Updated documentation based upon recent developments

doc/README.html

@@ -181,14 +181,14 @@ in the following section to go ahead with the exploiting.</LI>
 <H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
 </H2>
 
-<P>sqlmap implements two techniques to exploit a SQL injection vulnerability:</P>
+<P>sqlmap implements three techniques to exploit a SQL injection
+vulnerability:</P>
 <P>
 <UL>
-<LI><B>Blind SQL injection</B>, also known as <B>Inferential Blind SQL
+<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
-injection</B> in this implementation: sqlmap appends to the affected
+affected parameter in the HTTP request, a syntatically valid SQL statement
-parameter in the HTTP request, a syntatically valid SQL statement string
+string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
-containing a <CODE>SELECT</CODE> sub-statement, or any other SQL statement
+statement whose the user want to retrieve the output.
-whose the user want to retrieve the output.
 For each HTTP response, by making a comparison based upon HTML page
 content hashes, or string matches, with the original request, the tool
 determines the output value of the statement character by character.
@@ -196,13 +196,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
 is able to fetch each output character with at maximum seven HTTP
 requests.
 This is sqlmap default SQL injection technique.</LI>
-<LI><B>Inband SQL injection</B>, also known as <B>Full UNION query SQL
+<LI><B>UNION query (inband) SQL injection</B>, also known as <B>Full
-injection</B>: sqlmap appends to the affected parameter in the HTTP
+UNION query SQL injection</B>: sqlmap appends to the affected parameter
-request, a syntatically valid SQL statement string starting with a
+in the HTTP request, a syntatically valid SQL statement string starting
-<CODE>UNION ALL SELECT</CODE>. This techique is useful if the web application
+with a <CODE>UNION ALL SELECT</CODE>. This techique is useful if the web
-page passes the output of the <CODE>SELECT</CODE> statement to a <CODE>for</CODE>
+application page passes the output of the <CODE>SELECT</CODE> statement to a
-cycle, or similar, so that each line of the query output is printed on the
+<CODE>for</CODE> cycle, or similar, so that each line of the query output is
-page content.
+printed on the page content.
 sqlmap is also able to exploit <B>Partial UNION query SQL injection</B>
 vulnerabilities which occur when the output of the statement is not cycled
 in a for construct whereas only the first entry output is displayed.
@@ -210,6 +210,15 @@ This technique is much faster if the target url is affected by because
 in a single HTTP response it returns the whole query output or a entry
 per each response within the page content.
 This SQL injection technique is an alternative to the first one.</LI>
+<LI><B>Stacked queries support</B>, also known as <B>multiple
+statements support</B>: sqlmap tests if the web application supports
+stacked queries then, in case it does support, it appends to the affected
+parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
+SQL statement to be executed. This technique is useful if to run SQL
+statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
+definition</EM> or <EM>data manipulation</EM> statements possibly leading
+to file system read and write access and operating system command
+execution depending on the underlying back-end database management system.</LI>
 </UL>
 </P>
 <P>It is strongly recommended to run at least once sqlmap with the
@@ -241,16 +250,17 @@ database management system name if you already know it. sqlmap is also able
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 </LI>
-<LI>Full support for two SQL injection techniques: <B>blind SQL
+<LI>Full support for three SQL injection techniques: <B> inferential
-injection</B> and <B>inband SQL injection</B>. sqlmap can also test for
+blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
-<B>Time based blind SQL injection</B>.
+<B>stacked queries (multiple statements) support</B>. sqlmap can also
+test for <B>time based blind SQL injection</B>.
 </LI>
 <LI>Options to retrieve on all four back-end database management system
 <B>banner</B>, <B>current user</B>, <B>current database</B>,
 enumerate <B>users</B>, <B>users password hashes</B>, <B>users
 privileges</B>, <B>databases</B>, <B>tables</B>, <B>columns</B>,
 dump <B>tables entries</B>, dump <B>whole database management
-system</B> and run your <B>own SQL <CODE>SELECT</CODE> statement</B>.
+system</B> and run your <B>own SQL statement</B>.
 </LI>
 <LI>If the back-end database management system is MySQL it is also
 possible to <B>read a specific file content</B> from the ile system and,
@@ -460,7 +470,7 @@ Options:
   Enumeration:
     These options can be used to enumerate the back-end database
     management system information, structure and data contained in the
-    tables. Moreover you can run your own SQL SELECT queries.
+    tables. Moreover you can run your own SQL statements.
 
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
@@ -481,7 +491,7 @@ Options:
     --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
     --start=LIMITSTART  First table entry to dump
     --stop=LIMITSTOP    Last table entry to dump
-    --sql-query=QUERY   SQL SELECT query to be executed
+    --sql-query=QUERY   SQL statement to be executed
     --sql-shell         Prompt for an interactive SQL shell
 
   File system access:
@@ -3406,7 +3416,7 @@ considered a system database because some database administrators use it
 as a users' database.</P>
 
 
-<H3>Run your own SQL SELECT statement</H3>
+<H3>Run your own SQL statement</H3>
 
 <P>Options: <CODE>--sql-query</CODE> and <CODE>--sql-shell</CODE></P>
 

doc/README.sgml

@@ -138,14 +138,14 @@ in the following section to go ahead with the exploiting.
 <sect1>Techniques
 
 <p>
-sqlmap implements two techniques to exploit a SQL injection vulnerability:
+sqlmap implements three techniques to exploit a SQL injection
+vulnerability:
 
 <itemize>
-<item><bf>Blind SQL injection</bf>, also known as <bf>Inferential Blind SQL
+<item><bf>Inferential Blind SQL injection</bf>: sqlmap appends to the
-injection</bf> in this implementation: sqlmap appends to the affected
+affected parameter in the HTTP request, a syntatically valid SQL statement
-parameter in the HTTP request, a syntatically valid SQL statement string
+string containing a <tt>SELECT</tt> sub-statement, or any other SQL
-containing a <tt>SELECT</tt> sub-statement, or any other SQL statement
+statement whose the user want to retrieve the output.
-whose the user want to retrieve the output.
 For each HTTP response, by making a comparison based upon HTML page
 content hashes, or string matches, with the original request, the tool
 determines the output value of the statement character by character.
@@ -153,13 +153,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
 is able to fetch each output character with at maximum seven HTTP
 requests.
 This is sqlmap default SQL injection technique.
-<item><bf>Inband SQL injection</bf>, also known as <bf>Full UNION query SQL
+<item><bf>UNION query (inband) SQL injection</bf>, also known as <bf>Full
-injection</bf>: sqlmap appends to the affected parameter in the HTTP
+UNION query SQL injection</bf>: sqlmap appends to the affected parameter
-request, a syntatically valid SQL statement string starting with a
+in the HTTP request, a syntatically valid SQL statement string starting
-<tt>UNION ALL SELECT</tt>. This techique is useful if the web application
+with a <tt>UNION ALL SELECT</tt>. This techique is useful if the web
-page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>
+application page passes the output of the <tt>SELECT</tt> statement to a
-cycle, or similar, so that each line of the query output is printed on the
+<tt>for</tt> cycle, or similar, so that each line of the query output is
-page content.
+printed on the page content.
 sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>
 vulnerabilities which occur when the output of the statement is not cycled
 in a for construct whereas only the first entry output is displayed.
@@ -167,6 +167,15 @@ This technique is much faster if the target url is affected by because
 in a single HTTP response it returns the whole query output or a entry
 per each response within the page content.
 This SQL injection technique is an alternative to the first one.
+<item><bf>Stacked queries support</bf>, also known as <bf>multiple
+statements support</bf>: sqlmap tests if the web application supports
+stacked queries then, in case it does support, it appends to the affected
+parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
+SQL statement to be executed. This technique is useful if to run SQL
+statements other than <tt>SELECT</tt> like, for instance, <em>data
+definition</em> or <em>data manipulation</em> statements possibly leading
+to file system read and write access and operating system command
+execution depending on the underlying back-end database management system.
 </itemize>
 
 It is strongly recommended to run at least once sqlmap with the
@@ -199,16 +208,17 @@ database management system name if you already know it. sqlmap is also able
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 
-<item>Full support for two SQL injection techniques: <bf>blind SQL
+<item>Full support for three SQL injection techniques: <bf> inferential
-injection</bf> and <bf>inband SQL injection</bf>. sqlmap can also test for
+blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
-<bf>Time based blind SQL injection</bf>.
+<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
+test for <bf>time based blind SQL injection</bf>.
 
 <item>Options to retrieve on all four back-end database management system
 <bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
 enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
 privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
 dump <bf>tables entries</bf>, dump <bf>whole database management
-system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.
+system</bf> and run your <bf>own SQL statement</bf>.
 
 <item>If the back-end database management system is MySQL it is also
 possible to <bf>read a specific file content</bf> from the ile system and,
@@ -416,7 +426,7 @@ Options:
   Enumeration:
     These options can be used to enumerate the back-end database
     management system information, structure and data contained in the
-    tables. Moreover you can run your own SQL SELECT queries.
+    tables. Moreover you can run your own SQL statements.
 
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
@@ -437,7 +447,7 @@ Options:
     --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
     --start=LIMITSTART  First table entry to dump
     --stop=LIMITSTOP    Last table entry to dump
-    --sql-query=QUERY   SQL SELECT query to be executed
+    --sql-query=QUERY   SQL statement to be executed
     --sql-shell         Prompt for an interactive SQL shell
 
   File system access:
@@ -3310,7 +3320,9 @@ considered a system database because some database administrators use it
 as a users' database.
 
 
-<sect2>Run your own SQL SELECT statement
+<sect2>Run your own SQL statement
+
+<!-- TODO: improve -->
 
 <p>
 Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>

doc/THANKS

@@ -116,6 +116,10 @@ Sven Schluter <sschlueter@netzwerk.cc>
     for providing with a patch for waiting a number of seconds between
     each HTTP request
 
+Sumit Siddharth <sid@notsosecure.com>
+    for providing me with ideas on the implementation on a couple of
+    features
+
 M Simkin <mlsimkin@cox.net>
     for suggesting a feature