sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-07-29 17:39:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Automatic SQL injection and database takeover tool
7,814 Commits 2 Branches 127 Tags 112 MiB
Python 98.3%
C 0.6%
Shell 0.6%
HTML 0.3%
Perl 0.1%
0f4272fabe
Go to file
Dirk 0f4272fabe Add --ignore-400 
I encountered a situation where the console - I am running usally at debug level 2 or 3
is flooded with HTTP 400 (which are kind of annoying):

```
[15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:48] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:52] [DEBUG] got HTTP error code: 400 (Bad Request)
```

as this is triggered by almost every request.

This is a workaround for the above scenario so that on the console I see only what I wanted
to, like:

```
[18:51:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[18:51:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment) (NOT)'
[18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL) (original value)'
[18:52:07] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[18:52:08] [INFO] testing 'Boolean-based blind - Parameter replace (CASE) (original value)'
[18:52:08] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:52:34] [INFO] testing 'Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[18:52:58] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[18:52:59] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:53:00] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[18:53:23] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:53:41] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[18:53:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[18:54:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[18:54:26] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:54:43] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:54:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[18:55:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[18:55:27] [INFO] testing 'Oracle error-based - Parameter replace'
[18:55:27] [INFO] testing 'Oracle error-based - ORDER BY, GROUP BY clause'
```

Admittedly this is may seem a bit hackish as it only addresses HTTP 400 and doesn't cover other
app specific errors which can happen in other scenarios. It could also be that ``--suppress-400``
would sound better as it would describe better what it does but as there's
``--ignore-401`` so I settled for ``--ignore-400``.
2017-07-17 18:54:03 +02:00
doc Edit Bulgarian translation 2017-06-01 16:51:00 +03:00
extra PEP 3113 cleanup 2017-04-19 14:56:32 +02:00
lib Add --ignore-400 2017-07-17 18:54:03 +02:00
plugins Fixes #2598 2017-07-03 14:17:11 +02:00
procs Minor update 2016-05-30 01:29:40 +02:00
shell Minor consistency update 2017-04-18 14:02:25 +02:00
tamper append %A0 to space2mysqlblank 2017-06-19 22:39:09 +08:00
thirdparty Reverting back the bottle.py revision because of numerous Python 2.6 incompatibilities 2017-04-07 15:10:28 +02:00
txt Update for #2597 2017-07-03 16:55:24 +02:00
udf Stripping PostgreSQL .so files for size issues (Issue #2173) 2016-09-23 13:52:57 +02:00
waf Minor cleanup 2017-04-14 13:14:53 +02:00
xml Implements #2557 2017-06-07 11:22:06 +02:00
.gitattributes Update regarding the #2467 2017-04-10 16:44:12 +02:00
.gitignore Taking couple of suggestions from #2417 2017-02-27 22:03:15 +01:00
.travis.yml Adding support for Travis CI 2016-02-29 00:04:31 +01:00
ISSUE_TEMPLATE.md Implementation for an Issue #2221 2016-10-11 17:33:36 +02:00
README.md Minor update 2017-06-02 00:50:00 +02:00
sqlmap.conf Implementation for an Issue #2505 2017-05-07 23:12:42 +02:00
sqlmap.py Update for #2597 2017-07-03 16:55:24 +02:00
sqlmapapi.py New version preparation 2017-01-02 14:19:18 +01:00

README.md

sqlmap

Build Status Python 2.6|2.7 License Twitter

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Screenshots

Screenshot

You can visit the collection of screenshots demonstrating some of features on the wiki.

Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user's manual.

Links

Translations