Bernardo Damele
da3fd17fc3
Adjustment to make it work also in OR based injection
2010-12-05 12:24:23 +00:00
Miroslav Stampar
5764816891
minor cosmetics
2010-12-03 22:28:09 +00:00
Bernardo Damele
c22338ce90
Removed --error-test, --stacked-test and --time-test switches and adapted the code accordingly. This is due to the fact that the new XML based detection engine already supports all of those tests (and more).
2010-11-29 11:47:58 +00:00
Miroslav Stampar
6712f4da55
some refactoring and one less request for aspx maintanance during --os-shell
2010-11-24 14:20:43 +00:00
Miroslav Stampar
9579a97039
now ASPX works too for --os-shell
2010-11-24 11:38:27 +00:00
Bernardo Damele
17486e472a
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-17 22:00:09 +00:00
Miroslav Stampar
17f0609263
minor bug fix
2010-11-17 13:29:57 +00:00
Miroslav Stampar
2802923dbe
some improvements regarding --os-shell web server application choice
2010-11-17 11:45:52 +00:00
Miroslav Stampar
bec152609a
minor cosmetics and bug fix for Windows machines ('\\' is interpreted as \ and inside the script it can screw things up as it's a marker for a special character - thus '\\\\' is interpreted as \\ which represents special character \)
2010-11-17 09:33:05 +00:00
Miroslav Stampar
e7a66371f8
update regarding os shell-ing regarding JSP and ASPX
2010-11-16 13:46:46 +00:00
Miroslav Stampar
862395ced1
further refactoring (all enumerations are now put into enums.py)
2010-11-08 09:20:02 +00:00
Bernardo Damele
91a3a582e8
Minor bug fix to avoid crash when running sqlmap behind a proxy server
2010-11-04 12:22:04 +00:00
Miroslav Stampar
6adee3792a
removed all trailing spaces from blank lines
2010-11-03 10:08:27 +00:00
Bernardo Damele
c7c84c3089
Closes #111 (DECLARE/CHAR encode xp_cmdshell parameter in MSSQL).
2010-11-02 15:31:51 +00:00
Miroslav Stampar
685a8e7d2c
refactoring of hard coded dbms names
2010-11-02 11:59:24 +00:00
Bernardo Damele
65a0a8d285
Delegate urlencoding to agent.py only
2010-10-31 13:28:05 +00:00
Bernardo Damele
a0df231aa4
Avoid waiting 30 seconds when cleaning up the dbms and file system from sqlmap data
2010-10-29 13:09:53 +00:00
Bernardo Damele
b3b2c3864a
Minor code refactoring
2010-10-29 10:51:09 +00:00
Bernardo Damele
4f8e9da1b6
Minor bug fix to properly delete sqlmap temporary files on the database server file system at shutdown.
...
Minor improvements at ICMPsh tunnel to cleanup properly the dbms at shutdown and avoid checking/writing sys_bineval() UDF as it's a PE and needs to be called by sys_exec() only.
Got rid of useless doubleslash param in delRemoteFile() method.
Major code refactoring to xp_cmdshell.py methods and parent calls.
2010-10-28 00:19:40 +00:00
Bernardo Damele
56c16cb471
Minor bug fixes and enhancements to ICMPsh tunnel
2010-10-27 23:01:17 +00:00
Bernardo Damele
a391be833b
Implemented ICMP tunneling for out-of-band takeover (--os-pwn) as an alternative to TCP tunneling (Metasploit). It relies on icmpsh, the back-end dbms server has to be Windows as the icmpsh slave runs on Windows only for the moment. sqlmap needs to be executed as root to work.
2010-10-27 21:02:22 +00:00
Bernardo Damele
bdb9c37a7e
Cosmetics
2010-10-25 15:17:59 +00:00
Miroslav Stampar
e6e48c5556
fix for Bug #204
2010-10-22 18:23:46 +00:00
Miroslav Stampar
1b2ec826bf
misc fixes regarding new query retrieval format
2010-10-21 23:17:06 +00:00
Bernardo Damele
e73e06069b
Minor code refactoring
2010-10-20 22:09:03 +00:00
Bernardo Damele
862cc9ac53
Minor cosmetic fixes
2010-10-20 21:58:33 +00:00
Bernardo Damele
f95098693f
Removed unused functions
2010-10-20 21:16:28 +00:00
Bernardo Damele
683184cc8f
Minor refactoring
2010-10-17 21:06:52 +00:00
Bernardo Damele
f54c134d22
Minor adjustment
2010-10-16 22:43:05 +00:00
Miroslav Stampar
4f7f20b94f
sorry, cosmetics
2010-10-14 23:18:29 +00:00
Miroslav Stampar
8b48833136
large commit with copyright header modifications
2010-10-14 14:41:14 +00:00
Miroslav Stampar
49915f3c33
minor update
2010-09-30 19:49:14 +00:00
Miroslav Stampar
87abec16bd
probable fix for a bug reported by Prashant Jadhav
2010-09-30 18:52:33 +00:00
Bernardo Damele
8dfe08a353
Minor bug fix to -d
2010-07-01 10:44:31 +00:00
Miroslav Stampar
12a5ec9f3d
more unicode refactoring
2010-06-02 12:45:40 +00:00
Bernardo Damele
8be91a98cc
Minor bug fix and adjustment
2010-05-29 15:28:37 +00:00
Bernardo Damele
89c721a451
More replacements from open() to codecs.open(). conf.dataEncoding has to be used only for non-binary files.
2010-05-29 10:10:28 +00:00
Bernardo Damele
84778f0e6c
Minor fix, leave like this
2010-05-29 08:58:55 +00:00
Miroslav Stampar
d3e527aba3
minor update
2010-05-29 07:13:54 +00:00
Bernardo Damele
10521b68eb
Major bug fix in multipartpost and minor adjustments elsewhere
2010-05-28 23:12:20 +00:00
Bernardo Damele
06af405efd
Adapted and merged in patch to support XML output (-x switch) - still in beta.
...
Minor bug fixes and adjustments.
2010-05-28 16:43:04 +00:00
Miroslav Stampar
a3db3c03c1
str() -> unicode()
2010-05-28 13:05:02 +00:00
Miroslav Stampar
dc83f794ea
fix regarding proper string isinstance checking (including unicode)
2010-05-25 10:09:35 +00:00
Bernardo Damele
a21a7fc56d
Minor code refactoring
2010-05-21 12:09:31 +00:00
Bernardo Damele
4c91b5a896
Minor fix
2010-05-10 14:18:41 +00:00
Bernardo Damele
a1b1f960cc
Finally fixed and adapted all code around to the new isWindowsDriveLetterPath() function
2010-04-23 16:34:20 +00:00
Miroslav Stampar
1bcec80e95
fix for that takeover bug Ethan Robish posted (Windows/PHP)
2010-04-22 10:31:33 +00:00
Bernardo Damele
b19de015c5
Minor bugs fixes
2010-03-31 13:52:51 +00:00
Bernardo Damele
d00e4a458a
Code cleanup
2010-03-21 00:39:44 +00:00
Miroslav Stampar
4c6c91a80b
another --reg-read fix
2010-03-12 23:12:06 +00:00
Bernardo Damele
7d8cc1a482
Get rid of Churrasco (Token kidnapping technique to --priv-esc). Reasons why:
...
1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed
2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays.
Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter.
Minor layout adjustments.
2010-03-12 22:43:35 +00:00
Miroslav Stampar
6b1ae62753
final fix for reading registry keys (now both parse and non-parse reads work fine)
2010-03-12 22:26:06 +00:00
Miroslav Stampar
0a2fe651ab
some fixes regarding registry reading
2010-03-12 22:09:58 +00:00
Bernardo Damele
b50a2288f4
Minor layout adjustments
2010-03-11 23:54:07 +00:00
Bernardo Damele
cc611c0010
Minor layout adjustments
2010-03-09 22:14:26 +00:00
Bernardo Damele
156fdd96ef
Updated copyright
2010-03-03 15:26:27 +00:00
Bernardo Damele
2f452480b3
Minor bug fix in syntax
2010-03-01 14:40:18 +00:00
Bernardo Damele
f53ef947f1
Slightly stealthier
2010-02-26 13:14:57 +00:00
Bernardo Damele
694356821d
sqlmap does not save nor leave back in temporary folder any file named 'sqlmapRANDOM', only random names now, less suspicious
2010-02-26 13:13:50 +00:00
Miroslav Stampar
1f2a1bb24c
removed some redundant code
2010-02-26 12:36:41 +00:00
Miroslav Stampar
e4c34ff86c
changed default web server language behaviour
2010-02-25 16:55:02 +00:00
Miroslav Stampar
0913d700a8
important update regarding default directories
2010-02-25 15:22:41 +00:00
Miroslav Stampar
4a3fa69f9d
minor adjustment
2010-02-25 15:07:54 +00:00
Bernardo Damele
0df5b5fed9
Minor bug fix and code adjustments
2010-02-25 14:06:44 +00:00
Miroslav Stampar
24d3e24db0
more updates regarding --os-shell feature
2010-02-25 12:16:49 +00:00
Miroslav Stampar
b558712a47
more feature updates
2010-02-25 11:40:49 +00:00
Miroslav Stampar
15d1fcbb7f
now runcmd exe has random name too
2010-02-25 10:47:12 +00:00
Miroslav Stampar
2cafd5697b
new changes regarding --os-shell
2010-02-25 10:33:41 +00:00
Miroslav Stampar
858cb25975
update
2010-02-24 23:40:56 +00:00
Miroslav Stampar
2a07af2294
removed pdb tracing
2010-02-20 22:36:17 +00:00
Miroslav Stampar
0debc95ad4
some fixes
2010-02-20 22:31:54 +00:00
Bernardo Damele
d1e3596382
Minor UPX adjustment
2010-02-20 19:02:55 +00:00
Miroslav Stampar
0ed5ba5559
minor update
2010-02-16 13:24:09 +00:00
Miroslav Stampar
c4951fd631
some updates regarding --os-shell option
2010-02-16 13:20:34 +00:00
Bernardo Damele
dc06b40ddc
Minor exception message fix
2010-02-11 23:07:33 +00:00
Bernardo Damele
89dc99188d
--read-file on PostgreSQL now relies on the new sys_fileread() UDF so that also binary files can be read.
...
Fixed a minor bug in custom UDF injection feature --udf-inject.
Major code refactoring.
2010-02-11 22:57:50 +00:00
Miroslav Stampar
00a23ace9a
some changes regarding web takeover
2010-02-09 14:27:41 +00:00
Bernardo Damele
5c92fad5dc
Avoid to check for existence of not needed UDFs and minor code adjustment for cleanup() method
2010-02-05 23:14:16 +00:00
Miroslav Stampar
d291464cd4
code refactoring regarding path normalization
2010-02-04 14:50:54 +00:00
Miroslav Stampar
dbd52c52e4
minor fix
2010-02-04 14:39:24 +00:00
Miroslav Stampar
ec63fc4036
code refactoring - added functions posixToNtSlashes and ntToPosixSlashes
2010-02-04 14:37:00 +00:00
Miroslav Stampar
87239476af
more fixes :)
2010-02-04 10:10:41 +00:00
Miroslav Stampar
e4699f389d
some bug fixes regarding --os-shell usage against windows servers
2010-02-04 09:49:31 +00:00
Miroslav Stampar
ea045eaa2f
fixed serious issue with adding file paths into kb.absFilePaths (dirname was wrongly added, and afterwards getDirs used dirname of dirname)
...
also, fixed some issues with Windows paths
2010-02-03 16:40:12 +00:00
Miroslav Stampar
7c88e32f9d
bug fix for 404 program termination during shell upload attempt
2010-02-03 16:16:34 +00:00
Miroslav Stampar
565433097e
used normalizePath instead of os.path.normalize
2010-02-03 16:10:09 +00:00
Miroslav Stampar
87c8bdbc29
removed pdb tracing
2010-02-03 14:52:29 +00:00
Miroslav Stampar
c74b920f54
bug fix
2010-02-03 14:49:28 +00:00
Bernardo Damele
979c919dc7
Minor logging message adjustment
2010-01-29 22:58:12 +00:00
Bernardo Damele
e8b0fd90c8
Minor bug fix
2010-01-29 19:32:02 +00:00
Bernardo Damele
767c67e37a
--priv-esc now relieas on more powerful and complete getsystem Meterpreter command that also implements kitrap0d as 4th technique
2010-01-29 14:57:33 +00:00
Miroslav Stampar
061794650f
minor fix
2010-01-29 10:15:05 +00:00
Miroslav Stampar
92817159dc
cloaked upx for windows (used mkstemp because of execution and file access rights problem)
2010-01-29 10:12:09 +00:00
Bernardo Damele
200518724c
By default do not use Churrasco, but still let the user choose it.
...
The default technique to privilege escalate the OS user to SYSTEM when --priv-esc is provided now it 'run kitrap0d'.
2010-01-29 02:27:50 +00:00
Bernardo Damele
7b8316728c
Major bug fix in takeover functionalities on Microsoft SQL Server
2010-01-29 00:09:05 +00:00
Bernardo Damele
6f5d2ed171
Minor cosmetic adjustments
2010-01-28 17:07:34 +00:00
Miroslav Stampar
a2077bfc0e
quick fix
2010-01-28 16:56:00 +00:00
Miroslav Stampar
732ed48e2b
some refactoring regarding decloaking
2010-01-28 16:50:34 +00:00
Bernardo Damele
dcbbad642d
Minor self fix, switched to rc6
2010-01-28 10:27:47 +00:00
Miroslav Stampar
f6b447f6e7
fix for "NameError: global name 'webFileStreamUpload' is not defined"
2010-01-28 08:54:47 +00:00
Miroslav Stampar
921e449454
added support for cloaking Churrasco.exe file
2010-01-28 00:07:33 +00:00
Miroslav Stampar
4559ded6c1
added new line at the end of the file
2010-01-27 17:02:23 +00:00
Miroslav Stampar
f4b8ce5c72
fix for 'No such file or directory' OSError exception
2010-01-27 17:00:54 +00:00
Miroslav Stampar
d0acb1c5a3
another fix. hope it works :)
2010-01-27 16:01:50 +00:00
Miroslav Stampar
f8056f4098
quick fix regarding usage of StringIO instead of file stream
2010-01-27 15:44:35 +00:00
Miroslav Stampar
1d15c595a4
minor fix
2010-01-27 14:08:09 +00:00
Miroslav Stampar
e63428207c
modified a way to handle shell scripts
2010-01-27 13:59:25 +00:00
Bernardo Damele
6437c16156
run kitrap0d script along with listing Windows Impersonation Tokens via meterpreter's incognito extension when --priv-esc is provided (see #149 ).
2010-01-26 01:14:44 +00:00
Bernardo Damele
f337cd6e0a
Minor speedup to check if sqlmap's UDF have already been created
2010-01-16 21:46:35 +00:00
Bernardo Damele
c4215ce8d2
Minor code refactoring
2010-01-14 20:42:45 +00:00
Bernardo Damele
1d968f51e9
More code refactoring
2010-01-14 15:11:32 +00:00
Bernardo Damele
c9863bc1d2
Minor code refactoring
2010-01-14 14:33:08 +00:00
Bernardo Damele
070ccc30e9
Added automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP.
...
Updated ChangeLog.
Major code refactoring.
2010-01-14 14:03:16 +00:00
Bernardo Damele
bb61010a45
Avoid useless checks for --os-bof (no need to check for DBA or for xp_cmdshell). Minor code restyling.
2010-01-04 15:02:56 +00:00
Bernardo Damele
ce022a3b6e
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup.
2010-01-02 02:02:12 +00:00
Bernardo Damele
e4e081cdc6
sqlmap 0.8-rc2: minor enhancement based on msfencode 3.3.3-dev -t exe-small so that also PostgreSQL supports again the out-of-band via Metasploit payload stager optionally to shellcode execution in-memory via sys_bineval() UDF. Speed up OOB connect back. Cleanup target file system after --os-pwn too. Minor bug fix to correctly forge file system paths with os.path.join() all around. Minor code refactoring and user's manual update.
2009-12-17 22:04:01 +00:00
Bernardo Damele
e28b98a366
Minor layout adjustments
2009-12-02 22:52:17 +00:00
Bernardo Damele
4779a5fe0f
Minor layout adjustment
2009-11-16 16:39:31 +00:00
Bernardo Damele
89c43893d4
Merged back from personal branch to trunk (svn merge -r846:940 ...)
...
Changes:
* Major enhancement to the Microsoft SQL Server stored procedure
heap-based buffer overflow exploit (--os-bof) to automatically bypass
DEP memory protection.
* Added support for MySQL and PostgreSQL to execute Metasploit shellcode
via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
option instead of uploading the standalone payload stager executable.
* Added options for MySQL, PostgreSQL and Microsoft SQL Server to
read/add/delete Windows registry keys.
* Added options for MySQL and PostgreSQL to inject custom user-defined
functions.
* Added support for --first and --last so the user now has even more
granularity in what to enumerate in the query output.
* Minor enhancement to save the session by default in
'output/hostname/session' file if -s option is not specified.
* Minor improvement to automatically remove sqlmap created temporary
files from the DBMS underlying file system.
* Minor bugs fixed.
* Major code refactoring.
2009-09-25 23:03:45 +00:00
Bernardo Damele
d905e5ef9f
Minor bug fix to --os-cmd/--os-shell for Microsoft SQL Server
2009-07-25 11:45:23 +00:00
Bernardo Damele
b4fd71e8b9
Minor adjustment to reflect Metasploit r6849 ( http://trac.metasploit.com/changeset/6849 ) and minor code refactoring.
2009-07-20 14:36:33 +00:00
Bernardo Damele
4b622ed860
Minor bug fix.
...
Adapted Metasploit wrapping functions to work with latest msf3 development version too.
2009-07-06 14:40:33 +00:00
Bernardo Damele
0fc4587f02
Added support for reflective meterpreter by default when the target OS
...
is Windows and minor layout fix
2009-07-03 17:59:20 +00:00
Bernardo Damele
03a6739fbf
Minor layout adjustments
2009-06-11 15:34:31 +00:00
Bernardo Damele
06cc2a6d70
Minor bug fixes and code refactoring
2009-05-11 15:37:48 +00:00
Bernardo Damele
e8c115500d
Now it works also on Mac OS X
2009-04-30 10:46:50 +00:00
Bernardo Damele
16b4530bbe
Minor bug fixes to --os-shell (altought web backdoor functionality still to be reviewed).
...
Minor common library code refactoring.
Code cleanup.
Set back the default User-Agent to sqlmap for comparison algorithm reasons.
Updated THANKS.
2009-04-27 23:05:11 +00:00
Bernardo Damele
6f4035938b
Let the user choose also the local address in reverse OOB connection
2009-04-24 10:27:52 +00:00
Bernardo Damele
4ce74764b7
More verbose when reporting failure to create shellcode/payload stager (via Metasploit)
2009-04-23 20:39:32 +00:00
Bernardo Damele
8c0ac767f4
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00