mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 09:36:35 +03:00
Updated documentation based upon recent developments
This commit is contained in:
parent
35708a0b97
commit
374b9ba878
|
@ -181,14 +181,14 @@ in the following section to go ahead with the exploiting.</LI>
|
|||
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
|
||||
</H2>
|
||||
|
||||
<P>sqlmap implements two techniques to exploit a SQL injection vulnerability:</P>
|
||||
<P>sqlmap implements three techniques to exploit a SQL injection
|
||||
vulnerability:</P>
|
||||
<P>
|
||||
<UL>
|
||||
<LI><B>Blind SQL injection</B>, also known as <B>Inferential Blind SQL
|
||||
injection</B> in this implementation: sqlmap appends to the affected
|
||||
parameter in the HTTP request, a syntatically valid SQL statement string
|
||||
containing a <CODE>SELECT</CODE> sub-statement, or any other SQL statement
|
||||
whose the user want to retrieve the output.
|
||||
<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
|
||||
affected parameter in the HTTP request, a syntatically valid SQL statement
|
||||
string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
|
||||
statement whose the user want to retrieve the output.
|
||||
For each HTTP response, by making a comparison based upon HTML page
|
||||
content hashes, or string matches, with the original request, the tool
|
||||
determines the output value of the statement character by character.
|
||||
|
@ -196,13 +196,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
|
|||
is able to fetch each output character with at maximum seven HTTP
|
||||
requests.
|
||||
This is sqlmap default SQL injection technique.</LI>
|
||||
<LI><B>Inband SQL injection</B>, also known as <B>Full UNION query SQL
|
||||
injection</B>: sqlmap appends to the affected parameter in the HTTP
|
||||
request, a syntatically valid SQL statement string starting with a
|
||||
<CODE>UNION ALL SELECT</CODE>. This techique is useful if the web application
|
||||
page passes the output of the <CODE>SELECT</CODE> statement to a <CODE>for</CODE>
|
||||
cycle, or similar, so that each line of the query output is printed on the
|
||||
page content.
|
||||
<LI><B>UNION query (inband) SQL injection</B>, also known as <B>Full
|
||||
UNION query SQL injection</B>: sqlmap appends to the affected parameter
|
||||
in the HTTP request, a syntatically valid SQL statement string starting
|
||||
with a <CODE>UNION ALL SELECT</CODE>. This techique is useful if the web
|
||||
application page passes the output of the <CODE>SELECT</CODE> statement to a
|
||||
<CODE>for</CODE> cycle, or similar, so that each line of the query output is
|
||||
printed on the page content.
|
||||
sqlmap is also able to exploit <B>Partial UNION query SQL injection</B>
|
||||
vulnerabilities which occur when the output of the statement is not cycled
|
||||
in a for construct whereas only the first entry output is displayed.
|
||||
|
@ -210,6 +210,15 @@ This technique is much faster if the target url is affected by because
|
|||
in a single HTTP response it returns the whole query output or a entry
|
||||
per each response within the page content.
|
||||
This SQL injection technique is an alternative to the first one.</LI>
|
||||
<LI><B>Stacked queries support</B>, also known as <B>multiple
|
||||
statements support</B>: sqlmap tests if the web application supports
|
||||
stacked queries then, in case it does support, it appends to the affected
|
||||
parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
|
||||
SQL statement to be executed. This technique is useful if to run SQL
|
||||
statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
|
||||
definition</EM> or <EM>data manipulation</EM> statements possibly leading
|
||||
to file system read and write access and operating system command
|
||||
execution depending on the underlying back-end database management system.</LI>
|
||||
</UL>
|
||||
</P>
|
||||
<P>It is strongly recommended to run at least once sqlmap with the
|
||||
|
@ -241,16 +250,17 @@ database management system name if you already know it. sqlmap is also able
|
|||
to fingerprint the web server operating system, the web application
|
||||
technology and, in some circumstances, the back-end DBMS operating system.
|
||||
</LI>
|
||||
<LI>Full support for two SQL injection techniques: <B>blind SQL
|
||||
injection</B> and <B>inband SQL injection</B>. sqlmap can also test for
|
||||
<B>Time based blind SQL injection</B>.
|
||||
<LI>Full support for three SQL injection techniques: <B> inferential
|
||||
blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
|
||||
<B>stacked queries (multiple statements) support</B>. sqlmap can also
|
||||
test for <B>time based blind SQL injection</B>.
|
||||
</LI>
|
||||
<LI>Options to retrieve on all four back-end database management system
|
||||
<B>banner</B>, <B>current user</B>, <B>current database</B>,
|
||||
enumerate <B>users</B>, <B>users password hashes</B>, <B>users
|
||||
privileges</B>, <B>databases</B>, <B>tables</B>, <B>columns</B>,
|
||||
dump <B>tables entries</B>, dump <B>whole database management
|
||||
system</B> and run your <B>own SQL <CODE>SELECT</CODE> statement</B>.
|
||||
system</B> and run your <B>own SQL statement</B>.
|
||||
</LI>
|
||||
<LI>If the back-end database management system is MySQL it is also
|
||||
possible to <B>read a specific file content</B> from the ile system and,
|
||||
|
@ -460,7 +470,7 @@ Options:
|
|||
Enumeration:
|
||||
These options can be used to enumerate the back-end database
|
||||
management system information, structure and data contained in the
|
||||
tables. Moreover you can run your own SQL SELECT queries.
|
||||
tables. Moreover you can run your own SQL statements.
|
||||
|
||||
-b, --banner Retrieve DBMS banner
|
||||
--current-user Retrieve DBMS current user
|
||||
|
@ -481,7 +491,7 @@ Options:
|
|||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||
--start=LIMITSTART First table entry to dump
|
||||
--stop=LIMITSTOP Last table entry to dump
|
||||
--sql-query=QUERY SQL SELECT query to be executed
|
||||
--sql-query=QUERY SQL statement to be executed
|
||||
--sql-shell Prompt for an interactive SQL shell
|
||||
|
||||
File system access:
|
||||
|
@ -3406,7 +3416,7 @@ considered a system database because some database administrators use it
|
|||
as a users' database.</P>
|
||||
|
||||
|
||||
<H3>Run your own SQL SELECT statement</H3>
|
||||
<H3>Run your own SQL statement</H3>
|
||||
|
||||
<P>Options: <CODE>--sql-query</CODE> and <CODE>--sql-shell</CODE></P>
|
||||
|
||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
|
@ -138,14 +138,14 @@ in the following section to go ahead with the exploiting.
|
|||
<sect1>Techniques
|
||||
|
||||
<p>
|
||||
sqlmap implements two techniques to exploit a SQL injection vulnerability:
|
||||
sqlmap implements three techniques to exploit a SQL injection
|
||||
vulnerability:
|
||||
|
||||
<itemize>
|
||||
<item><bf>Blind SQL injection</bf>, also known as <bf>Inferential Blind SQL
|
||||
injection</bf> in this implementation: sqlmap appends to the affected
|
||||
parameter in the HTTP request, a syntatically valid SQL statement string
|
||||
containing a <tt>SELECT</tt> sub-statement, or any other SQL statement
|
||||
whose the user want to retrieve the output.
|
||||
<item><bf>Inferential Blind SQL injection</bf>: sqlmap appends to the
|
||||
affected parameter in the HTTP request, a syntatically valid SQL statement
|
||||
string containing a <tt>SELECT</tt> sub-statement, or any other SQL
|
||||
statement whose the user want to retrieve the output.
|
||||
For each HTTP response, by making a comparison based upon HTML page
|
||||
content hashes, or string matches, with the original request, the tool
|
||||
determines the output value of the statement character by character.
|
||||
|
@ -153,13 +153,13 @@ The bisection algorithm implemented in sqlmap to perform this technique
|
|||
is able to fetch each output character with at maximum seven HTTP
|
||||
requests.
|
||||
This is sqlmap default SQL injection technique.
|
||||
<item><bf>Inband SQL injection</bf>, also known as <bf>Full UNION query SQL
|
||||
injection</bf>: sqlmap appends to the affected parameter in the HTTP
|
||||
request, a syntatically valid SQL statement string starting with a
|
||||
<tt>UNION ALL SELECT</tt>. This techique is useful if the web application
|
||||
page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>
|
||||
cycle, or similar, so that each line of the query output is printed on the
|
||||
page content.
|
||||
<item><bf>UNION query (inband) SQL injection</bf>, also known as <bf>Full
|
||||
UNION query SQL injection</bf>: sqlmap appends to the affected parameter
|
||||
in the HTTP request, a syntatically valid SQL statement string starting
|
||||
with a <tt>UNION ALL SELECT</tt>. This techique is useful if the web
|
||||
application page passes the output of the <tt>SELECT</tt> statement to a
|
||||
<tt>for</tt> cycle, or similar, so that each line of the query output is
|
||||
printed on the page content.
|
||||
sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>
|
||||
vulnerabilities which occur when the output of the statement is not cycled
|
||||
in a for construct whereas only the first entry output is displayed.
|
||||
|
@ -167,6 +167,15 @@ This technique is much faster if the target url is affected by because
|
|||
in a single HTTP response it returns the whole query output or a entry
|
||||
per each response within the page content.
|
||||
This SQL injection technique is an alternative to the first one.
|
||||
<item><bf>Stacked queries support</bf>, also known as <bf>multiple
|
||||
statements support</bf>: sqlmap tests if the web application supports
|
||||
stacked queries then, in case it does support, it appends to the affected
|
||||
parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
|
||||
SQL statement to be executed. This technique is useful if to run SQL
|
||||
statements other than <tt>SELECT</tt> like, for instance, <em>data
|
||||
definition</em> or <em>data manipulation</em> statements possibly leading
|
||||
to file system read and write access and operating system command
|
||||
execution depending on the underlying back-end database management system.
|
||||
</itemize>
|
||||
|
||||
It is strongly recommended to run at least once sqlmap with the
|
||||
|
@ -199,16 +208,17 @@ database management system name if you already know it. sqlmap is also able
|
|||
to fingerprint the web server operating system, the web application
|
||||
technology and, in some circumstances, the back-end DBMS operating system.
|
||||
|
||||
<item>Full support for two SQL injection techniques: <bf>blind SQL
|
||||
injection</bf> and <bf>inband SQL injection</bf>. sqlmap can also test for
|
||||
<bf>Time based blind SQL injection</bf>.
|
||||
<item>Full support for three SQL injection techniques: <bf> inferential
|
||||
blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
|
||||
<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
|
||||
test for <bf>time based blind SQL injection</bf>.
|
||||
|
||||
<item>Options to retrieve on all four back-end database management system
|
||||
<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
|
||||
enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
|
||||
privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
|
||||
dump <bf>tables entries</bf>, dump <bf>whole database management
|
||||
system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.
|
||||
system</bf> and run your <bf>own SQL statement</bf>.
|
||||
|
||||
<item>If the back-end database management system is MySQL it is also
|
||||
possible to <bf>read a specific file content</bf> from the ile system and,
|
||||
|
@ -416,7 +426,7 @@ Options:
|
|||
Enumeration:
|
||||
These options can be used to enumerate the back-end database
|
||||
management system information, structure and data contained in the
|
||||
tables. Moreover you can run your own SQL SELECT queries.
|
||||
tables. Moreover you can run your own SQL statements.
|
||||
|
||||
-b, --banner Retrieve DBMS banner
|
||||
--current-user Retrieve DBMS current user
|
||||
|
@ -437,7 +447,7 @@ Options:
|
|||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||
--start=LIMITSTART First table entry to dump
|
||||
--stop=LIMITSTOP Last table entry to dump
|
||||
--sql-query=QUERY SQL SELECT query to be executed
|
||||
--sql-query=QUERY SQL statement to be executed
|
||||
--sql-shell Prompt for an interactive SQL shell
|
||||
|
||||
File system access:
|
||||
|
@ -3310,7 +3320,9 @@ considered a system database because some database administrators use it
|
|||
as a users' database.
|
||||
|
||||
|
||||
<sect2>Run your own SQL SELECT statement
|
||||
<sect2>Run your own SQL statement
|
||||
|
||||
<!-- TODO: improve -->
|
||||
|
||||
<p>
|
||||
Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
|
||||
|
|
|
@ -116,6 +116,10 @@ Sven Schluter <sschlueter@netzwerk.cc>
|
|||
for providing with a patch for waiting a number of seconds between
|
||||
each HTTP request
|
||||
|
||||
Sumit Siddharth <sid@notsosecure.com>
|
||||
for providing me with ideas on the implementation on a couple of
|
||||
features
|
||||
|
||||
M Simkin <mlsimkin@cox.net>
|
||||
for suggesting a feature
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user