Minor improvement to use Python ConfigParser library when --save if specified.

Minor update to the user's manual
2024-11-25 11:03:47 +03:00 · 2009-01-03 22:59:22 +00:00 · 2009-01-03 22:59:22 +00:00 · 9c125a2b57
commit 9c125a2b57
parent 6ff8feb5cf
4 changed files with 28 additions and 25 deletions
--- a/doc/README.html
+++ b/doc/README.html
@ -215,19 +215,14 @@ This SQL injection technique is an alternative to the first one.</LI>
 statements support</B>: sqlmap tests if the web application supports
 stacked queries then, in case it does support, it appends to the affected
 parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
-SQL statement to be executed. This technique is useful if to run SQL
+SQL statement to be executed. This technique is useful to run SQL
 statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
 definition</EM> or <EM>data manipulation</EM> statements possibly leading
 to file system read and write access and operating system command
-execution depending on the underlying back-end database management system.</LI>
+execution depending on the underlying back-end database management system
+and the session user privileges.</LI>
 </UL>
 </P>
-<P>It is strongly recommended to run at least once sqlmap with the
-<CODE>--union-test</CODE> option to test if the affected parameter is used
-within a <CODE>for</CODE> cycle, or similar, and in case use
-<CODE>--union-use</CODE> option to exploit this vulnerability because it
-saves a lot of time and it does not weight down the web server log file
-with hundreds of HTTP requests.</P>


 <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
@ -2008,6 +2003,13 @@ affected by an inband SQL injection.
 In case this vulnerability is exploitable it is strongly recommended to
 use this technique which saves a lot of time.</P>

+<P>It is strongly recommended to run at least once sqlmap with the
+<CODE>--union-test</CODE> option to test if the affected parameter is used
+within a <CODE>for</CODE> cycle, or similar, and in case use
+<CODE>--union-use</CODE> option to exploit this vulnerability because it
+saves a lot of time and it does not weight down the web server log file
+with hundreds of HTTP requests.</P>
+

 <H3>Use the UNION query SQL injection</H3>

--- a/doc/README.pdf
+++ b/doc/README.pdf
--- a/doc/README.sgml
+++ b/doc/README.sgml
@ -172,20 +172,14 @@ This SQL injection technique is an alternative to the first one.
 statements support</bf>: sqlmap tests if the web application supports
 stacked queries then, in case it does support, it appends to the affected
 parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
-SQL statement to be executed. This technique is useful if to run SQL
+SQL statement to be executed. This technique is useful to run SQL
 statements other than <tt>SELECT</tt> like, for instance, <em>data
 definition</em> or <em>data manipulation</em> statements possibly leading
 to file system read and write access and operating system command
-execution depending on the underlying back-end database management system.
+execution depending on the underlying back-end database management system
+and the session user privileges.
 </itemize>

-It is strongly recommended to run at least once sqlmap with the
-<tt>--union-test</tt> option to test if the affected parameter is used
-within a <tt>for</tt> cycle, or similar, and in case use
-<tt>--union-use</tt> option to exploit this vulnerability because it
-saves a lot of time and it does not weight down the web server log file
-with hundreds of HTTP requests.
-

 <sect>Features

@ -1939,6 +1933,14 @@ affected by an inband SQL injection.
 In case this vulnerability is exploitable it is strongly recommended to
 use this technique which saves a lot of time.

+<p>
+It is strongly recommended to run at least once sqlmap with the
+<tt>--union-test</tt> option to test if the affected parameter is used
+within a <tt>for</tt> cycle, or similar, and in case use
+<tt>--union-use</tt> option to exploit this vulnerability because it
+saves a lot of time and it does not weight down the web server log file
+with hundreds of HTTP requests.
+

 <sect2>Use the UNION query SQL injection

--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -34,6 +34,8 @@ import time
 import urllib2
 import urlparse

+from ConfigParser import ConfigParser
+
 from lib.core.common import parseTargetUrl
 from lib.core.common import paths
 from lib.core.common import randomRange
@ -657,6 +659,7 @@ def __saveCmdline():
    debugMsg = "saving command line options on a sqlmap configuration INI file"
    logger.debug(debugMsg)

+    config   = ConfigParser()
    userOpts = {}

    for family in optDict.keys():
@ -667,10 +670,8 @@ def __saveCmdline():
            if option in optionData:
                userOpts[family].append((option, value, optionData[option]))

-    confFP = open(paths.SQLMAP_CONFIG, "w")
-
    for family, optionData in userOpts.items():
-        confFP.write("[%s]\n" % family)
+        config.add_section(family)

        optionData.sort()

@ -691,12 +692,10 @@ def __saveCmdline():
            if isinstance(value, str):
                value = value.replace("\n", "\n ")

-            confFP.write("%s = %s\n" % (option, value))
+            config.set(family, option, value)

-        confFP.write("\n")
-
-    confFP.flush()
-    confFP.close()
+    confFP = open(paths.SQLMAP_CONFIG, "wb")
+    config.write(confFP)

    infoMsg = "saved command line options on '%s' configuration file" % paths.SQLMAP_CONFIG
    logger.info(infoMsg)