mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Updated documentation based upon recent developments
This commit is contained in:
parent
35708a0b97
commit
374b9ba878
|
@ -181,14 +181,14 @@ in the following section to go ahead with the exploiting.</LI>
|
||||||
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
|
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
|
||||||
</H2>
|
</H2>
|
||||||
|
|
||||||
<P>sqlmap implements two techniques to exploit a SQL injection vulnerability:</P>
|
<P>sqlmap implements three techniques to exploit a SQL injection
|
||||||
|
vulnerability:</P>
|
||||||
<P>
|
<P>
|
||||||
<UL>
|
<UL>
|
||||||
<LI><B>Blind SQL injection</B>, also known as <B>Inferential Blind SQL
|
<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
|
||||||
injection</B> in this implementation: sqlmap appends to the affected
|
affected parameter in the HTTP request, a syntatically valid SQL statement
|
||||||
parameter in the HTTP request, a syntatically valid SQL statement string
|
string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
|
||||||
containing a <CODE>SELECT</CODE> sub-statement, or any other SQL statement
|
statement whose the user want to retrieve the output.
|
||||||
whose the user want to retrieve the output.
|
|
||||||
For each HTTP response, by making a comparison based upon HTML page
|
For each HTTP response, by making a comparison based upon HTML page
|
||||||
content hashes, or string matches, with the original request, the tool
|
content hashes, or string matches, with the original request, the tool
|
||||||
determines the output value of the statement character by character.
|
determines the output value of the statement character by character.
|
||||||
|
@ -196,13 +196,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
|
||||||
is able to fetch each output character with at maximum seven HTTP
|
is able to fetch each output character with at maximum seven HTTP
|
||||||
requests.
|
requests.
|
||||||
This is sqlmap default SQL injection technique.</LI>
|
This is sqlmap default SQL injection technique.</LI>
|
||||||
<LI><B>Inband SQL injection</B>, also known as <B>Full UNION query SQL
|
<LI><B>UNION query (inband) SQL injection</B>, also known as <B>Full
|
||||||
injection</B>: sqlmap appends to the affected parameter in the HTTP
|
UNION query SQL injection</B>: sqlmap appends to the affected parameter
|
||||||
request, a syntatically valid SQL statement string starting with a
|
in the HTTP request, a syntatically valid SQL statement string starting
|
||||||
<CODE>UNION ALL SELECT</CODE>. This techique is useful if the web application
|
with a <CODE>UNION ALL SELECT</CODE>. This techique is useful if the web
|
||||||
page passes the output of the <CODE>SELECT</CODE> statement to a <CODE>for</CODE>
|
application page passes the output of the <CODE>SELECT</CODE> statement to a
|
||||||
cycle, or similar, so that each line of the query output is printed on the
|
<CODE>for</CODE> cycle, or similar, so that each line of the query output is
|
||||||
page content.
|
printed on the page content.
|
||||||
sqlmap is also able to exploit <B>Partial UNION query SQL injection</B>
|
sqlmap is also able to exploit <B>Partial UNION query SQL injection</B>
|
||||||
vulnerabilities which occur when the output of the statement is not cycled
|
vulnerabilities which occur when the output of the statement is not cycled
|
||||||
in a for construct whereas only the first entry output is displayed.
|
in a for construct whereas only the first entry output is displayed.
|
||||||
|
@ -210,6 +210,15 @@ This technique is much faster if the target url is affected by because
|
||||||
in a single HTTP response it returns the whole query output or a entry
|
in a single HTTP response it returns the whole query output or a entry
|
||||||
per each response within the page content.
|
per each response within the page content.
|
||||||
This SQL injection technique is an alternative to the first one.</LI>
|
This SQL injection technique is an alternative to the first one.</LI>
|
||||||
|
<LI><B>Stacked queries support</B>, also known as <B>multiple
|
||||||
|
statements support</B>: sqlmap tests if the web application supports
|
||||||
|
stacked queries then, in case it does support, it appends to the affected
|
||||||
|
parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
|
||||||
|
SQL statement to be executed. This technique is useful if to run SQL
|
||||||
|
statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
|
||||||
|
definition</EM> or <EM>data manipulation</EM> statements possibly leading
|
||||||
|
to file system read and write access and operating system command
|
||||||
|
execution depending on the underlying back-end database management system.</LI>
|
||||||
</UL>
|
</UL>
|
||||||
</P>
|
</P>
|
||||||
<P>It is strongly recommended to run at least once sqlmap with the
|
<P>It is strongly recommended to run at least once sqlmap with the
|
||||||
|
@ -241,16 +250,17 @@ database management system name if you already know it. sqlmap is also able
|
||||||
to fingerprint the web server operating system, the web application
|
to fingerprint the web server operating system, the web application
|
||||||
technology and, in some circumstances, the back-end DBMS operating system.
|
technology and, in some circumstances, the back-end DBMS operating system.
|
||||||
</LI>
|
</LI>
|
||||||
<LI>Full support for two SQL injection techniques: <B>blind SQL
|
<LI>Full support for three SQL injection techniques: <B> inferential
|
||||||
injection</B> and <B>inband SQL injection</B>. sqlmap can also test for
|
blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
|
||||||
<B>Time based blind SQL injection</B>.
|
<B>stacked queries (multiple statements) support</B>. sqlmap can also
|
||||||
|
test for <B>time based blind SQL injection</B>.
|
||||||
</LI>
|
</LI>
|
||||||
<LI>Options to retrieve on all four back-end database management system
|
<LI>Options to retrieve on all four back-end database management system
|
||||||
<B>banner</B>, <B>current user</B>, <B>current database</B>,
|
<B>banner</B>, <B>current user</B>, <B>current database</B>,
|
||||||
enumerate <B>users</B>, <B>users password hashes</B>, <B>users
|
enumerate <B>users</B>, <B>users password hashes</B>, <B>users
|
||||||
privileges</B>, <B>databases</B>, <B>tables</B>, <B>columns</B>,
|
privileges</B>, <B>databases</B>, <B>tables</B>, <B>columns</B>,
|
||||||
dump <B>tables entries</B>, dump <B>whole database management
|
dump <B>tables entries</B>, dump <B>whole database management
|
||||||
system</B> and run your <B>own SQL <CODE>SELECT</CODE> statement</B>.
|
system</B> and run your <B>own SQL statement</B>.
|
||||||
</LI>
|
</LI>
|
||||||
<LI>If the back-end database management system is MySQL it is also
|
<LI>If the back-end database management system is MySQL it is also
|
||||||
possible to <B>read a specific file content</B> from the ile system and,
|
possible to <B>read a specific file content</B> from the ile system and,
|
||||||
|
@ -460,7 +470,7 @@ Options:
|
||||||
Enumeration:
|
Enumeration:
|
||||||
These options can be used to enumerate the back-end database
|
These options can be used to enumerate the back-end database
|
||||||
management system information, structure and data contained in the
|
management system information, structure and data contained in the
|
||||||
tables. Moreover you can run your own SQL SELECT queries.
|
tables. Moreover you can run your own SQL statements.
|
||||||
|
|
||||||
-b, --banner Retrieve DBMS banner
|
-b, --banner Retrieve DBMS banner
|
||||||
--current-user Retrieve DBMS current user
|
--current-user Retrieve DBMS current user
|
||||||
|
@ -481,7 +491,7 @@ Options:
|
||||||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||||
--start=LIMITSTART First table entry to dump
|
--start=LIMITSTART First table entry to dump
|
||||||
--stop=LIMITSTOP Last table entry to dump
|
--stop=LIMITSTOP Last table entry to dump
|
||||||
--sql-query=QUERY SQL SELECT query to be executed
|
--sql-query=QUERY SQL statement to be executed
|
||||||
--sql-shell Prompt for an interactive SQL shell
|
--sql-shell Prompt for an interactive SQL shell
|
||||||
|
|
||||||
File system access:
|
File system access:
|
||||||
|
@ -3406,7 +3416,7 @@ considered a system database because some database administrators use it
|
||||||
as a users' database.</P>
|
as a users' database.</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Run your own SQL SELECT statement</H3>
|
<H3>Run your own SQL statement</H3>
|
||||||
|
|
||||||
<P>Options: <CODE>--sql-query</CODE> and <CODE>--sql-shell</CODE></P>
|
<P>Options: <CODE>--sql-query</CODE> and <CODE>--sql-shell</CODE></P>
|
||||||
|
|
||||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
|
@ -138,14 +138,14 @@ in the following section to go ahead with the exploiting.
|
||||||
<sect1>Techniques
|
<sect1>Techniques
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
sqlmap implements two techniques to exploit a SQL injection vulnerability:
|
sqlmap implements three techniques to exploit a SQL injection
|
||||||
|
vulnerability:
|
||||||
|
|
||||||
<itemize>
|
<itemize>
|
||||||
<item><bf>Blind SQL injection</bf>, also known as <bf>Inferential Blind SQL
|
<item><bf>Inferential Blind SQL injection</bf>: sqlmap appends to the
|
||||||
injection</bf> in this implementation: sqlmap appends to the affected
|
affected parameter in the HTTP request, a syntatically valid SQL statement
|
||||||
parameter in the HTTP request, a syntatically valid SQL statement string
|
string containing a <tt>SELECT</tt> sub-statement, or any other SQL
|
||||||
containing a <tt>SELECT</tt> sub-statement, or any other SQL statement
|
statement whose the user want to retrieve the output.
|
||||||
whose the user want to retrieve the output.
|
|
||||||
For each HTTP response, by making a comparison based upon HTML page
|
For each HTTP response, by making a comparison based upon HTML page
|
||||||
content hashes, or string matches, with the original request, the tool
|
content hashes, or string matches, with the original request, the tool
|
||||||
determines the output value of the statement character by character.
|
determines the output value of the statement character by character.
|
||||||
|
@ -153,13 +153,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
|
||||||
is able to fetch each output character with at maximum seven HTTP
|
is able to fetch each output character with at maximum seven HTTP
|
||||||
requests.
|
requests.
|
||||||
This is sqlmap default SQL injection technique.
|
This is sqlmap default SQL injection technique.
|
||||||
<item><bf>Inband SQL injection</bf>, also known as <bf>Full UNION query SQL
|
<item><bf>UNION query (inband) SQL injection</bf>, also known as <bf>Full
|
||||||
injection</bf>: sqlmap appends to the affected parameter in the HTTP
|
UNION query SQL injection</bf>: sqlmap appends to the affected parameter
|
||||||
request, a syntatically valid SQL statement string starting with a
|
in the HTTP request, a syntatically valid SQL statement string starting
|
||||||
<tt>UNION ALL SELECT</tt>. This techique is useful if the web application
|
with a <tt>UNION ALL SELECT</tt>. This techique is useful if the web
|
||||||
page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>
|
application page passes the output of the <tt>SELECT</tt> statement to a
|
||||||
cycle, or similar, so that each line of the query output is printed on the
|
<tt>for</tt> cycle, or similar, so that each line of the query output is
|
||||||
page content.
|
printed on the page content.
|
||||||
sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>
|
sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>
|
||||||
vulnerabilities which occur when the output of the statement is not cycled
|
vulnerabilities which occur when the output of the statement is not cycled
|
||||||
in a for construct whereas only the first entry output is displayed.
|
in a for construct whereas only the first entry output is displayed.
|
||||||
|
@ -167,6 +167,15 @@ This technique is much faster if the target url is affected by because
|
||||||
in a single HTTP response it returns the whole query output or a entry
|
in a single HTTP response it returns the whole query output or a entry
|
||||||
per each response within the page content.
|
per each response within the page content.
|
||||||
This SQL injection technique is an alternative to the first one.
|
This SQL injection technique is an alternative to the first one.
|
||||||
|
<item><bf>Stacked queries support</bf>, also known as <bf>multiple
|
||||||
|
statements support</bf>: sqlmap tests if the web application supports
|
||||||
|
stacked queries then, in case it does support, it appends to the affected
|
||||||
|
parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
|
||||||
|
SQL statement to be executed. This technique is useful if to run SQL
|
||||||
|
statements other than <tt>SELECT</tt> like, for instance, <em>data
|
||||||
|
definition</em> or <em>data manipulation</em> statements possibly leading
|
||||||
|
to file system read and write access and operating system command
|
||||||
|
execution depending on the underlying back-end database management system.
|
||||||
</itemize>
|
</itemize>
|
||||||
|
|
||||||
It is strongly recommended to run at least once sqlmap with the
|
It is strongly recommended to run at least once sqlmap with the
|
||||||
|
@ -199,16 +208,17 @@ database management system name if you already know it. sqlmap is also able
|
||||||
to fingerprint the web server operating system, the web application
|
to fingerprint the web server operating system, the web application
|
||||||
technology and, in some circumstances, the back-end DBMS operating system.
|
technology and, in some circumstances, the back-end DBMS operating system.
|
||||||
|
|
||||||
<item>Full support for two SQL injection techniques: <bf>blind SQL
|
<item>Full support for three SQL injection techniques: <bf> inferential
|
||||||
injection</bf> and <bf>inband SQL injection</bf>. sqlmap can also test for
|
blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
|
||||||
<bf>Time based blind SQL injection</bf>.
|
<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
|
||||||
|
test for <bf>time based blind SQL injection</bf>.
|
||||||
|
|
||||||
<item>Options to retrieve on all four back-end database management system
|
<item>Options to retrieve on all four back-end database management system
|
||||||
<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
|
<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
|
||||||
enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
|
enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
|
||||||
privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
|
privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
|
||||||
dump <bf>tables entries</bf>, dump <bf>whole database management
|
dump <bf>tables entries</bf>, dump <bf>whole database management
|
||||||
system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.
|
system</bf> and run your <bf>own SQL statement</bf>.
|
||||||
|
|
||||||
<item>If the back-end database management system is MySQL it is also
|
<item>If the back-end database management system is MySQL it is also
|
||||||
possible to <bf>read a specific file content</bf> from the ile system and,
|
possible to <bf>read a specific file content</bf> from the ile system and,
|
||||||
|
@ -416,7 +426,7 @@ Options:
|
||||||
Enumeration:
|
Enumeration:
|
||||||
These options can be used to enumerate the back-end database
|
These options can be used to enumerate the back-end database
|
||||||
management system information, structure and data contained in the
|
management system information, structure and data contained in the
|
||||||
tables. Moreover you can run your own SQL SELECT queries.
|
tables. Moreover you can run your own SQL statements.
|
||||||
|
|
||||||
-b, --banner Retrieve DBMS banner
|
-b, --banner Retrieve DBMS banner
|
||||||
--current-user Retrieve DBMS current user
|
--current-user Retrieve DBMS current user
|
||||||
|
@ -437,7 +447,7 @@ Options:
|
||||||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||||
--start=LIMITSTART First table entry to dump
|
--start=LIMITSTART First table entry to dump
|
||||||
--stop=LIMITSTOP Last table entry to dump
|
--stop=LIMITSTOP Last table entry to dump
|
||||||
--sql-query=QUERY SQL SELECT query to be executed
|
--sql-query=QUERY SQL statement to be executed
|
||||||
--sql-shell Prompt for an interactive SQL shell
|
--sql-shell Prompt for an interactive SQL shell
|
||||||
|
|
||||||
File system access:
|
File system access:
|
||||||
|
@ -3310,7 +3320,9 @@ considered a system database because some database administrators use it
|
||||||
as a users' database.
|
as a users' database.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Run your own SQL SELECT statement
|
<sect2>Run your own SQL statement
|
||||||
|
|
||||||
|
<!-- TODO: improve -->
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
|
Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
|
||||||
|
|
|
@ -116,6 +116,10 @@ Sven Schluter <sschlueter@netzwerk.cc>
|
||||||
for providing with a patch for waiting a number of seconds between
|
for providing with a patch for waiting a number of seconds between
|
||||||
each HTTP request
|
each HTTP request
|
||||||
|
|
||||||
|
Sumit Siddharth <sid@notsosecure.com>
|
||||||
|
for providing me with ideas on the implementation on a couple of
|
||||||
|
features
|
||||||
|
|
||||||
M Simkin <mlsimkin@cox.net>
|
M Simkin <mlsimkin@cox.net>
|
||||||
for suggesting a feature
|
for suggesting a feature
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user