sqlmap history <author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G."> <date>Updated on April 30, 2010 <abstract> Timeline history of <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">. Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage"> for the latest version. </abstract> <toc> <sect>2010 <itemize> <item><bf>...</bf> <item><bf>...</bf> <item><bf>...</bf> <item><bf>...</bf> <item><bf>...</bf> <item><bf>...</bf> </itemize> <sect>2009 <itemize> <item><bf>July 25</bf>, stable version of sqlmap <bf>0.7</bf> is out! <item><bf>May</bf>, Bernardo presents again his research on operating system takeover via SQL injection at <htmlurl url="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland" name="OWASP AppSec Europe 2009"> in Warsaw, Poland and at <htmlurl url="http://eusecwest.com/" name="EUSecWest 2009"> in London, UK. <item><bf>April 22</bf>, sqlmap version <bf>0.7 release candidate 1</bf> is published, with all the attack vectors unveiled at Black Hat Conference. This include execution of arbitrary commands on the underlying operating system, full integration with Metasploit to establish an out-of-band TCP connection, first publicly available exploit for MS09-004 and others attacks to takeover the database server as a whole, not only the data from the database. <item><bf>April 16</bf>, Bernardo <htmlurl url="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides" name="presents"> his research (<htmlurl url="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf" name="whitepaper">) at Black Hat Europe 2009 in Amsterdam, The Netherlands. The feedback from the audience is good and there has been some <htmlurl url="http://bernardodamele.blogspot.com/2009/03/black-hat-europe-2009.html" name="media coverage"> too. <item><bf>March 5</bf>, Bernardo <htmlurl url="http://www.slideshare.net/inquis/sql-injection-not-only-and-11" name="presents"> for the first time some of the sqlmap recent features and upcoming enhancements at an international event, <htmlurl url="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009" name="Front Range OWASP Conference 2009"> in Denver, USA. The presentation is titled <em>SQL injection: Not only AND 1=1</em>. <item><bf>February 24</bf>, Bernardo is accepted as a <htmlurl url="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-archives.html#Damele" name="speaker"> at <htmlurl url="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html" name="Black Hat Europe 2009"> with a presentation titled <em>Advanced SQL injection exploitation to operating system full control</em>. <item><bf>February 3</bf>, sqlmap <bf>0.6.4</bf> is the last point release of 0.6: taking advantage of the stacked queries test implemented in 0.6.3, sqlmap can now be used to execute arbitrarly any SQL statement, not only SELECTs. Also, many features have been stabilized, tweaked and improved in terms of speed in this release. <item><bf>January 9</bf>, Bernardo <htmlurl url="http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation" name="presents"> <em>SQL injection exploitation internals</em> at a Corporate event. </itemize> <sect>2008 <itemize> <item><bf>December 18</bf>, to celebrate Bernardo's first daughter birthday, sqlmap <bf>0.6.3</bf> is released featuring support to retrieve targets from Burp and WebScarab proxies log files, support to test for stacked queries ant time-based blind SQL injection, rough fingerprint of the web server and web application technologies in use and more options to customize the HTTP requests and enumerate further data from the database. <item><bf>November 2</bf>, sqlmap version <bf>0.6.2</bf> is a "bug fixes" release only. <item><bf>October 20</bf>, sqlmap first point release, <bf>0.6.1</bf> goes public. This includes minor bug fixes and the first contact between the tool and <htmlurl url="http://metasploit.com/framework" name="Metasploit">: an auxiliary module to launch sqlmap from within Metasploit Framework. sqlmap <htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/" name="subversion development repository"> goes public again. <item><bf>September 1</bf>, nearly one year after the previous release, sqlmap <bf>0.6</bf> comes to life featuring the first major code refactoring, support to execute arbitrary SQL SELECT statements, more options to enumerate and dump specific information are added, brand new installation packages for Debian, Red Hat, Windows and much more. <item><bf>August</bf>, two public <htmlurl name="mailing lists" url="http://sqlmap.sourceforge.net/#ml"> are created on SourceForge. <item><bf>January</bf>, sqlmap development repository is moved away from SourceForge and goes private. </itemize> <sect>2007 <itemize> <item><bf>December 15</bf>, Bernardo's first daughter is born and will keep him quite busy for the next months. <item><bf>November 4</bf>, release <bf>0.5</bf> marks the end of the Spring of Code contest participation. Bernardo has <htmlurl url="http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page" name="accomplished"> all the propsed objects which include initial support for Oracle, enhanced support for UNION query SQL injection and support to inject on HTTP Cookie and User-Agent headers. <item><bf>June 15</bf>, Bernardo releases version <bf>0.4</bf> as a result of the first Spring of Code milestone. This release features, amongst others, improvements to the DBMS fingerprint engine, support to calculate the estimated time of arrival, options to enumerate specific data from the database server and brand new logging system. <item><bf>April</bf>, even though sqlmap was <bf>not</bf> and is <bf>not</bf> an OWASP project, it gets <htmlurl url="http://www.owasp.org/index.php/SpoC_007_-_SqlMap" name="accepted">, amongst many other open source projects to SpoC 2007. <item><bf>March 30</bf>, Bernardo applies to OWASP <htmlurl url="http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap" name="Spring of Code 2007">. <item><bf>January 20</bf>, sqlmap version <bf>0.3</bf> is released, featuring initial support for Microsoft SQL Server, support to test and exploit UNION query SQL injections and injection points in POST parameters. </itemize> <sect>2006 <itemize> <item><bf>December 13</bf>, Bernardo releases version <bf>0.2</bf> with major enhancements to the DBMS fingerprint functionalities and replacement of the old inference algorithm with the bisection algorithm. <item><bf>September</bf>, Daniele leaves the project, <htmlurl url="http://bernardodamele.blogspot.com" name="Bernardo Damele"> takes it over. <item><bf>August</bf>, Daniele adds initial support for PostgreSQL and releases version <bf>0.1</bf>. <item><bf>July 25</bf>, <htmlurl url="http://dbellucci.blogspot.com" name="Daniele Bellucci"> registers the sqlmap project on SourceForge and develops it on the SourceForge Subversion repository. The skeleton is implemented and limited support for MySQL added. </itemize> </article>