Some more fixes and adjustments before 0.6.1 release.

Bernardo Damele 2008-10-17 15:26:43 +00:00
parent 1f3ffc8ef7
commit 016118ce7a
5 changed files with 28 additions and 34 deletions


@ -2,7 +2,7 @@ sqlmap (0.6.1-1) stable; urgency=low
* Major bug fix to blind SQL injection bisection algorithm to handle an * Major bug fix to blind SQL injection bisection algorithm to handle an
exception; exception;
* Written a Metasploit 3 auxiliary module to run sqlmap; * Added a Metasploit 3 auxiliary module to run sqlmap;
* Implemented possibility to test for and inject also on LIKE * Implemented possibility to test for and inject also on LIKE
statements; statements;
* Implemented --start and --stop options to set the first and the last * Implemented --start and --stop options to set the first and the last


@ -32,43 +32,42 @@ msf auxiliary(wmap_sqlmap) > show options
Module options: Module options:
Name Current Setting Required Description Name Current Setting Required Description
---- --------------- -------- ----------- ---- --------------- -------- -----------
BATCH true yes Never ask for user input, use the default behaviour BATCH true yes Never ask for user input, use the default behaviour
DATA no The data string to be sent through POST BODY no The data string to be sent through POST
METHOD GET yes HTTP Method METHOD GET yes HTTP Method
OPTS --dbs --current-user no The sqlmap options to use OPTS --dbs --current-user no The sqlmap options to use
PATH /sqlmap/mysql/get_int.php yes The path/file to test for SQL injection PATH /sqlmap/mysql/get_int.php yes The path/file to test for SQL injection
Proxies no Use a proxy chain Proxies no Use a proxy chain
QUERY id=1 no HTTP GET query QUERY id=1 no HTTP GET query
RHOSTS 192.168.1.121 yes The target address range or CIDR identifier RHOSTS 192.168.1.121 yes The target address range or CIDR identifier
RPORT 80 yes The target port RPORT 80 yes The target port
SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path
SSL false no Use SSL SSL false no Use SSL
THREADS 1 yes The number of concurrent threads THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host VHOST no HTTP server virtual host
msf auxiliary(wmap_sqlmap) > run msf auxiliary(wmap_sqlmap) > run
[*] exec: /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py -u 'http://192.168.1.121/sqlmap/mysql/get_int.php?id=1' --method GET --dbs --current-user --batch [*] exec: /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py -u 'http://192.168.1.121:80//sqlmap/mysql/get_int.php?id=1' --method GET --dbs --current-user --batch
SQLMAP: SQLMAP:
SQLMAP: sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com> SQLMAP: sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
SQLMAP: and Daniele Bellucci <daniele.bellucci@gmail.com> SQLMAP: and Daniele Bellucci <daniele.bellucci@gmail.com>
SQLMAP: SQLMAP:
SQLMAP: [*] starting at: 01:31:41 SQLMAP: [*] starting at: 16:23:19
SQLMAP: SQLMAP:
SQLMAP: [01:31:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic SQLMAP: [16:23:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
SQLMAP: back-end DBMS: MySQL >= 5.0.0 SQLMAP: back-end DBMS: MySQL >= 5.0.0
SQLMAP: SQLMAP:
SQLMAP: current user: 'testuser@localhost' SQLMAP: current user: 'testuser@localhost'
SQLMAP: SQLMAP:
SQLMAP: available databases [4]: SQLMAP: available databases [3]:
SQLMAP: [*] information_schema SQLMAP: [*] information_schema
SQLMAP: [*] mysql SQLMAP: [*] mysql
SQLMAP: [*] privatedb
SQLMAP: [*] test SQLMAP: [*] test
SQLMAP: SQLMAP:
SQLMAP: SQLMAP:
SQLMAP: [*] shutting down at: 01:31:44 SQLMAP: [*] shutting down at: 16:23:21
SQLMAP: SQLMAP:
[*] Auxiliary module execution completed [*] Auxiliary module execution completed
msf auxiliary(wmap_sqlmap) > msf auxiliary(wmap_sqlmap) >


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('METHOD', [ true, "HTTP Method", 'GET' ]), OptString.new('METHOD', [ true, "HTTP Method", 'GET' ]),
OptString.new('PATH', [ true, "The path/file to test for SQL injection", 'index.php' ]), OptString.new('PATH', [ true, "The path/file to test for SQL injection", 'index.php' ]),
OptString.new('QUERY', [ false, "HTTP GET query", 'id=1' ]), OptString.new('QUERY', [ false, "HTTP GET query", 'id=1' ]),
OptString.new('DATA', [ false, "The data string to be sent through POST", '' ]), OptString.new('BODY', [ false, "The data string to be sent through POST", '' ]),
OptString.new('OPTS', [ false, "The sqlmap options to use", ' ' ]), OptString.new('OPTS', [ false, "The sqlmap options to use", ' ' ]),
OptPath.new('SQLMAP_PATH', [ true, "The sqlmap >= 0.6.1 full path ", '/sqlmap/sqlmap.py' ]), OptPath.new('SQLMAP_PATH', [ true, "The sqlmap >= 0.6.1 full path ", '/sqlmap/sqlmap.py' ]),
OptBool.new('BATCH', [ true, "Never ask for user input, use the default behaviour", 'true' ]) OptBool.new('BATCH', [ true, "Never ask for user input, use the default behaviour", 'true' ])
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
return return
end end
data = datastore['DATA'] data = datastore['BODY']
method = datastore['METHOD'].upcase method = datastore['METHOD'].upcase
sqlmap_url = (datastore['SSL'] ? "https" : "http") sqlmap_url = (datastore['SSL'] ? "https" : "http")


@ -98,9 +98,12 @@ class Connect:
requestMsg += " HTTP/1.1" requestMsg += " HTTP/1.1"
if cookie:
cookie = urlencode(cookie).replace("%%", "%")
try: try:
# Perform HTTP request # Perform HTTP request
headers = forgeHeaders(urlencode(cookie).replace("%%", "%"), ua) headers = forgeHeaders(cookie, ua)
req = urllib2.Request(url, post, headers) req = urllib2.Request(url, post, headers)
conn = urllib2.urlopen(req) conn = urllib2.urlopen(req)


@ -2,15 +2,7 @@
# Target URL. # Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 url =
#url = http://127.0.0.1/sqlmap/mysql/get_brackets.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_str_like.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par2.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par3.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_dstr_like_par.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_dstr_like_par2.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_int_str.php?id=1&name=luther
# Rather than providing a target url, let Google return target # Rather than providing a target url, let Google return target
# hosts as result of your Google dork expression. For a list of Google # hosts as result of your Google dork expression. For a list of Google