Bernardo Damele
ed4cfbb6d2
Minor fix
2011-06-27 08:58:59 +00:00
Miroslav Stampar
bedf16b88b
adding payloads for time-based injection on SAP MaxDB (heavy query)
2011-06-26 23:46:09 +00:00
Miroslav Stampar
d0490cc4e7
adding payloads for time-based injection on DB2 (heavy query)
2011-06-26 16:38:22 +00:00
Bernardo Damele
36c96ef796
Added DB2 support - patch provided by Sebastian Bittig
2011-06-25 09:44:24 +00:00
Bernardo Damele
b2e6cf3ed9
Enabled --search -C also for Oracle
2011-06-24 14:34:20 +00:00
Miroslav Stampar
4188df0501
fixes for Sybase
2011-06-15 18:49:35 +00:00
Miroslav Stampar
9f6b70f3f9
update
2011-05-26 22:45:33 +00:00
Miroslav Stampar
0baf931669
real generic comment is "-- " not "--" (MySQL doesn't support "--")
2011-05-24 09:16:21 +00:00
Miroslav Stampar
171a4c389b
added MySQL >=4.1 <=5.0 error based WHERE/HAVING payload
2011-05-23 06:24:45 +00:00
Miroslav Stampar
939e6541d0
far safer way for dealing with error-based payloads on MySQL (no timeouts with .CHARACTER_SETS on testing platforms versus when used .TABLES)
2011-05-19 23:36:51 +00:00
Miroslav Stampar
bd1b07fbc2
one more parameter replace payload for MySQL and rising level of GENERATE_SERIES for PostgreSQL
2011-05-19 06:32:23 +00:00
Miroslav Stampar
7f086916c0
decent parameter replace payload for PostgreSQL (GENERATE_SERIES)
2011-05-18 23:40:42 +00:00
Miroslav Stampar
e58d6d2e00
removing (CBRT(LN(0)) because it's nothing special compared to standard 1/0; also, removing parameter replacement with returned value 1 as it doesn't have much sense in comparison to origvalue one (which is far more stable and usable)
2011-05-18 23:20:02 +00:00
Miroslav Stampar
fe50d09cc8
added new payload for PostgreSQL (parameter replace)
2011-05-18 23:01:41 +00:00
Bernardo Damele
3a8309c4b0
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 15:34:54 +00:00
Bernardo Damele
aae140080e
SVN roll back, DB2 patch will be recommitted after testing:
...
$ svn merge https://svn.sqlmap.org/sqlmap/trunk/sqlmap@HEAD https://svn.sqlmap.org/sqlmap/trunk/sqlmap@3847 .
2011-05-06 10:27:43 +00:00
Miroslav Stampar
6e392b6054
applying contributed patch for DB2
2011-05-06 09:30:39 +00:00
Bernardo Damele
36a9ddaacc
Minor bug fixes and code restyling for --privileges and --passwords
2011-04-30 14:50:27 +00:00
Bernardo Damele
7df954dd9f
paranoy
2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752
parenthesis were missing; banning OR NOT from payloads
2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145
leftover
2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70
In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this
2011-04-21 20:36:50 +00:00
Miroslav Stampar
05a0e1d3b0
fix for a bug reported by m4l1c3 (TypeError: not all arguments converted during string formatting)
2011-04-15 11:34:14 +00:00
Miroslav Stampar
136e85abf3
little refresh of PHPIDS rules for --check-payload
2011-04-11 15:37:49 +00:00
Miroslav Stampar
75f286cf6d
minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html
2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d
lol. re-revert
2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508
Leave it as is :)
2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9
revert of that last commit (waiting for some better days)
2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34
update of MySQL comments
2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83
Leave it as is!!!
2011-04-10 21:47:23 +00:00
Miroslav Stampar
d0cef21d9c
fix
2011-04-10 21:19:34 +00:00
Miroslav Stampar
6fa2fd139c
implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field)
2011-04-08 15:17:57 +00:00
Bernardo Damele
02eeeccd33
Added UNION query SQL injection tests also with a random number for columns (not only NULL)
2011-04-07 13:39:36 +00:00
Miroslav Stampar
ca009e9fe2
minor update
2011-04-07 10:43:19 +00:00
Miroslav Stampar
672abc27fd
minor adjustment of livetests for new flavor of --technique
2011-04-07 10:41:12 +00:00
Miroslav Stampar
e27afef6be
minor update regarding --current-db on Oracle
2011-04-01 15:56:11 +00:00
Miroslav Stampar
60102209f6
quick fix for a bug reported by Kirill (AttributeError: 'NoneType' object has no attribute 'split')
2011-04-01 11:14:24 +00:00
Miroslav Stampar
b7813f9e68
incrementing level for MySQL stacked payloads
2011-03-29 07:31:56 +00:00
Miroslav Stampar
86f93713d3
fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update
2011-03-29 06:25:17 +00:00
Miroslav Stampar
73e5d20ade
bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries)
2011-03-28 11:01:55 +00:00
Miroslav Stampar
5eb7787fc9
adding partial union cases to the live tests
2011-03-25 15:56:15 +00:00
Miroslav Stampar
670aa7f99b
update for live tests (added dumping of columns and table values)
2011-03-25 15:37:11 +00:00
Miroslav Stampar
e80c9e08d8
minor update regarding --live-test
2011-03-25 09:03:08 +00:00
Miroslav Stampar
82ab4c8dc2
minor fix (ORDER BY 1 screws things up in blind mode)
2011-03-24 14:19:32 +00:00
Miroslav Stampar
06a5c39efe
fix related to the bug reported by Alone Shell
2011-03-24 14:03:40 +00:00
Miroslav Stampar
cef2c0879d
adding live test cases for --technique=1 too
2011-03-24 12:19:40 +00:00
Miroslav Stampar
33c01726dd
adding basic live tests for MSSQL too
2011-03-24 12:01:53 +00:00
Miroslav Stampar
2b15ad57c2
basic live tests against 3 major DBMSes
2011-03-24 11:47:01 +00:00
Miroslav Stampar
b72cdfe9e6
fix for mssql regarding usage of schema names reported by jabra@spl0it.org
2011-03-23 10:40:34 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
4889764114
minor update regarding last commit
2011-03-21 11:40:27 +00:00
Miroslav Stampar
5291fe35c9
proper implementation of --dbs on Oracle (we are using now schema names as a counterpart to dbs in other DBMSes)
2011-03-21 11:29:43 +00:00
Miroslav Stampar
0535225fe7
throwing out obsolete ORDER BY 1 from inband queries
2011-03-16 14:18:12 +00:00
Miroslav Stampar
eedd6a990d
removing space after , for our payloads
2011-03-08 14:29:22 +00:00
Miroslav Stampar
3dc31f6273
removing spaces after , in our queries
2011-03-08 14:07:26 +00:00
Miroslav Stampar
ff9080de48
MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL
2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9
added some Microsoft Access payloads
2011-02-21 20:04:50 +00:00
Bernardo Damele
3e8c204121
Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba
2011-02-21 16:00:56 +00:00
Miroslav Stampar
68a95fd1b1
minor update
2011-02-20 22:45:23 +00:00
Miroslav Stampar
aac817935a
further improvement of MaxDB support
2011-02-20 22:41:42 +00:00
Miroslav Stampar
a3ba8b6928
--dump now works on MaxDB too
2011-02-20 22:07:12 +00:00
Miroslav Stampar
59e666d16e
--is-dba (related) update for Sybase
2011-02-20 17:28:06 +00:00
Miroslav Stampar
67ec691eb1
more updates regarding Sybase
2011-02-20 16:28:48 +00:00
Miroslav Stampar
823e4351b5
minor change
2011-02-20 12:34:09 +00:00
Miroslav Stampar
f30dea74f3
more Sybase updates
2011-02-19 18:36:26 +00:00
Miroslav Stampar
b71bb321dd
some more Sybase updates
2011-02-19 18:04:27 +00:00
Miroslav Stampar
e0efe453ab
minor update regarding Sybase support
2011-02-19 14:07:08 +00:00
Miroslav Stampar
5f4ffc9287
update regarding Sybase dumping
2011-02-19 00:36:47 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
394ccb5cc5
Added query for MSSQL/--privileges
2011-02-10 15:52:55 +00:00
Miroslav Stampar
5050a76b59
update regarding reading of table names from access system tables
2011-02-09 10:33:29 +00:00
Miroslav Stampar
1a5a66870e
problem fixed
2011-02-07 11:57:41 +00:00
Bernardo Damele
7dcfcca87f
Tests' titles adjustments
2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56
minor update
2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f
reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded.
2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119
bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values
2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4
Minor adjustments to levels of boundaries
2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f
revert of r3203
2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f
i believe that this one should be the first level 1 boundary
2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad
new default UNION test(s) ranges
2011-02-03 16:26:35 +00:00
Miroslav Stampar
4bb7ffcb3a
minor update
2011-02-03 13:18:43 +00:00
Bernardo Damele
8397c526d8
Minor adjustment
2011-01-31 21:20:23 +00:00
Miroslav Stampar
f9eac97fe8
refactoring of MSSQL XML banner parsing
2011-01-31 11:38:00 +00:00
Miroslav Stampar
14de5809ea
update
2011-01-31 11:08:58 +00:00
Miroslav Stampar
5aa958a146
ASCII & CHR is quite common, so removing this one
2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6
changing level of last payload
2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82
new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted")
2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005
another premiere, yeeej. IDSes, watch yourself :)
2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2
minor update
2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4
world premiere :)
2011-01-24 21:21:11 +00:00
Miroslav Stampar
440264341c
minor update
2011-01-24 17:43:25 +00:00
Miroslav Stampar
0eea5665b2
minor update
2011-01-24 17:41:36 +00:00
Bernardo Damele
b0dc6c24eb
Moved
2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627
patch for possible query optimization (avoid precalculation of 1/0)
2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04
Minor fix and cosmetics
2011-01-24 11:12:33 +00:00
Miroslav Stampar
db76bcb327
fix for cases when mixing ingres dbms with spanish word "ingresa"
2011-01-23 11:19:10 +00:00
Miroslav Stampar
7bf05bf2cb
minor update
2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda
implemented Johannes Dahse / Reiners' technique
2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879
minor update
2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5
more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked)
2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Miroslav Stampar
79e4b1efd5
added new signature for SQLite error messages
2011-01-20 22:47:03 +00:00
Bernardo Damele
6c490bfc8f
Avoid a traceback elsewhere
2011-01-20 21:43:41 +00:00
Bernardo Damele
7ce49bcf0d
Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
...
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
f6d79f58bc
another fix (LIMIT is not a good idea to have in inband queries)
2011-01-20 21:13:28 +00:00
Miroslav Stampar
ff1a44c335
probably a fix for that SQLite bug reported by Ahmed Shawky
2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00
Miroslav Stampar
2efe7928c0
more concise than previously
2011-01-02 17:06:13 +00:00
Miroslav Stampar
a56934e68b
one more MSSQL/ASPX error banner regex
2011-01-02 15:36:57 +00:00
Miroslav Stampar
e6f0c4d857
minor update
2011-01-02 15:32:35 +00:00
Miroslav Stampar
c1d0dde769
added support for .NET banners ( http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx )
2011-01-02 14:46:31 +00:00
Miroslav Stampar
93cb75ff65
added Nginx
2011-01-02 08:50:27 +00:00
Miroslav Stampar
ded9798e3d
minor bug fix
2011-01-01 23:07:50 +00:00
Miroslav Stampar
c3065f6ecc
minor fix
2010-12-29 20:38:56 +00:00
Miroslav Stampar
96c3ffd3d7
changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload
2010-12-27 19:02:13 +00:00
Miroslav Stampar
2c8115eed9
further improvement for ms access table dumping
2010-12-26 01:04:30 +00:00
Miroslav Stampar
fb099615e2
minor update
2010-12-25 11:16:35 +00:00
Miroslav Stampar
272476773f
getPageTextWordsSet on tableExists is pretty powerful stuff
2010-12-25 09:37:33 +00:00
Miroslav Stampar
706d8e0b88
development update (basic ms access dumping implemented)
2010-12-24 19:53:11 +00:00
Miroslav Stampar
edcf1a0872
few bug fixes
2010-12-24 18:40:48 +00:00
Miroslav Stampar
3043ed095a
bug fix (those two regexes where too generic making false MS ACCESS positives here and there)
2010-12-24 00:11:10 +00:00
Miroslav Stampar
5a0aef0f33
fix for a case: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [MySQL][ODBC 3.51 Driver][mysqld-5.1.31-community] - it was wrongly error message recognized as MS SQL Server
2010-12-23 09:53:13 +00:00
Miroslav Stampar
8fc60215ed
lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called.
2010-12-22 19:12:46 +00:00
Bernardo Damele
c9ab8ae60e
Bug fix to properly identify if current user is DBA (--is-dba) on MySQL
2010-12-22 14:06:01 +00:00
Bernardo Damele
e791f8f2b7
Minor fix
2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000
new error vector for MS SQL (from David Guimaraes' mail)
2010-12-17 19:00:20 +00:00
Miroslav Stampar
3ee44584d4
i've found a way! thank you hesus! fyea (ASC(MID) was just crashing when MID returned 'empty string')
2010-12-14 12:57:59 +00:00
Bernardo Damele
207f63cebc
Prepare for UNION query tests at detection phase
2010-12-13 21:31:34 +00:00
Miroslav Stampar
33639578ee
minor update for MS Access
2010-12-12 15:25:19 +00:00
Miroslav Stampar
b1babeefe5
update regarding dumping of tables with blind on Sqlite
2010-12-11 22:00:16 +00:00
Miroslav Stampar
acc7d6d40c
fix
2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b
update
2010-12-11 08:24:29 +00:00
Miroslav Stampar
fe2039f5ba
coollyy little commits
2010-12-10 11:32:46 +00:00
Miroslav Stampar
7e2984b4b6
added stacked query support for Oracle
2010-12-09 15:24:48 +00:00
Bernardo Damele
4bb40c0a06
Higher the level for Oracle stacked tests just in case the SQL inj is within a PL/SQL function ('cause of no support for stacked queries by design on Oracle)
2010-12-09 15:14:18 +00:00
Miroslav Stampar
d8edc5b244
adding stacked-query vector for Firebird
2010-12-09 15:11:21 +00:00
Bernardo Damele
13b522efc2
Added error-based support for MySQL < 5.0 - closes #14
2010-12-09 15:09:03 +00:00
Miroslav Stampar
5aafd19957
added vector for SQLite's stacked query payload
2010-12-09 15:06:40 +00:00
Miroslav Stampar
71761ba9a5
another fix for another beautiful heavy query payload which took a few 100 megs and 5 mins to run
2010-12-09 10:35:18 +00:00
Miroslav Stampar
094baadc5b
bug fix (in SELECT based heavy queries COUNT(*) should be used; otherwise multiple row error happens without proper delay)
2010-12-09 10:17:04 +00:00
Bernardo Damele
3b293c4ea7
Added possible stacked queries time-based blind vector for MSSQL
2010-12-08 23:55:42 +00:00
Bernardo Damele
f5ce739bdf
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-08 23:52:31 +00:00
Miroslav Stampar
69c4f94980
update
2010-12-08 15:40:01 +00:00
Miroslav Stampar
ad00fe13c1
another fix for MySQL time based payloads
2010-12-08 12:00:27 +00:00
Miroslav Stampar
8227e6d3cf
bug fix for BENCHMARK time-based vectors
2010-12-08 11:49:55 +00:00
Bernardo Damele
8ff7c9a5a1
Works on Oracle's GROUP BY too
2010-12-07 17:17:01 +00:00
Miroslav Stampar
4f01d4c109
number crunching based time payloads are now affected by conf.timeSec
2010-12-07 13:24:18 +00:00
Miroslav Stampar
d0936bc8ed
adding vectors for SQLite time-based payloads
2010-12-07 13:14:56 +00:00
Bernardo Damele
54b8cb76a1
Messed up with my last merge, all fixed now
2010-12-07 12:59:53 +00:00
Miroslav Stampar
b38a634d95
bug fix
2010-12-07 12:55:31 +00:00
Bernardo Damele
7c32db6e9d
Forgot when merged with my last commit
2010-12-07 12:52:09 +00:00
Bernardo Damele
acac0d346f
Minor bug fixes and adjustments
2010-12-07 12:45:45 +00:00
Miroslav Stampar
2b2b7dc3a6
added vectors for time-based Firebird payloads
2010-12-07 12:20:48 +00:00
Miroslav Stampar
36a7fca8d5
added time-based payload vector for MSSQL
2010-12-07 12:06:25 +00:00
Miroslav Stampar
485981c619
added vectors for PostgresSQL time-based payloads
2010-12-07 11:57:33 +00:00
Miroslav Stampar
f9085e01e7
added vectors for Oracle time-based payloads
2010-12-07 11:47:29 +00:00
Miroslav Stampar
3d87489de5
minor update
2010-12-07 08:05:03 +00:00
Miroslav Stampar
90b776c1a2
update
2010-12-07 00:58:54 +00:00
Miroslav Stampar
0da1ebde7d
introducing PostgreSQL time based blind
2010-12-07 00:51:14 +00:00
Miroslav Stampar
1ba98dc9ec
found a fix for a OR time-based MySQL payload :)
2010-12-07 00:31:46 +00:00
Miroslav Stampar
61f82fd274
introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic
2010-12-07 00:27:26 +00:00
Bernardo Damele
32f1909131
Some more "advanced" boundaries
2010-12-06 23:15:41 +00:00
Miroslav Stampar
84a038d0a3
added one more subtag
2010-12-06 23:10:38 +00:00
Miroslav Stampar
1031723c89
added one more time based blind for Oracle
2010-12-06 23:05:53 +00:00
Miroslav Stampar
7697d19292
space replace is not needed in other two Oracle error based payloads; removing incorrect dbms_version for ctxsys.drithsx.sn as it also works on 10g
2010-12-06 22:52:18 +00:00
Miroslav Stampar
2735848ab6
removed ERROR_SPACE
2010-12-06 22:40:07 +00:00
Miroslav Stampar
f516c18a2a
minor update
2010-12-06 21:39:57 +00:00
Miroslav Stampar
0c5c2aa807
adding one more error based payload for Oracle
2010-12-06 21:20:26 +00:00
Miroslav Stampar
956a155377
adding one more error based payload for Oracle
2010-12-06 20:43:23 +00:00
Miroslav Stampar
ff43a4a955
minor update to preserve consistency of payload naming
2010-12-06 20:28:26 +00:00
Miroslav Stampar
c0e05d6869
update
2010-12-06 19:11:05 +00:00
Miroslav Stampar
e4b51dd549
proper way of handling OR based injections (completely compatible with current AND based inference engine)
2010-12-06 17:23:21 +00:00
Bernardo Damele
a1e89d3e94
Minor tweak
2010-12-05 13:12:12 +00:00
Bernardo Damele
bf425d90bc
More tweaking
2010-12-05 12:23:18 +00:00
Bernardo Damele
41e1b95c6c
Minor code refactoring and finally make exploitation work also on OR boolean-based injections
2010-12-05 11:25:44 +00:00
Bernardo Damele
191ba3118f
Cosmetics
2010-12-05 11:08:52 +00:00
Bernardo Damele
1b17bac494
Sorted out
2010-12-05 11:06:37 +00:00
Bernardo Damele
8066610217
Minor improvements to OR based injections
2010-12-05 10:55:19 +00:00
Bernardo Damele
2612615978
Major improvements
2010-12-04 16:40:08 +00:00
Miroslav Stampar
9e5f933ace
some updates
2010-12-04 15:47:02 +00:00
Bernardo Damele
95a3f4b52f
Rudimental OR boolean-based tests for login forms
2010-12-03 22:58:35 +00:00
Bernardo Damele
9d55c4da87
Done with support for injection in ORDER BY and GROUP BY (hopefully)
2010-12-03 16:12:47 +00:00
Bernardo Damele
072835e04b
Removed for time being
2010-12-03 14:48:31 +00:00
Bernardo Damele
11058667e4
Better naming
2010-12-03 14:45:13 +00:00
Miroslav Stampar
73dfb69308
minor update for OR based time injection (Firebird)
2010-12-03 12:15:41 +00:00
Bernardo Damele
4dec049c22
Major bug fix for test on ORDER BY and GROUP BY clauses.
...
Minor bug fix to skip following tests if they do not match any of the clause previously identified (injection.clause value).
2010-12-03 12:00:03 +00:00
Miroslav Stampar
23a86ed612
minor bug fix related to Firebird time based test vectors
2010-12-03 11:05:16 +00:00
Bernardo Damele
0069a21a0d
Added also OR error-based checks, tweaked some TODOs and added some new boundaries for login forms (yet to test)
2010-12-03 10:52:24 +00:00
Miroslav Stampar
bf09b8a6d9
added Firebird error based (WHERE) attack vector
2010-12-02 15:09:21 +00:00
Bernardo Damele
df4cb1a601
On the way to get full support for injection on ORDER BY and GROUP BY clauses
2010-12-01 23:30:38 +00:00
Bernardo Damele
089c16a1b8
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
...
Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps at sql inj found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
2010-12-01 17:09:52 +00:00
Bernardo Damele
2708aad504
Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests.
2010-12-01 10:31:50 +00:00
Bernardo Damele
c8f943f5e4
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.
...
Major code refactoring and commenting to detection engine.
Ask user whether or not to proceed to test remaining parameters after an injection point has been identified.
Restore beep at SQL injection find.
Avoid reuse of same variable in DBMS handler code.
Minor adjustment of payloads XML file.
2010-11-30 22:40:25 +00:00
Bernardo Damele
6525e08d6b
Minor adjustment to detect the proper parameter type based upon --prefix and --suffix values
2010-11-29 12:13:42 +00:00
Bernardo Damele
75f7df75b6
Minor fix
2010-11-28 23:33:51 +00:00
Bernardo Damele
7e3b24afe6
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own.
...
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00
Bernardo Damele
e32be2b4e7
Minor adjustment
2010-11-23 15:06:40 +00:00
Miroslav Stampar
c6545f5c9f
we had a bug (nooooooooo!!!! :))
2010-11-19 10:36:47 +00:00
Bernardo Damele
17486e472a
Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!
2010-11-17 22:00:09 +00:00
Miroslav Stampar
42272ca78c
minor update
2010-11-11 22:26:36 +00:00
Miroslav Stampar
1a708cf12d
update for ASP/Ingres
2010-11-05 16:21:22 +00:00
Miroslav Stampar
173e893d11
added error message support for Ingres
2010-11-05 16:19:41 +00:00
Miroslav Stampar
3f0a443b83
some updates
2010-11-04 23:08:59 +00:00
Miroslav Stampar
d5fcc9d8b5
few updates/fixes here and there
2010-11-04 08:03:59 +00:00
Miroslav Stampar
977df7276d
minor update
2010-11-03 06:25:24 +00:00
Miroslav Stampar
4b56fa4f8f
now --tables work for MaxDB
2010-11-02 22:11:45 +00:00
Miroslav Stampar
b761523f3f
now --users works for MaxDB too
2010-11-02 21:52:48 +00:00
Miroslav Stampar
cd0d4135ac
implemented --banner for MaxDB and some minor fixes
2010-11-02 20:51:55 +00:00
Miroslav Stampar
49bf34ffd9
minor fix
2010-11-02 18:43:20 +00:00
Bernardo Damele
720e235d9a
Fixed Windows 2003/2008 signatures. Added more old RedHat Server header signatures. Added old Debian etch signature too.
2010-10-31 18:18:49 +00:00
Miroslav Stampar
f7d42af046
some fixes regarding --check-payload
2010-10-29 11:00:23 +00:00
Bernardo Damele
0efecde248
Minor update to properly differentiate Windows 2003 by 2008 via HTTP response headers
2010-10-27 10:09:47 +00:00
Miroslav Stampar
749e25a217
Implementation of --passwords for Sybase
2010-10-26 21:35:30 +00:00
Miroslav Stampar
1b90c1d131
added FreeBSD
2010-10-26 20:48:52 +00:00
Miroslav Stampar
4da2046492
massive update of server fingerprints
2010-10-26 20:00:29 +00:00
Miroslav Stampar
080c5aef80
minor update
2010-10-26 19:08:11 +00:00
Miroslav Stampar
8a9a57c709
update for Sybase and major bug fix for --passwords on MSSQL
2010-10-25 22:11:38 +00:00
Miroslav Stampar
9b56fbafbe
that Sybase is going to be pain in the ass
2010-10-25 21:43:13 +00:00
Miroslav Stampar
228ac0cde5
refactoring regarding --check-payload
2010-10-25 18:38:54 +00:00
Miroslav Stampar
378653a1ec
added IDS payload testing
2010-10-25 15:37:43 +00:00
Miroslav Stampar
aa931efd4d
several MySQL fixes/enhancements pointed out by Anton Mogilin
2010-10-24 22:05:14 +00:00
Miroslav Stampar
68d39d5976
minor minor fix
2010-10-23 09:12:08 +00:00
Miroslav Stampar
32a4350779
update for MaxDB
2010-10-23 09:03:59 +00:00
Miroslav Stampar
98f5586b87
minor update
2010-10-23 08:05:24 +00:00
Miroslav Stampar
f8850e3f41
update (xml fix and refactoring)
2010-10-23 07:44:34 +00:00
Miroslav Stampar
a7a53af924
update for Sybase
2010-10-23 07:37:43 +00:00
Miroslav Stampar
dec4d858b3
fix for Bug #207
2010-10-22 14:01:48 +00:00
Miroslav Stampar
e24bff0497
nice refactoring
2010-10-20 09:46:57 +00:00
Miroslav Stampar
5d3cbec457
no more regex. web server independent.
2010-10-20 09:35:46 +00:00
Miroslav Stampar
b032fdbf74
added randInt to error injection vectors
2010-10-20 08:56:58 +00:00
Miroslav Stampar
f2dae98448
fix for MySQL error queries
2010-10-19 23:30:08 +00:00
Miroslav Stampar
1fce9683f8
now --users work for MSSQL too
2010-10-19 15:05:32 +00:00
Miroslav Stampar
80505de15b
now --users work on Oracle and Postgre (tested)
2010-10-19 14:56:57 +00:00
Miroslav Stampar
4bc541ec3c
error based update
2010-10-19 14:47:13 +00:00
Miroslav Stampar
bf850af2d8
fix for Oracle error based query "space" problem
2010-10-19 14:10:09 +00:00
Miroslav Stampar
878135fe40
minor fix
2010-10-19 14:00:27 +00:00
Miroslav Stampar
6a8b1046d4
first successfull run of error based sqlmap in history :). tested --banner, --current-user, --current-db on 4 major DBMSes. still hidden from users (turn on flag error in getValue() in inject.py)
2010-10-19 12:02:04 +00:00
Miroslav Stampar
d123bb741a
added error based queries for MySQL, Postgre, MS SQL and Oracle
2010-10-18 21:26:13 +00:00
Miroslav Stampar
f9f79ffbaf
basic stuff for sybase
2010-10-12 19:05:12 +00:00
Miroslav Stampar
9840d25b55
update of MaxDB queries
2010-10-12 17:04:20 +00:00
Miroslav Stampar
de0f6b6f72
bug fix
2010-10-10 17:46:09 +00:00
Miroslav Stampar
18d27cabc5
more changes
2010-10-07 15:34:17 +00:00
Miroslav Stampar
440ff639bb
more refactoring
2010-10-07 14:05:34 +00:00
Miroslav Stampar
1e9ae40397
major refactoring
2010-10-07 12:12:26 +00:00
Miroslav Stampar
de6fa1247b
moved injections to xml format
2010-10-06 22:29:52 +00:00
Miroslav Stampar
d9d0c971fa
new file
2010-10-06 14:37:14 +00:00
Miroslav Stampar
10ab6371f2
minor update
2010-10-06 11:58:55 +00:00
Miroslav Stampar
3cd15960a0
more updates
2010-09-27 13:26:46 +00:00
Miroslav Stampar
3b9fe3e1c8
everything is ready for testing (smoke and live)
2010-09-27 11:20:48 +00:00
Miroslav Stampar
dc11ae0d65
update
2010-09-26 14:56:55 +00:00
Miroslav Stampar
35f35605df
changes regarding Feature #160
2010-09-26 14:02:13 +00:00
Miroslav Stampar
76233ff5a3
added skeleton for live testing
2010-09-15 13:55:28 +00:00
Miroslav Stampar
c4040ab297
fix for Feature #136
2010-08-31 14:25:37 +00:00
Miroslav Stampar
27496b91b2
fix
2010-08-31 13:08:57 +00:00
Miroslav Stampar
266974829d
minor update
2010-08-30 22:39:07 +00:00
Miroslav Stampar
48cc87f6a9
added support for fingerprinting SAP MaxDB (Issue 143)
2010-08-30 13:29:19 +00:00
Bernardo Damele
5bb8e154eb
Minor code improvements
2010-06-10 14:15:32 +00:00
Bernardo Damele
06af405efd
Adapted and merged in patch to support XML output (-x switch) - still in beta.
...
Minor bug fixes and adjustments.
2010-05-28 16:43:04 +00:00
Bernardo Damele
e0e2349529
Refactor to --search -C and minor bug fix - See #190 .
2010-05-17 16:16:49 +00:00
Bernardo Damele
c9ee11e0e4
Added support to search for tables (--search with -T). See #190 .
2010-05-16 20:46:17 +00:00
Bernardo Damele
65a05452f7
Added option --search to work in conjunction with -D (done), -T (soon) or -C (replaces --dump -C) - See #190 :
...
* --search -D foobar: searches all database names like the ones provided
* --search -T foobar: searches all databases' table names like the ones provided (soon)
* --search -C foobar: replaces --dump -C
2010-05-07 13:40:57 +00:00
Bernardo Damele
14f8514fb5
Minor "revert" to make resume of queries work again
2010-04-15 11:56:47 +00:00
Bernardo Damele
b72ddb6f1e
Fixes non-deterministic unsorted results for most of the DBMSes - see #185
2010-04-09 15:48:53 +00:00
Miroslav Stampar
d583cc07e7
ms access update
2010-03-30 15:04:55 +00:00
Bernardo Damele
1416cd0d86
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158 . This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module).
...
Minor layout adjustments.
2010-03-26 23:23:25 +00:00
Bernardo Damele
2aadc5c939
Added support for --roles (for Oracle ROLE_PRIVS). Enhanced Oracle --privileges to fall-back to USER_SYS_PRIVS if DBA_SYS_PRIVS is not accessible (so session user is not DBA) - Fixes ticket #180 .
...
Minor enhancement to Firebird to determine if a DB user is a DBA.
Minor code refactoring.
2010-03-25 15:46:06 +00:00
Bernardo Damele
0d559d14df
Initial support for SQLite (90% approx).
...
Initial support for Firebird (30% approx).
Initial support for Access (10% approx).
Shared libraries code/installation scripts ported to 64bit, directory structure adapted.
Minor code adjustments.
2010-03-18 17:20:54 +00:00
Miroslav Stampar
49aa1ae542
some fix/revert of mssql banner file
2010-03-03 14:37:57 +00:00
Miroslav Stampar
f941159f81
Updated MSSQL xml signatures file
2010-03-03 13:46:12 +00:00
Miroslav Stampar
6a5a5d55f2
fix for that --stacked-test error reported by dsu@dsu.com.ua
2010-02-09 11:27:42 +00:00
Bernardo Damele
9ed0744510
Added some error messages to detect back-end DBMS
2010-01-30 22:24:20 +00:00
Miroslav Stampar
645afee359
some changes
2010-01-28 00:25:36 +00:00
Miroslav Stampar
3197fada59
update of IDS checking method
2010-01-25 10:06:52 +00:00
Bernardo Damele
e4bd0eb92d
Updated MSSQL xml signatures file
2010-01-18 15:24:59 +00:00
Bernardo Damele
9c9988c375
Updated MSSQL xml signatures file
2010-01-13 14:50:13 +00:00
Bernardo Damele
80bd146696
Added support for --dump with -C also on MSSQL
2010-01-10 19:12:54 +00:00
Bernardo Damele
6c1b31d93c
Adjusted --columns with -C also for Microsoft SQL Server
2010-01-10 00:21:03 +00:00
Bernardo Damele
f316e722c1
sqlmap 0.8-rc4: --dump option now can also accept only -C: user can provide a string column and sqlmap will enumerate all databases, tables and columns that contain the 'provided_string' or '%provided_string%' then ask the user to dump the entries of only those columns.
...
--columns now accepts also -C option: user can provide a string column and sqlmap will enumerate all columns of a specific table like '%provided_string%'.
Minor enhancements.
Minor bug fixes.
2010-01-09 00:05:00 +00:00
Bernardo Damele
89c43893d4
Merged back from personal branch to trunk (svn merge -r846:940 ...)
...
Changes:
* Major enhancement to the Microsoft SQL Server stored procedure
heap-based buffer overflow exploit (--os-bof) to automatically bypass
DEP memory protection.
* Added support for MySQL and PostgreSQL to execute Metasploit shellcode
via UDF 'sys_bineval' (in-memory, anti-forensics technique) as an
option instead of uploading the standalone payload stager executable.
* Added options for MySQL, PostgreSQL and Microsoft SQL Server to
read/add/delete Windows registry keys.
* Added options for MySQL and PostgreSQL to inject custom user-defined
functions.
* Added support for --first and --last so the user now has even more
granularity in what to enumerate in the query output.
* Minor enhancement to save the session by default in
'output/hostname/session' file if -s option is not specified.
* Minor improvement to automatically remove sqlmap created temporary
files from the DBMS underlying file system.
* Minor bugs fixed.
* Major code refactoring.
2009-09-25 23:03:45 +00:00
Bernardo Damele
19c6804ded
Fixed two minor bugs with PostgreSQL reported by Sven Klemm, thanks!
2009-07-29 10:44:24 +00:00
Bernardo Damele
e5a01d500e
Minor bug fix in --update option, updated also Microsoft XML versions file
2009-06-16 15:12:02 +00:00
Bernardo Damele
58f3eee390
Updated Microsoft SQL Server XML signatures file and minor bug fix in connection library
2009-04-28 11:11:35 +00:00
Bernardo Damele
8c0ac767f4
Updated to sqlmap 0.7 release candidate 1
2009-04-22 11:48:07 +00:00
Bernardo Damele
954417072b
Updated Microsoft SQL Server XML versions file
2009-02-10 23:00:53 +00:00
Bernardo Damele
ad03684788
Added another PostgreSQL banner signature for Windows (it's specific
...
for PostgreSQL compiled by hand with MinGW/GCC or using the binary MSI
file of PostgreSQL version 8.2.x. PostgreSQL 8.3.x is compiled by
default using Visual C++)
2009-01-30 00:35:05 +00:00
Bernardo Damele
981c7a4428
Updated Microsoft SQL Server XML signature db
2009-01-22 22:30:45 +00:00
Bernardo Damele
793c323b2a
Major bug fixes
2009-01-22 22:28:27 +00:00
Bernardo Damele
2d87a3349f
Fixed custom MSSQL "limited" query support also for Partial UNION query technique
2009-01-03 00:27:04 +00:00
Bernardo Damele
2cc3bb2f6a
Minor improvement to PostgreSQL signatures file to identify Windows.
...
Minor improvement to Microsoft SQL Server "limit" queries.
2009-01-02 23:23:55 +00:00
Bernardo Damele
9340bf59fb
Updated Microsoft SQL Server signature XML file.
...
Minor layout adjustments to --update output messages/diff
2008-12-29 18:46:43 +00:00
Bernardo Damele
064029cb2d
Addd one more MS Access signature
2008-12-22 19:35:13 +00:00
Bernardo Damele
2f406b3e56
Minor adjustments
2008-12-22 00:04:28 +00:00
Bernardo Damele
ad228e6947
Ahead with the improvements to the comparison algorithm.
...
Added support internally to forge CASE statements, used only by
--is-dba query at the moment.
Allow DDL, DML (INSERT, UPDATE, etc.) from user in SQL query and
SQL shell.
Minor code adjustments.
2008-12-19 20:09:46 +00:00
Bernardo Damele
3fe493b63d
Minor enhancement to support an option (--is-dba) to show if the
...
current user is a database management system administrator.
2008-12-18 20:41:11 +00:00
Bernardo Damele
dda62ba463
Minor adjustments and bug fixes
2008-12-17 20:11:18 +00:00
Bernardo Damele
4156181367
Minor fix
2008-12-16 21:31:01 +00:00
Bernardo Damele
bf2a857b9a
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 19:06:31 +00:00
Bernardo Damele
4cb161ce4f
Minor signatures adjustments
2008-12-02 23:48:07 +00:00
Bernardo Damele
428612b431
Comment and layout adjustments
2008-12-01 23:04:01 +00:00
Bernardo Damele
785352d700
Minor adjustments to signatures
2008-11-27 22:31:43 +00:00
Bernardo Damele
dc1f2deb74
Minor bug fix to correctly enumerate columns on Microsoft SQL Server.
...
Minor adjustments to XML signatures.
Updated documentation.
2008-11-25 11:33:44 +00:00
Bernardo Damele
8f74fe2ce9
Added new HTTP response headers on which fingerprint web app technology and web server OS.
...
Updated documentation.
2008-11-19 15:33:39 +00:00
Bernardo Damele
736b2e7323
Minor adjustments to the operating system fingerprint.
2008-11-19 00:36:44 +00:00
Bernardo Damele
727664aea7
Minor enhancement to fingerprint the web server operating system and
...
the web application technology by parsing also HTTP response Server
header.
Refactor libraries and plugins that parses XML to fingerprint and show
on standard output the information.
Updated changelog.
2008-11-18 17:42:46 +00:00
Bernardo Damele
7d0724843f
Major enhancement to the engine to parse XML files and matches on DBMS banner
...
and HTTP response headers.
Initial web application technology fingerprint (for the moment based only on
X-Powered-By HTTP response header and not shown yet to the user).
Minor layout adjustments.
2008-11-17 17:41:02 +00:00
Bernardo Damele
66fb3c3033
Minor enhancement to show the DBMS operating system (if fingerprinted)
...
also when only -b option is provided since it's an information that
sqlmap get parsing the DBMS banner.
Got rid completely of useless passive fuzzing.
2008-11-17 11:22:03 +00:00
Bernardo Damele
654aecedfe
Minor layout adjustments, minor fixes and updated changelog
2008-11-17 00:00:54 +00:00
Bernardo Damele
fa0507ab39
Minor enhancement to fingerprint the back-end DBMS operating system (type,
...
version, release, distribution, codename and service pack) by parsing the
DBMS banner value when both -f and -b are provided: adapted the code and
added XML files defining regular expressions for matching.
Example of the -f -b output now on MySQL 5.0.67 running on latest Ubuntu:
--8<--
back-end DBMS: active fingerprint: MySQL >= 5.0.38 and < 5.1.2
comment injection fingerprint: MySQL 5.0.67
banner parsing fingerprint: MySQL 5.0.67
html error message fingerprint: MySQL
back-end DBMS operating system: Linux Ubuntu 8.10 (Intrepid)
--8<--
2008-11-15 23:41:31 +00:00
Bernardo Damele
ecc4a98071
Properly moved and improved inject.goStacked() function and newly
...
implemented Time based blind SQL injection now is a single test file
within the lib/techniques/ folder.
Renamed lib/techniques/inference to lib/techniques/blind, it is more
approriate and adapted the rest of the libraries.
Updated ChangeLog file.
2008-11-12 23:44:09 +00:00
Bernardo Damele
81ed7c2086
Initial implementation of support for stacked queries.
...
Added method to test for Time based blind SQL injection query stacking
on the affected parameter a SLEEP() or similar DBMS specific function.
Adapted libraries, plugins and XML with the above changes.
Minor layout adjustments.
2008-11-12 00:36:50 +00:00
Bernardo Damele
bfe1863731
Updated Microsoft SQL Server XML versions file
2008-11-02 22:11:35 +00:00
Bernardo Damele
09ca578ca1
Major bug fix so that the users' privileges enumeration now works properly also on both MySQL < 5.0 and MySQL >= 5.0 also if the user has provided one or more users with -U option;
2008-11-02 18:17:12 +00:00
Bernardo Damele
7ad9639ed0
Updated the database management system fingerprint checks to correctly identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3
2008-10-29 15:32:12 +00:00
Bernardo Damele
38f13932bc
Minor improvements to queries
2008-10-20 10:09:37 +00:00
Bernardo Damele
8e3eb45510
After the storm, a restore..
2008-10-15 15:38:22 +00:00