Invalid requests for HSQLDB when trying to enumerate tables (--tables option)

[Antoine-BL]

Describe the bug
sqlmap is unable to retrieve the table names for any database when it should be able to.

From what I can tell, the requests it is trying are not valid HSQLDB. A contributing factor could be that it doesn't detect the right version of HSQLDB (>2.0 <= 2.3) when it actually is 2.6.0.

I attached the traffic.txt at the bottom of this issue. In it, the last request contains the following SQL:
antoine2' AND ASCII(SUBSTR((SELECT IFNULL(CAST(COUNT(table_name) AS LONGVARCHAR),CHAR(32)) FROM INFORMATION_SCHEMA.SYSTEM_TABLES WHERE table_schem=CHAR(65)||CHAR(78)||CHAR(84)||CHAR(79)||CHAR(73)||CHAR(78)||CHAR(69)),2,1))>9

As you can see, this fails to run on the server and an error message is returned. This is because it is trying to SUBSTR() a COUNT() query. This fails because of a datatype mismatch. SUBSTR only works on strings in HSQLDB. I got it to work manually by adding a SUBSTR(CAST([SELECT QUERY HERE] AS VARCHAR(1000)), 1, 1)

I screwed up in my verifications, but it seems to work when I input the query directly into the database. In theory counting the tables should be possible.

To Reproduce

1. Run Webgoat server 8.2.2
2. Log in to Webgoat
3. Intercept a request for the register page of the SQL Injection (advanced) challenge no. 5
4. Save the request to a file
5. Run the following command: python3 .\sqlmap.py -r request.txt --string "please try to register with a different username" -p username_reg --thread=10 --technique=B --dbms="HSQLDB" -D "antoine" -t traffic.txt --level=5 --risk=3 --tables
   Expected behavior
   sqlmap should be able to retrieve the number of tables and the table names in this context. It should do so by trying valid requests with boolean blind sql injection.

Screenshots

Running environment:

• sqlmap version 1.5.9
• Installation method Download from git releases
• Operating system: Windows 10
• Python version 3.9.2

Target details:

• DBMS: HSQLDB 2.6.0
• SQLi techniques found by sqlmap: Boolean
• WAF/IPS No
• Relevant console output:

Additional context
Traffic.txt:
traffic.txt
Example request.txt:
request.txt

P.S.: Your tool is pretty flipping epic

[Antoine-BL]

Update: It seems to be a collation issue. I put -D "antoine" but the request tries to do table_schem='ANTOINE' which fails. I couldn't find any options in the wiki to force the schema to be lowercase either.

[Antoine-BL]

Yeah, it is definitely caused by sqlmap using database names in all-caps. I tried to table-dump a database schema that was only digits and the table dump worked. Here's a side by side. It fails to get the number of tables in antoine but gets succeeds for 123456. Both schemas are identical.

And another traffic file.
traffic.txt

[stamparm]

seems that in case of HSQLDB, it is little fuzzy whether the identifier names should be case-sensitive or case-insensitive (e.g. link). will turn it off for HSQLDB this moment

[Ly4j]

I have the same problem, how can I solve it？