mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 02:53:46 +03:00
Minor improvement to use Python ConfigParser library when --save if specified.
Minor update to the user's manual
This commit is contained in:
parent
6ff8feb5cf
commit
9c125a2b57
|
@ -215,19 +215,14 @@ This SQL injection technique is an alternative to the first one.</LI>
|
|||
statements support</B>: sqlmap tests if the web application supports
|
||||
stacked queries then, in case it does support, it appends to the affected
|
||||
parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
|
||||
SQL statement to be executed. This technique is useful if to run SQL
|
||||
SQL statement to be executed. This technique is useful to run SQL
|
||||
statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
|
||||
definition</EM> or <EM>data manipulation</EM> statements possibly leading
|
||||
to file system read and write access and operating system command
|
||||
execution depending on the underlying back-end database management system.</LI>
|
||||
execution depending on the underlying back-end database management system
|
||||
and the session user privileges.</LI>
|
||||
</UL>
|
||||
</P>
|
||||
<P>It is strongly recommended to run at least once sqlmap with the
|
||||
<CODE>--union-test</CODE> option to test if the affected parameter is used
|
||||
within a <CODE>for</CODE> cycle, or similar, and in case use
|
||||
<CODE>--union-use</CODE> option to exploit this vulnerability because it
|
||||
saves a lot of time and it does not weight down the web server log file
|
||||
with hundreds of HTTP requests.</P>
|
||||
|
||||
|
||||
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
|
||||
|
@ -2008,6 +2003,13 @@ affected by an inband SQL injection.
|
|||
In case this vulnerability is exploitable it is strongly recommended to
|
||||
use this technique which saves a lot of time.</P>
|
||||
|
||||
<P>It is strongly recommended to run at least once sqlmap with the
|
||||
<CODE>--union-test</CODE> option to test if the affected parameter is used
|
||||
within a <CODE>for</CODE> cycle, or similar, and in case use
|
||||
<CODE>--union-use</CODE> option to exploit this vulnerability because it
|
||||
saves a lot of time and it does not weight down the web server log file
|
||||
with hundreds of HTTP requests.</P>
|
||||
|
||||
|
||||
<H3>Use the UNION query SQL injection</H3>
|
||||
|
||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
|
@ -172,20 +172,14 @@ This SQL injection technique is an alternative to the first one.
|
|||
statements support</bf>: sqlmap tests if the web application supports
|
||||
stacked queries then, in case it does support, it appends to the affected
|
||||
parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
|
||||
SQL statement to be executed. This technique is useful if to run SQL
|
||||
SQL statement to be executed. This technique is useful to run SQL
|
||||
statements other than <tt>SELECT</tt> like, for instance, <em>data
|
||||
definition</em> or <em>data manipulation</em> statements possibly leading
|
||||
to file system read and write access and operating system command
|
||||
execution depending on the underlying back-end database management system.
|
||||
execution depending on the underlying back-end database management system
|
||||
and the session user privileges.
|
||||
</itemize>
|
||||
|
||||
It is strongly recommended to run at least once sqlmap with the
|
||||
<tt>--union-test</tt> option to test if the affected parameter is used
|
||||
within a <tt>for</tt> cycle, or similar, and in case use
|
||||
<tt>--union-use</tt> option to exploit this vulnerability because it
|
||||
saves a lot of time and it does not weight down the web server log file
|
||||
with hundreds of HTTP requests.
|
||||
|
||||
|
||||
<sect>Features
|
||||
|
||||
|
@ -1939,6 +1933,14 @@ affected by an inband SQL injection.
|
|||
In case this vulnerability is exploitable it is strongly recommended to
|
||||
use this technique which saves a lot of time.
|
||||
|
||||
<p>
|
||||
It is strongly recommended to run at least once sqlmap with the
|
||||
<tt>--union-test</tt> option to test if the affected parameter is used
|
||||
within a <tt>for</tt> cycle, or similar, and in case use
|
||||
<tt>--union-use</tt> option to exploit this vulnerability because it
|
||||
saves a lot of time and it does not weight down the web server log file
|
||||
with hundreds of HTTP requests.
|
||||
|
||||
|
||||
<sect2>Use the UNION query SQL injection
|
||||
|
||||
|
|
|
@ -34,6 +34,8 @@ import time
|
|||
import urllib2
|
||||
import urlparse
|
||||
|
||||
from ConfigParser import ConfigParser
|
||||
|
||||
from lib.core.common import parseTargetUrl
|
||||
from lib.core.common import paths
|
||||
from lib.core.common import randomRange
|
||||
|
@ -657,6 +659,7 @@ def __saveCmdline():
|
|||
debugMsg = "saving command line options on a sqlmap configuration INI file"
|
||||
logger.debug(debugMsg)
|
||||
|
||||
config = ConfigParser()
|
||||
userOpts = {}
|
||||
|
||||
for family in optDict.keys():
|
||||
|
@ -667,10 +670,8 @@ def __saveCmdline():
|
|||
if option in optionData:
|
||||
userOpts[family].append((option, value, optionData[option]))
|
||||
|
||||
confFP = open(paths.SQLMAP_CONFIG, "w")
|
||||
|
||||
for family, optionData in userOpts.items():
|
||||
confFP.write("[%s]\n" % family)
|
||||
config.add_section(family)
|
||||
|
||||
optionData.sort()
|
||||
|
||||
|
@ -691,12 +692,10 @@ def __saveCmdline():
|
|||
if isinstance(value, str):
|
||||
value = value.replace("\n", "\n ")
|
||||
|
||||
confFP.write("%s = %s\n" % (option, value))
|
||||
config.set(family, option, value)
|
||||
|
||||
confFP.write("\n")
|
||||
|
||||
confFP.flush()
|
||||
confFP.close()
|
||||
confFP = open(paths.SQLMAP_CONFIG, "wb")
|
||||
config.write(confFP)
|
||||
|
||||
infoMsg = "saved command line options on '%s' configuration file" % paths.SQLMAP_CONFIG
|
||||
logger.info(infoMsg)
|
||||
|
|
Loading…
Reference in New Issue
Block a user