sqlmapproject / sqlmap

Automatic SQL injection and database takeover tool

Home Page: http://sqlmap.org

Can't get data from injection point.

e2002e opened this issue · comments

Hello, I know this is not a bug but a particular issue. I have found an injection point in a server using sqlmap. I ran the command several times with flush-session and the injection point is always on the same query type.
Verbose mode shows a lot of 403 errors, but for the specific test it's not forbidden and leads to MySQL injection, which I could manually validate.
(A line of MySQL error is shown on the webpage.)
The issue is that the target seems to be protected by Cloudflare. After the injection is found, when I run sqlmap, it skips tests instantly and exits without being able to retrieve any data.
I tried using tampers, but in most cases the requests to retrieve the data are still forbidden.
In other tamper combinations, some data extraction seems to go on but the results seem corrupt.

So why is sqlmap able to detect an injection point and validate it each time, but then is unable to extract data?

Also, after the injection is found, when rerunning sqlmap, it's unable to fingerprint the database if specified. Not using the --dbms option allows it to find the correct database application.

I actually was able to retrieve the current database and current user with proper switches and tampers.
But I can't list tables.