Miroslav Stampar
23a86ed612
minor bug fix related to Firebird time based test vectors
2010-12-03 11:05:16 +00:00
Bernardo Damele
0069a21a0d
Added also OR error-based checks, tweaked some TODOs and added some new boundaries for login forms (yet to test)
2010-12-03 10:52:24 +00:00
Miroslav Stampar
bf09b8a6d9
added Firebird error based (WHERE) attack vector
2010-12-02 15:09:21 +00:00
Bernardo Damele
df4cb1a601
On the way to get full support for injection on ORDER BY and GROUP BY clauses
2010-12-01 23:30:38 +00:00
Bernardo Damele
089c16a1b8
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
...
Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps at sql inj found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
2010-12-01 17:09:52 +00:00
Bernardo Damele
2708aad504
Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests.
2010-12-01 10:31:50 +00:00
Bernardo Damele
c8f943f5e4
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.
...
Major code refactoring and commenting to detection engine.
Ask user whether or not to proceed to test remaining parameters after an injection point has been identified.
Restore beep at SQL injection find.
Avoid reuse of same variable in DBMS handler code.
Minor adjustment of payloads XML file.
2010-11-30 22:40:25 +00:00
Bernardo Damele
6525e08d6b
Minor adjustment to detect the proper parameter type based upon --prefix and --suffix values
2010-11-29 12:13:42 +00:00
Bernardo Damele
75f7df75b6
Minor fix
2010-11-28 23:33:51 +00:00
Bernardo Damele
7e3b24afe6
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own.
...
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00
Bernardo Damele
e32be2b4e7
Minor adjustment
2010-11-23 15:06:40 +00:00
Miroslav Stampar
c6545f5c9f
we had a bug (nooooooooo!!!! :))
2010-11-19 10:36:47 +00:00
Bernardo Damele
17486e472a
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-17 22:00:09 +00:00
Miroslav Stampar
42272ca78c
minor update
2010-11-11 22:26:36 +00:00
Miroslav Stampar
1a708cf12d
update for ASP/Ingres
2010-11-05 16:21:22 +00:00
Miroslav Stampar
173e893d11
added error message support for Ingres
2010-11-05 16:19:41 +00:00
Miroslav Stampar
3f0a443b83
some updates
2010-11-04 23:08:59 +00:00
Miroslav Stampar
d5fcc9d8b5
few updates/fixes here and there
2010-11-04 08:03:59 +00:00
Miroslav Stampar
977df7276d
minor update
2010-11-03 06:25:24 +00:00
Miroslav Stampar
4b56fa4f8f
now --tables work for MaxDB
2010-11-02 22:11:45 +00:00
Miroslav Stampar
b761523f3f
now --users works for MaxDB too
2010-11-02 21:52:48 +00:00
Miroslav Stampar
cd0d4135ac
implemented --banner for MaxDB and some minor fixes
2010-11-02 20:51:55 +00:00
Miroslav Stampar
49bf34ffd9
minor fix
2010-11-02 18:43:20 +00:00
Bernardo Damele
720e235d9a
Fixed Windows 2003/2008 signatures. Added more old RedHat Server header signatures. Added old Debian etch signature too.
2010-10-31 18:18:49 +00:00
Miroslav Stampar
f7d42af046
some fixes regarding --check-payload
2010-10-29 11:00:23 +00:00
Bernardo Damele
0efecde248
Minor update to properly differentiate Windows 2003 by 2008 via HTTP response headers
2010-10-27 10:09:47 +00:00
Miroslav Stampar
749e25a217
Implementation of --passwords for Sybase
2010-10-26 21:35:30 +00:00
Miroslav Stampar
1b90c1d131
added FreeBSD
2010-10-26 20:48:52 +00:00
Miroslav Stampar
4da2046492
massive update of server fingerprints
2010-10-26 20:00:29 +00:00
Miroslav Stampar
080c5aef80
minor update
2010-10-26 19:08:11 +00:00
Miroslav Stampar
8a9a57c709
update for Sybase and major bug fix for --passwords on MSSQL
2010-10-25 22:11:38 +00:00
Miroslav Stampar
9b56fbafbe
that Sybase is going to be pain in the ass
2010-10-25 21:43:13 +00:00
Miroslav Stampar
228ac0cde5
refactoring regarding --check-payload
2010-10-25 18:38:54 +00:00
Miroslav Stampar
378653a1ec
added IDS payload testing
2010-10-25 15:37:43 +00:00
Miroslav Stampar
aa931efd4d
several MySQL fixes/enhancements pointed out by Anton Mogilin
2010-10-24 22:05:14 +00:00
Miroslav Stampar
68d39d5976
minor minor fix
2010-10-23 09:12:08 +00:00
Miroslav Stampar
32a4350779
update for MaxDB
2010-10-23 09:03:59 +00:00
Miroslav Stampar
98f5586b87
minor update
2010-10-23 08:05:24 +00:00
Miroslav Stampar
f8850e3f41
update (xml fix and refactoring)
2010-10-23 07:44:34 +00:00
Miroslav Stampar
a7a53af924
update for Sybase
2010-10-23 07:37:43 +00:00
Miroslav Stampar
dec4d858b3
fix for Bug #207
2010-10-22 14:01:48 +00:00
Miroslav Stampar
e24bff0497
nice refactoring
2010-10-20 09:46:57 +00:00
Miroslav Stampar
5d3cbec457
no more regex. web server independent.
2010-10-20 09:35:46 +00:00
Miroslav Stampar
b032fdbf74
added randInt to error injection vectors
2010-10-20 08:56:58 +00:00
Miroslav Stampar
f2dae98448
fix for MySQL error queries
2010-10-19 23:30:08 +00:00
Miroslav Stampar
1fce9683f8
now --users work for MSSQL too
2010-10-19 15:05:32 +00:00
Miroslav Stampar
80505de15b
now --users work on Oracle and Postgre (tested)
2010-10-19 14:56:57 +00:00
Miroslav Stampar
4bc541ec3c
error based update
2010-10-19 14:47:13 +00:00
Miroslav Stampar
bf850af2d8
fix for Oracle error based query "space" problem
2010-10-19 14:10:09 +00:00
Miroslav Stampar
878135fe40
minor fix
2010-10-19 14:00:27 +00:00