Skip to content

On some web pages, sqlmap is unable to enumerate list of tables #4505

New issue
New issue
Closed
Closed
On some web pages, sqlmap is unable to enumerate list of tables#4505
Assignees
stamparm
Labels
awesomebugbug reportnormal
Milestone
1.6
@hasksomatotoian

Description

@hasksomatotoian
hasksomatotoian
opened on Jan 1, 2021

For some web applications, sqlmap returns invalid result when evaluating list of tables. This happens when the web application displays the sqlmap payload at the start of the page. See the attached screenshot.

Steps to reproduce

  1. Start PortSwigger lab Lab: SQL injection UNION attack, determining the number of columns returned by the query
  2. Run sqlmap using command:
    sqlmap -u https://<lab_guid>.web-security-academy.net/filter?category=<category> -D public --tables
  3. You will get following result:
Database: public
[1 table]
+---------------------------------------------------------+
| &apos;||COALESCE(tablename::text,&apos; &apos;)||&apos; |
+---------------------------------------------------------+

Expected behavior

You should get list of tables in the "public" database:

Database: public
[1 table]
+----------+
| products |
+----------+

Screenshots

screenshot

Running environment

  • sqlmap version 1.4.12#stable
  • Installation method: apt-get
  • Operating system: kali
  • Python version: 3.8.7

Target details

  • DBMS: PostgreSQL
  • SQLi techniques found by sqlmap: UNION query
  • WAF/IPS: N/A
  • Relevant console output: see attached file
  • Exception traceback: N/A

Metadata

Metadata

Assignees

Labels

awesomebugbug reportnormal

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions