Commit Graph

  • 283a04e29a On my way to properly parse test's <where> tag in exploitation phase Bernardo Damele 2010-12-01 23:32:58 +0000
  • 09b265a1ea Got rid of conf.logic for the moment, haven't decided yet what to do with parenthesis check Bernardo Damele 2010-12-01 23:32:02 +0000
  • df4cb1a601 On the way to get full support for injection on ORDER BY and GROUP BY clauses Bernardo Damele 2010-12-01 23:30:38 +0000
  • 47f2d22181 Minor bug fix Bernardo Damele 2010-12-01 17:18:31 +0000
  • 089c16a1b8 Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders. Bernardo Damele 2010-12-01 17:09:52 +0000
  • c00ea7f5e5 Store and resume also UNION char to session file (--union-char) Bernardo Damele 2010-12-01 10:59:58 +0000
  • 025361c970 Higher precedence to union query sql inj than error-based Bernardo Damele 2010-12-01 10:57:17 +0000
  • 56d2b2f322 Avoid storing to session file also payload delimiters Bernardo Damele 2010-12-01 10:55:59 +0000
  • 2708aad504 Unified start and stop delimiters across error-based (detection engine) and union query (--union-test) tests. Bernardo Damele 2010-12-01 10:31:50 +0000
  • 8d84dcc5dc More sense Bernardo Damele 2010-12-01 09:17:17 +0000
  • c8f943f5e4 Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file. Bernardo Damele 2010-11-30 22:40:25 +0000
  • fcdebbd55f cosmeticados Miroslav Stampar 2010-11-30 14:48:13 +0000
  • 47a7708950 minor improvement of dynamic content detection/removal part Miroslav Stampar 2010-11-30 12:45:42 +0000
  • 8b9706656e Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now. Minor code refactoring too. Bernardo Damele 2010-11-29 17:18:38 +0000
  • e9291932e5 Apply --level also to User-Agent (level >= 4) and Cookie (level >= 3). GET and POST parameters are always tested. Bernardo Damele 2010-11-29 16:33:20 +0000
  • e735f2960a minor update Miroslav Stampar 2010-11-29 15:25:45 +0000
  • c76d740a25 just a precaution Bernardo Damele 2010-11-29 15:21:56 +0000
  • 70e87d959e update of dynamicity engine Miroslav Stampar 2010-11-29 15:14:49 +0000
  • ee4e04ebca Minor adjustment Bernardo Damele 2010-11-29 15:09:40 +0000
  • 2efb3b78ea Consider also --dbms value during the detection phase Bernardo Damele 2010-11-29 14:48:07 +0000
  • be6df7abd9 improvement of dynamicity engine Miroslav Stampar 2010-11-29 14:30:57 +0000
  • 76ce9cc888 Minor bug fix for --forms Bernardo Damele 2010-11-29 12:46:18 +0000
  • 6525e08d6b Minor adjustment to detect the proper parameter type based upon --prefix and --suffix values Bernardo Damele 2010-11-29 12:13:42 +0000
  • c22338ce90 Removed --error-test, --stacked-test and --time-test switches and adapted the code accordingly. This is due to the fact that the new XML based detection engine already supports all of those tests (and more). Bernardo Damele 2010-11-29 11:47:58 +0000
  • e8c6c01e27 precaution Bernardo Damele 2010-11-29 09:54:30 +0000
  • 9d7087e2ff Proper saving and resuming when more than one parameter is injectable. Minor bug fix to --stacked-test. Minor code refactoring. Bernardo Damele 2010-11-29 01:04:42 +0000
  • 75f7df75b6 Minor fix Bernardo Damele 2010-11-28 23:33:51 +0000
  • 472f4465a6 Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring. Bernardo Damele 2010-11-28 21:27:47 +0000
  • 7e3b24afe6 Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. Users can specify their own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work! Bernardo Damele 2010-11-28 18:10:54 +0000
  • a8b38ba76b removed a trailing blank line (cosmetics) Miroslav Stampar 2010-11-24 14:25:16 +0000
  • 6712f4da55 some refactoring and one less request for aspx maintenance during --os-shell Miroslav Stampar 2010-11-24 14:20:43 +0000
  • 253eafb643 paranoid cosmetics Bernardo Damele 2010-11-24 12:03:01 +0000
  • b2b521fc8a greedy regex bastard :) Miroslav Stampar 2010-11-24 12:01:36 +0000
  • 9579a97039 now ASPX works too for --os-shell Miroslav Stampar 2010-11-24 11:38:27 +0000
  • ca58bdbc66 minor update Miroslav Stampar 2010-11-24 10:54:15 +0000
  • c54c9ee5d1 minor update Miroslav Stampar 2010-11-23 22:33:00 +0000
  • 57ad59206b cosmetics as it's best Miroslav Stampar 2010-11-23 22:09:10 +0000
  • 7a147041c4 cosmetics Miroslav Stampar 2010-11-23 21:44:58 +0000
  • f4f0bc9db3 minor fix Miroslav Stampar 2010-11-23 21:17:01 +0000
  • f9f076ba97 code refactoring Miroslav Stampar 2010-11-23 21:00:42 +0000
  • 7877a931d5 more cosmetics regarding dictionary attack Miroslav Stampar 2010-11-23 20:54:40 +0000
  • e3b3e05748 minor update Miroslav Stampar 2010-11-23 19:21:30 +0000
  • 0d24a15182 more cosmetics Miroslav Stampar 2010-11-23 19:10:34 +0000
  • 836a1c214a los cosmeticados (of hash dictionary attack) Miroslav Stampar 2010-11-23 18:57:00 +0000
  • c4414df594 minor update Miroslav Stampar 2010-11-23 15:33:13 +0000
  • 78024eafe0 little precaution Miroslav Stampar 2010-11-23 15:31:23 +0000
  • 4af000e699 minor language update (in testing phase "used" is preferable to "provided") Miroslav Stampar 2010-11-23 15:11:15 +0000
  • e32be2b4e7 Minor adjustment Bernardo Damele 2010-11-23 15:06:40 +0000
  • b41ee8d0d0 minor refactoring Miroslav Stampar 2010-11-23 14:57:36 +0000
  • aa5d038f18 more code refactoring Miroslav Stampar 2010-11-23 14:50:47 +0000
  • 3cae76627c code refactoring regarding dictionary attack Miroslav Stampar 2010-11-23 13:58:01 +0000
  • ba4ea32603 first working version of dictionary attack Miroslav Stampar 2010-11-23 13:24:02 +0000
  • c471b815cc fix for a bug reported by BugTrace (IndexError: list index out of range) Miroslav Stampar 2010-11-22 10:58:08 +0000
  • bfc9378542 sorry, even more proper naming should be like this (passwd is a standard naming for this kind of function(s)) Miroslav Stampar 2010-11-20 13:22:59 +0000
  • db59faedb9 more proper naming Miroslav Stampar 2010-11-20 13:20:28 +0000
  • 52c722dab5 renaming of dicts.zip to wordlists.zip (more proper name) Miroslav Stampar 2010-11-20 13:17:13 +0000
  • 1f8a9fe033 foundations for dictionary attack support combined with the sqlmap's password/hash retrieval functionality (--password switch) Miroslav Stampar 2010-11-20 13:14:13 +0000
  • 71107e4e9e quick fix for google searches Miroslav Stampar 2010-11-19 21:38:20 +0000
  • 99a23e23cf Extra check on --union-cols value Bernardo Damele 2010-11-19 16:39:26 +0000
  • da7eb329bb removing file Miroslav Stampar 2010-11-19 16:04:07 +0000
  • 1fa567e14d new file added (dictionary attack on password hashes - MySQL, MSSQL, Oracle and Postgres - is soon going to be a part of sqlmap) Miroslav Stampar 2010-11-19 15:51:56 +0000
  • c23126547e Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. Bernardo Damele 2010-11-19 15:48:24 +0000
  • ad17e9ed2a Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) Bernardo Damele 2010-11-19 14:56:20 +0000
  • c6545f5c9f we had a bug (nooooooooo!!!! :)) Miroslav Stampar 2010-11-19 10:36:47 +0000
  • df88280681 minor update of google regex (that * was a junky one) Miroslav Stampar 2010-11-19 10:04:29 +0000
  • e8bef28337 updating google parsing regex (for the better, of course) Miroslav Stampar 2010-11-19 10:00:29 +0000
  • d97e97d884 minor update :) Miroslav Stampar 2010-11-19 09:02:44 +0000
  • 4a9bd3a240 Finally a proper union query SQL injection test engine for --union-test. It does many more requests, but for god's sake now it works well! Bernardo Damele 2010-11-18 17:55:43 +0000
  • 544327379f Little precaution Bernardo Damele 2010-11-18 14:32:52 +0000
  • f6a17cb1a8 Revert wrong fix Bernardo Damele 2010-11-18 10:41:06 +0000
  • 17486e472a Proper English (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only! Bernardo Damele 2010-11-17 22:00:09 +0000
  • ca5125bbe0 minor update related to r2401 Miroslav Stampar 2010-11-17 20:50:31 +0000
  • 360aff7a4d sqlite3 library is not part of Gentoo (perhaps others) Python packages or installation bundle Bernardo Damele 2010-11-17 17:20:32 +0000
  • a0df36beda when in multi target mode this should be done (another bug was reported by ToR for using "old" data - kb was not properly cleared) Miroslav Stampar 2010-11-17 15:33:07 +0000
  • 17f0609263 minor bug fix Miroslav Stampar 2010-11-17 13:29:57 +0000
  • 3d25071d06 another minor improvement regarding logging of http traffic Miroslav Stampar 2010-11-17 12:16:48 +0000
  • 3e569a1693 minor update Miroslav Stampar 2010-11-17 12:04:33 +0000
  • 2802923dbe some improvements regarding --os-shell web server application choice Miroslav Stampar 2010-11-17 11:45:52 +0000
  • 5abbea4a9f fix for a bug reported by nightman (unknown charset 'null') Miroslav Stampar 2010-11-17 09:57:32 +0000
  • d757e4ae1c bug fix (when user manually sets web root, that same directory should be used as one of potentially default dirs) Miroslav Stampar 2010-11-17 09:46:04 +0000
  • bec152609a minor cosmetics and bug fix for Windows machines ('\\' is interpreted as \ and inside the script it can screw things up as it's a marker for a special character - thus '\\\\' is interpreted as \\ which represents special character \) Miroslav Stampar 2010-11-17 09:33:05 +0000
  • af92c05930 removing 'MD5' references Miroslav Stampar 2010-11-17 09:15:40 +0000
  • 76c3f5768b cosmetics Miroslav Stampar 2010-11-17 09:12:48 +0000
  • 2a8e270bef proper handling of carriage return character from Windows target machines Miroslav Stampar 2010-11-16 15:11:03 +0000
  • ab33651f96 minor bug fix for displaying text from windows machines (\r was interfering with normal dataToStdout behavior) Miroslav Stampar 2010-11-16 15:02:22 +0000
  • 3487429eac minor cosmetics Miroslav Stampar 2010-11-16 14:41:46 +0000
  • 3640dbf745 fix for --parse-errors (on IIS an HTTP error is raised which needs to be processed) Miroslav Stampar 2010-11-16 14:33:30 +0000
  • cccb565859 cosmetics Miroslav Stampar 2010-11-16 14:11:32 +0000
  • b9d9f18939 added General cmdline group Miroslav Stampar 2010-11-16 14:09:09 +0000
  • e7a66371f8 update regarding os shell-ing regarding JSP and ASPX Miroslav Stampar 2010-11-16 13:46:46 +0000
  • 6232397129 minor update Miroslav Stampar 2010-11-16 10:52:49 +0000
  • 6ef3846400 update regarding error parsing (and reporting) Miroslav Stampar 2010-11-16 10:42:42 +0000
  • 71cb982039 Another bug fix to --union-test Bernardo Damele 2010-11-15 21:42:56 +0000
  • b3ad63b71e major bug fix (haven't applied dynamic content removal to the original comparison (conf.seqMatcher.a) page) Miroslav Stampar 2010-11-15 14:59:37 +0000
  • ff310475c8 some reporting update for --forms Miroslav Stampar 2010-11-15 14:17:51 +0000
  • 20d6b9a5c1 minor fix Miroslav Stampar 2010-11-15 12:24:32 +0000
  • 39c6c9f386 minor update Miroslav Stampar 2010-11-15 12:19:22 +0000
  • 819085155e minor update/fix Miroslav Stampar 2010-11-15 12:07:13 +0000
  • c25c017c08 cosmetics regarding --forms Miroslav Stampar 2010-11-15 11:50:33 +0000
  • 36c544f440 update (--forms acts now more like -g switch) Miroslav Stampar 2010-11-15 11:34:57 +0000