Updated documentation

Bernardo Damele 2010-03-03 15:16:43 +00:00
parent 49aa1ae542
commit e774578180
2 changed files with 164 additions and 97 deletions

View File

@ -55,7 +55,7 @@ sqlmap (0.8-1) stable; urgency=low
shells consequently reducing drastically the number of anti-virus
softwares that mistakenly mark sqlmap as a malware (Miroslav).
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Mon, 1 Mar 2010 10:00:00 +0000
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Sun, 14 Mar 2010 10:00:00 +0000
sqlmap (0.8rc1-1) stable; urgency=low
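Review bot: the changelog stamp moves from Mon, 1 Mar 2010 to Sun, 14 Mar 2010 while the entry header stays `sqlmap (0.8-1) stable`, so this re-dates the pending 0.8 entry instead of adding a new one; that is fine for an entry that has not shipped, but it only holds together if the README `<date>` line in the second file moves to the same day (it does, to March 14) and the entry body is not touched again after release. The weekday is correct (14 March 2010 was a Sunday), and the commit itself is dated 2010-03-03, so the new stamp is a planned release date, not the edit date; say so in the commit message if that is the intent.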

View File

@ -4,7 +4,7 @@
<title>sqlmap user's manual
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">, <htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar">
<date>version 0.8, March 01, 2010
<date>version 0.8, March 14, 2010
<abstract>
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
@ -16,20 +16,8 @@ for the latest version.
<sect>Introduction
<p>
sqlmap is an open source command-line automatic
<htmlurl url="http://www.google.com/search?q=SQL+injection" name="SQL injection">
tool.
Its goal is to detect and take advantage of SQL injection vulnerabilities
in web applications. Once it detects one or more SQL injections on the
target host, the user can choose among a variety of options to perform an
extensive back-end database management system fingerprint, retrieve DBMS
session user and database, enumerate users, password hashes, privileges,
databases, dump entire or user's specified DBMS tables/columns, run his own
SQL statement, read or write either text or binary files on the file
system, execute arbitrary commands on the operating system, establish an
out-of-band stateful connection between the attacker box and the database
server via Metasploit payload stager, database stored procedure buffer
overflow exploitation or SMB relay attack and more.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers.
It comes with a broad range of features lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
<sect1>Requirements
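Review bot: the new introduction reads as a literal translation in two places: "a broad range of features lasting from database fingerprinting, over data fetching from the database, to accessing" should be "a broad range of features, ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections", and "taking over of back-end database servers" should be "taking over back-end database servers". The removed paragraph named the three out-of-band channels (Metasploit payload stager, stored procedure buffer overflow, SMB relay); the replacement keeps only the generic phrase, which is acceptable only because the Takeover features section later in this diff enumerates them, so keep those two in sync.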
@ -37,21 +25,29 @@ overflow exploitation or SMB relay attack and more.
<p>
sqlmap is developed in <htmlurl url="http://www.python.org" name="Python">,
a dynamic object-oriented interpreted programming language.
This makes the tool independent from the operating system since it only
This makes the tool independent from the operating system. It only
requires the Python interpreter version equal or above to <bf>2.5</bf>.
The interpreter is freely downloadable from its
<htmlurl url="http://python.org/download/" name="official site">.
To make it even easier, many GNU/Linux distributions come out of the box
with Python interpreter package installed and other Unices and MacOS X
too provide it packaged in their formats and ready to be installed.
with Python interpreter installed and other Unices and MacOS X too provide
it packaged in their formats and ready to be installed.
Windows users can download and install the Python setup-ready installer
for x86, AMD64 and Itanium too.
sqlmap relies on the <htmlurl url="http://metasploit.com/framework/"
name="Metasploit Framework"> for some of its post-exploitation takeover
functionalities. You need to grab a copy of it from the
features. You need to grab a copy of it from the
<htmlurl url="http://metasploit.com/framework/download/" name="download">
page. The required version is <bf>3.3.3</bf> or above.
page. The required version is <bf>3.3.3</bf> or above. However, it is
recommended to use the Metasploit latest development version from the
<htmlurl url="https://www.metasploit.com/svn/framework3/trunk/"
name="Subversion repository">.
If you plan to attack a web application behind NTLM authentication or use
the sqlmap update functionality you need to install respectively
<htmlurl url="http://code.google.com/p/python-ntlm/" name="python-ntlm">
and <htmlurl url="http://pysvn.tigris.org/" name="python-svn"> libraries.
Optionally, if you are running sqlmap on Windows, you may wish to install
<htmlurl url="http://ipython.scipy.org/moin/PyReadline/Intro" name="PyReadline">
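Review bot: the new recommendation to run Metasploit from the Subversion trunk sits next to the unchanged floor "The required version is 3.3.3 or above" without saying why; the Takeover features hunk later in this diff lists `getsystem` with the kitrap0d technique (MS10-015, a 2010 advisory), so if any takeover feature needs Metasploit code newer than the 3.3.3 release, state it here ("3.3.3 or above; the Meterpreter `getsystem` based escalation needs the development trunk") rather than leaving a bare recommendation. For the optional dependencies, name the command-line options they enable (NTLM authentication and `--update`, the latter shown in the Usage hunk) so the reader knows which one to install; python-svn is a hard prerequisite for `--update` and should be repeated in the Download and update section. Minor wording: "version equal or above to 2.5" should be "version 2.5 or above".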
@ -98,12 +94,11 @@ This is a quite common flaw in dynamic content web applications and it
does not depend upon the back-end database management system nor on the web
application programming language: it is a programmer code's security flaw.
The <htmlurl url="http://www.owasp.org" name="Open Web Application Security Project">
rated on 2007 in their <htmlurl url="http://www.owasp.org/index.php/Top_10_2007"
rated on 2010 in their <htmlurl url="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project"
name="OWASP Top Ten"> survey this vulnerability as the <htmlurl
url="http://www.owasp.org/index.php/Top_10_2007-A2" name="most
common"> and important web application vulnerability, second only to
<htmlurl url="http://www.owasp.org/index.php/Top_10_2007-A1"
name="Cross-Site Scripting">.
url="http://www.owasp.org/images/0/0f/OWASP_T10_-_2010_rc1.pdf" name="most
common"> and important web application vulnerability along with other
injection flaws.
Back to the scenario, probably the SQL <tt>SELECT</tt> statement into
<tt>get_int.php</tt> has a syntax similar to the following SQL query, in
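Review bot: "rated on 2010" should be "rated in 2010". The "most common" link now points to `OWASP_T10_-_2010_rc1.pdf`, a release-candidate document that will disappear once the final 2010 list is published; link the project category page already used for the survey link, or the final document when it exists. The claim that the 2010 list puts injection first is correct (Injection is A1), but the OWASP ranking weights prevalence together with exploitability and impact, so "top-ranked" is more accurate than "most common", and "along with other injection flaws" should say that A1 covers SQL injection together with other injection classes rather than ranking them separately.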
@ -141,9 +136,8 @@ to sqlmap, the tool will automatically:
<itemize>
<item>Identify the vulnerable parameter(s) (<tt>id</tt> in this scenario);
<item>Depending on the user's options, sqlmap uses the <bf>blind SQL
injection</bf> or the <bf>inband SQL injection</bf> technique as described
in the following section to go ahead with the exploiting.
<item>Depending on the user's options, fingerprint, enumerate, takeover
the database server.
</itemize>
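Review bot: "fingerprint, enumerate, takeover the database server" needs the verb form and a conjunction: "fingerprint, enumerate and take over the database server". The removed item carried the cross-reference to the blind and inband technique section ("as described in the following section"); the replacement drops it, so check that the techniques section still exists and that nothing else in the document relied on that forward reference.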
@ -197,7 +191,7 @@ and the session user privileges.
<sect>Features
<p>
Major features implemented in sqlmap include:
Features implemented in sqlmap include:
<sect1>Generic features
@ -206,7 +200,7 @@ Major features implemented in sqlmap include:
<itemize>
<item>Full support for <bf>MySQL</bf>, <bf>Oracle</bf>, <bf>PostgreSQL</bf>
and <bf>Microsoft SQL Server</bf> back-end database management systems.
Besides these four database management systems software. sqlmap can also
Besides these four database management systems software, sqlmap can also
identify Microsoft Access, DB2, Informix, Sybase and Interbase.
<item>Full support for three SQL injection techniques: <bf> inferential
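Review bot: the comma fix is right, but "Besides these four database management systems software, sqlmap can also identify" still has a stray noun; "Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase" reads correctly.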
@ -216,12 +210,13 @@ blind SQL injection</bf>.
<item>It is possible to provide a single target URL, get the list of
targets from <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">
requests log file path or
requests log file or
<htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project" name="WebScarab proxy">
<tt>conversations/</tt> folder path or get the list of targets by providing
sqlmap with a Google dork which queries
<htmlurl url="http://www.google.com" name="Google"> search engine and
parses its results page.
<tt>conversations/</tt> folder, get the whole HTTP request from a text
file or get the list of targets by providing sqlmap with a Google dork
which queries <htmlurl url="http://www.google.com" name="Google"> search engine and
parses its results page. You can also define a regular-expression based
scope that is used to identify which of the parsed addresses to test.
<item>Automatically tests all provided <bf>GET</bf> parameters,
<bf>POST</bf> parameters, HTTP <bf>Cookie</bf> header values and HTTP
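Review bot: the new target-source sentence is one run-on covering five inputs (single URL, Burp log file, WebScarab `conversations/` folder, HTTP request text file, Google dork); a nested `<itemize>` with one entry per source would be easier to scan and matches how the rest of this section is written. "queries Google search engine" needs an article ("the Google search engine"). The regular-expression scope sentence says it filters "parsed addresses", which only applies to the log, folder and dork sources; say that explicitly so a reader does not expect it to filter a single `-u` target.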
@ -230,29 +225,32 @@ those that vary the HTTP response page content.
On the dynamic ones sqlmap automatically tests and detects the ones
affected by SQL injection. Each dynamic parameter is tested for
<em>numeric</em>, <em>single quoted string</em>, <em>double quoted
string</em> and all of these three datatypes with zero to two parenthesis
string</em> and all of these three data-types with zero to two parenthesis
to correctly detect which is the <tt>SELECT</tt> statement syntax to
perform further injections with. It is also possible to specify the
perform further injections with. It is also possible to specify the only
parameter(s) that you want to perform tests and use for injection on.
<item>Option to specify the <bf>maximum number of concurrent HTTP
requests</bf> to speed up the blind SQL injection algorithms
(multithreading). It is also possible to specify the number of seconds to
requests</bf> to speed up the inferential blind SQL injection algorithms
(multi-threading). It is also possible to specify the number of seconds to
wait between each HTTP request.
<item><bf>HTTP <tt>Cookie</tt> header</bf> string support, useful when the
web application requires authentication based upon cookies and you have
such data or in case you just want to test for and exploit SQL injection
on such header.
on such header. You can also specify to always URL-encode the Cookie
header.
<item>Automatically handle <bf>HTTP <tt>Set-Cookie</tt> header</bf> from
target url, re-establishing of the session if it expires. Test and exploit
on these values is supported too.
the application, re-establishing of the session if it expires. Test and
exploit on these values is supported too. You can also force to ignore any
<tt>Set-Cookie</tt> header.
<item><bf>HTTP Basic and Digest authentications</bf> support.
<item><bf>HTTP Basic, Digest, NTLM and Certificate authentications</bf>
support.
<item><bf>Anonymous HTTP proxy</bf> support to pass by the requests to the
target URL that works also with HTTPS requests.
target application that works also with HTTPS requests.
<item>Options to fake the <bf>HTTP <tt>Referer</tt> header</bf> value and
the <bf>HTTP <tt>User-Agent</tt> header</bf> value specified by user or
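Review bot: "It is also possible to specify the only parameter(s) that you want to perform tests and use for injection on" misplaces "only"; it should be "specify only the parameter(s) to test and use for injection". Other wording in this hunk: "Anonymous HTTP proxy support to pass by the requests" should be "to pass the requests through"; "HTTP Basic, Digest, NTLM and Certificate authentications support" should be "HTTP Basic, Digest, NTLM and certificate-based authentication support"; "You can also force to ignore any Set-Cookie header" should be "You can also force sqlmap to ignore any Set-Cookie header". Scoping the multi-threading item to the inferential blind algorithms is a good correction; since the very next sentence offers a per-request delay, add a clause that raising concurrency raises the request rate seen in the target's logs, which is the reason the delay option exists.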
@ -260,7 +258,7 @@ randomly selected from a text file.
<item>Support to increase the <bf>verbosity level of output messages</bf>:
there exist <bf>six levels</bf>. The default level is <bf>1</bf> in which
information, warnings, errors and tracebacks, if they occur, will be shown.
information, warnings, errors and tracebacks (if any occur) will be shown.
<item>Granularity in the user's options.
@ -268,84 +266,141 @@ information, warnings, errors and tracebacks, if they occur, will be shown.
in real time while fetching the information to give to the user an
overview on how long it will take to retrieve the output.
<item>Support to save the session (queries and their output, even if
partially retrieved) in real time while fetching the data on a text file
and <bf>resume the injection from this file in a second time</bf>.
<item>Automatic support to save the session (queries and their output,
even if partially retrieved) in real time while fetching the data on a
text file and <bf>resume the injection from this file in a second
time</bf>.
<item>Support to read options from a configuration INI file rather than
specify each time all of the options on the command line. Support also to
save command line options on a configuration INI file.
<item>Integration with other IT security related open source projects,
<item>Option to update sqlmap as a whole to the latest development version
from the Subversion repository.
<item>Integration with other IT security open source projects,
<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
url="http://w3af.sourceforge.net/" name="w3af">.
<item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding
every query string, between single quotes, with <tt>CHAR</tt>, or similar,
database management system function.
</itemize>
<sect1>Enumeration features
<sect1>Fingerprint and enumeration features
<p>
<itemize>
<item><bf>Extensive back-end database management system software and
underlying operating system fingerprint</bf>
based upon
<item><bf>Extensive back-end database software version and underlying
operating system fingerprint</bf> based upon
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="inband error messages">,
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="banner parsing">,
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="functions output comparison"> and
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="specific features">
such as MySQL comment injection. It is also possible to force the back-end
database management system name if you already know it. sqlmap is also able
to fingerprint the web server operating system, the web application
technology and, in some circumstances, the back-end DBMS operating system.
database management system name if you already know it.
<item>Basic web server software and web application technology fingerprint.
<item>Support to retrieve on all four back-end database management system
<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>, check
if the current user is a database administrator, enumerate <bf>users</bf>,
<bf>users password hashes</bf>, <bf>users privileges</bf>,
<bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>, dump <bf>tables
entries</bf>, dump <bf>whole database management system</bf> and run user's
<bf>own SQL statement</bf>.
<item>Support to retrieve the DBMS <bf>banner</bf>, <bf>session user</bf>
and <bf>current database</bf> information. The tool can also check if the
session user is a database administrator (DBA).
<item>Support to enumerate <bf>database users</bf>, <bf>users' password
hashes</bf>, <bf>users' privileges</bf>, <bf>databases</bf>,
<bf>tables</bf> and <bf>columns</bf>.
<item>Support to <bf>dump database tables</bf> as a whole or a range of
entries as per user's choice. The user can also choose to dump only
specific column(s).
<item>Support to automatically dump <bf>all</bf> databases' schemas and
entries. It is possibly to exclude from the dump the system databases.
<item>Support to enumerate and dump <bf>all databases' tables containing user
provided column(s)</bf>. Useful to identify for instance tables containing
custom application credentials.
<item>Support to <bf>run custom SQL statement(s)</bf> as in an interactive
SQL client connecting to the back-end database. sqlmap automatically
dissects the provided statement, determins which technique to use to
inject it and how to pack the SQL payload accordingly.
</itemize>
<sect1>Takeover features
<p>
<itemize>
<item>Support to <bf>read either text or binary files</bf> from the
database server underlying file system when the database software is MySQL,
PostgreSQL and Microsoft SQL Server.
Some of these techniques are detailed in white paper
<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf"
name="Advanced SQL injection to operating system full control"> and
slides <htmlurl
url="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database"
name="Expanding the control over the operating system from the database">.
<item>Support to <bf>execute arbitrary commands</bf> on the database server
underlying operating system when the database software is MySQL,
PostgreSQL via user-defined function injection and Microsoft SQL Server via
<tt>xp_cmdshell()</tt> stored procedure.
<item>Support to <bf>establish an out-of-band stateful connection between
the attacker box and the database server</bf> underlying operating system
via:
<itemize>
<item><bf>Stand-alone payload stager</bf> created by Metasploit and
supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
<item><bf>Microsoft SQL Server 2000 and 2005 <tt>sp_replwritetovarbin</tt>
stored procedure heap-based buffer overflow</bf> (MS09-004) exploitation
with multi-stage Metasploit payload support;
<item><bf>SMB reflection attack</bf> with UNC path request from the
database server to the attacker box by using the Metasploit
<tt>smb_relay</tt> exploit on the attacker box.
<item>Support to <bf>inject custom user-defined functions</bf>: the user
can compile shared object then use sqlmap to create within the back-end
DBMS user-defined functions out of the compiled shared object file. These
UDFs can then be executed, and optionally removed, via sqlmap too.
<item>Support to <bf>read and upload any file</bf> from the database
server underlying file system when the database software is MySQL,
PostgreSQL or Microsoft SQL Server.
<item>Support to <bf>execute arbitrary commands and retrieve their
standard output</bf> on the database server underlying operating system
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
<itemize>
<item>On MySQL and PostgreSQL via user-defined function injection and
execution.
<item>On Microsoft SQL Server via <tt>xp_cmdshell()</tt> stored procedure.
Also, the stored procedure is re-enabled if disabled or created from
scratch if removed.
</itemize>
<item>Support to <bf>establish an out-of-band stateful TCP connection
between the user machine and the database server</bf> underlying operating
system. This channel can be an interactive command prompt, a Meterpreter
session or a graphical user interface (VNC) session as per user's choice.
sqlmap relies on Metasploit to create the shellcode and implements four
different techniques to execute it on the database server. These
techniques are:
<itemize>
<item>Database <bf>in-memory execution of the Metasploit's shellcode</bf>
via sqlmap own user-defined function <tt>sys_bineval()</tt>. Supported on
MySQL and PostgreSQL.
<item>Upload and execution of a Metasploit's <bf>stand-alone payload
stager</bf> via sqlmap own user-defined function <tt>sys_exec()</tt> on
MySQL and PostgreSQL or via <tt>xp_cmdshell()</tt> on Microsoft SQL
Server.
<item>Execution of Metasploit's shellcode by performing a <bf>SMB
reflection attack</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx"
name="MS08-068">) with a UNC path request from the database server to
the user's machine where the Metasploit <tt>smb_relay</tt> server exploit
runs.
<item>Database in-memory execution of the Metasploit's shellcode by
exploiting <bf>Microsoft SQL Server 2000 and 2005
<tt>sp_replwritetovarbin</tt> stored procedure heap-based buffer
overflow</bf> (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx"
name="MS09-004">) with automatic DEP bypass.
</itemize>
<item>Support for <bf>database process' user privilege escalation</bf> via
Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via
either Meterpreter's <tt>incognito</tt> extension or <tt>Churrasco</tt>
stand-alone executable.
Metasploit's <tt>getsystem</tt> command which include, among others,
the <htmlurl
url="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html"
name="kitrap0d"> technique (<htmlurl
url="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx"
name="MS10-015">) or via <htmlurl
url="http://www.argeniss.com/research/TokenKidnapping.pdf"
name="Windows Access Tokens kidnapping"> by using either Meterpreter's
<tt>incognito</tt> extension or <tt>Churrasco</tt> stand-alone executable
as per user's choice.
<item>Support to access (read/add/delete) Windows registry hives.
</itemize>
<sect>Download and update
<p>
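Review bot: typos in the new text: "It is possibly to exclude" should be "It is possible to exclude", "determins" should be "determines", "sqlmap own user-defined function" (twice) should be "sqlmap's own user-defined function", and "Metasploit's getsystem command which include" should be "which includes". Substantively, the `xp_cmdshell()` item now says the procedure "is re-enabled if disabled or created from scratch if removed"; that is a persistent configuration change on the target, so the documentation should say whether `--cleanup` (from the Usage hunk) reverts it and which other takeover features (UDF creation, `sys_bineval()`, `sys_exec()`, the uploaded payload stager) likewise leave artifacts behind. The privilege-escalation item drops the old text's scope "on MySQL and Microsoft SQL Server" and should state that it is Windows-only (Meterpreter `getsystem`, `incognito` token kidnapping and `Churrasco` are all Windows techniques), and that kitrap0d / MS10-015 applies to 32-bit Windows kernels only. "Windows registry hives" should be "Windows registry keys and values"; hives are the on-disk files, not what a read/add/delete primitive operates on.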
@ -377,14 +432,28 @@ interpreter</bf> to be installed on the operating system.
</itemize>
<p>
You can also checkout the source code from the sqlmap
You can also checkout the latest development version from the sqlmap
<htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/" name="Subversion">
repository to give a try to the development release:
repository:
<tscreen><verb>
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
</verb></tscreen>
<p>
Either way you downloaded sqlmap, you can update it to the latest
development version anytime by running:
<tscreen><verb>
$ python sqlmap.py --update
</verb></tscreen>
Or:
<tscreen><verb>
$ svn update
</verb></tscreen>
<sect>License and copyright
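Review bot: `--update` depends on python-svn (per the Requirements hunk) and `svn update` must be run inside the checked-out directory (`sqlmap-dev` from the command above); neither is said here. "Either way you downloaded sqlmap" should be "Whichever way you obtained sqlmap". The two commands are also not interchangeable: `svn update` only works on a Subversion checkout with `.svn` metadata, so say whether `--update` is the path for a tarball or package install or whether it too requires a checkout.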
@ -392,9 +461,7 @@ $ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
sqlmap is released under the terms of the
<htmlurl url="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" name="General Public License v2">.
sqlmap is copyrighted by
<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
(2007-2009) and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">
(2006).
<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">.
<sect>Usage
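Review bot: the copyright notice loses Daniele Bellucci's 2006 credit and the year range; a commit titled "Updated documentation" is not where a change of copyright holders should happen silently, and a notice without years is weaker than the one it replaces. If the removal is intentional, record the reason in the commit message and keep years on the remaining holder (for example "(2006-2010)").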
@ -549,7 +616,7 @@ Options:
-s SESSIONFILE Save and resume all data retrieved on a session file
--eta Display for each output the estimated time of arrival
--gpage=GOOGLEPAGE Use google dork results from specified page number
--update Update Microsoft SQL Server XML signature file
--update Update sqlmap
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
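Review bot: `--update` is repurposed from "Update Microsoft SQL Server XML signature file" to "Update sqlmap"; reusing an existing option name with different semantics silently changes behaviour for scripts and INI files (written with `--save`) that used the old meaning. Say whether the XML signature update is gone or has moved, and make the help text specific: "Update sqlmap to the latest development version from the Subversion repository (requires python-svn)".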