diff --git a/doc/README.sgml b/doc/README.sgml index 27d7812db..37bc66363 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -753,7 +753,7 @@ target urls from. Target URL

-Option: -u or --url +Option: -u or --url

To run sqlmap on a single target URL. @@ -920,7 +920,7 @@ These options can be used to specify how to connect to the target url. HTTP method: GET or POST

-Options: --method and --data +Options: --method and --data

By default the HTTP method used to perform HTTP requests is GET, @@ -963,7 +963,7 @@ back-end DBMS: Oracle HTTP Cookie header

-Option: --cookie +Option: --cookie

This feature can be useful in two scenarios: @@ -1077,7 +1077,7 @@ values that you provided? [Y/n] HTTP Referer header

-Option: --referer +Option: --referer

It is possible to fake the HTTP Referer header value with this @@ -1110,7 +1110,7 @@ Connection: close HTTP User-Agent header

-Options: --user-agent and -a +Options: --user-agent and -a

By default sqlmap perform HTTP requests providing the following HTTP @@ -1121,7 +1121,7 @@ sqlmap/0.7 (http://sqlmap.sourceforge.net)

-It is possible to fake it with the --user-agent option. +It is possible to fake it with the --user-agent option.

Example on an Oracle XE 10.2.0.1 target: @@ -1200,10 +1200,10 @@ to force the HTTP User-Agent header with option --user-agent or -a Extra HTTP headers

-Option: --headers +Option: --headers

-It is possible to provide extra HTTP headers by providing --headers +It is possible to provide extra HTTP headers by providing --headers options. Each header must be separated by a newline and it's much easier to provide them from the configuration INI file. Have a look at the sample sqlmap.conf file. @@ -1212,7 +1212,7 @@ to provide them from the configuration INI file. Have a look at the sample HTTP Basic and Digest authentications

-Options: --auth-type and --auth-cred +Options: --auth-type and --auth-cred

These options can be used to specify which HTTP authentication type the @@ -1268,7 +1268,7 @@ Connection: close HTTP proxy

-Option: --proxy +Option: --proxy

It is possible to provide an anonymous HTTP proxy address to pass by the @@ -1309,7 +1309,7 @@ settings. Concurrent HTTP requests

-Option: --threads +Option: --threads

It is possible to specify the number of maximum concurrent HTTP requests @@ -1350,14 +1350,14 @@ with the blind SQL injection bisection algorithm implemented in sqlmap.

Note that the multithreading option is not needed if the target is affected -by an inband SQL injection vulnerability and the --union-use +by an inband SQL injection vulnerability and the --union-use option has been provided. Delay in seconds between each HTTP request

-Option: --delay +Option: --delay

It is possible to specify a number of seconds to wait between each HTTP @@ -1367,7 +1367,7 @@ request. The valid value is a float, for instance 0.5 means half a second. Seconds to wait before timeout connection

-Option: --timeout +Option: --timeout

It is possible to specify a number of seconds to wait before considering @@ -1378,7 +1378,7 @@ the HTTP request timed out. The valid value is a float, for instance Maximum number of retries when the HTTP connection timeouts

-Option: --retries +Option: --retries

It is possible to specify the maximum number of retries when the HTTP @@ -1479,7 +1479,7 @@ back-end DBMS: MySQL >= 5.0.0 Force the database management system name

-Option: --dbms +Option: --dbms

By default sqlmap automatically detects the web application's back-end @@ -1517,7 +1517,7 @@ back-end DBMS: PostgreSQL

-In case you provide --fingerprint together with --dbms, +In case you provide --fingerprint together with --dbms, sqlmap will only perform the extensive fingerprint for the specified database management system, read below for further details. @@ -1531,7 +1531,7 @@ automatically identify it for you. Force the database management system operating system name

-Option: --os +Option: --os

By default sqlmap automatically detects the web application's back-end @@ -1558,7 +1558,7 @@ not know it, let sqlmap automatically identify it for you. Custom injection payload

-Options: --prefix and --postfix +Options: --prefix and --postfix

In some circumstances the vulnerable parameter is exploitable only if the @@ -1622,7 +1622,7 @@ the real world application it is necessary to provide it. Page comparison

-Options: --string and --regexp +Options: --string and --regexp

By default the distinction of a True query by a False one (basic concept @@ -1805,7 +1805,7 @@ user's input. Exclude specific page content

-Options: --excl-str and --excl-reg +Options: --excl-str and --excl-reg

Another way to get around the dynamicity issue explained above is to exclude @@ -1847,7 +1847,7 @@ stability test. Test for stacked queries (multiple statements) support

-Option: --stacked-test +Option: --stacked-test

It is possible to test if the web application technology supports @@ -1911,7 +1911,7 @@ stacked queries support: 'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'wRcBC'= Test for time based blind SQL injection

-Options: --time-test and --time-sec +Options: --time-test and --time-sec

It is possible to test if the target URL is affected by a time based @@ -1979,14 +1979,14 @@ time based blind sql injection payload: 'name=luther'; WAITFOR DELAY '0:0:5';

It is also possible to set the seconds to delay the response by providing -the --time-sec option followed by an integer. By default delay +the --time-sec option followed by an integer. By default delay is set to five seconds. Test for UNION query SQL injection

-Options: --union-test and --union-tech +Options: --union-test and --union-tech

It is possible to test if the target URL is affected by a UNION query @@ -2015,7 +2015,7 @@ NULL, NULL, NULL FROM DUAL-- AND 6558=6558' By default sqlmap uses the NULL bruteforcing technique to detect the number of columns within the original SELECT statement. It is also possible to change it to ORDER BY clause -bruteforcing with the --union-tech option. +bruteforcing with the --union-tech option.

Further details on these techniques can be found It is strongly recommended to run at least once sqlmap with the ---union-test option to test if the affected parameter is used +--union-test option to test if the affected parameter is used within a for cycle, or similar, and in case use ---union-use option to exploit this vulnerability because it +--union-use option to exploit this vulnerability because it saves a lot of time and it does not weight down the web server log file with hundreds of HTTP requests. @@ -2056,12 +2056,12 @@ with hundreds of HTTP requests. Use the UNION query SQL injection

-Option: --union-use +Option: --union-use

-Providing the --union-use parameter, sqlmap will first test if +Providing the --union-use parameter, sqlmap will first test if the target URL is affected by an inband SQL injection -(--union-test) vulnerability then, in case it seems to be +(--union-test) vulnerability then, in case it seems to be vulnerable, it will confirm that the parameter is affected by a Full UNION query SQL injection and use this technique to go ahead with the exploiting. @@ -2228,7 +2228,7 @@ the page content. Extensive database management system fingerprint

-Options: -f or --fingerprint +Options: -f or --fingerprint

By default the web application's back-end database management system @@ -2268,7 +2268,7 @@ system and the web application technology by parsing some HTTP response headers.

If you want to perform an extensive database management system fingerprint based on various techniques like specific SQL dialects and inband error -messages, you can provide the --fingerprint option. +messages, you can provide the --fingerprint option.

Example on a MySQL 5.0.67 target: @@ -2347,7 +2347,7 @@ back-end DBMS: active fingerprint: PostgreSQL >= 8.3.0

As you can see from the last example, sqlmap first tested for MySQL, then for Oracle, then for PostgreSQL since the user did not forced the -back-end database management system name with option --dbms. +back-end database management system name with option --dbms.

Example on a Microsoft SQL Server 2000 Service Pack 0 target: @@ -2385,7 +2385,7 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2005

If you want an even more accurate result, based also on banner parsing, -you can also provide the -b or --banner option. +you can also provide the -b or --banner option.

Example on a MySQL 5.0.67 target: @@ -2498,7 +2498,7 @@ name="SQLSecurity.com site"> and outputs it to the XML versions file. Banner

-Option: -b or --banner +Option: -b or --banner

Most of the modern database management systems have a function and/or @@ -2570,7 +2570,7 @@ Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Current user

-Option: --current-user +Option: --current-user

It is possible to retrieve the database management system's user which is @@ -2589,7 +2589,7 @@ current user: 'testuser@localhost' Current database

-Option: --current-db +Option: --current-db

It is possible to retrieve the database management system's database the @@ -2608,7 +2608,7 @@ current database: 'master' Detect if the DBMS current user is a database administrator

-Option: --is-dba +Option: --is-dba

It is possible to detect if the current database management system session user is @@ -2653,7 +2653,7 @@ current user is DBA: 'True' Users

-Option: --users +Option: --users

It is possible to enumerate the list of database management system users. @@ -2674,7 +2674,7 @@ database management system users [3]: Users password hashes

-Options: --passwords and -U +Options: --passwords and -U

It is possible to enumerate the password hashes for each database @@ -2759,7 +2759,7 @@ database management system users password hashes: Users privileges

-Options: --privileges and -U +Options: --privileges and -U

It is possible to enumerate the privileges for each database management @@ -2910,7 +2910,7 @@ management system is Microsoft SQL Server. Available databases

-Option: --dbs +Option: --dbs

It is possible to enumerate the list of databases. @@ -2937,7 +2937,7 @@ management system is Oracle. Databases tables

-Options: --tables and -D +Options: --tables and -D

It is possible to enumerate the list of tables for all database @@ -3049,7 +3049,7 @@ system user. Database table columns

-Options: --columns, -T and -D +Options: --columns, -T and -D

It is possible to enumerate the list of columns for a specific database @@ -3175,8 +3175,8 @@ Table: users Dump database table entries

-Options: --dump, -C, -T, -D, ---start and --stop +Options: --dump, -C, -T, -D, +--start and --stop

It is possible to dump the entries for a specific database table. @@ -3287,12 +3287,12 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv

-You can also provide the --start and/or the --stop +You can also provide the --start and/or the --stop options to limit the dump to a range of entries. ---start specifies the first entry to enumerate ---stop specifies the last entry to enumerate +--start specifies the first entry to enumerate +--stop specifies the last entry to enumerate

@@ -3323,7 +3323,7 @@ table entry. Dump all databases tables entries

-Options: --dump-all and --exclude-sysdbs +Options: --dump-all and --exclude-sysdbs

It is possible to dump all databases tables entries at once. @@ -3394,7 +3394,7 @@ Table: CHARACTER_SETS

-You can also provide the --exclude-sysdbs option to exclude all +You can also provide the --exclude-sysdbs option to exclude all system databases. In that case sqlmap will only dump entries of users' databases tables. @@ -3450,7 +3450,7 @@ as a users' database. Run your own SQL statement

-Options: --sql-query and --sql-shell +Options: --sql-query and --sql-shell

The SQL query and the SQL shell features makes the user able to run @@ -3835,7 +3835,7 @@ support when the back-end DBMS is PostgreSQL. Read a file from the back-end DBMS file system

-Option: --read-file +Option: --read-file

It is possible to retrieve the content of files from the underlying file @@ -3958,7 +3958,7 @@ output/192.168.1.121/files/C__example.exe: PE32 executable for MS Windows (GUI) Write a local file on the back-end DBMS file system

-Options: --write-file and --dest-file +Options: --write-file and --dest-file

It is possible to upload a local file to the underlying file system when @@ -4012,7 +4012,7 @@ same size as the local file '/tmp/nc.exe.packed' Execute arbitrary operating system command

-Options: --os-cmd and --os-shell +Options: --os-cmd and --os-shell

It is possible to execute arbitrary commands on the underlying operating @@ -4044,7 +4044,7 @@ These techniques are detailed in white paper

It is possible to specify a single command to be executed with the ---os-cmd option. +--os-cmd option.

Example on a PostgreSQL 8.3.5 target: @@ -4119,9 +4119,9 @@ nt authority\network service

It is also possible to simulate a real shell where you can type as many -arbitrary commands as you wish. The option is --os-shell and has +arbitrary commands as you wish. The option is --os-shell and has the same TAB completion and history functionalities as provided by ---sql-shell. +--sql-shell.

Example on a MySQL 5.0.67 target: @@ -4237,7 +4237,7 @@ can only be deleted manually

-Now run it again, but specifying the --union-use to retrieve the +Now run it again, but specifying the --union-use to retrieve the command standard output quicker, via UNION based SQL injection, when the parameter is affected also by inband SQL injection vulnerability: @@ -4346,7 +4346,7 @@ wants to recreate them or keep them and save time. Prompt for an out-of-band shell, meterpreter or VNC

-Options: --os-pwn, --priv-esc, --msf-path and --tmp-path +Options: --os-pwn, --priv-esc, --msf-path and --tmp-path

It is possible to establish an out-of-band TCP stateful channel @@ -4471,7 +4471,7 @@ Microsoft SQL Server 2000 by default runs as SYSTEM, whereas Microsoft SQL Server 2005 and 2008 run most of the times as NETWORK SERVICE and sometimes as LOCAL SERVICE. -It is possible to provide sqlmap with the --priv-esc option to +It is possible to provide sqlmap with the --priv-esc option to abuse Windows access tokens and escalate privileges to SYSTEM within the Meterpreter session created if the underlying operating system is not patched against Microsoft Security Bulletin @@ -4597,7 +4597,7 @@ meterpreter > exit One click prompt for an out-of-band shell, meterpreter or VNC

-Options: --os-smbrelay, --priv-esc and --msf-path +Options: --os-smbrelay, --priv-esc and --msf-path

If the back-end database management system runs as Administrator @@ -4756,7 +4756,7 @@ msf exploit(smb_relay) > exit Stored procedure buffer overflow exploitation

-Options: --os-bof, --priv-esc and --msf-path +Options: --os-bof, --priv-esc and --msf-path

If the back-end database management system is not patched against Microsoft @@ -4863,7 +4863,7 @@ meterpreter > exit Estimated time of arrival

-Option: --eta +Option: --eta

It is possible to calculate and show the estimated time of arrival to @@ -4947,14 +4947,14 @@ counts the number of retrieved query output characters. Update sqlmap to the latest stable version

-Option: --update +Option: --update

It is possible to update sqlmap to the latest stable version available on project's by running it with the ---update option. +--update option. $ python sqlmap.py --update -v 4 @@ -5122,7 +5122,7 @@ banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real Save options on a configuration INI file

-Option: --save +Option: --save

It is possible to save the command line options to a configuration INI @@ -5255,11 +5255,11 @@ banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real Act in non-interactive mode

-Option: --batch +Option: --batch

If you want sqlmap to run as a batch tool, without any users interaction -when a choice has to be done, you can force it by using --batch +when a choice has to be done, you can force it by using --batch option, and leave sqlmap to go for a default behaviour.

@@ -5304,7 +5304,7 @@ to the first vulnerable parameter. Clean up the DBMS by sqlmap specific UDF and tables

-Option: --cleanup +Option: --cleanup

It is recommended to clean up the back-end database management system from
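Review bot: the @@ -753 hunk shows a removed and an added line that read identically here ("-Option: -u or --url" / "+Option: -u or --url"), and the same holds for every other hunk in this patch, so the actual change must be in SGML markup that this rendering strips. No commit message is shown; one that names the element being swapped (and why) would let a reviewer confirm the substitution is applied consistently across all of these hunks rather than eyeballing each pair.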
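Review bot: in the @@ -1110 hunk the context line "By default sqlmap perform HTTP requests providing the following HTTP" has a subject-verb agreement error; since the patch already touches this paragraph, change it to "By default sqlmap performs HTTP requests providing the following HTTP".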
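Review bot: the @@ -1378 hunk's section heading "Maximum number of retries when the HTTP connection timeouts" uses "timeouts" as a verb; it should read "Maximum number of retries when the HTTP connection times out". The body line "It is possible to specify the maximum number of retries when the HTTP" is fine as is.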
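Review bot: the @@ -2015 hunk leaves the sentence "it does not weight down the web server log file with hundreds of HTTP requests" untouched; "weight down" should be "weigh down". The point itself, that a UNION based inband exploit needs far fewer requests than blind bisection, is worth keeping since it is the main reason to run --union-test first.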
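Review bot: the @@ -2347 hunk's context line "since the user did not forced the back-end database management system name with option --dbms" should read "did not force"; the hunk already rewrites the --dbms reference on that line, so the fix belongs here.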
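Review bot: the @@ -3450 hunk keeps "The SQL query and the SQL shell features makes the user able to run"; the plural subject needs "make", for example "The SQL query and the SQL shell features let the user run".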
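Review bot: in the @@ -4947 hunk the changed sentence reads "It is possible to update sqlmap to the latest stable version available on project's by running it with the --update option", which is missing the noun after "project's" (presumably a link element that does not survive this rendering). Check the SGML source so that the reference still renders after the markup change, otherwise the published README will carry the same dangling "project's".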
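Review bot: the @@ -5255 hunk's context line "without any users interaction when a choice has to be done" should read "without any user interaction when a choice has to be made"; the hunk already edits the --batch reference on that line.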