mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 01:26:42 +03:00
Updated site, documentation (dev and user) and packaging scripts for 0.6.1
This commit is contained in:
parent
6ddb5afef9
commit
fcc16b2346
|
@ -2,7 +2,7 @@ sqlmap (0.6.1-1) stable; urgency=low
|
|||
|
||||
* Major bug fix to blind SQL injection bisection algorithm to handle an
|
||||
exception;
|
||||
* Added a Metasploit 3 auxiliary module to run sqlmap;
|
||||
* Added a Metasploit Framework 3 auxiliary module to run sqlmap;
|
||||
* Implemented possibility to test for and inject also on LIKE
|
||||
statements;
|
||||
* Implemented --start and --stop options to set the first and the last
|
||||
|
@ -12,6 +12,9 @@ sqlmap (0.6.1-1) stable; urgency=low
|
|||
* Minor enhancement to save also the length of query output in the
|
||||
session file when retrieving the query output length for ETA or for
|
||||
resume purposes;
|
||||
* Changed the order sqlmap dump table entries from column by column to
|
||||
row by row. Now it also dumps entries as they are stored in the tables,
|
||||
not forcing the entries' order alphabetically anymore;
|
||||
* Minor bug fix to correctly handle parameters' value with % character.
|
||||
|
||||
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Fri, 10 Oct 2008 10:00:00 +0100
|
||||
|
|
188
doc/README.html
188
doc/README.html
|
@ -245,8 +245,8 @@ those that vary the HTTP response page content.
|
|||
On the dynamic ones sqlmap automatically tests and detects the ones
|
||||
affected by SQL injection. Each dynamic parameter is tested for
|
||||
<EM>numeric</EM>, <EM>single quoted string</EM>, <EM>double quoted
|
||||
string</EM> and all of these three datatypes with zero, one and two
|
||||
parenthesis to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
|
||||
string</EM> and all of these three datatypes with zero to two parenthesis
|
||||
to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
|
||||
perform further injections with. It is also possible to specify the
|
||||
parameter(s) that you want to perform tests and use for injection on.</LI>
|
||||
<LI>Option to specify the <B>maximum number of concurrent HTTP
|
||||
|
@ -277,6 +277,9 @@ and <B>resume the injection from this file in a second time</B>.</LI>
|
|||
<LI>Support to read options from a configuration INI file rather than
|
||||
specify each time all of the options on the command line. Support also to
|
||||
save command line options on a configuration INI file.</LI>
|
||||
<LI>Integration with other IT security related open source projects,
|
||||
<A HREF="http://metasploit.com/framework/">Metasploit</A> and
|
||||
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
|
||||
<LI><B>PHP setting <CODE>magic_quotes_gpc</CODE> bypass</B> by encoding
|
||||
every query string, between single quotes, with <CODE>CHAR</CODE>, or similar,
|
||||
database management system function.</LI>
|
||||
|
@ -292,19 +295,19 @@ It is available in various formats:</P>
|
|||
<P>
|
||||
<UL>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.zip">Source zip compressed</A> operating system independent.</LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip">Source zip compressed</A> operating system independent.</LI>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
|
||||
other Debian derivated GNU/Linux distribution.</LI>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
|
||||
other operating system that can install RPM packages.</LI>
|
||||
<LI>
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
|
||||
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
|
||||
interpreter</B> to be installed on the operating system.</LI>
|
||||
</UL>
|
||||
</P>
|
||||
|
@ -331,7 +334,7 @@ and
|
|||
<PRE>
|
||||
$ python sqlmap.py -h
|
||||
|
||||
sqlmap/0.6.1.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
||||
|
||||
Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}
|
||||
|
@ -379,13 +382,16 @@ Options:
|
|||
--dbs Enumerate DBMS databases
|
||||
--tables Enumerate DBMS database tables (opt: -D)
|
||||
--columns Enumerate DBMS database table columns (req: -T, -D)
|
||||
--dump Dump DBMS database table entries (req: -T, -D opt: -C)
|
||||
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
|
||||
--start, --stop)
|
||||
--dump-all Dump all DBMS databases tables entries
|
||||
-D DB DBMS database to enumerate
|
||||
-T TBL DBMS database table to enumerate
|
||||
-C COL DBMS database table column to enumerate
|
||||
-U USER DBMS user to enumerate
|
||||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||
--start=LIMITSTART First table entry to dump
|
||||
--stop=LIMITSTOP Last table entry to dump
|
||||
--sql-query=QUERY SQL SELECT query to be executed
|
||||
--sql-shell Prompt for an interactive SQL shell
|
||||
|
||||
|
@ -417,6 +423,7 @@ Options:
|
|||
-s SESSIONFILE Save and resume all data retrieved on a session file
|
||||
-c CONFIGFILE Load options from a configuration INI file
|
||||
--save Save options on a configuration INI file
|
||||
--batch Never ask for user input, use the default behaviour
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
@ -528,7 +535,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:28] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
[...]
|
||||
[hh:mm:29] [INFO] testing MySQL
|
||||
|
@ -537,7 +544,7 @@ Connection: close
|
|||
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
||||
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
[...]
|
||||
</PRE>
|
||||
|
@ -555,7 +562,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:32] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -573,7 +580,7 @@ Content-Type: text/html
|
|||
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
||||
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -600,7 +607,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:23] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -2042,7 +2049,8 @@ is connected to, which is always <CODE>public</CODE>.</P>
|
|||
|
||||
<H3>Dump database tables entries</H3>
|
||||
|
||||
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE> and <CODE>-D</CODE></P>
|
||||
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
|
||||
<CODE>--start</CODE> and <CODE>--stop</CODE></P>
|
||||
|
||||
<P>It is possible to dump the entries for a specific database table.
|
||||
This functionality depends on both <CODE>-T</CODE> to specify the table name
|
||||
|
@ -2058,15 +2066,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca
|
|||
Database: test
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
@ -2112,15 +2120,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&ca
|
|||
Database: public
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
|
||||
192.168.1.121/dump/public/users.csv'
|
||||
|
@ -2138,6 +2146,40 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
|
|||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
||||
<P>You can also provide the <CODE>--start</CODE> and/or the <CODE>--stop</CODE> option
|
||||
to limit the dump to a range of entries.</P>
|
||||
<P>
|
||||
<UL>
|
||||
<LI><CODE>--start</CODE> specifies the first entry to enumerate</LI>
|
||||
<LI><CODE>--stop</CODE> specifies the last entry to enumerate</LI>
|
||||
</UL>
|
||||
</P>
|
||||
|
||||
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \
|
||||
-T users -D test --start 2 --stop 4
|
||||
|
||||
Database: test
|
||||
Table: users
|
||||
[3 entries]
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
||||
<P>As you can see, sqlmap is very flexible: you can leave it automatically
|
||||
enumerate the whole database table up to a single column of a specific
|
||||
table entry.</P>
|
||||
|
||||
|
||||
<H3>Dump all databases tables entries</H3>
|
||||
|
||||
|
@ -2153,15 +2195,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca
|
|||
Database: test
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
Database: information_schema
|
||||
Table: CHARACTER_SETS
|
||||
|
@ -2246,15 +2288,15 @@ Table: spt_datatype_info_ext
|
|||
Database: master
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 2 | fluffy | bunny |
|
||||
| 1 | luther | blisset |
|
||||
| 3 | wu | ming |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 2 | fluffy | bunny |
|
||||
| 1 | luther | blisset |
|
||||
| 3 | wu | ming |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
[...]
|
||||
</PRE>
|
||||
|
@ -3123,7 +3165,8 @@ back-end DBMS: MySQL >= 5.0.0
|
|||
|
||||
<P>Option: <CODE>--save</CODE></P>
|
||||
|
||||
|
||||
<P>It is possible to save the command line options to a configuration INI
|
||||
file.</P>
|
||||
|
||||
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
|
||||
<P>
|
||||
|
@ -3231,6 +3274,53 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
|
|||
</P>
|
||||
|
||||
|
||||
<H3>Act in non-interactive mode</H3>
|
||||
|
||||
<P>Option: <CODE>--batch</CODE></P>
|
||||
|
||||
<P>If you want sqlmap to run as a batch tool, without interacting with you in
|
||||
case of a choice has to be done, you can force it by using <CODE>--batch</CODE>
|
||||
option than letting sqlmap go for a default behaviour.</P>
|
||||
|
||||
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
|
||||
<P>
|
||||
<BLOCKQUOTE><CODE>
|
||||
<PRE>
|
||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&name=luther" -v 1 \
|
||||
--batch
|
||||
|
||||
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
|
||||
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
|
||||
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
|
||||
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
|
||||
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
|
||||
[0] place: GET, parameter: id, type: numeric (default)
|
||||
[1] place: GET, parameter: name, type: stringsingle
|
||||
[q] Quit
|
||||
Choice: 0
|
||||
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
|
||||
[...]
|
||||
back-end DBMS: MySQL >= 5.0.0
|
||||
</PRE>
|
||||
</CODE></BLOCKQUOTE>
|
||||
</P>
|
||||
|
||||
<P>As you can see, sqlmap choosed automatically to injection on the first
|
||||
vulnerable parameter which is the default behaviour.</P>
|
||||
|
||||
|
||||
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Disclaimer</A></H2>
|
||||
|
||||
<P>sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
||||
|
|
BIN
doc/README.pdf
BIN
doc/README.pdf
Binary file not shown.
187
doc/README.sgml
187
doc/README.sgml
|
@ -207,8 +207,8 @@ those that vary the HTTP response page content.
|
|||
On the dynamic ones sqlmap automatically tests and detects the ones
|
||||
affected by SQL injection. Each dynamic parameter is tested for
|
||||
<em>numeric</em>, <em>single quoted string</em>, <em>double quoted
|
||||
string</em> and all of these three datatypes with zero, one and two
|
||||
parenthesis to correctly detect which is the <tt>SELECT</tt> statement syntax to
|
||||
string</em> and all of these three datatypes with zero to two parenthesis
|
||||
to correctly detect which is the <tt>SELECT</tt> statement syntax to
|
||||
perform further injections with. It is also possible to specify the
|
||||
parameter(s) that you want to perform tests and use for injection on.
|
||||
<item>Option to specify the <bf>maximum number of concurrent HTTP
|
||||
|
@ -239,6 +239,9 @@ and <bf>resume the injection from this file in a second time</bf>.
|
|||
<item>Support to read options from a configuration INI file rather than
|
||||
specify each time all of the options on the command line. Support also to
|
||||
save command line options on a configuration INI file.
|
||||
<item>Integration with other IT security related open source projects,
|
||||
<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
|
||||
url="http://w3af.sourceforge.net/" name="w3af">.
|
||||
<item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding
|
||||
every query string, between single quotes, with <tt>CHAR</tt>, or similar,
|
||||
database management system function.
|
||||
|
@ -254,19 +257,19 @@ name="SourceForge File List page">.
|
|||
It is available in various formats:
|
||||
|
||||
<itemize>
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.gz"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz"
|
||||
name="Source gzip compressed"> operating system independent.
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.bz2"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2"
|
||||
name="Source bzip2 compressed"> operating system independent.
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.zip"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip"
|
||||
name="Source zip compressed"> operating system independent.
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1.1-1_all.deb"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb"
|
||||
name="DEB binary package"> architecture independent for Debian and any
|
||||
other Debian derivated GNU/Linux distribution.
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1-1.noarch.rpm"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm"
|
||||
name="RPM binary package"> architecture independent for Fedora and any
|
||||
other operating system that can install RPM packages.
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1_exe.zip"
|
||||
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip"
|
||||
name="Portable executable for Windows"> that <bf>does not require the Python
|
||||
interpreter</bf> to be installed on the operating system.
|
||||
</itemize>
|
||||
|
@ -294,7 +297,7 @@ and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">.
|
|||
<tscreen><verb>
|
||||
$ python sqlmap.py -h
|
||||
|
||||
sqlmap/0.6.1.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
||||
|
||||
Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}
|
||||
|
@ -342,13 +345,16 @@ Options:
|
|||
--dbs Enumerate DBMS databases
|
||||
--tables Enumerate DBMS database tables (opt: -D)
|
||||
--columns Enumerate DBMS database table columns (req: -T, -D)
|
||||
--dump Dump DBMS database table entries (req: -T, -D opt: -C)
|
||||
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
|
||||
--start, --stop)
|
||||
--dump-all Dump all DBMS databases tables entries
|
||||
-D DB DBMS database to enumerate
|
||||
-T TBL DBMS database table to enumerate
|
||||
-C COL DBMS database table column to enumerate
|
||||
-U USER DBMS user to enumerate
|
||||
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
||||
--start=LIMITSTART First table entry to dump
|
||||
--stop=LIMITSTOP Last table entry to dump
|
||||
--sql-query=QUERY SQL SELECT query to be executed
|
||||
--sql-shell Prompt for an interactive SQL shell
|
||||
|
||||
|
@ -380,6 +386,7 @@ Options:
|
|||
-s SESSIONFILE Save and resume all data retrieved on a session file
|
||||
-c CONFIGFILE Load options from a configuration INI file
|
||||
--save Save options on a configuration INI file
|
||||
--batch Never ask for user input, use the default behaviour
|
||||
</verb></tscreen>
|
||||
|
||||
|
||||
|
@ -486,7 +493,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:28] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
[...]
|
||||
[hh:mm:29] [INFO] testing MySQL
|
||||
|
@ -495,7 +502,7 @@ Connection: close
|
|||
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
||||
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
[...]
|
||||
</verb></tscreen>
|
||||
|
@ -511,7 +518,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:32] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -529,7 +536,7 @@ Content-Type: text/html
|
|||
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
||||
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -554,7 +561,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat
|
|||
[hh:mm:23] [TRAFFIC OUT] HTTP request:
|
||||
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
||||
Host: 192.168.1.121:80
|
||||
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
|
||||
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
|
||||
Connection: close
|
||||
|
||||
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
|
||||
|
@ -1977,7 +1984,8 @@ is connected to, which is always <tt>public</tt>.
|
|||
<sect2>Dump database tables entries
|
||||
|
||||
<p>
|
||||
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt> and <tt>-D</tt>
|
||||
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
|
||||
<tt>--start</tt> and <tt>--stop</tt>
|
||||
|
||||
<p>
|
||||
It is possible to dump the entries for a specific database table.
|
||||
|
@ -1994,15 +2002,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca
|
|||
Database: test
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
</verb></tscreen>
|
||||
|
||||
<p>
|
||||
|
@ -2046,15 +2054,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&ca
|
|||
Database: public
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
|
||||
192.168.1.121/dump/public/users.csv'
|
||||
|
@ -2070,6 +2078,39 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
|
|||
"5","","nameisnull"
|
||||
</verb></tscreen>
|
||||
|
||||
<p>
|
||||
You can also provide the <tt>--start</tt> and/or the <tt>--stop</tt> option
|
||||
to limit the dump to a range of entries.
|
||||
|
||||
<itemize>
|
||||
<item><tt>--start</tt> specifies the first entry to enumerate
|
||||
<item><tt>--stop</tt> specifies the last entry to enumerate
|
||||
</itemize>
|
||||
|
||||
<p>
|
||||
Example on a <bf>MySQL 5.0.51</bf> target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \
|
||||
-T users -D test --start 2 --stop 4
|
||||
|
||||
Database: test
|
||||
Table: users
|
||||
[3 entries]
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
</verb></tscreen>
|
||||
|
||||
<p>
|
||||
As you can see, sqlmap is very flexible: you can leave it automatically
|
||||
enumerate the whole database table up to a single column of a specific
|
||||
table entry.
|
||||
|
||||
|
||||
<sect2>Dump all databases tables entries
|
||||
|
||||
|
@ -2087,15 +2128,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca
|
|||
Database: test
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 1 | luther | blissett |
|
||||
| 2 | fluffy | bunny |
|
||||
| 3 | wu | ming |
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
Database: information_schema
|
||||
Table: CHARACTER_SETS
|
||||
|
@ -2179,15 +2220,15 @@ Table: spt_datatype_info_ext
|
|||
Database: master
|
||||
Table: users
|
||||
[5 entries]
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| id | name | surname |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
|
||||
| 2 | fluffy | bunny |
|
||||
| 1 | luther | blisset |
|
||||
| 3 | wu | ming |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+--------------------------------------------+-------------------+
|
||||
| 2 | fluffy | bunny |
|
||||
| 1 | luther | blisset |
|
||||
| 3 | wu | ming |
|
||||
| 5 | NULL | nameisnull |
|
||||
+----+----------------------------------------------+-------------------+
|
||||
|
||||
[...]
|
||||
</verb></tscreen>
|
||||
|
@ -3039,6 +3080,8 @@ back-end DBMS: MySQL >= 5.0.0
|
|||
Option: <tt>--save</tt>
|
||||
|
||||
<p>
|
||||
It is possible to save the command line options to a configuration INI
|
||||
file.
|
||||
|
||||
<p>
|
||||
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
||||
|
@ -3140,6 +3183,54 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
|
|||
</verb></tscreen>
|
||||
|
||||
|
||||
<sect2>Act in non-interactive mode
|
||||
|
||||
<p>
|
||||
Option: <tt>--batch</tt>
|
||||
|
||||
<p>
|
||||
If you want sqlmap to run as a batch tool, without interacting with you in
|
||||
case of a choice has to be done, you can force it by using <tt>--batch</tt>
|
||||
option than letting sqlmap go for a default behaviour.
|
||||
|
||||
<p>
|
||||
Example on a <bf>MySQL 5.0.51</bf> target:
|
||||
|
||||
<tscreen><verb>
|
||||
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&name=luther" -v 1 \
|
||||
--batch
|
||||
|
||||
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
|
||||
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
|
||||
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
|
||||
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
|
||||
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
|
||||
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
|
||||
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
|
||||
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
|
||||
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
|
||||
[0] place: GET, parameter: id, type: numeric (default)
|
||||
[1] place: GET, parameter: name, type: stringsingle
|
||||
[q] Quit
|
||||
Choice: 0
|
||||
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
|
||||
[...]
|
||||
back-end DBMS: MySQL >= 5.0.0
|
||||
</verb></tscreen>
|
||||
|
||||
<p>
|
||||
As you can see, sqlmap choosed automatically to injection on the first
|
||||
vulnerable parameter which is the default behaviour.
|
||||
|
||||
|
||||
<sect>Disclaimer
|
||||
|
||||
<p>
|
||||
|
|
|
@ -87,12 +87,12 @@ M Simkin <mlsimkin@cox.net>
|
|||
|
||||
Alessandro Tanasi <alessandro@tanasi.it>
|
||||
for extensively beta-testing sqlmap
|
||||
for suggesting many features and reporting some minor bugs
|
||||
for suggesting many features and reporting some bugs
|
||||
|
||||
Efrain Torres <et@metasploit.com>
|
||||
for helping me out to improve the Metasploit Framework 3 sqlmap
|
||||
auxiliary module and the integration with Metasploit WMAP framework
|
||||
for his great Metasploit WMAP framework
|
||||
auxiliary module and the integration with Metasploit WMAP Framework
|
||||
for his great Metasploit WMAP Framework
|
||||
|
||||
Sandro Tosi <matrixhasu@gmail.com>
|
||||
for helping to create sqlmap Debian package correctly
|
||||
|
|
|
@ -1,5 +1,11 @@
|
|||
To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
|
||||
the example below:
|
||||
the example below.
|
||||
|
||||
Note that if you are willing to run Metasploit's sqlmap auxiliary module on
|
||||
Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to
|
||||
your <msf3 root path>/modules/auxiliary/scanner/http/ folder then launch
|
||||
msfconsole because this module has been officially integrated in Metasploit
|
||||
from the release 3.2.
|
||||
|
||||
$ ./msfconsole
|
||||
|
Loading…
Reference in New Issue
Block a user