5 --risk=3 --dump --threads=10 --technique=B --dbms=firebird -T 'USERS' -C 'EMAIL' --no-castWhile the following works: sqlmap -r sqli_request.txt --batch --level=5 --risk=3 --technique=B --dbms=firebird --no-cast --sql-query 'SELECT EMAIL FROM USERS' The number of entries is determined correctly in both cases. ExplanationAs for the differences recorded with Success (i.e., actual values): GET /endpoint/sqliparam=003224925897' OR NOT ASCII_VAL(SUBSTRING((SELECT EMAIL FROM USERS ROWS 3 TO 3) FROM 1 FOR 1))>112 AND 'eltm' LIKE 'eltm&... HTTP/1.1Failure (i.e., values are NULL): GET /endpoint/sqliparam=003224925897' OR NOT (SELECT COUNT(EMAIL) FROM FIREBIRD_MASTERDB.USERS)>0 AND 'azEw' LIKE 'azEw&... HTTP/1.1Difference is WorkaroundTo work around the issue, you can place OP's tamper script in your distribution's respective tamper script folder and tell sqlmap to use it. For example, on Arch: $ cat /opt/sqlmap/tamper/firebirdfix.py
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def tamper(payload, **kwargs):
retVal = payload.replace("FIREBIRD_MASTERDB.","")
return retValNext, use the $ sqlmap -r sqli_request.txt --batch --level=5 --risk=3 --dump --threads=10 --technique=B --dbms=firebird -T 'USERS' -C 'EMAIL' --no-cast --drop-set-cookie --tamper=firebirdfix.py@stamparm You might want to take a look at this, as you indicated it should have been fixed for a while now (regression?). |
|
@ret2src I've pushed a related patch, but I am not sure that it will solve the problem. Thing is that I am not able to reproduce this in any way. Tried with different techniques and different options, on Firebird, and I am always getting proper results |
|
Maybe it's related to the version? In my case, the affected system ran Firebird 2.5.7 |
|
in my case, it is |
Describe the bug
When using sqlmap against a firebird backend, the -C options does not work properly.
When counting the number of items in the column, the select request appends the database name FIREBIRD_MASTERDB to the column name, which does not exists in a firebird context.
The consequence is that sqlmap shows all rows as NULL.
To Reproduce
Expected behavior
sqmap should have a positive count of rows and start enumerating all rows.
Running environment:
Target details:
Additional context
This problem can be avoided by retrieving the data using a select query.
It is also possible to write a tamper script to clear the invalid database name in all requests:
The text was updated successfully, but these errors were encountered: