Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.

extra/msfauxmod/README.txt

@@ -2,10 +2,9 @@ To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
 the example below.
 
 Note that if you are willing to run Metasploit's sqlmap auxiliary module on
-Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to
+through WMAP framework you first need to install sqlmap on your system or
-your <msf3 root path>/modules/auxiliary/scanner/http/ folder then launch
+add its file system path to the PATH environment variable.
-msfconsole because this module has been officially integrated in Metasploit
+
-from the release 3.2.
 
 $ ./msfconsole
 

lib/controller/checks.py

@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 
 
+import re
 import time
 
 from lib.controller.action import action
@@ -35,6 +36,7 @@ from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.exception import sqlmapConnectionException
 from lib.core.session import setString
+from lib.core.session import setRegexp
 from lib.request.connect import Connect as Request
 
 
@@ -337,6 +339,38 @@ def checkString():
         return False
 
 
+def checkRegexp():
+    if not conf.regexp:
+        return True
+
+    condition = (
+                  kb.resumedQueries.has_key(conf.url) and
+                  kb.resumedQueries[conf.url].has_key("Regular expression") and
+                  kb.resumedQueries[conf.url]["Regular expression"][:-1] == conf.regexp
+                )
+
+    if condition:
+        return True
+
+    infoMsg  = "testing if the provided regular expression matches within "
+    infoMsg += "the target URL page content"
+    logger.info(infoMsg)
+
+    page = Request.queryPage(content=True)
+
+    if re.search(conf.regexp, page, re.I | re.M):
+        setRegexp()
+        return True
+    else:
+        errMsg  = "you provided '%s' as the regular expression to " % conf.regexp
+        errMsg += "match, but such a regular expression does not have any "
+        errMsg += "match within the target URL page content, please provide "
+        errMsg += "another regular expression."
+        logger.error(errMsg)
+
+        return False
+
+
 def checkConnection():
     infoMsg = "testing connection to the target url"
     logger.info(infoMsg)

lib/controller/controller.py

@@ -29,6 +29,7 @@ from lib.controller.checks import checkSqlInjection
 from lib.controller.checks import checkDynParam
 from lib.controller.checks import checkStability
 from lib.controller.checks import checkString
+from lib.controller.checks import checkRegexp
 from lib.controller.checks import checkConnection
 from lib.core.common import paramToDict
 from lib.core.common import readInput
@@ -117,7 +118,7 @@ def start():
 
         if conf.multipleTargets:
             hostCount += 1
-            message = "url %d:\n%s %s" % (hostCount, conf.method, targetUrl)
+            message = "url %d:\n%s %s" % (hostCount, conf.method or "GET", targetUrl)
 
             if conf.cookie:
                 message += "\nCookie: %s" % conf.cookie
@@ -140,7 +141,7 @@ def start():
 
         initTargetEnv()
 
-        if not checkConnection() or not checkString():
+        if not checkConnection() or not checkString() or not checkRegexp():
             continue
 
         for _, cookie in enumerate(conf.cj):
@@ -173,14 +174,14 @@ def start():
                     __testableParameters = True
 
         if not kb.injPlace or not kb.injParameter or not kb.injType:
-            if not conf.string:
+            if not conf.string and not conf.regexp and not conf.eRegexp:
                 if checkStability():
                     logMsg = "url is stable"
                     logger.info(logMsg)
                 else:
-                    errMsg  = "url is not stable, try with --string option, refer "
+                    errMsg  = "url is not stable, try with --string or "
-                    errMsg += "to the user's manual paragraph 'String match' "
+                    errMsg += "--regexp options, refer to the user's manual "
-                    errMsg += "for details"
+                    errMsg += "paragraph 'Page comparison' for details"
 
                     if conf.multipleTargets:
                         errMsg += ", skipping to next url"
@@ -214,7 +215,6 @@ def start():
 
                             if injType:
                                 injData.append((place, parameter, injType))
-                                kb.parenthesis = parenthesis
 
                                 break
                             else:

lib/core/session.py

@@ -48,6 +48,20 @@ def setString():
         dataToSessionFile("[%s][None][None][String][%s]\n" % (conf.url, conf.string))
 
 
+def setRegexp():
+    """
+    Save regular expression to match in session file.
+    """
+
+    condition = (
+                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                  not kb.resumedQueries[conf.url].has_key("Regular expression") )
+                )
+
+    if condition:
+        dataToSessionFile("[%s][None][None][Regular expression][%s]\n" % (conf.url, conf.regexp))
+
+
 def setInjection():
     """
     Save information retrieved about injection place and parameter in the
@@ -178,6 +192,28 @@ def resumeConfKb(expression, url, value):
             if not test or test[0] in ("y", "Y"):
                 conf.string = string
 
+    elif expression == "Regular expression" and url == conf.url:
+        regexp = value[:-1]
+
+        logMsg  = "resuming regular expression match '%s' from session file" % regexp
+        logger.info(logMsg)
+
+        if regexp and ( not conf.regexp or regexp != conf.regexp ):
+            if not conf.regexp:
+                message  = "you did not provide any regular expression "
+                message += "to match. "
+            else:
+                message  = "The regular expression you provided does not "
+                message += "match the resumed regular expression. "
+
+            message += "Do you want to use the resumed regular expression "
+            message += "to be matched in page when the query "
+            message += "is valid? [Y/n] "
+            test = readInput(message, default="Y")
+
+            if not test or test[0] in ("y", "Y"):
+                conf.regexp = regexp
+
     elif expression == "Injection point" and url == conf.url:
         injPlace = value[:-1]
 

lib/core/settings.py

@@ -30,7 +30,7 @@ import sys
 
 
 # sqlmap version and site
-VERSION            = "0.6.3-rc5"
+VERSION            = "0.6.3"
 VERSION_STRING     = "sqlmap/%s" % VERSION
 SITE               = "http://sqlmap.sourceforge.net"
 

lib/parse/cmdline.py

@@ -24,6 +24,8 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 
 
+import sys
+
 from optparse import OptionError
 from optparse import OptionGroup
 from optparse import OptionParser
@@ -37,7 +39,7 @@ def cmdLineParser():
     This function parses the command line parameters and arguments
     """
 
-    usage = "sqlmap.py [options]"
+    usage = "%s [options]" % sys.argv[0]
     parser = OptionParser(usage=usage, version=VERSION_STRING)
 
     try:
@@ -108,7 +110,12 @@ def cmdLineParser():
 
 
         # Injection options
-        injection = OptionGroup(parser, "Injection")
+        injection = OptionGroup(parser, "Injection", "These options can be "
+                                "used to specify which parameters to test "
+                                "for, provide custom injection payloads and "
+                                "how to parse and compare HTTP responses "
+                                "page content when using the blind SQL "
+                                "injection technique.")
 
         injection.add_option("-p", dest="testParameter",
                              help="Testable parameter(s)")

lib/utils/parenthesis.py

@@ -46,7 +46,11 @@ def checkForParenthesis():
 
     count = 0
 
+    if kb.parenthesis != None:
+        return
+
     if conf.prefix or conf.postfix:
+        kb.parenthesis = 0
         return
 
     for parenthesis in range(1, 4):

sqlmap.conf

@@ -3,8 +3,8 @@
 # Target URL.
 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
 # PHP and MySQL (local)
-url = http://127.0.0.1/sqlmap/mysql/get_str.php?id=1
+#url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
+url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1
 # PHP and Oracle (local)
 #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1
 # PHP and PostgreSQL (local)

xml/banner/postgresql.xml

@@ -7,6 +7,10 @@
 
     <!-- Ubuntu -->
     <regexp value="PostgreSQL\s+(8\.2\.7)\s+on\s+.*?\s+\(Ubuntu 4\.2\.3-2ubuntu4\)">
-        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid"/>
+        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.04" codename="Hardy Heron"/>
+    </regexp>
+
+    <regexp value="PostgreSQL\s+(8\.3\.5)\s+on\s+.*?\s+\(Ubuntu 4\.3\.2-1ubuntu11\)">
+        <info dbms_version="1" type="Linux" distrib="Ubuntu" release="8.10" codename="Intrepid Ibex"/>
     </regexp>
 </root>