updates, added #TODO marks for parts which have to be updated

This commit is contained in:
Miroslav Stampar 2010-03-02 12:07:54 +00:00
parent 2f452480b3
commit ddd8b277a6


@ -3,8 +3,8 @@
<article>
<title>sqlmap user's manual
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
<date>version 0.7, July 25, 2009
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">, <htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar">
<date>version 0.8, March 01, 2010
<abstract>
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
@ -354,24 +354,24 @@ sqlmap can be downloaded from its
It is available in various formats:
<itemize>
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.gz"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.tar.gz"
name="Source gzip compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.bz2"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.tar.bz2"
name="Source bzip2 compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.zip"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.zip"
name="Source zip compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.7-1_all.deb"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.8-1_all.deb"
name="DEB binary package"> architecture independent for Debian and any
other Debian derivated GNU/Linux distribution.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.7-1.noarch.rpm"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.8-1.noarch.rpm"
name="RPM binary package"> architecture independent for Fedora and any
other operating system that can install RPM packages.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.7_exe.zip"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.8_exe.zip"
name="Portable executable for Windows"> that <bf>does not require the Python
interpreter</bf> to be installed on the operating system.
</itemize>
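Review bot: the six download links are plain-http URLs with nothing beside them a user could verify the package against; since the Authors section on this same page publishes PGP key IDs for both developers, list a detached `.asc` signature (or at least a SHA-256 sum) next to each of `sqlmap-0.8.tar.gz`, `.tar.bz2`, `.zip`, the `.deb`, the `.rpm` and `sqlmap-0.8_exe.zip`, so a reader can check what they downloaded before running it.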
@ -403,8 +403,8 @@ sqlmap is copyrighted by
<tscreen><verb>
$ python sqlmap.py -h
sqlmap/0.7
by Bernardo Damele A. G. <bernardo.damele@gmail.com>
sqlmap/0.8 - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net
Usage: sqlmap.py [options]
@ -418,7 +418,8 @@ Options:
get target urls from.
-u URL, --url=URL Target url
-l LIST Parse targets from Burp or WebScarab logs
-l LIST Parse targets from Burp or WebScarab proxy logs
-r REQUESTFILE Load HTTP request from a file
-g GOOGLEDORK Process Google dork results as target urls
-c CONFIGFILE Load options from a configuration INI file
@ -428,17 +429,22 @@ Options:
--method=METHOD HTTP method, GET or POST (default GET)
--data=DATA Data string to be sent through POST
--cookie=COOKIE HTTP Cookie header
--referer=REFERER HTTP Referer header
--cookie-urlencode URL-encode generated cookie injections
--drop-set-cookie Ignore Set-Cookie header from response
--user-agent=AGENT HTTP User-Agent header
-a USERAGENTSFILE Load a random HTTP User-Agent header from file
--referer=REFERER HTTP Referer header
--headers=HEADERS Extra HTTP headers newline separated
--auth-type=ATYPE HTTP Authentication type (value Basic or Digest)
--auth-cred=ACRED HTTP Authentication credentials (value name:password)
--auth-type=ATYPE HTTP Authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED HTTP Authentication credentials (name:password)
--auth-cert=ACERT HTTPs Authentication certificate (key_file,cert_file)
--proxy=PROXY Use a HTTP proxy to connect to the target url
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
--delay=DELAY Delay in seconds between each HTTP request
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
--retries=RETRIES Retries when the connection timeouts (default 3)
--scope=SCOPE Regexp to filter targets from provided proxy log
--ignore-proxy Ignore system default HTTP proxy
Injection:
These options can be used to specify which parameters to test for,
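Review bot: `HTTPs` in the new `--auth-cert=ACERT HTTPs Authentication certificate (key_file,cert_file)` line should be `HTTPS`, and the description should say what the two paths are (for example PEM-encoded private key and client certificate) rather than only naming them. Also, `--scope=SCOPE Regexp to filter targets from provided proxy log` only means something together with `-l LIST Parse targets from Burp or WebScarab proxy logs`, which lives in the Target section; either move it next to `-l` or mention `-l` in its description so the pairing is visible in `-h` output.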
@ -495,9 +501,17 @@ Options:
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First query output entry to retrieve
--stop=LIMITSTOP Last query output entry to retrieve
--first=FIRSTCHAR First query output word character to retrieve
--last=LASTCHAR Last query output word character to retrieve
--sql-query=QUERY SQL statement to be executed
--sql-shell Prompt for an interactive SQL shell
User-defined function injection:
These options can be used to create custom user-defined functions.
--udf-inject Inject custom user-defined functions
--shared-lib=SHLIB Local path of the shared library
File system access:
These options can be used to access the back-end database management
system underlying file system.
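Review bot: `First query output word character to retrieve` / `Last query output word character to retrieve` is hard to parse; suggest `First character of each query output entry to retrieve` and the same form for `--last`. The `--shared-lib=SHLIB Local path of the shared library` line should also say which shared library is meant (the one uploaded by `--udf-inject`), otherwise a reader of the help output cannot tell that the two options in this new group are a pair.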
@ -519,10 +533,23 @@ Options:
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
Windows registry access:
This option can be used to access the back-end database management
system Windows registry.
--reg-read Read a Windows registry key value
--reg-add Write a Windows registry key value data
--reg-del Delete a Windows registry key value
--reg-key=REGKEY Windows registry key
--reg-value=REGVAL Windows registry key value
--reg-data=REGDATA Windows registry key value data
--reg-type=REGTYPE Windows registry key value type
Miscellaneous:
--eta Display for each output the estimated time of arrival
--update Update sqlmap to the latest stable version
-s SESSIONFILE Save and resume all data retrieved on a session file
--eta Display for each output the estimated time of arrival
--gpage=GOOGLEPAGE Use google dork results from specified page number
--update Update Microsoft SQL Server XML signature file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
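Review bot: `This option can be used to access the back-end database management system Windows registry.` introduces seven options (`--reg-read` through `--reg-type`), so it should read `These options can be used ...`, matching the wording of the other groups. The `--reg-type=REGTYPE Windows registry key value type` line would also benefit from listing the accepted types, as the help text does elsewhere for `--auth-type`.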
@ -622,7 +649,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:55] [INFO] testing MySQL
@ -635,7 +662,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
@ -655,7 +682,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:44] [TRAFFIC IN] HTTP response (OK - 200):
@ -676,7 +703,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
@ -696,7 +723,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:17] [TRAFFIC IN] HTTP response (OK - 200):
@ -724,7 +751,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:18] [TRAFFIC IN] HTTP response (OK - 200):
@ -837,6 +864,13 @@ back-end DBMS: MySQL >= 5.0.0
</verb></tscreen>
<sect2>Load HTTP request from a file
<p>
Option: <tt>-r</tt>
#TODO
<sect2>Process Google dork results as target urls
<p>
@ -1034,7 +1068,7 @@ Host: 192.168.1.125:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Cookie: ASPSESSIONIDSABTRCAS=HPCBGONANJBGFJFHGOKDMCGJ
Connection: close
@ -1050,7 +1084,7 @@ Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
Cookie: ASPSESSIONIDSABTRCAS=469
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:40] [WARNING] Cookie parameter 'ASPSESSIONIDSABTRCAS' is not dynamic
@ -1074,37 +1108,18 @@ values that you provided? [Y/n]
</verb></tscreen>
<sect2>HTTP <tt>Referer</tt> header
<sect2>URL-encode generated cookie injections
<p>
Option: <tt>-</tt><tt>-referer</tt>
Option: <tt>-</tt><tt>-cookie-urlencode</tt>
#TODO
<sect2>Ignore <tt>Set-Cookie</tt> header from response
<p>
It is possible to fake the HTTP <tt>Referer</tt> header value with this
option. By default no HTTP <tt>Referer</tt> header is sent in HTTP
requests.
<p>
Example on a <bf>PostgreSQL 8.3.5</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --referer \
"http://www.google.com" -v 3
[...]
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Referer: http://www.google.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
Option: <tt>-</tt><tt>-drop-set-cookie</tt>
#TODO
<sect2>HTTP <tt>User-Agent</tt> header
@ -1117,7 +1132,7 @@ By default sqlmap perform HTTP requests providing the following HTTP
<tt>User-Agent</tt> header value:
<tscreen><verb>
sqlmap/0.7 (http://sqlmap.sourceforge.net)
sqlmap/0.8 (http://sqlmap.sourceforge.net)
</verb></tscreen>
<p>
@ -1197,6 +1212,39 @@ to force the HTTP User-Agent header with option --user-agent or -a
</verb></tscreen>
<sect2>HTTP <tt>Referer</tt> header
<p>
Option: <tt>-</tt><tt>-referer</tt>
<p>
It is possible to fake the HTTP <tt>Referer</tt> header value with this
option. By default no HTTP <tt>Referer</tt> header is sent in HTTP
requests.
<p>
Example on a <bf>PostgreSQL 8.3.5</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --referer \
"http://www.google.com" -v 3
[...]
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Referer: http://www.google.com
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
<sect2>Extra HTTP headers
<p>
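Review bot: the moved `--referer` example is internally inconsistent: the command line targets `http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1` on a `PostgreSQL 8.3.5` target, but the captured request reads `GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1`. The mismatch was already present in the block's old location, but since the block is being relocated anyway, fix the path in the traffic dump (or the command) so the two agree.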
@ -1209,16 +1257,16 @@ to provide them from the configuration INI file. Have a look at the sample
<tt>sqlmap.conf</tt> file.
<sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications
<sect2>HTTP <tt>Basic</tt>, <tt>Digest</tt> and <tt>NTLM</tt> authentications
<p>
Options: <tt>-</tt><tt>-auth-type</tt> and <tt>-</tt><tt>-auth-cred</tt>
<p>
These options can be used to specify which HTTP authentication type the
web server implements and the valid credentials to be used to perfom all
HTTP requests to the target URL.
The two valid types are <tt>Basic</tt> and <tt>Digest</tt> and the
web server implements and the valid credentials to be used
to perfom all HTTP requests to the target URL.
The three valid types are <tt>Basic</tt>, <tt>Digest</tt> and <tt>NTLM</tt>, while the
credentials' syntax is <tt>username:password</tt>.
<p>
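Review bot: `perfom` in the reflowed `to perfom all HTTP requests to the target URL.` is a typo carried over from the old line; `perform`. Also, the new `NTLM` type keeps `username:password` as the only credential syntax; if a Windows domain can or must be supplied (for example as part of the user name), state it here, since NTLM is the one of the three types where that matters.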
@ -1238,7 +1286,7 @@ Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
@ -1259,12 +1307,19 @@ Authorization: Digest username="testuser", realm="Testing digest authentication"
nonce="Qw52C8RdBAA=2d7eb362292b24718dcb6e4d9a7bf0f13d58fa9d",
uri="/sqlmap/mysql/digest/get_int.php?id=1", response="16d01b08ff2f77d8ff0183d706f96747",
algorithm="MD5", qop=auth, nc=00000001, cnonce="579be5eb8753693a"
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
<sect2>HTTPs authentication with certificate
<p>
Option: <tt>-</tt><tt>-auth-cert</tt>
#TODO
<sect2>HTTP proxy
<p>
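Review bot: `HTTPs` in the new section title `HTTPs authentication with certificate` should be `HTTPS`, consistently with the help line for the same option. When the `#TODO` is filled in, state the expected file format for `key_file` and `cert_file` and whether `--auth-cert` can be combined with `--auth-type`/`--auth-cred`, since a client certificate and an HTTP authentication scheme are independent mechanisms a target may require together.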
@ -1385,6 +1440,20 @@ It is possible to specify the maximum number of retries when the HTTP
connection timeouts. By default it retries up to three times.
<sect2>Filtering targets from provided proxy log using regular expression
<p>
Option: <tt>-</tt><tt>-scope</tt>
#TODO
<sect2>Ignoring system default HTTP proxy
<p>
Option: <tt>-</tt><tt>-ignore-proxy</tt>
#TODO
<sect1>Injection
<p>
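Review bot: the new `--scope` section should say up front that it only filters targets parsed from a proxy log with `-l` (the help text reads `Regexp to filter targets from provided proxy log`) and cross-reference the `-l` section, because a reader arriving at this Request-chapter section has no other link to the proxy-log feature. The `--ignore-proxy` placeholder should similarly spell out how it relates to `--proxy` (system proxy environment versus an explicitly given proxy).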
@ -1442,7 +1511,7 @@ Example on a <bf>MySQL 5.0.67</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/ua_str.php" -v 1 \
-p "user-agent" --user-agent "sqlmap/0.7 (http://sqlmap.sourceforge.net)"
-p "user-agent" --user-agent "sqlmap/0.8 (http://sqlmap.sourceforge.net)"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
@ -1587,7 +1656,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:17] [INFO] GET parameter 'id' is custom injectable
@ -1659,7 +1728,7 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=
[hh:mm:50] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int_refresh.php?id=1 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:50] [TRAFFIC IN] HTTP response (OK - 200):
@ -1681,7 +1750,7 @@ Content-Type: text/html
[hh:mm:51] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int_refresh.php?id=1 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:51] [TRAFFIC IN] HTTP response (OK - 200):
@ -1703,7 +1772,7 @@ Content-Type: text/html
[hh:mm:51] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int_refresh.php?id=1 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:51] [TRAFFIC IN] HTTP response (OK - 200):
@ -2130,7 +2199,7 @@ Host: 192.168.1.121:80
Accept-language: en-us,en;q=0.5
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
image/png,*/*;q=0.5
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:29] [TRAFFIC IN] HTTP response (OK - 200):
@ -3176,7 +3245,8 @@ Table: users
<p>
Options: <tt>-</tt><tt>-dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
<tt>-</tt><tt>-start</tt> and <tt>-</tt><tt>-stop</tt>
<tt>-</tt><tt>-start</tt>, <tt>-</tt><tt>-stop</tt>, <tt>-</tt><tt>-first</tt>
and <tt>-</tt><tt>-last</tt>
<p>
It is possible to dump the entries for a specific database table.
@ -3217,7 +3287,7 @@ Table: users
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.7 (http://sqlmap.sourceforge.net) | user agent header |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+
</verb></tscreen>
@ -3269,7 +3339,7 @@ Table: users
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.7 (http://sqlmap.sourceforge.net) | user agent header |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | | nameisnull |
+----+----------------------------------------------+-------------------+
@ -3282,13 +3352,15 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
"1","luther","blissett"
"2","fluffy","bunny"
"3","wu","ming"
"4","sqlmap/0.7 (http://sqlmap.sourceforge.net)","user agent header"
"4","sqlmap/0.8 (http://sqlmap.sourceforge.net)","user agent header"
"5","","nameisnull"
</verb></tscreen>
<p>
You can also provide the <tt>-</tt><tt>-start</tt> and/or the <tt>-</tt><tt>-stop</tt>
options to limit the dump to a range of entries.
options to limit the dump to a range of entries, while those entries can be further limited
to a range of character positions provided with <tt>-</tt><tt>-first</tt> and/or the
<tt>-</tt><tt>-last</tt> options.
<itemize>
<item><tt>-</tt><tt>-start</tt> specifies the first entry to enumerate
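Review bot: the sentence added for `--first`/`--last` does not say whether the character positions are 1-based or whether `--last` is inclusive, and the itemize that follows (which opens with the `--start` item) should get matching `<item>` entries for `--first` and `--last` carrying that detail, mirroring the existing `--start`/`--stop` items, rather than leaving the two new options described only in the run-on sentence above the list.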
@ -3310,7 +3382,7 @@ Table: users
+----+----------------------------------------------+-------------------+
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.7 (http://sqlmap.sourceforge.net) | user agent header |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
+----+----------------------------------------------+-------------------+
</verb></tscreen>
@ -3342,7 +3414,7 @@ Table: users
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.7 (http://sqlmap.sourceforge.net) | user agent header |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+
@ -3431,7 +3503,7 @@ Table: users
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 4 | sqlmap/0.7 (http://sqlmap.sourceforge.net) | user agent header |
| 4 | sqlmap/0.8 (http://sqlmap.sourceforge.net) | user agent header |
| 2 | fluffy | bunny |
| 1 | luther | blisset |
| 3 | wu | ming |
@ -3830,6 +3902,22 @@ support stacked queries when the back-end DBMS is MySQL, but it does
support when the back-end DBMS is PostgreSQL.
<sect1>User-defined function injection
<sect2>Inject custom user-injection functions
<p>
Option: <tt>-</tt><tt>-udf-inject</tt>
#TODO
<sect2>Local path of the shared library
<p>
Option: <tt>-</tt><tt>-shared-lib</tt>
#TODO
<sect1>File system access
<sect2>Read a file from the back-end DBMS file system
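Review bot: the heading `Inject custom user-injection functions` should be `Inject custom user-defined functions`, matching both the `<sect1>` title directly above it and the option description `--udf-inject Inject custom user-defined functions` in the help output.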
@ -4858,8 +4946,155 @@ meterpreter > exit
</verb></tscreen>
<sect1>Windows registry access
<sect2>Read a Windows registry key value
<p>
Option: <tt>-</tt><tt>-reg-read</tt>
#TODO
<sect2>Write a Windows registry key value data
<p>
Option: <tt>-</tt><tt>-reg-add</tt>
#TODO
<sect2>Delete a Windows registry key value
<p>
Option: <tt>-</tt><tt>-reg-del</tt>
#TODO
<sect2>Windows registry key
<p>
Option: <tt>-</tt><tt>-reg-key</tt>
#TODO
<sect2>Windows registry key value
<p>
Option: <tt>-</tt><tt>-reg-value</tt>
#TODO
<sect2>Windows registry key value data
<p>
Option: <tt>-</tt><tt>-reg-data</tt>
#TODO
<sect2>Windows registry key value type
<p>
Option: <tt>-</tt><tt>-reg-type</tt>
#TODO
<sect1>Miscellaneous
<sect2>Save and resume all data retrieved on a session file
<p>
Option: <tt>-s</tt>
<p>
It is possible to log all queries and their output into a text file while
performing whatever request, both in blind SQL injection and in inband SQL
injection.
This is useful if you stop the injection and resume it after some time.
<p>
Example on a <bf>PostgreSQL 8.3.5</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b \
-v 1 -s "sqlmap.log"
[...]
back-end DBMS: PostgreSQL
[hh:mm:02] [INFO] query: VERSION()
[hh:mm:02] [INFO] retrieved: PostgreSQL 8.3.5 on i486-pc-^C
[hh:mm:03] [ERROR] user aborted
</verb></tscreen>
<p>
As you can see, I stopped the injection with <tt>CTRL-C</tt> while
retrieving the PostgreSQL banner and logged the session to text file
<tt>sqlmap.log</tt>.
<tscreen><verb>
$ cat sqlmap.log
[hh:mm:00 MM/DD/YY]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection point][GET]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection parameter][id]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection type][numeric]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Parenthesis][0]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][CONCAT('9', '9')][]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][LENGTH(SYSDATE)][]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][COALESCE(3, NULL)][3]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][LENGTH('3')][1]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][DBMS][PostgreSQL]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][VERSION()][PostgreSQL 8.3.5
on i486-pc-
</verb></tscreen>
<p>
As you can see, all queries performed and their output have been logged to
the session file in real time while performing the injection.
<p>
The session file has a structure as follows:
<tscreen><verb>
[hh:mm:ss MM/DD/YY]
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
</verb></tscreen>
<p>
Performing the same request now, sqlmap resumes all information already
retrieved then calculates the query length, in the example
<tt>VERSION()</tt>, and resumes the injection from the last character
retrieved to the end of the query output.
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b \
-v 1 -s "sqlmap.log"
[...]
[hh:mm:03] [INFO] resuming injection point 'GET' from session file
[hh:mm:03] [INFO] resuming injection parameter 'id' from session file
[hh:mm:03] [INFO] resuming injection type 'numeric' from session file
[hh:mm:03] [INFO] resuming 0 number of parenthesis from session file
[hh:mm:03] [INFO] resuming back-end DBMS 'PostgreSQL' from session file
[hh:mm:03] [INFO] testing connection to the target url
[hh:mm:03] [INFO] testing for parenthesis on injectable parameter
[hh:mm:03] [INFO] retrieving the length of query output
[hh:mm:03] [INFO] query: LENGTH(VERSION())
[hh:mm:03] [INFO] retrieved: 98
[hh:mm:03] [INFO] resumed from file 'sqlmap.log': PostgreSQL 8.3.5 on i486-pc-...
[hh:mm:03] [INFO] retrieving pending 70 query output characters
[hh:mm:03] [INFO] query: SUBSTR((VERSION())::text, 29, 98)
[hh:mm:03] [INFO] retrieved: linux-gnu, compiled by GCC gcc-4.3.real
(Ubuntu 4.3.2-1ubuntu11) 4.3.2
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
back-end DBMS: PostgreSQL
[hh:mm:07] [INFO] fetching banner
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
(Ubuntu 4.3.2-1ubuntu11) 4.3.2'
</verb></tscreen>
<sect2>Estimated time of arrival
<p>
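Review bot: `--reg-key`, `--reg-value`, `--reg-data` and `--reg-type` are arguments to `--reg-read`/`--reg-add`/`--reg-del`, not standalone operations, so seven sibling `<sect2>` placeholders will end up as four near-empty sections. Suggest three `<sect2>` entries (read, add, delete) that document the four parameters inside them with one example each (for instance `--reg-read --reg-key ... --reg-value ...`) once the `#TODO` is filled, and have `--reg-type` list the accepted value types. The `Save and resume all data retrieved on a session file` section that follows is a verbatim move of the block removed further down, so nothing to review there.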
@ -4944,10 +5179,18 @@ then estimates the time of arrival, shows the progress in percentage and
counts the number of retrieved query output characters.
<sect2>Update sqlmap to the latest stable version
<sect2>Use google dork results from specified page number
<p>
Option: <tt>-</tt><tt>-gpage</tt>
#TODO
<sect2>Update Microsoft SQL Server XML signature file
<p>
Option: <tt>-</tt><tt>-update</tt>
#TODO
<p>
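Review bot: the `--update` section is retitled `Update Microsoft SQL Server XML signature file` but its old body is kept below the `#TODO`: the following context still shows `GET /doc/VERSION` against `sqlmap.sourceforge.net` and the sentence about copying `sqlmap.conf` to `sqlmap.conf.bak` `each time a new stable version is available`, both of which describe self-update of sqlmap, not a signature-file refresh. Either remove the stale text now or widen the TODO to cover it, otherwise the section contradicts its own title. The `--gpage` placeholder should also cross-reference the `-g GOOGLEDORK` option it depends on.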
@ -4969,7 +5212,7 @@ $ python sqlmap.py --update -v 4
[hh:mm:55] [TRAFFIC OUT] HTTP request:
GET /doc/VERSION HTTP/1.1
Host: sqlmap.sourceforge.net
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:55] [TRAFFIC IN] HTTP response (OK - 200):
@ -4988,7 +5231,7 @@ X-Pad: avoid browser bug
[hh:mm:56] [TRAFFIC OUT] HTTP request:
GET /FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx HTTP/1.1
Host: www.sqlsecurity.com
User-agent: sqlmap/0.7 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.8 (http://sqlmap.sourceforge.net)
Cookie: .ASPXANONYMOUS=dvus03cqyQEkAAAANDI0M2QzZmUtOGRkOS00ZDQxLThhMTUtN2ExMWJiNWVjN2My0;
language=en-US
Connection: close
@ -5023,102 +5266,6 @@ to <tt>sqlmap.conf.bak</tt> each time a new stable version is available and
your copy is outdated.
<sect2>Save and resume all data retrieved on a session file
<p>
Option: <tt>-s</tt>
<p>
It is possible to log all queries and their output into a text file while
performing whatever request, both in blind SQL injection and in inband SQL
injection.
This is useful if you stop the injection and resume it after some time.
<p>
Example on a <bf>PostgreSQL 8.3.5</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b \
-v 1 -s "sqlmap.log"
[...]
back-end DBMS: PostgreSQL
[hh:mm:02] [INFO] query: VERSION()
[hh:mm:02] [INFO] retrieved: PostgreSQL 8.3.5 on i486-pc-^C
[hh:mm:03] [ERROR] user aborted
</verb></tscreen>
<p>
As you can see, I stopped the injection with <tt>CTRL-C</tt> while
retrieving the PostgreSQL banner and logged the session to text file
<tt>sqlmap.log</tt>.
<tscreen><verb>
$ cat sqlmap.log
[hh:mm:00 MM/DD/YY]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection point][GET]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection parameter][id]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Injection type][numeric]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][Parenthesis][0]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][CONCAT('9', '9')][]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][LENGTH(SYSDATE)][]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][COALESCE(3, NULL)][3]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][LENGTH('3')][1]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][DBMS][PostgreSQL]
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1][VERSION()][PostgreSQL 8.3.5
on i486-pc-
</verb></tscreen>
<p>
As you can see, all queries performed and their output have been logged to
the session file in real time while performing the injection.
<p>
The session file has a structure as follows:
<tscreen><verb>
[hh:mm:ss MM/DD/YY]
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
</verb></tscreen>
<p>
Performing the same request now, sqlmap resumes all information already
retrieved then calculates the query length, in the example
<tt>VERSION()</tt>, and resumes the injection from the last character
retrieved to the end of the query output.
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" -b \
-v 1 -s "sqlmap.log"
[...]
[hh:mm:03] [INFO] resuming injection point 'GET' from session file
[hh:mm:03] [INFO] resuming injection parameter 'id' from session file
[hh:mm:03] [INFO] resuming injection type 'numeric' from session file
[hh:mm:03] [INFO] resuming 0 number of parenthesis from session file
[hh:mm:03] [INFO] resuming back-end DBMS 'PostgreSQL' from session file
[hh:mm:03] [INFO] testing connection to the target url
[hh:mm:03] [INFO] testing for parenthesis on injectable parameter
[hh:mm:03] [INFO] retrieving the length of query output
[hh:mm:03] [INFO] query: LENGTH(VERSION())
[hh:mm:03] [INFO] retrieved: 98
[hh:mm:03] [INFO] resumed from file 'sqlmap.log': PostgreSQL 8.3.5 on i486-pc-...
[hh:mm:03] [INFO] retrieving pending 70 query output characters
[hh:mm:03] [INFO] query: SUBSTR((VERSION())::text, 29, 98)
[hh:mm:03] [INFO] retrieved: linux-gnu, compiled by GCC gcc-4.3.real
(Ubuntu 4.3.2-1ubuntu11) 4.3.2
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
back-end DBMS: PostgreSQL
[hh:mm:07] [INFO] fetching banner
banner: 'PostgreSQL 8.3.5 on i486-pc-linux-gnu, compiled by GCC gcc-4.3.real
(Ubuntu 4.3.2-1ubuntu11) 4.3.2'
</verb></tscreen>
<sect2>Save options on a configuration INI file
<p>
@ -5344,17 +5491,19 @@ FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
details.
<p>
Whatever you do with this tool is uniquely your responsability. If you are
Whatever you do with this tool is uniquely your responsibility. If you are
not authorized to punch holes in the network you are attacking be aware
that such action might get you in trouble with a lot of law enforcement
agencies.
<sect>Author
<sect>Authors
<p>
<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G."> (inquis) - Lead developer.
PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0x05F5A30F" name="0x05F5A30F">
<htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar"> (stamparm) - Developer.
PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0xB5397B1B" name="0xB5397B1B">
</article>
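Review bot: the two PGP key IDs (`0x05F5A30F`, `0xB5397B1B`) are 32-bit short IDs, which are cheap to collide; publish the full 40-hex-digit fingerprint (or at least the 64-bit long ID) so a reader fetching the keys from `pgp.mit.edu` can confirm they got the right ones. The `responsability` to `responsibility` fix and the `Author` to `Authors` retitle are fine.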