more doc updates

doc/ChangeLog

@@ -43,11 +43,12 @@ sqlmap (0.9-1) stable; urgency=low
   * Added --text-only switch to strip from the HTTP response body the
     HTML/JS code and compare pages based only on their textual content
     (Miroslav).
+  * Implemented few other features and switches (Bernardo and Miroslav).
   * Over 100 bugs fixed (Bernardo and Miroslav).
   * Major code refactoring (Bernardo and Miroslav).
   * User's manual updated (Bernardo).
 
- -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Day, DD MMM 2010 10:00:00 +0000
+ -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun, 10 Apr 2011 21:00:00 +0000
 
 sqlmap (0.8-1) stable; urgency=low
 

doc/README.html

@@ -9,7 +9,7 @@
 
 <H2>by 
 <A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A>, 
-<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A></H2>version 0.9, April XX, 2011
+<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A></H2>version 0.9, April 10, 2011
 <HR>
 <EM>This document is the user's manual to use 
 <A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.</EM>
@@ -561,7 +561,7 @@ the
 
 <P>
 <UL>
-<LI><B>April XX</B>, 
+<LI><B>April 10</B>, 
 <A HREF="http://sqlmap.sourceforge.net/#developers">Bernardo and Miroslav</A> release sqlmap
 <B>0.9</B> featuring a totally rewritten and powerful SQL injection
 detection engine, the possibility to connect directly to a database
@@ -1444,23 +1444,49 @@ it.</P>
 
 <P>Switch: <CODE>-</CODE><CODE>-predict-output</CODE></P>
 
-<P>TODO</P>
+<P>This switch is used in inference algorithm for sequential statistical
+prediction of characters of value being retrieved. Based on items given in
+<CODE>txt/common-outputs.txt</CODE> together with the knowledge of current
+enumeration used statistical table with the most promising values is being
+built. In case that the value can be found among the common output values,
+as the process progresses, subsequent character tables are being narrowed
+more and more. If used in combination with retrieval of common DBMS
+entities, as with system table names and privileges, speed up is
+significant. Of course, you can edit the common outputs file according to
+your needs if, for instance, you notice common patterns in database table
+names or similar.</P>
+
+<P>Note that this switch is not compatible with <CODE>-</CODE><CODE>-threads</CODE>
+switch.</P>
 
 
 <H3>HTTP Keep-Alive</H3>
 
 <P>Switch: <CODE>-</CODE><CODE>-keep-alive</CODE></P>
 
-<P>This switch instructs sqlmap to use persistent HTTP(s) connections.
-Note that this switch is incompatible with <CODE>-</CODE><CODE>-proxy</CODE> switch.</P>
+<P>This switch instructs sqlmap to use persistent HTTP(s) connections.</P>
+
+<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-proxy</CODE>
+switch.</P>
 
 
 <H3>HTTP NULL connection</H3>
 
 <P>Switch: <CODE>-</CODE><CODE>-null-connection</CODE></P>
 
-<P>TODO
-Note that this switch is incompatible with <CODE>-</CODE><CODE>-text-only</CODE>
+<P>There are special HTTP request types which can be used to retrieve
+HTTP response's size without getting the HTTP body. This knowledge can be
+used in blind injection technique to distinguish <CODE>True</CODE> from
+<CODE>False</CODE> responses. When this switch is provided, sqlmap will try to
+test and exploit two different <EM>NULL connection</EM> techniques:
+<CODE>Range</CODE> and <CODE>HEAD</CODE>.
+If any of these is supported by the target web server, speed up will come
+from the obvious saving of used bandwidth.</P>
+
+<P>These techniques are detailed in the white paper
+<A HREF="http://www.wisec.it/sectou.php?id=472f952d79293">Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)</A>.</P>
+
+<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-text-only</CODE>
 switch.</P>
 
 
@@ -1485,6 +1511,9 @@ the bisection algorithm implemented in sqlmap.</P>
 injection technique. The maximum number of concurrent requests is set to
 <B>10</B> for performance and site reliability reasons.</P>
 
+<P>Note that this switch is not compatible with
+<CODE>-</CODE><CODE>-predict-output</CODE> switch.</P>
+
 
 <H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Injection</A>
 </H2>
@@ -1787,7 +1816,10 @@ injected) page content with the injected wrong page content.
 This way the distinction will be based upon string presence or regular
 expression match.</P>
 
-<P>TODO: --text-only</P>
+<P>In cases with lot of active (e.g. scripts, embeds, etc.) content in the
+HTTP responses' body, you can filter pages (<CODE>-</CODE><CODE>-text-only</CODE>
+switch) just for their textual content. This way, in a good number of
+cases, you can automatically tune the detection engine.</P>
 
 
 <H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Techniques</A>
@@ -2313,7 +2345,8 @@ of the following categories:</P>
 <UL>
 <LI>The database management system is MySQL <B>&lt; 5.0</B> where
 <CODE>information_schema</CODE> is not available.</LI>
-<LI>The database management system is Microsoft Access where there TODO.</LI>
+<LI>The database management system is Microsoft Access and system table
+<CODE>MSysObjects</CODE> is not readable - default setting.</LI>
 <LI>The session user does not have read privileges against the system
 table storing the scheme of the databases.</LI>
 </UL>
@@ -2343,7 +2376,8 @@ cases usually fit into one of the following categories:</P>
 <UL>
 <LI>The database management system is MySQL <B>&lt; 5.0</B> where
 <CODE>information_schema</CODE> is not available.</LI>
-<LI>The database management system is Microsoft Access where there TODO.</LI>
+<LI>The database management system is Microsoft Access where this
+kind of information is not available inside system tables.</LI>
 <LI>The session user does not have read privileges against the system
 table storing the scheme of the databases.</LI>
 </UL>
@@ -2800,7 +2834,7 @@ $ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=
 <BLOCKQUOTE><CODE>
 <PRE>
 100% [===================================================] 64/64               
-[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
+[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
 
 web application technology: PHP 5.2.6, Apache 2.2.9
 back-end DBMS: Oracle

doc/README.sgml

@@ -4,7 +4,7 @@
 
 <title>sqlmap user's manual
 <author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">, <htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar">
-<date>version 0.9, April XX, 2011
+<date>version 0.9, April 10, 2011
 <abstract>
 This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
 </abstract>
@@ -487,7 +487,7 @@ name="MS10-015">).
 
 <p>
 <itemize>
-<item><bf>April XX</bf>, <htmlurl name="Bernardo and Miroslav"
+<item><bf>April 10</bf>, <htmlurl name="Bernardo and Miroslav"
 url="http://sqlmap.sourceforge.net/#developers"> release sqlmap
 <bf>0.9</bf> featuring a totally rewritten and powerful SQL injection
 detection engine, the possibility to connect directly to a database
@@ -1402,7 +1402,21 @@ Read below for details about each switch.
 Switch: <tt>-</tt><tt>-predict-output</tt>
 
 <p>
-TODO
+This switch is used in inference algorithm for sequential statistical
+prediction of characters of value being retrieved. Based on items given in
+<tt>txt/common-outputs.txt</tt> together with the knowledge of current
+enumeration used statistical table with the most promising values is being
+built. In case that the value can be found among the common output values,
+as the process progresses, subsequent character tables are being narrowed
+more and more. If used in combination with retrieval of common DBMS
+entities, as with system table names and privileges, speed up is
+significant. Of course, you can edit the common outputs file according to
+your needs if, for instance, you notice common patterns in database table
+names or similar.
+
+<p>
+Note that this switch is not compatible with <tt>-</tt><tt>-threads</tt>
+switch.
 
 
 <sect2>HTTP Keep-Alive
@@ -1412,6 +1426,8 @@ Switch: <tt>-</tt><tt>-keep-alive</tt>
 
 <p>
 This switch instructs sqlmap to use persistent HTTP(s) connections.
+
+<p>
 Note that this switch is incompatible with <tt>-</tt><tt>-proxy</tt>
 switch.
 
@@ -1422,7 +1438,21 @@ switch.
 Switch: <tt>-</tt><tt>-null-connection</tt>
 
 <p>
-TODO
+There are special HTTP request types which can be used to retrieve
+HTTP response's size without getting the HTTP body. This knowledge can be
+used in blind injection technique to distinguish <tt>True</tt> from
+<tt>False</tt> responses. When this switch is provided, sqlmap will try to
+test and exploit two different <em>NULL connection</em> techniques:
+<tt>Range</tt> and <tt>HEAD</tt>.
+If any of these is supported by the target web server, speed up will come
+from the obvious saving of used bandwidth.
+
+<p>
+These techniques are detailed in the white paper
+<htmlurl url="http://www.wisec.it/sectou.php?id=472f952d79293"
+name="Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)">.
+
+<p>
 Note that this switch is incompatible with <tt>-</tt><tt>-text-only</tt>
 switch.
 
@@ -1448,9 +1478,12 @@ when that character is retrieved - it takes up to 7 HTTP(S) requests with
 the bisection algorithm implemented in sqlmap.
 
 <p>
-Note that the multi-threading switch does not affect any other SQL
-injection technique. The maximum number of concurrent requests is set to
-<bf>10</bf> for performance and site reliability reasons.
+The maximum number of concurrent requests is set to <bf>10</bf> for
+performance and site reliability reasons.
+
+<p>
+Note that this switch is not compatible with
+<tt>-</tt><tt>-predict-output</tt> switch.
 
 
 <sect1>Injection
@@ -2904,7 +2937,7 @@ Then:
 
 <tscreen><verb>
 100% [===================================================] 64/64               
-[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
+[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
 
 web application technology: PHP 5.2.6, Apache 2.2.9
 back-end DBMS: Oracle