mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-24 18:43:47 +03:00
2734 lines
110 KiB
HTML
2734 lines
110 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
|
|
<TITLE>sqlmap user's manual</TITLE>
|
|
</HEAD>
|
|
<BODY>
|
|
<H1>sqlmap user's manual</H1>
|
|
|
|
<H2>by
|
|
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A>,
|
|
<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A></H2>version 0.9, March 10, 2011
|
|
<HR>
|
|
<EM>This document is the user's manual to use
|
|
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.</EM>
|
|
<HR>
|
|
<P>
|
|
<H2><A NAME="toc1">1.</A> <A HREF="README.html#s1">Introduction</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc1.1">1.1</A> <A HREF="README.html#ss1.1">Requirements</A>
|
|
<LI><A NAME="toc1.2">1.2</A> <A HREF="README.html#ss1.2">Scenario</A>
|
|
<LI><A NAME="toc1.3">1.3</A> <A HREF="README.html#ss1.3">Techniques</A>
|
|
<LI><A NAME="toc1.4">1.4</A> <A HREF="README.html#ss1.4">Demo</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc2">2.</A> <A HREF="README.html#s2">Features</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc2.1">2.1</A> <A HREF="README.html#ss2.1">Generic features</A>
|
|
<LI><A NAME="toc2.2">2.2</A> <A HREF="README.html#ss2.2">Fingerprint and enumeration features</A>
|
|
<LI><A NAME="toc2.3">2.3</A> <A HREF="README.html#ss2.3">Takeover features</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc3">3.</A> <A HREF="README.html#s3">History</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc3.1">3.1</A> <A HREF="README.html#ss3.1">2011</A>
|
|
<LI><A NAME="toc3.2">3.2</A> <A HREF="README.html#ss3.2">2010</A>
|
|
<LI><A NAME="toc3.3">3.3</A> <A HREF="README.html#ss3.3">2009</A>
|
|
<LI><A NAME="toc3.4">3.4</A> <A HREF="README.html#ss3.4">2008</A>
|
|
<LI><A NAME="toc3.5">3.5</A> <A HREF="README.html#ss3.5">2007</A>
|
|
<LI><A NAME="toc3.6">3.6</A> <A HREF="README.html#ss3.6">2006</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc4">4.</A> <A HREF="README.html#s4">Download and update</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc5">5.</A> <A HREF="README.html#s5">Usage</A></H2>
|
|
|
|
<UL>
|
|
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Output verbosity</A>
|
|
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Target</A>
|
|
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Request</A>
|
|
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Optimization</A>
|
|
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Injection</A>
|
|
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Detection</A>
|
|
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Techniques</A>
|
|
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Fingerprint</A>
|
|
<LI><A NAME="toc5.9">5.9</A> <A HREF="README.html#ss5.9">Enumeration</A>
|
|
<LI><A NAME="toc5.10">5.10</A> <A HREF="README.html#ss5.10">Brute force</A>
|
|
<LI><A NAME="toc5.11">5.11</A> <A HREF="README.html#ss5.11">User-defined function injection</A>
|
|
<LI><A NAME="toc5.12">5.12</A> <A HREF="README.html#ss5.12">File system access</A>
|
|
<LI><A NAME="toc5.13">5.13</A> <A HREF="README.html#ss5.13">Operating system takeover</A>
|
|
<LI><A NAME="toc5.14">5.14</A> <A HREF="README.html#ss5.14">Windows registry access</A>
|
|
<LI><A NAME="toc5.15">5.15</A> <A HREF="README.html#ss5.15">General</A>
|
|
<LI><A NAME="toc5.16">5.16</A> <A HREF="README.html#ss5.16">Miscellaneous</A>
|
|
</UL>
|
|
<P>
|
|
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">License and copyright</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc7">7.</A> <A HREF="README.html#s7">Disclaimer</A></H2>
|
|
|
|
<P>
|
|
<H2><A NAME="toc8">8.</A> <A HREF="README.html#s8">Authors</A></H2>
|
|
|
|
|
|
<HR>
|
|
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Introduction</A></H2>
|
|
|
|
<P>sqlmap is an open source penetration testing tool that automates the
|
|
process of detecting and exploiting SQL injection flaws and taking over of
|
|
database servers. It comes with a kick-ass detection engine, many niche
|
|
features for the ultimate penetration tester and a broad range of switches
|
|
lasting from database fingerprinting, over data fetching from the
|
|
database, to accessing the underlying file system and executing commands
|
|
on the operating system via out-of-band connections.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Requirements</A>
|
|
</H2>
|
|
|
|
<P>sqlmap is developed in
|
|
<A HREF="http://www.python.org">Python</A>,
|
|
a dynamic object-oriented interpreted programming language.
|
|
This makes the tool independent from the operating system. It only
|
|
requires the Python interpreter version equal or higher than <B>2.6</B>.
|
|
The interpreter is freely downloadable from its
|
|
<A HREF="http://python.org/download/">official site</A>.
|
|
To make it even easier, many GNU/Linux distributions come out of the box
|
|
with Python interpreter installed and other Unices and Mac OSX too provide
|
|
it packaged in their formats and ready to be installed.
|
|
Windows users can download and install the Python setup-ready installer
|
|
for x86, AMD64 and Itanium too.</P>
|
|
<P>sqlmap relies on the
|
|
<A HREF="http://metasploit.com/framework/">Metasploit Framework</A> for some of its post-exploitation takeover
|
|
features. You need to grab a copy of it from the
|
|
<A HREF="http://metasploit.com/framework/download/">download</A>
|
|
page - the required version is <B>3.5</B> or higher.
|
|
For the ICMP tunneling out-of-band takeover technique, sqlmap requires
|
|
<A HREF="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket">Impacket</A> library too.</P>
|
|
<P>If you are willing to connect directly to a database server (<CODE>-d</CODE> switch), without passing
|
|
via a web application, you need to install Python bindings for the database
|
|
management system that you are going to attack:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Firebird:
|
|
<A HREF="http://kinterbasdb.sourceforge.net/">python-kinterbasdb</A>.</LI>
|
|
<LI>Microsoft Access:
|
|
<A HREF="http://pyodbc.googlecode.com/">python-pyodbc</A>.</LI>
|
|
<LI>Microsoft SQL Server:
|
|
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
|
|
<LI>MySQL:
|
|
<A HREF="http://mysql-python.sourceforge.net/">python-mysqldb</A>.</LI>
|
|
<LI>Oracle:
|
|
<A HREF="http://cx-oracle.sourceforge.net/">python cx_Oracle</A>.</LI>
|
|
<LI>PostgreSQL:
|
|
<A HREF="http://initd.org/psycopg/">python-psycopg2</A>.</LI>
|
|
<LI>SQLite:
|
|
<A HREF="http://pysqlite.googlecode.com/">python-pysqlite2</A>.</LI>
|
|
<LI>Sybase:
|
|
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
<P>If you plan to attack a web application behind NTLM authentication or use
|
|
the sqlmap update functionality (<CODE>-</CODE><CODE>-update</CODE> switch) you need to
|
|
install respectively
|
|
<A HREF="http://code.google.com/p/python-ntlm/">python-ntlm</A> and
|
|
<A HREF="http://pysvn.tigris.org/">python-svn</A> libraries.</P>
|
|
<P>Optionally, if you are running sqlmap on Windows, you may wish to install
|
|
<A HREF="http://ipython.scipy.org/moin/PyReadline/Intro">PyReadline</A>
|
|
library to be able to take advantage of the sqlmap TAB completion and
|
|
history support features in the SQL shell and OS shell.
|
|
Note that these functionalities are available natively by Python standard
|
|
<A HREF="http://docs.python.org/library/readline.html">readline</A>
|
|
library on other operating systems.</P>
|
|
<P>You can also choose to install
|
|
<A HREF="http://psyco.sourceforge.net/">Psyco</A> library to eventually speed up the sqlmap algorithmic
|
|
operations.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Scenario</A>
|
|
</H2>
|
|
|
|
<H3>Detect and exploit a SQL injection</H3>
|
|
|
|
<P>Let's say that you are auditing a web application and found a web page
|
|
that accepts dynamic user-provided values on <CODE>GET</CODE> or <CODE>POST</CODE>
|
|
parameters or HTTP <CODE>Cookie</CODE> values or HTTP <CODE>User-Agent</CODE>
|
|
header value.
|
|
You now want to test if these are affected by a SQL injection
|
|
vulnerability, and if so, exploit them to retrieve as much information as
|
|
possible out of the web application's back-end database management system
|
|
or even be able to access the underlying file system and operating system.</P>
|
|
<P>In a simple world, consider that the target url is:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>Assume that:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>is the same page as the original one and:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>differs from the original one, it means that you are in front of a SQL
|
|
injection vulnerability in the <CODE>id</CODE> <CODE>GET</CODE> parameter of the
|
|
<CODE>index.php</CODE> web application page which means that potentially no
|
|
IDS/IPS, no web application firewall, no parameters' value sanitization is
|
|
performed on the server-side before sending the SQL statement to the
|
|
back-end database management system the web application relies on.</P>
|
|
<P>This is a quite common flaw in dynamic content web applications and it
|
|
does not depend upon the back-end database management system nor on the web
|
|
application programming language: it is a programmer code's security flaw.
|
|
The
|
|
<A HREF="http://www.owasp.org">Open Web Application Security Project</A>
|
|
rated on 2010 in their
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">OWASP Top Ten</A> survey this vulnerability as the
|
|
<A HREF="http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf">most common</A> and important web application vulnerability along with other
|
|
injection flaws.</P>
|
|
<P>Back to the scenario, probably the SQL <CODE>SELECT</CODE> statement into
|
|
<CODE>get_int.php</CODE> has a syntax similar to the following SQL query, in
|
|
pseudo PHP code:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<CODE>$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];</CODE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>As you can see, appending any other syntatically valid SQL condition after
|
|
a value for <CODE>id</CODE> such condition will take place when the web
|
|
application passes the query to the back-end database management system
|
|
that executes it, that is why the condition <CODE>id=1 AND 1=1</CODE> is valid
|
|
(<EM>True</EM>) and returns the same page as the original one, with the
|
|
same content. This is the case of a boolean-based blind SQL injection
|
|
vulnerability. However, sqlmap is able to detect any type of SQL injection
|
|
and adapt its work-flow accordingly. Read below for further details.</P>
|
|
<P>Moreover, in this simple and easy to inject scenario it would be also
|
|
possible to append, not just one or more valid SQL condition(s), but also
|
|
stacked SQL queries, for instance something like <CODE>[...]&id=1;
|
|
ANOTHER SQL QUERY#</CODE> if the web application technology supports
|
|
<EM>stacked queries</EM>, also known as <EM>multiple statements</EM>.</P>
|
|
<P>Now that you found this SQL injection vulnerable parameter, you can
|
|
exploit it by manipulating the <CODE>id</CODE> parameter value in the HTTP
|
|
request.</P>
|
|
<P>There exist many
|
|
<A HREF="http://delicious.com/inquis/sqlinjection">resources</A>
|
|
on the Net explaining in depth how to prevent, detect and exploit SQL
|
|
injection vulnerabilities in web application and it is recommended to read
|
|
them if you are not familiar with the issue before going ahead with sqlmap.</P>
|
|
<P>Passing the original address, <CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
|
|
to sqlmap, the tool will automatically:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Identify the vulnerable parameter(s) (<CODE>id</CODE> in this example);</LI>
|
|
<LI>Identify which SQL injection techniques can be used to exploit the
|
|
vulnerable parameter(s);</LI>
|
|
<LI>Fingerprint the back-end database management system;</LI>
|
|
<LI>Depending on the user's options, it will extensively fingerprint,
|
|
enumerate data or takeover the database server as a whole.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H3>Direct connection to the database management system</H3>
|
|
|
|
<P>Up until sqlmap version <B>0.8</B>, the tool has been <EM>yet another
|
|
SQL injection tool</EM>, used by web application penetration testers/newbies/curious
|
|
teens/computer addicted/punks and so on. Things move on
|
|
and as they evolve, we do as well. Now it supports this new switch,
|
|
<CODE>-d</CODE>, that allows you to connect from your machine to the database
|
|
server's TCP port where the database management system daemon is listening
|
|
on and perform any operation you would do while using it to attack a
|
|
database via a SQL injection vulnerability.</P>
|
|
|
|
|
|
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
|
|
</H2>
|
|
|
|
<P>sqlmap is able to detect and exploit five different SQL injection
|
|
<EM>types</EM>:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><B>Boolean-based blind SQL injection</B>, also known as <B>inferential
|
|
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
|
|
the HTTP request, a syntatically valid SQL statement string containing a
|
|
<CODE>SELECT</CODE> sub-statement, or any other SQL statement whose the user
|
|
want to retrieve the output.
|
|
For each HTTP response, by making a comparison between the HTTP response
|
|
headers/body with the original request, the tool inference the output of
|
|
the injected statement character by character. Alternatively, the user
|
|
can provide a string or regular expression to match on True pages.
|
|
The bisection algorithm implemented in sqlmap to perform this technique
|
|
is able to fetch each character of the output with a maximum of seven HTTP
|
|
requests. Where the output is not within the clear-text plain charset,
|
|
sqlmap will adapt the algorithm with bigger ranges to detect the output.</LI>
|
|
<LI><B>Time-based blind SQL injection</B>, also known as <B>full blind
|
|
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
|
|
the HTTP request, a syntatically valid SQL statement string containing a
|
|
query which put on hold the back-end DBMS to return for a certain number
|
|
of seconds.
|
|
For each HTTP response, by making a comparison between the HTTP response
|
|
time with the original request, the tool inference the output of
|
|
the injected statement character by character. Like for boolean-based
|
|
technique, the bisection algorithm is applied.</LI>
|
|
<LI><B>Error-based SQL injection</B>: sqlmap replaces or append to the
|
|
affected parameter a database-specific syntatically wrong statement and
|
|
parses the HTTP response headers and body in search of DBMS error messages
|
|
containing the injected pre-defined chain of characters and the statement
|
|
output within. This technique works when the web application has been
|
|
configured to disclose back-end database management system error messages
|
|
only.</LI>
|
|
<LI><B>UNION query SQL injection</B>, also known as <B>inband SQL
|
|
injection</B>: sqlmap appends to the affected parameter a syntatically
|
|
valid SQL statement string starting with a <CODE>UNION ALL SELECT</CODE>.
|
|
This techique works when the web application page passes the output of the
|
|
<CODE>SELECT</CODE> statement within a <CODE>for</CODE> cycle, or similar, so that
|
|
each line of the query output is printed on the page content.
|
|
sqlmap is also able to exploit <B>partial (single entry) UNION query SQL
|
|
injection</B> vulnerabilities which occur when the output of the
|
|
statement is not cycled in a <CODE>for</CODE> construct whereas only the first
|
|
entry of the query output is displayed.</LI>
|
|
<LI><B>Stacked queries SQL injection</B>, also known as <B>multiple
|
|
statements SQL injection</B>: sqlmap tests if the web application supports
|
|
stacked queries then, in case it does support, it appends to the affected
|
|
parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
|
|
SQL statement to be executed. This technique is useful to run SQL
|
|
statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
|
|
definition</EM> or <EM>data manipulation</EM> statements possibly leading
|
|
to file system read and write access and operating system command
|
|
execution depending on the underlying back-end database management system
|
|
and the session user privileges.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss1.4">1.4</A> <A HREF="#toc1.4">Demo</A>
|
|
</H2>
|
|
|
|
<P>You can watch several demo videos, they are hosted on
|
|
<A HREF="http://www.youtube.com/user/inquisb#g/u">YouTube</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
|
|
|
|
<P>Features implemented in sqlmap include:</P>
|
|
|
|
|
|
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Generic features</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI>Full support for <B>MySQL</B>, <B>Oracle</B>, <B>PostgreSQL</B>,
|
|
<B>Microsoft SQL Server</B>, <B>Microsoft Access</B>, <B>SQLite</B>,
|
|
<B>Firebird</B>, <B>Sybase</B> and <B>SAP MaxDB</B> database
|
|
management systems.
|
|
</LI>
|
|
<LI>Full support for five SQL injection techniques: <B>boolean-based
|
|
blind</B>, <B>time-based blind</B>, <B>error-based</B>,
|
|
<B>UNION query</B> and <B>stacked queries</B>.
|
|
</LI>
|
|
<LI>Support to <B>directly connect to the database</B> without passing
|
|
via a SQL injection, by providing DBMS credentials, IP address, port and
|
|
database name.
|
|
</LI>
|
|
<LI>It is possible to provide a single target URL, get the list of
|
|
targets from
|
|
<A HREF="http://portswigger.net/suite/">Burp proxy</A>
|
|
or
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab proxy</A> requests log files, get the whole HTTP request
|
|
from a text file or get the list of targets by providing sqlmap with a
|
|
Google dork which queries
|
|
<A HREF="http://www.google.com">Google</A> search engine and parses its results page. You can also
|
|
define a regular-expression based scope that is used to identify which of
|
|
the parsed addresses to test.
|
|
</LI>
|
|
<LI>Tests provided <B>GET</B> parameters, <B>POST</B> parameters,
|
|
HTTP <B>Cookie</B> header values, HTTP <B>User-Agent</B> header value
|
|
and HTTP <B>Referer</B> header value to identify and exploit SQL
|
|
injection vulnerabilities. It is also possible to specify a comma-separated
|
|
list of specific parameter(s) to test.
|
|
</LI>
|
|
<LI>Option to specify the <B>maximum number of concurrent HTTP(S)
|
|
requests (multi-threading)</B> to speed up the blind SQL injection
|
|
techniques. Vice versa, it is also possible to specify the number of
|
|
seconds to hold between each HTTP(S) request. Others optimization switches
|
|
to speed up the exploitation are implemented too.
|
|
</LI>
|
|
<LI><B>HTTP <CODE>Cookie</CODE> header</B> string support, useful when the
|
|
web application requires authentication based upon cookies and you have
|
|
such data or in case you just want to test for and exploit SQL injection
|
|
on such header values. You can also specify to always URL-encode the
|
|
Cookie.
|
|
</LI>
|
|
<LI>Automatically handles <B>HTTP <CODE>Set-Cookie</CODE> header</B> from
|
|
the application, re-establishing of the session if it expires. Test and
|
|
exploit on these values is supported too. Vice versa, you can also force
|
|
to ignore any <CODE>Set-Cookie</CODE> header.
|
|
</LI>
|
|
<LI>HTTP protocol <B>Basic, Digest, NTLM and Certificate
|
|
authentications</B> support.
|
|
</LI>
|
|
<LI><B>HTTP(S) proxy</B> support to pass by the requests to the target
|
|
application that works also with HTTPS requests and with authenticated
|
|
proxy servers.
|
|
</LI>
|
|
<LI>Options to fake the <B>HTTP <CODE>Referer</CODE> header</B> value and
|
|
the <B>HTTP <CODE>User-Agent</CODE> header</B> value specified by user or
|
|
randomly selected from a textual file.
|
|
</LI>
|
|
<LI>Support to increase the <B>verbosity level of output messages</B>:
|
|
there exist <B>seven levels</B> of verbosity.
|
|
</LI>
|
|
<LI>Support to <B>parse HTML forms</B> from the target URL and forge
|
|
HTTP(S) requests against those pages to test the form parameters against
|
|
vulnerabilities.
|
|
</LI>
|
|
<LI><B>Granularity and flexibility</B> in terms of both user's
|
|
switches and features.
|
|
</LI>
|
|
<LI><B>Estimated time of arrival</B> support for each query, updated
|
|
in real time, to provide the user with an overview on how long it will
|
|
take to retrieve the queries' output.
|
|
</LI>
|
|
<LI>Automatically saves the session (queries and their output, even if
|
|
partially retrieved) on a textual file in real time while fetching the
|
|
data and <B>resumes the injection</B> by parsing the session file.
|
|
</LI>
|
|
<LI>Support to read options from a configuration INI file rather than
|
|
specify each time all of the switches on the command line. Support also to
|
|
generate a configuration file based on the command line switches provided.
|
|
</LI>
|
|
<LI>Support to <B>replicate the back-end database tables structure and
|
|
entries</B> on a local SQLite 3 database.
|
|
</LI>
|
|
<LI>Option to update sqlmap to the latest development version from the
|
|
subversion repository.
|
|
</LI>
|
|
<LI>Support to parse HTTP(S) responses and display any DBMS error
|
|
message to the user.
|
|
</LI>
|
|
<LI>Integration with other IT security open source projects,
|
|
<A HREF="http://metasploit.com/framework/">Metasploit</A> and
|
|
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Fingerprint and enumeration features</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>Extensive back-end database software version and underlying
|
|
operating system fingerprint</B> based upon
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">error messages</A>,
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">banner parsing</A>,
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">functions output comparison</A> and
|
|
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">specific features</A>
|
|
such as MySQL comment injection. It is also possible to force the back-end
|
|
database management system name if you already know it.
|
|
</LI>
|
|
<LI>Basic web server software and web application technology
|
|
fingerprint.
|
|
</LI>
|
|
<LI>Support to retrieve the DBMS <B>banner</B>, <B>session user</B>
|
|
and <B>current database</B> information. The tool can also check if the
|
|
session user is a <B>database administrator</B> (DBA).
|
|
</LI>
|
|
<LI>Support to enumerate <B>database users</B>, <B>users' password
|
|
hashes</B>, <B>users' privileges</B>, <B>users' roles</B>,
|
|
<B>databases</B>, <B>tables</B> and <B>columns</B>.
|
|
</LI>
|
|
<LI>Automatic recognition of password hashes format and support to
|
|
<B>crack them with a dictionary-based attack</B>.
|
|
</LI>
|
|
<LI>Support to <B>brute-force tables and columns name</B>. This is
|
|
useful when the session user has no read access over the system table
|
|
containing schema information or when the database management system does
|
|
not store this information anywhere (e.g. MySQL < 5.0).
|
|
</LI>
|
|
<LI>Support to <B>dump database tables</B> entirely, a range of
|
|
entries or specific columns as per user's choice. The user can also choose
|
|
to dump only a range of characters from each column's entry.
|
|
</LI>
|
|
<LI>Support to automatically <B>dump all databases</B>' schemas and
|
|
entries. It is possibly to exclude from the dump the system databases.
|
|
</LI>
|
|
<LI>Support to <B>search for specific database names, specific tables
|
|
across all databases or specific columns across all databases'
|
|
tables</B>. This is useful, for instance, to identify tables containing
|
|
custom application credentials where relevant columns' names contain
|
|
string like <EM>name</EM> and <EM>pass</EM>.
|
|
</LI>
|
|
<LI>Support to <B>run custom SQL statement(s)</B> as in an interactive
|
|
SQL client connecting to the back-end database. sqlmap automatically
|
|
dissects the provided statement, determines which technique fits best to
|
|
inject it and how to pack the SQL payload accordingly.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Takeover features</A>
|
|
</H2>
|
|
|
|
<P>Some of these techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A> and in the
|
|
slide deck
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">Expanding the control over the operating system from the database</A>.</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Support to <B>inject custom user-defined functions</B>: the user
|
|
can compile a shared library then use sqlmap to create within the back-end
|
|
DBMS user-defined functions out of the compiled shared library file. These
|
|
UDFs can then be executed, and optionally removed, via sqlmap. This is
|
|
supported when the database software is MySQL or PostgreSQL.
|
|
</LI>
|
|
<LI>Support to <B>download and upload any file</B> from the database
|
|
server underlying file system when the database software is MySQL,
|
|
PostgreSQL or Microsoft SQL Server.
|
|
</LI>
|
|
<LI>Support to <B>execute arbitrary commands and retrieve their
|
|
standard output</B> on the database server underlying operating system
|
|
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
|
|
<UL>
|
|
<LI>On MySQL and PostgreSQL via user-defined function injection and
|
|
execution.</LI>
|
|
<LI>On Microsoft SQL Server via <CODE>xp_cmdshell()</CODE> stored procedure.
|
|
Also, the stored procedure is re-enabled if disabled or created from
|
|
scratch if removed by the DBA.</LI>
|
|
</UL>
|
|
|
|
</LI>
|
|
<LI>Support to <B>establish an out-of-band stateful TCP connection
|
|
between the attacker machine and the database server</B> underlying
|
|
operating system. This channel can be an interactive command prompt, a
|
|
Meterpreter session or a graphical user interface (VNC) session as per
|
|
user's choice.
|
|
sqlmap relies on Metasploit to create the shellcode and implements four
|
|
different techniques to execute it on the database server. These
|
|
techniques are:
|
|
<UL>
|
|
<LI>Database <B>in-memory execution of the Metasploit's shellcode</B>
|
|
via sqlmap own user-defined function <CODE>sys_bineval()</CODE>. Supported on
|
|
MySQL and PostgreSQL.</LI>
|
|
<LI>Upload and execution of a Metasploit's <B>stand-alone payload
|
|
stager</B> via sqlmap own user-defined function <CODE>sys_exec()</CODE> on
|
|
MySQL and PostgreSQL or via <CODE>xp_cmdshell()</CODE> on Microsoft SQL
|
|
Server.</LI>
|
|
<LI>Execution of Metasploit's shellcode by performing a <B>SMB
|
|
reflection attack</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx">MS08-068</A>) with a UNC path request from the database server to
|
|
the attacker's machine where the Metasploit <CODE>smb_relay</CODE> server
|
|
exploit listens. Supported when running sqlmap with high privileges
|
|
(<CODE>uid=0</CODE>) on Linux/Unix and the target DBMS runs as Administrator
|
|
on Windows.</LI>
|
|
<LI>Database in-memory execution of the Metasploit's shellcode by
|
|
exploiting <B>Microsoft SQL Server 2000 and 2005
|
|
<CODE>sp_replwritetovarbin</CODE> stored procedure heap-based buffer
|
|
overflow</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx">MS09-004</A>). sqlmap has its own exploit to trigger the
|
|
vulnerability with automatic DEP memory protection bypass, but it relies
|
|
on Metasploit to generate the shellcode to get executed upon successful
|
|
exploitation.</LI>
|
|
</UL>
|
|
|
|
</LI>
|
|
<LI>Support for <B>database process' user privilege escalation</B> via
|
|
Metasploit's <CODE>getsystem</CODE> command which include, among others,
|
|
the
|
|
<A HREF="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html">kitrap0d</A> technique (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx">MS10-015</A>).
|
|
</LI>
|
|
<LI>Support to access (read/add/delete) Windows registry hives.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s3">3.</A> <A HREF="#toc3">History</A></H2>
|
|
|
|
<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">2011</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>March 10</B>,
|
|
<A HREF="http://sqlmap.sourceforge.net/#developers">Bernardo and Miroslav</A> release sqlmap
|
|
<B>0.9</B> featuring a totally rewritten and powerful SQL injection
|
|
detection engine, the possibility to connect directly to a database
|
|
server, support for time-based blind SQL injection and error-based SQL
|
|
injection, support for four new database management systems and much more.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">2010</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December</B>,
|
|
<A HREF="http://sqlmap.sourceforge.net/#developers">Bernardo and Miroslav</A> have enhanced sqlmap a
|
|
lot during the whole year and prepare to release sqlmap <B>0.9</B>
|
|
within the first quarter of 2011.</LI>
|
|
<LI><B>June 3</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/ath-con-2010bernardodamelegotdbownnet">presents</A>
|
|
a talk titled <EM>Got database access? Own the network!</EM> at AthCon
|
|
2010 in Athens (Greece).</LI>
|
|
<LI><B>March 14</B>,
|
|
<A HREF="http://sqlmap.sourceforge.net/#developers">Bernardo and Miroslav</A> release stable version of
|
|
sqlmap <B>0.8</B> featuring many features. Amongst these, support to
|
|
enumerate and dump all databases' tables containing user provided
|
|
column(s), stabilization and enhancements to the takeover functionalities,
|
|
updated integration with Metasploit 3.3.3 and a lot of minor features and
|
|
bug fixes.</LI>
|
|
<LI><B>March</B>, sqlmap demo videos have been
|
|
<A HREF="http://www.youtube.com/inquisb#g/u">published</A>.</LI>
|
|
<LI><B>January</B>, Bernardo is
|
|
<A HREF="http://www.athcon.org/speakers/">invited</A> to present at
|
|
<A HREF="http://www.athcon.org/archives/2010-2/">AthCon</A> conference in
|
|
Greece on June 2010.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">2009</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 18</B>, Miroslav Stampar replies to the call for
|
|
developers. Along with Bernardo, he actively develops sqlmap from version
|
|
<B>0.8 release candidate 2</B>.
|
|
</LI>
|
|
<LI><B>December 12</B>, Bernardo writes to the mailing list a post
|
|
titled
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/12/sqlmap-state-of-art-3-years-later.html">sqlmap state of art - 3 years later</A> highlighting the goals
|
|
achieved during these first three years of the project and launches a call
|
|
for developers.
|
|
</LI>
|
|
<LI><B>December 4</B>, sqlmap-devel mailing list has been merged into
|
|
sqlmap-users
|
|
<A HREF="http://sqlmap.sourceforge.net/#ml">mailing list</A>.
|
|
</LI>
|
|
<LI><B>November 20</B>, Bernardo and Guido present again their
|
|
research on stealth database server takeover at CONfidence 2009 in Warsaw,
|
|
Poland.
|
|
</LI>
|
|
<LI><B>September 26</B>, sqlmap version <B>0.8 release candidate
|
|
1</B> goes public on the
|
|
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion repository</A>, with all the attack
|
|
vectors unveiled at SOURCE Barcelona 2009 Conference. These include an
|
|
enhanced version of the Microsoft SQL Server buffer overflow exploit to
|
|
automatically bypass DEP memory protection, support to establish the
|
|
out-of-band connection with the database server by executing in-memory
|
|
the Metasploit shellcode via UDF <EM>sys_bineval()</EM> (anti-forensics
|
|
technique), support to access the Windows registry hives and support to
|
|
inject custom user-defined functions.
|
|
</LI>
|
|
<LI><B>September 21</B>, Bernardo and
|
|
<A HREF="http://www.pornosecurity.org">Guido Landi</A>
|
|
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009/schedule">present</A>
|
|
their research (
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">slides</A>)
|
|
at SOURCE Conference 2009 in Barcelona, Spain.
|
|
</LI>
|
|
<LI><B>August</B>, Bernardo is accepted as a speaker at two others IT
|
|
security conferences,
|
|
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009">SOURCE Barcelona 2009</A> and
|
|
<A HREF="http://200902.confidence.org.pl/">CONfidence 2009 Warsaw</A>.
|
|
This new research is titled <EM>Expanding the control over the operating
|
|
system from the database</EM>.
|
|
</LI>
|
|
<LI><B>July 25</B>, stable version of sqlmap <B>0.7</B> is out!
|
|
</LI>
|
|
<LI><B>June 27</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11-updated">presents</A>
|
|
an updated version of his
|
|
<EM>SQL injection: Not only AND 1=1</EM> slides at
|
|
<A HREF="http://www.digitalsecurityforum.eu/">2nd Digital Security Forum</A> in
|
|
Lisbon, Portugal.
|
|
</LI>
|
|
<LI><B>June 2</B>, sqlmap version <B>0.6.4</B> has made its way to
|
|
the official Ubuntu repository too.
|
|
</LI>
|
|
<LI><B>May</B>, Bernardo presents again his research on operating
|
|
system takeover via SQL injection at
|
|
<A HREF="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland">OWASP AppSec Europe 2009</A> in Warsaw, Poland and at
|
|
<A HREF="http://eusecwest.com/">EUSecWest 2009</A> in London, UK.
|
|
</LI>
|
|
<LI><B>May 8</B>, sqlmap version <B>0.6.4</B> has been officially
|
|
accepted in Debian repository. Details on
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/05/sqlmap-in-debian-package-repository.html">this blog post</A>.
|
|
</LI>
|
|
<LI><B>April 22</B>, sqlmap version <B>0.7 release candidate 1</B>
|
|
goes public, with all the attack vectors unveiled at Black Hat Europe 2009
|
|
Conference.
|
|
These include execution of arbitrary commands on the underlying operating
|
|
system, full integration with Metasploit to establish an out-of-band
|
|
TCP connection, first publicly available exploit for Microsoft Security
|
|
Bulletin
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx">MS09-004</A> against Microsoft SQL Server 2000 and 2005 and others
|
|
attacks to takeover the database server as a whole, not only the data from
|
|
the database.
|
|
</LI>
|
|
<LI><B>April 16</B>, Bernardo
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-archives.html#Damele">presents</A> his research (
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides">slides</A>,
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">whitepaper</A>) at Black Hat Europe 2009 in Amsterdam, The Netherlands.
|
|
The feedback from the audience is good and there has been some
|
|
<A HREF="http://bernardodamele.blogspot.com/2009/03/black-hat-europe-2009.html">media coverage</A> too.
|
|
</LI>
|
|
<LI><B>March 5</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11">presents</A> for the first time some of the sqlmap recent features and
|
|
upcoming enhancements at an international event,
|
|
<A HREF="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009">Front Range OWASP Conference 2009</A> in Denver, USA. The presentation
|
|
is titled <EM>SQL injection: Not only AND 1=1</EM>.
|
|
</LI>
|
|
<LI><B>February 24</B>, Bernardo is accepted as a
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele">speaker</A> at
|
|
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html">Black Hat Europe 2009</A> with a presentation titled <EM>Advanced SQL
|
|
injection exploitation to operating system full control</EM>.
|
|
</LI>
|
|
<LI><B>February 3</B>, sqlmap <B>0.6.4</B> is the last point release
|
|
for 0.6: taking advantage of the stacked queries test implemented in 0.6.3,
|
|
sqlmap can now be used to execute any arbitrary SQL statement, not only
|
|
<EM>SELECT</EM> anymore. Also, many features have been stabilized, tweaked
|
|
and improved in terms of speed in this release.
|
|
</LI>
|
|
<LI><B>January 9</B>, Bernardo
|
|
<A HREF="http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation">presents</A> <EM>SQL injection exploitation internals</EM> at a
|
|
private event in London, UK.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.4">3.4</A> <A HREF="#toc3.4">2008</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 18</B>, sqlmap <B>0.6.3</B> is released featuring
|
|
support to retrieve targets from Burp and WebScarab proxies log files,
|
|
support to test for stacked queries ant time-based blind SQL injection,
|
|
rough fingerprint of the web server and web application technologies in
|
|
use and more options to customize the HTTP requests and enumerate more
|
|
information from the database.
|
|
</LI>
|
|
<LI><B>November 2</B>, sqlmap version <B>0.6.2</B> is a "bug fixes"
|
|
release only.
|
|
</LI>
|
|
<LI><B>October 20</B>, sqlmap first point release, <B>0.6.1</B>, goes
|
|
public. This includes minor bug fixes and the first contact between the
|
|
tool and
|
|
<A HREF="http://metasploit.com/framework">Metasploit</A>:
|
|
an auxiliary module to launch sqlmap from within Metasploit Framework.
|
|
The
|
|
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion development repository</A> goes public again.
|
|
</LI>
|
|
<LI><B>September 1</B>, nearly one year after the previous release,
|
|
sqlmap <B>0.6</B> comes to life featuring a complete code
|
|
refactoring, support to execute arbitrary SQL <EM>SELECT</EM> statements,
|
|
more options to enumerate and dump specific information are added, brand
|
|
new installation packages for Debian, Red Hat, Windows and much more.
|
|
</LI>
|
|
<LI><B>August</B>, two public
|
|
<A HREF="http://sqlmap.sourceforge.net/#ml">mailing lists</A> are created on SourceForge.
|
|
</LI>
|
|
<LI><B>January</B>, sqlmap subversion development repository is moved
|
|
away from SourceForge and goes private for a while.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.5">3.5</A> <A HREF="#toc3.5">2007</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>November 4</B>, release <B>0.5</B> marks the end of the OWASP
|
|
Spring of Code 2007 contest participation. Bernardo has
|
|
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page">accomplished</A> all the propsed objects which include also initial
|
|
support for Oracle, enhanced support for UNION query SQL injection and
|
|
support to test and exploit SQL injections in HTTP Cookie and User-Agent
|
|
headers.
|
|
</LI>
|
|
<LI><B>June 15</B>, Bernardo releases version <B>0.4</B> as a
|
|
result of the first OWASP Spring of Code 2007 milestone. This release
|
|
features, amongst others, improvements to the DBMS fingerprint engine,
|
|
support to calculate the estimated time of arrival, options to enumerate
|
|
specific data from the database server and brand new logging system.
|
|
</LI>
|
|
<LI><B>April</B>, even though sqlmap was <B>not</B> and is <B>not</B>
|
|
an OWASP project, it gets
|
|
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SqlMap">accepted</A>, amongst many other open source projects to OWASP Spring
|
|
of Code 2007.
|
|
</LI>
|
|
<LI><B>March 30</B>, Bernardo applies to OWASP
|
|
<A HREF="http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap">Spring of Code 2007</A>.
|
|
</LI>
|
|
<LI><B>January 20</B>, sqlmap version <B>0.3</B> is released,
|
|
featuring initial support for Microsoft SQL Server, support to test
|
|
and exploit UNION query SQL injections and injection points in POST
|
|
parameters.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<H2><A NAME="ss3.6">3.6</A> <A HREF="#toc3.6">2006</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<UL>
|
|
<LI><B>December 13</B>, Bernardo releases version <B>0.2</B> with
|
|
major enhancements to the DBMS fingerprint functionalities and replacement
|
|
of the old inference algorithm with the bisection algorithm.
|
|
</LI>
|
|
<LI><B>September</B>, Daniele leaves the project,
|
|
<A HREF="http://bernardodamele.blogspot.com">Bernardo Damele A. G.</A>
|
|
takes it over.
|
|
</LI>
|
|
<LI><B>August</B>, Daniele adds initial support for PostgreSQL and releases
|
|
version <B>0.1</B>.
|
|
</LI>
|
|
<LI><B>July 25</B>,
|
|
<A HREF="http://dbellucci.blogspot.com">Daniele Bellucci</A>
|
|
registers the sqlmap project on SourceForge and develops it on the
|
|
<A HREF="http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/">SourceForge subversion repository</A>. The skeleton is implemented and
|
|
limited support for MySQL added.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Download and update</A></H2>
|
|
|
|
<P>sqlmap can be downloaded from its
|
|
<A HREF="http://sourceforge.net/projects/sqlmap/files/">SourceForge File List page</A>.
|
|
It is available in two formats:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>
|
|
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.tar.gz">Source gzip compressed</A>.
|
|
</LI>
|
|
<LI>
|
|
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.zip">Source zip compressed</A>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>You can also checkout the latest development version from the
|
|
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion</A>
|
|
repository:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>You can update it at any time to the latest development version by running:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py --update
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
<P>Or:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ svn update
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>This is strongly recommended <B>before</B> reporting any bug to the
|
|
<A HREF="http://sqlmap.sourceforge.net/#ml">mailing list</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
|
|
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -h
|
|
|
|
sqlmap/0.9 - automatic SQL injection and database takeover tool
|
|
http://sqlmap.sourceforge.net
|
|
|
|
Usage: sqlmap.py [options]
|
|
|
|
Options:
|
|
--version show program's version number and exit
|
|
-h, --help show this help message and exit
|
|
-v VERBOSE Verbosity level: 0-6 (default 1)
|
|
|
|
Target:
|
|
At least one of these options has to be specified to set the source to
|
|
get target urls from.
|
|
|
|
-d DIRECT Direct connection to the database
|
|
-u URL, --url=URL Target url
|
|
-l LIST Parse targets from Burp or WebScarab proxy logs
|
|
-r REQUESTFILE Load HTTP request from a file
|
|
-g GOOGLEDORK Process Google dork results as target urls
|
|
-c CONFIGFILE Load options from a configuration INI file
|
|
|
|
Request:
|
|
These options can be used to specify how to connect to the target url.
|
|
|
|
--data=DATA Data string to be sent through POST
|
|
--cookie=COOKIE HTTP Cookie header
|
|
--cookie-urlencode URL Encode generated cookie injections
|
|
--drop-set-cookie Ignore Set-Cookie header from response
|
|
--user-agent=AGENT HTTP User-Agent header
|
|
--random-agent Use randomly selected HTTP User-Agent header
|
|
--referer=REFERER HTTP Referer header
|
|
--headers=HEADERS Extra HTTP headers newline separated
|
|
--auth-type=ATYPE HTTP authentication type (Basic, Digest or NTLM)
|
|
--auth-cred=ACRED HTTP authentication credentials (name:password)
|
|
--auth-cert=ACERT HTTP authentication certificate (key_file,cert_file)
|
|
--proxy=PROXY Use a HTTP proxy to connect to the target url
|
|
--proxy-cred=PCRED HTTP proxy authentication credentials (name:password)
|
|
--ignore-proxy Ignore system default HTTP proxy
|
|
--delay=DELAY Delay in seconds between each HTTP request
|
|
--timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
|
|
--retries=RETRIES Retries when the connection timeouts (default 3)
|
|
--scope=SCOPE Regexp to filter targets from provided proxy log
|
|
--safe-url=SAFURL Url address to visit frequently during testing
|
|
--safe-freq=SAFREQ Test requests between two visits to a given safe url
|
|
|
|
Optimization:
|
|
These options can be used to optimize the performance of sqlmap.
|
|
|
|
-o Turn on all optimization switches
|
|
--predict-output Predict common queries output
|
|
--keep-alive Use persistent HTTP(s) connections
|
|
--null-connection Retrieve page length without actual HTTP response body
|
|
--threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
|
|
--group-concat Use GROUP_CONCAT MySQL technique in dumping phase
|
|
|
|
Injection:
|
|
These options can be used to specify which parameters to test for,
|
|
provide custom injection payloads and optional tampering scripts.
|
|
|
|
-p TESTPARAMETER Testable parameter(s)
|
|
--dbms=DBMS Force back-end DBMS to this value
|
|
--os=OS Force back-end DBMS operating system to this value
|
|
--prefix=PREFIX Injection payload prefix string
|
|
--suffix=SUFFIX Injection payload suffix string
|
|
--tamper=TAMPER Use given script(s) for tampering injection data
|
|
|
|
Detection:
|
|
These options can be used to specify how to parse and compare page
|
|
content from HTTP responses when using blind SQL injection technique.
|
|
|
|
--level=LEVEL Level of tests to perform (1-5, default 1)
|
|
--risk=RISK Risk of tests to perform (0-3, default 1)
|
|
--string=STRING String to match in page when the query is valid
|
|
--regexp=REGEXP Regexp to match in page when the query is valid
|
|
--text-only Compare pages based only on their textual content
|
|
|
|
Techniques:
|
|
These options can be used to tweak how specific SQL injection
|
|
techniques are tested.
|
|
|
|
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
|
|
--union-cols=UCOLS Range of columns to test for UNION query SQL injection
|
|
--union-char=UCHAR Character to use to bruteforce number of columns
|
|
|
|
Fingerprint:
|
|
-f, --fingerprint Perform an extensive DBMS version fingerprint
|
|
|
|
Enumeration:
|
|
These options can be used to enumerate the back-end database
|
|
management system information, structure and data contained in the
|
|
tables. Moreover you can run your own SQL statements.
|
|
|
|
-b, --banner Retrieve DBMS banner
|
|
--current-user Retrieve DBMS current user
|
|
--current-db Retrieve DBMS current database
|
|
--is-dba Detect if the DBMS current user is DBA
|
|
--users Enumerate DBMS users
|
|
--passwords Enumerate DBMS users password hashes
|
|
--privileges Enumerate DBMS users privileges
|
|
--roles Enumerate DBMS users roles
|
|
--dbs Enumerate DBMS databases
|
|
--tables Enumerate DBMS database tables
|
|
--columns Enumerate DBMS database table columns
|
|
--dump Dump DBMS database table entries
|
|
--dump-all Dump all DBMS databases tables entries
|
|
--search Search column(s), table(s) and/or database name(s)
|
|
-D DB DBMS database to enumerate
|
|
-T TBL DBMS database table to enumerate
|
|
-C COL DBMS database table column to enumerate
|
|
-U USER DBMS user to enumerate
|
|
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
|
--start=LIMITSTART First query output entry to retrieve
|
|
--stop=LIMITSTOP Last query output entry to retrieve
|
|
--first=FIRSTCHAR First query output word character to retrieve
|
|
--last=LASTCHAR Last query output word character to retrieve
|
|
--sql-query=QUERY SQL statement to be executed
|
|
--sql-shell Prompt for an interactive SQL shell
|
|
|
|
Brute force:
|
|
These options can be used to run brute force checks.
|
|
|
|
--common-tables Check existence of common tables
|
|
--common-columns Check existence of common columns
|
|
|
|
User-defined function injection:
|
|
These options can be used to create custom user-defined functions.
|
|
|
|
--udf-inject Inject custom user-defined functions
|
|
--shared-lib=SHLIB Local path of the shared library
|
|
|
|
File system access:
|
|
These options can be used to access the back-end database management
|
|
system underlying file system.
|
|
|
|
--file-read=RFILE Read a file from the back-end DBMS file system
|
|
--file-write=WFILE Write a local file on the back-end DBMS file system
|
|
--file-dest=DFILE Back-end DBMS absolute filepath to write to
|
|
|
|
Operating system access:
|
|
These options can be used to access the back-end database management
|
|
system underlying operating system.
|
|
|
|
--os-cmd=OSCMD Execute an operating system command
|
|
--os-shell Prompt for an interactive operating system shell
|
|
--os-pwn Prompt for an out-of-band shell, meterpreter or VNC
|
|
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
|
|
--os-bof Stored procedure buffer overflow exploitation
|
|
--priv-esc Database process' user privilege escalation
|
|
--msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
|
|
--tmp-path=TMPPATH Remote absolute path of temporary files directory
|
|
|
|
Windows registry access:
|
|
These options can be used to access the back-end database management
|
|
system Windows registry.
|
|
|
|
--reg-read Read a Windows registry key value
|
|
--reg-add Write a Windows registry key value data
|
|
--reg-del Delete a Windows registry key value
|
|
--reg-key=REGKEY Windows registry key
|
|
--reg-value=REGVAL Windows registry key value
|
|
--reg-data=REGDATA Windows registry key value data
|
|
--reg-type=REGTYPE Windows registry key value type
|
|
|
|
General:
|
|
These options can be used to set some general working parameters.
|
|
|
|
-x XMLFILE Dump the data into an XML file
|
|
-s SESSIONFILE Save and resume all data retrieved on a session file
|
|
-t TRAFFICFILE Log all HTTP traffic into a textual file
|
|
--flush-session Flush session file for current target
|
|
--eta Display for each output the estimated time of arrival
|
|
--update Update sqlmap
|
|
--save Save options on a configuration INI file
|
|
--batch Never ask for user input, use the default behaviour
|
|
|
|
Miscellaneous:
|
|
--beep Alert when sql injection found
|
|
--check-payload IDS detection testing of injection payload
|
|
--cleanup Clean up the DBMS by sqlmap specific UDF and tables
|
|
--forms Parse and test forms on target url
|
|
--gpage=GOOGLEPAGE Use google dork results from specified page number
|
|
--parse-errors Parse DBMS error messages from response pages
|
|
--replicate Replicate dumped data into a sqlite3 database
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Output verbosity</A>
|
|
</H2>
|
|
|
|
<P>Switch: <CODE>-v</CODE></P>
|
|
|
|
<P>This switch can be used to set the verbosity level of output messages.
|
|
There exist <B>seven</B> levels of verbosity.
|
|
The default level is <B>1</B> in which information, warning, error and
|
|
critical messages and Python tracebacks (if any occur) will be displayed.</P>
|
|
<P>
|
|
<UL>
|
|
<LI><B>0</B>: Show only Python tracebacks, error and critical messages.</LI>
|
|
<LI><B>1</B>: Show also information and warning messages.</LI>
|
|
<LI><B>2</B>: Show also debug messages.</LI>
|
|
<LI><B>3</B>: Show also payloads injected.</LI>
|
|
<LI><B>4</B>: Show also HTTP requests.</LI>
|
|
<LI><B>5</B>: Show also HTTP responses' headers.</LI>
|
|
<LI><B>6</B>: Show also HTTP responses' page content.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>A reasonable level of verbosity to further understand what sqlmap does
|
|
under the hood is level <B>2</B>, primarily for the detection phase and
|
|
the take-over functionalities. Whereas if you want to see the SQL payloads
|
|
the tools sends, level <B>3</B> is your best choice.
|
|
In order to further debug potential bugs or unexpected behaviours, we
|
|
recommend you to set the verbosity to level <B>4</B> or above. This
|
|
level is recommended to be used when you feed the developers with a bug
|
|
report too.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.2">5.2</A> <A HREF="#toc5.2">Target</A>
|
|
</H2>
|
|
|
|
<P>At least one of these options has to be provided.</P>
|
|
|
|
<H3>Target URL</H3>
|
|
|
|
<P>Switch: <CODE>-u</CODE> or <CODE>-</CODE><CODE>-url</CODE></P>
|
|
|
|
<P>Run sqlmap against a single target URL. This switch requires an argument
|
|
which is the target URL in the form <CODE>http(s)://targeturl[:port]/[...]</CODE>.</P>
|
|
|
|
<H3>Parse targets from Burp or WebScarab proxy logs</H3>
|
|
|
|
<P>Switch: <CODE>-l</CODE></P>
|
|
|
|
<P>Rather than providing a single target URL, it is possible to test and
|
|
inject against HTTP requests proxied through
|
|
<A HREF="http://portswigger.net/suite/">Burp proxy</A> or
|
|
<A HREF="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab proxy</A> This switch requires an argument which is the
|
|
proxy's HTTP requests log file.</P>
|
|
|
|
<H3>Load HTTP request from a file</H3>
|
|
|
|
<P>Switch: <CODE>-r</CODE></P>
|
|
|
|
<P>One of the possibilities of sqlmap is loading of complete HTTP request
|
|
from a textual file. That way you can skip usage of bunch of other
|
|
options (e.g. setting of cookies, POSTed data, etc).</P>
|
|
|
|
<P>Sample content of a HTTP request file provided as argument to this switch:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
POST /sqlmap/mysql/post_int.php HTTP/1.1
|
|
Host: 192.168.136.131
|
|
User-Agent: Mozilla/4.0
|
|
|
|
id=1
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<H3>Process Google dork results as target addresses</H3>
|
|
|
|
<P>Switch: <CODE>-g</CODE></P>
|
|
|
|
<P>It is also possible to test and inject on <CODE>GET</CODE> parameters on the
|
|
results of your Google dork.</P>
|
|
|
|
<P>This option makes sqlmap negotiate with the search engine its session
|
|
cookie to be able to perform a search, then sqlmap will retrieve Google
|
|
first 100 results for the Google dork expression with <CODE>GET</CODE>
|
|
parameters asking you if you want to test and inject on each possible
|
|
affected URL.</P>
|
|
|
|
<H3>Load options from a configuration INI file</H3>
|
|
|
|
<P>Switch: <CODE>-c</CODE></P>
|
|
|
|
<P>It is possible to pass user's options from a configuration INI file, an
|
|
example is <CODE>sqlmap.conf</CODE>.</P>
|
|
|
|
<P>Note that if you also provide other options from command line, those are
|
|
evaluated when running sqlmap and overwrite those provided in the
|
|
configuration file.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.3">5.3</A> <A HREF="#toc5.3">Request</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify how to connect to the target url.</P>
|
|
|
|
<H3>HTTP data</H3>
|
|
|
|
<P>Option: <CODE>-</CODE><CODE>-data</CODE></P>
|
|
|
|
<P>By default the HTTP method used to perform HTTP requests is <CODE>GET</CODE>,
|
|
but you can implicitly change it to <CODE>POST</CODE> by providing the data to
|
|
be sent in the <CODE>POST</CODE> requests. Such data, being those parameters,
|
|
are tested for SQL injection as well as any provided <CODE>GET</CODE>
|
|
parameters.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>Cookie</CODE> header</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-cookie</CODE>, <CODE>-</CODE><CODE>-drop-set-cookie</CODE>
|
|
and <CODE>-</CODE><CODE>-cookie-urlencode</CODE> </P>
|
|
|
|
<P>This feature can be useful in two ways:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>The web application requires authentication based upon cookies and
|
|
you have such data.</LI>
|
|
<LI>You want to detect and exploit SQL injection on such header values.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Either reason brings you to need to send cookies with sqlmap requests, the
|
|
steps to go through are the following:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Login to the application with your favourite browser.</LI>
|
|
<LI>Get the HTTP Cookie from the browser's preferences or from the HTTP
|
|
proxy screen and copy to the clipboard.</LI>
|
|
<LI>Go back to your shell and run sqlmap by pasting your clipboard as
|
|
the argument of the <CODE>-</CODE><CODE>-cookie</CODE> switch.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Note that the HTTP <CODE>Cookie</CODE> header values are usually separated by
|
|
a <CODE>;</CODE> character, <B>not</B> by an <CODE>&</CODE>. sqlmap can
|
|
recognize these as separate sets of <CODE>parameter=value</CODE> too, as well
|
|
as GET and POST parameters.</P>
|
|
|
|
<P>If at any time during the communication, the web application responds with
|
|
<CODE>Set-Cookie</CODE> headers, sqlmap will automatically use its value in
|
|
all further HTTP requests as the <CODE>Cookie</CODE> header. sqlmap will also
|
|
automatically test those values for SQL injection. This can be avoided by
|
|
providing the switch <CODE>-</CODE><CODE>-drop-set-cookie</CODE> - sqlmap will
|
|
ignore any coming <CODE>Set-Cookie</CODE> header.</P>
|
|
|
|
<P>Vice versa, if you provide a HTTP <CODE>Cookie</CODE> header with
|
|
<CODE>-</CODE><CODE>-cookie</CODE> switch and the target URL sends an HTTP
|
|
<CODE>Set-Cookie</CODE> header at any time, sqlmap will ask you which set of
|
|
cookies to use for the following HTTP requests.</P>
|
|
|
|
<P>sqlmap by default does <B>not</B> URL-encode generated cookie payloads,
|
|
but you can force it by using the <CODE>-</CODE><CODE>-cookie-urlencode</CODE>
|
|
switch. Cookie content encoding is not declared by HTTP protocol standard
|
|
in any way, so it is solely the matter of web application's behaviour.</P>
|
|
|
|
<P>Note that also the HTTP <CODE>Cookie</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>2</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>User-Agent</CODE> header</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-user-agent</CODE> and <CODE>-</CODE><CODE>-random-agent</CODE></P>
|
|
|
|
<P>By default sqlmap performs HTTP requests with the following <CODE>User-Agent</CODE>
|
|
header value:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
sqlmap/0.9 (http://sqlmap.sourceforge.net)
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>However, it is possible to fake it with the <CODE>-</CODE><CODE>-user-agent</CODE>
|
|
switch by providing custom User-Agent as the switch argument.</P>
|
|
|
|
<P>Moreover, by providing the <CODE>-</CODE><CODE>-random-agent</CODE> switch, sqlmap
|
|
will randomly select a <CODE>User-Agent</CODE> from the <CODE>./txt/user-agents.txt</CODE>
|
|
textual file and use it for all HTTP requests within the session.</P>
|
|
|
|
<P>Some sites perform a server-side check on the HTTP <CODE>User-Agent</CODE>
|
|
header value and fail the HTTP response if a valid <CODE>User-Agent</CODE> is
|
|
not provided, its value is not expected or is blacklisted by a web
|
|
application firewall or similar intrusion prevention system. In this case
|
|
sqlmap will show you a message as follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try to
|
|
force the HTTP User-Agent header with option --user-agent or --random-agent
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Note that also the HTTP <CODE>User-Agent</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>3</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>HTTP <CODE>Referer</CODE> header</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-referer</CODE></P>
|
|
|
|
<P>It is possible to fake the HTTP <CODE>Referer</CODE> header value. By default
|
|
<B>no</B> HTTP <CODE>Referer</CODE> header is sent in HTTP requests if not
|
|
explicitly set.</P>
|
|
|
|
<P>Note that also the HTTP <CODE>Referer</CODE> header is tested against SQL
|
|
injection if the <CODE>-</CODE><CODE>-level</CODE> is set to <B>3</B> or above.
|
|
Read below for details.</P>
|
|
|
|
|
|
<H3>Extra HTTP headers</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-headers</CODE></P>
|
|
|
|
<P>It is possible to provide extra HTTP headers by setting the
|
|
<CODE>-</CODE><CODE>-headers</CODE> switch. Each header must be separated by a
|
|
newline and it is much easier to provide them from the configuration INI
|
|
file. Have a look at the sample <CODE>sqlmap.conf</CODE> file for an example.</P>
|
|
|
|
|
|
<H3>HTTP protocol authentication</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-auth-type</CODE> and <CODE>-</CODE><CODE>-auth-cred</CODE></P>
|
|
|
|
<P>These options can be used to specify which HTTP protocol authentication
|
|
the web server implements and the valid credentials to be used to perform
|
|
all HTTP requests to the target application.</P>
|
|
<P>The three supported HTTP protocol authentication mechanisms are:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>Basic</CODE></LI>
|
|
<LI><CODE>Digest</CODE></LI>
|
|
<LI><CODE>NTLM</CODE></LI>
|
|
</UL>
|
|
</P>
|
|
<P>While the credentials' syntax is <CODE>username:password</CODE>.</P>
|
|
|
|
<P>Example of valid syntax:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" \
|
|
--auth-type Basic --auth-cred "testuser:testpass"
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>HTTP protocol certificate authentication</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-auth-cert</CODE></P>
|
|
|
|
<P>This switch should be used in cases when the web server requires proper
|
|
client-side certificate for authentication. Supplied values should be in
|
|
the form: <CODE>key_file,cert_file</CODE>, where <CODE>key_file</CODE> should be
|
|
the name of a PEM formatted file that contains your private key, while
|
|
<CODE>cert_file</CODE> should be the name for a PEM formatted certificate
|
|
chain file.</P>
|
|
|
|
|
|
<H3>HTTP(S) proxy</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-proxy</CODE>, <CODE>-</CODE><CODE>-proxy-cred</CODE> and <CODE>-</CODE><CODE>-ignore-proxy</CODE></P>
|
|
|
|
<P>It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S)
|
|
requests to the target URL. The syntax of HTTP(S) proxy value is
|
|
<CODE>http://url:port</CODE>.</P>
|
|
|
|
<P>If the HTTP(S) proxy requires authentication, you can provide the
|
|
credentials in the format <CODE>username:password</CODE> to the
|
|
<CODE>-</CODE><CODE>-proxy-cred</CODE> switch.</P>
|
|
|
|
<P>If, for any reason, you need to stay anonymous, instead of passing by a
|
|
single predefined HTTP(S) proxy server, you can configure a
|
|
<A HREF="http://www.torproject.org/">Tor client</A> together with
|
|
<A HREF="http://www.privoxy.org">Privoxy</A> (or similar) on
|
|
your machine as explained on the Tor client guide and use the Privoxy
|
|
daemon, by default listening on <CODE>127.0.0.1:8118</CODE>, as the sqlmap
|
|
proxy.</P>
|
|
|
|
<P>The switch <CODE>-</CODE><CODE>-ignore-proxy</CODE> should be used when you want
|
|
to run sqlmap against a target part of a local area network by ignoring
|
|
the system-wide set HTTP(S) proxy server setting.</P>
|
|
|
|
|
|
<H3>Delay between each HTTP request</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-delay</CODE></P>
|
|
|
|
<P>It is possible to specify a number of seconds to hold between each HTTP(S)
|
|
request. The valid value is a float, for instance <CODE>0.5</CODE> means half
|
|
a second.
|
|
By default, no delay is set.</P>
|
|
|
|
|
|
<H3>Seconds to wait before timeout connection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-timeout</CODE></P>
|
|
|
|
<P>It is possible to specify a number of seconds to wait before considering
|
|
the HTTP(S) request timed out. The valid value is a float, for instance
|
|
10.5 means ten seconds and a half.
|
|
By default <B>30 seconds</B> are set.</P>
|
|
|
|
|
|
<H3>Maximum number of retries when the HTTP connection timeouts</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-retries</CODE></P>
|
|
|
|
<P>It is possible to specify the maximum number of retries when the HTTP(S)
|
|
connection timeouts. By default it retries up to <B>three times</B>.</P>
|
|
|
|
|
|
<H3>Filtering targets from provided proxy log using regular expression</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-scope</CODE></P>
|
|
|
|
<P>Rather than using all hosts parsed from provided logs with switch
|
|
<CODE>-l</CODE>, you can specify valid Python regular expression to be used
|
|
for filtering desired ones.</P>
|
|
<P>Example of valid syntax:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Avoid your session to be destroyed after too many unsuccessful requests</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-safe-url</CODE> and <CODE>-</CODE><CODE>-safe-freq</CODE></P>
|
|
|
|
<P>Sometimes web applications or inspection technology in between destroys
|
|
the session if a certain number of unsuccessful requests is performed.
|
|
This might occur during the detection phase of sqlmap or when it exploits
|
|
any of the blind SQL injection types. Reason why is that the SQL payload
|
|
does not necessarily returns output and might therefore raise a signal to
|
|
either the application session management or the inspection technology.</P>
|
|
|
|
<P>To bypass this limitation set by the target, you can provide two switches:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>-</CODE><CODE>-safe-url</CODE>: Url address to visit frequently during
|
|
testing.</LI>
|
|
<LI><CODE>-</CODE><CODE>-safe-freq</CODE>: Test requests between two visits to a
|
|
given safe url.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>This way, sqlmap will visit every a predefined number of requests a
|
|
certain <EM>safe</EM> URL without performing any kind of injection against
|
|
it.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Optimization</A>
|
|
</H2>
|
|
|
|
<P>These switches can be used to optimize the performance of sqlmap.</P>
|
|
|
|
|
|
<H3>Bundle optimization</H3>
|
|
|
|
<P>Switch: <CODE>-o</CODE></P>
|
|
|
|
<P>This switch is an alias that implicitly sets the following switches:</P>
|
|
<P>
|
|
<UL>
|
|
<LI><CODE>-</CODE><CODE>-keep-alive</CODE></LI>
|
|
<LI><CODE>-</CODE><CODE>-null-connection</CODE></LI>
|
|
<LI><CODE>-</CODE><CODE>-threads 4</CODE></LI>
|
|
<LI><CODE>-</CODE><CODE>-group-concat</CODE></LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>Read below for details about each switch.</P>
|
|
|
|
|
|
<H3>Output prediction</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-predict-output</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>HTTP Keep-Alive</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-keep-alive</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>HTTP NULL connection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-null-connection</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Concurrent HTTP(S) requests</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-threads</CODE></P>
|
|
|
|
<P>It is possible to specify the maximum number of concurrent HTTP(S)
|
|
requests that sqlmap is allowed to do.
|
|
This feature relies on the
|
|
<A HREF="http://en.wikipedia.org/wiki/Multithreading">multi-threading</A> concept and inherits both its pro and its cons.</P>
|
|
|
|
<P>This features applies to the brute-force switches and when the data
|
|
fetching is done through any of the blind SQL injection techniques.
|
|
For the latter case, sqlmap first calculates the length of the query
|
|
output in a single thread, then starts the multi-threading. Each thread is
|
|
assigned to retrieve one character of the query output. The thread ends
|
|
when that character is retrieved - it takes up to 7 HTTP(S) requests with
|
|
the bisection algorithm implemented in sqlmap.</P>
|
|
|
|
<P>Note that the multi-threading switch does not affect any other SQL
|
|
injection technique. The maximum number of concurrent requests is set to
|
|
<B>10</B> for performance and site reliability reasons.</P>
|
|
|
|
|
|
<H3>MySQL GROUP_CONCAT() speed up</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-group-concat</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Injection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify which parameters to test for, provide
|
|
custom injection payloads and optional tampering scripts.</P>
|
|
|
|
|
|
<H3>Testable parameter(s)</H3>
|
|
|
|
<P>Switch: <CODE>-p</CODE></P>
|
|
|
|
<P>By default sqlmap tests all <CODE>GET</CODE> parameters and <CODE>POST</CODE>
|
|
parameters. When the value of <CODE>-</CODE><CODE>-level</CODE> is >= <B>2</B>
|
|
it tests also HTTP <CODE>Cookie</CODE> header values. When this value is >=
|
|
<B>3</B> it tests also HTTP <CODE>User-Agent</CODE> and HTTP <CODE>Referer</CODE>
|
|
header value for SQL injections.
|
|
It is however possible to manually specify a comma-separated list of
|
|
parameter(s) that you want sqlmap to test. This will bypass the dependence
|
|
on the value of <CODE>-</CODE><CODE>-level</CODE> too.</P>
|
|
|
|
<P>For instance, to test for GET parameter <CODE>id</CODE> and for HTTP
|
|
<CODE>User-Agent</CODE> only, provide <CODE>-p id,user-agent</CODE>.</P>
|
|
|
|
|
|
<H3>Force the database management system name</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-dbms</CODE></P>
|
|
|
|
<P>By default sqlmap automatically detects the web application's back-end
|
|
database management system.
|
|
As of version <B>0.9</B>, sqlmap fully supports the following database
|
|
management systems:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>MySQL</LI>
|
|
<LI>Oracle</LI>
|
|
<LI>PostgreSQL</LI>
|
|
<LI>Microsoft SQL Server</LI>
|
|
<LI>Microsoft Access</LI>
|
|
<LI>SQLite</LI>
|
|
<LI>Firebird</LI>
|
|
<LI>Sybase</LI>
|
|
<LI>SAP MaxDB</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>If for any reason sqlmap fails to detect the back-end DBMS once a SQL
|
|
injection has been identified or if you want to avoid an active fingeprint,
|
|
you can provide the name of the back-end DBMS yourself (e.g. <CODE>postgresql</CODE>).
|
|
For MySQL and Microsoft SQL Server provide them respectively in the form
|
|
<CODE>MySQL <version></CODE> and <CODE>Microsoft SQL Server <version></CODE>, where <CODE><version></CODE> is a valid version for the DBMS; for
|
|
instance <CODE>5.0</CODE> for MySQL and <CODE>2005</CODE> for Microsoft SQL Server.</P>
|
|
|
|
<P>In case you provide <CODE>-</CODE><CODE>-fingerprint</CODE> together with
|
|
<CODE>-</CODE><CODE>-dbms</CODE>, sqlmap will only perform the extensive
|
|
fingerprint for the specified database management system only, read below
|
|
for further details.</P>
|
|
|
|
<P>Note that this option is <B>not</B> mandatory and it is strongly
|
|
recommended to use it <B>only if you are absolutely sure</B> about the
|
|
back-end database management system. If you do not know it, let sqlmap
|
|
automatically fingerprint it for you.</P>
|
|
|
|
|
|
<H3>Force the database management system operating system name</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-os</CODE></P>
|
|
|
|
<P>By default sqlmap automatically detects the web application's back-end
|
|
database management system underlying operating system when this
|
|
information is a dependence of any other provided switch.
|
|
At the moment the fully supported operating systems are two:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>Linux</LI>
|
|
<LI>Windows</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>It is possible to force the operating system name if you already know it
|
|
so that sqlmap will avoid doing it itself.</P>
|
|
|
|
<P>Note that this option is <B>not</B> mandatory and it is strongly
|
|
recommended to use it <B>only if you are absolutely sure</B> about the
|
|
back-end database management system underlying operating system. If you do
|
|
not know it, let sqlmap automatically identify it for you.</P>
|
|
|
|
|
|
<H3>Custom injection payload</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-prefix</CODE> and <CODE>-</CODE><CODE>-suffix</CODE></P>
|
|
|
|
<P>In some circumstances the vulnerable parameter is exploitable only if the
|
|
user provides a specific suffix to be appended to the injection payload.
|
|
Another scenario where these options come handy presents itself when the
|
|
user already knows that query syntax and want to detect and exploit the
|
|
SQL injection by directly providing a injection payload prefix and suffix.</P>
|
|
|
|
<P>Example of vulnerable source code:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>To detect and exploit this SQL injection, you can either let sqlmap detect
|
|
the <B>boundaries</B> (as in combination of SQL payload prefix and
|
|
suffix) for you during the detection phase, or provide them on your own.
|
|
For example:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" \
|
|
-p id --prefix "')" --suffix "AND ('abc'='abc"
|
|
[...]
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>This will result in all sqlmap requests to end up in a query as follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Which makes the query syntactically correct.</P>
|
|
|
|
<P>In this simple example, sqlmap could detect the SQL injection and exploit
|
|
it without need to provide custom boundaries, but sometimes in real world
|
|
application it is necessary to provide it when the injection point is
|
|
within nested <CODE>JOIN</CODE> queries for instance.</P>
|
|
|
|
|
|
<H3>Tamper injection data</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-tamper</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H2><A NAME="ss5.6">5.6</A> <A HREF="#toc5.6">Detection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to specify how to parse and compare page content
|
|
from HTTP responses when using blind SQL injection technique.</P>
|
|
|
|
|
|
<H3>Level</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-level</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Risk</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-risk</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>TODO: Page comparison</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-string</CODE> and <CODE>-</CODE><CODE>-regexp</CODE></P>
|
|
|
|
<P>By default the distinction of a True query by a False one (basic concept
|
|
for Inferential blind SQL injection attacks) is done comparing injected
|
|
requests page content MD5 hash with the original not injected page content
|
|
MD5 hash.
|
|
Not always this concept works because sometimes the page content changes at
|
|
each refresh even not injecting anything, for instance when the page has a
|
|
counter, a dynamic advertisment banner or any other part of the HTML which
|
|
is render dynamically and might change in time not only consequently to
|
|
user's input.
|
|
To bypass this limit, sqlmap makes it possible to manually provide a
|
|
string which is <B>always</B> present on the not injected page
|
|
<B>and</B> on all True injected query pages, but that it is <B>not</B>
|
|
on the False ones. This can also be achieved by providing a regular
|
|
expression.
|
|
Such information is easy for an user to retrieve, simply try to inject on
|
|
the affected URL parameter an invalid value and compare original (not
|
|
injected) page content with the injected wrong page content to identify
|
|
which string or regular expression match is on not injected and True page
|
|
only.
|
|
This way the distinction will be based upon string presence or regular
|
|
expression match and not page MD5 hash comparison.</P>
|
|
|
|
<P>As you can see, the string after <CODE>Dynamic content</CODE> changes its
|
|
value every second. In the example it is just a call to PHP
|
|
<CODE>time()</CODE> function, but on the real world it is usually much more
|
|
than that.</P>
|
|
|
|
<P>Looking at the HTTP responses page content you can see that the first five
|
|
lines of code do not change at all.
|
|
So choosing for instance the word <CODE>luther</CODE> as an output that is
|
|
on the not injected page content and it is not on the False page content
|
|
(because the query condition returns no output so <CODE>luther</CODE> is not
|
|
displayed on the page content) and passing it to sqlmap, you are able to
|
|
inject anyway.</P>
|
|
|
|
<P>You can also specify a regular expression to match rather than a string if
|
|
you prefer.</P>
|
|
|
|
<P>As you can see, when one of these options is specified, sqlmap skips the
|
|
URL stability test.</P>
|
|
|
|
<P><B>Consider one of these options a MUST when dealing with a page
|
|
with content that changes itself at each refresh without modifying the
|
|
user's input</B>.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Techniques</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to tweak how specific SQL injection techniques
|
|
are tested.</P>
|
|
|
|
<H3>Seconds to delay the DBMS response for time-based blind SQL injection</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-time-sec</CODE></P>
|
|
|
|
<P>It is possible to set the seconds to delay the response when testing for
|
|
time-based blind SQL injection, by providing the
|
|
<CODE>-</CODE><CODE>-time-sec</CODE> option followed by an integer.
|
|
By default delay is set to <B>5 seconds</B>.</P>
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-union-cols</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-union-char</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H2><A NAME="ss5.8">5.8</A> <A HREF="#toc5.8">Fingerprint</A>
|
|
</H2>
|
|
|
|
<H3>TODO: Extensive database management system fingerprint</H3>
|
|
|
|
<P>Switches: <CODE>-f</CODE> or <CODE>-</CODE><CODE>-fingerprint</CODE></P>
|
|
|
|
<P>By default the web application's back-end database management system
|
|
fingerprint is performed requesting a database specific function which
|
|
returns a known static value. By comparing these value with the returned
|
|
value it is possible to identify if the back-end database is effectively
|
|
the one that sqlmap expected. Depending on the DBMS being tested, a
|
|
SQL dialect syntax which is syntatically correct depending upon the
|
|
back-end DBMS is also tested.</P>
|
|
<P>After identifying an injectable vector, sqlmap fingerprints the back-end
|
|
database management system and go ahead with the injection with its
|
|
specific syntax within the limits of the database architecture.</P>
|
|
|
|
<P>As you can see, sqlmap automatically fingerprints the web server operating
|
|
system and the web application technology by parsing some HTTP response headers.</P>
|
|
|
|
<P>If you want to perform an extensive database management system fingerprint
|
|
based on various techniques like specific SQL dialects and inband error
|
|
messages, you can provide the <CODE>-</CODE><CODE>-fingerprint</CODE> option.</P>
|
|
|
|
<P>As you can see from the last example, sqlmap first tested for MySQL,
|
|
then for Oracle, then for PostgreSQL since the user did not forced the
|
|
back-end database management system name with option <CODE>-</CODE><CODE>-dbms</CODE>.</P>
|
|
|
|
<P>If you want an even more accurate result, based also on banner parsing,
|
|
you can also provide the <CODE>-b</CODE> or <CODE>-</CODE><CODE>-banner</CODE> option.</P>
|
|
|
|
<P>As you can see, sqlmap was also able to fingerprint the back-end DBMS
|
|
operating system by parsing the DBMS banner value.</P>
|
|
|
|
<P>As you can see, from the Microsoft SQL Server banner, sqlmap was able to
|
|
correctly identify the database management system patch level.
|
|
The Microsoft SQL Server XML versions file is the result of a sqlmap
|
|
parsing library that fetches data from Chip Andrews'
|
|
<A HREF="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx">SQLSecurity.com site</A> and outputs it to the XML versions file.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Enumeration</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to enumerate the back-end database management
|
|
system information, structure and data contained in the tables. Moreover
|
|
you can run your own SQL statements.</P>
|
|
|
|
|
|
<H3>Banner</H3>
|
|
|
|
<P>Switch: <CODE>-b</CODE> or <CODE>-</CODE><CODE>-banner</CODE></P>
|
|
|
|
<P>Most of the modern database management systems have a function and/or
|
|
an environment variable which returns the database management system
|
|
version and eventually details on its patch level, the underlying
|
|
system. Usually the function is <CODE>version()</CODE> and the environment
|
|
variable is <CODE>@@version</CODE>, but this vary depending on the target
|
|
DBMS.</P>
|
|
|
|
|
|
<H3>Session user</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-current-user</CODE></P>
|
|
|
|
<P>On the majority of modern DBMSes is possible to retrieve the database
|
|
management system's user which is effectively performing the query against
|
|
the back-end DBMS from the web application.</P>
|
|
|
|
|
|
<H3>Current database</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-current-db</CODE></P>
|
|
|
|
<P>It is possible to retrieve the database management system's database name
|
|
that the web application is connected to.</P>
|
|
|
|
|
|
<H3>Detect whether or not the session user is a database administrator</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-is-dba</CODE></P>
|
|
|
|
<P>It is possible to detect if the current database management system session
|
|
user is a database administrator, also known as DBA.
|
|
sqlmap will return <CODE>True</CODE> if it is, viceversa <CODE>False</CODE>.</P>
|
|
|
|
|
|
<H3>List database management system users</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-users</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the list of
|
|
users.</P>
|
|
|
|
|
|
<H3>List and crack database management system users password hashes</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-passwords</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users' passwords, it is possible to enumerate
|
|
the password hashes for each database management system user.
|
|
sqlmap will first enumerate the users, then the different password hashes
|
|
for each of them.</P>
|
|
|
|
<P>Example against a PostgreSQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
[hh:mm:38] [INFO] fetching database users password hashes
|
|
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
|
|
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
|
|
what's the dictionary's location? [/tmp/sqlmap/txt/wordlist.txt]
|
|
[hh:mm:46] [INFO] loading dictionary from: '/tmp/sqlmap/txt/wordlist.txt'
|
|
do you want to use common password suffixes? (slow!) [y/N] n
|
|
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
|
|
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
|
|
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
|
|
database management system users password hashes:
|
|
[*] postgres [1]:
|
|
password hash: md5d7d880f96044b72d0bba108ace96d1e4
|
|
clear-text password: testpass
|
|
[*] testuser [1]:
|
|
password hash: md599e5ea7a6f7c3269995cba3927fd0093
|
|
clear-text password: testpass
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Not only sqlmap enumerated the DBMS users and their passwords, but it also
|
|
recognized the hash format to be PostgreSQL, asked the user whether or not
|
|
to test the hashes against a dictionary file and identified the clear-text
|
|
password for the <CODE>postgres</CODE> user, which is usually a DBA along the
|
|
other user, <CODE>testuser</CODE>, password.</P>
|
|
|
|
<P>This feature has been implemented for all DBMS where it is possible to
|
|
enumerate users' password hashes, including Oracle and Microsoft SQL
|
|
Server pre and post 2005.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the specific user
|
|
who you want to enumerate and eventually crack the password hash(es).
|
|
If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will retrieve the password hash(es) for this user.</P>
|
|
|
|
|
|
<H3>List database management system users privileges</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-privileges</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the
|
|
privileges for each database management system user.
|
|
By the privileges, sqlmap will also show you which are database
|
|
administrators.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the user who you
|
|
want to enumerate the privileges.</P>
|
|
|
|
<P>If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will enumerate the privileges for this user.</P>
|
|
|
|
|
|
<H3>List database management system users roles</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-roles</CODE> and <CODE>-U</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about the DBMS users, it is possible to enumerate the
|
|
roles for each database management system user.</P>
|
|
|
|
<P>You can also provide the <CODE>-U</CODE> option to specify the user who you
|
|
want to enumerate the privileges.</P>
|
|
|
|
<P>If you provide <CODE>CU</CODE> as username it will consider it as an alias for
|
|
current user and will enumerate the privileges for this user.</P>
|
|
|
|
<P>This feature is only available when the DBMS is Oracle.</P>
|
|
|
|
|
|
<H3>List database management system's databases</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-dbs</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about available databases, it is possible to enumerate the
|
|
list of databases.</P>
|
|
|
|
<P>Note that this feature is not available if the database management system
|
|
is Oracle.</P>
|
|
|
|
|
|
<H3>Enumerate database's tables</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-tables</CODE> and <CODE>-D</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about databases' tables, it is possible to enumerate
|
|
the list of tables for a specific database management system's databases.</P>
|
|
|
|
<P>If you do not provide a specific database with switch <CODE>-D</CODE>, sqlmap
|
|
will enumerate the tables for all DBMS databases.</P>
|
|
|
|
<P>Note that on Oracle you have to provide the <CODE>TABLESPACE_NAME</CODE>
|
|
instead of the database name.</P>
|
|
|
|
|
|
<H3>Enumerate database table columns</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-columns</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE> and <CODE>-D</CODE></P>
|
|
|
|
<P>When the session user has read access to the system table containing
|
|
information about database's tables, it is possible to enumerate the list
|
|
of columns for a specific database table.
|
|
sqlmap also enumerates the data-type for each column.</P>
|
|
|
|
<P>This feature depends on the option <CODE>-T</CODE> to specify the table name
|
|
and optionally on <CODE>-D</CODE> to specify the database name. When the
|
|
database name is not specified, the current database name is used.
|
|
You can also provide the <CODE>-C</CODE> option to specify the table columns
|
|
name like the one you provided to be enumerated.</P>
|
|
|
|
<P>Example against a SQLite target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" --columns -D testdb \
|
|
-T users -C name
|
|
[...]
|
|
Database: SQLite_masterdb
|
|
Table: users
|
|
[3 columns]
|
|
+---------+---------+
|
|
| Column | Type |
|
|
+---------+---------+
|
|
| id | INTEGER |
|
|
| name | TEXT |
|
|
| surname | TEXT |
|
|
+---------+---------+
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Note that on PostgreSQL you have to provide <CODE>public</CODE> or the
|
|
name of a system database. That's because it is not possible to enumerate
|
|
other databases tables, only the tables under the schema that the web
|
|
application's user is connected to, which is always aliased by
|
|
<CODE>public</CODE>.</P>
|
|
|
|
|
|
<H3>Dump database table entries</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
|
|
<CODE>-</CODE><CODE>-start</CODE>, <CODE>-</CODE><CODE>-stop</CODE>, <CODE>-</CODE><CODE>-first</CODE>
|
|
and <CODE>-</CODE><CODE>-last</CODE></P>
|
|
|
|
<P>When the session user has read access to a specific database's table it is
|
|
possible to dump the table entries.</P>
|
|
|
|
<P>This functionality depends on switch <CODE>-T</CODE> to specify the table
|
|
name and optionally on switch <CODE>-D</CODE> to specify the database name.
|
|
If the table name is provided, but the database name is not, the current
|
|
database name is used.</P>
|
|
|
|
<P>Example against a Firebird target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1" --dump -T users
|
|
[...]
|
|
Database: Firebird_masterdb
|
|
Table: USERS
|
|
[4 entries]
|
|
+----+--------+------------+
|
|
| ID | NAME | SURNAME |
|
|
+----+--------+------------+
|
|
| 1 | luther | blisset |
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | NULL | nameisnull |
|
|
+----+--------+------------+
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>You can also provide a comma-separated list of the specific columns to
|
|
dump with the <CODE>-C</CODE> switch.</P>
|
|
|
|
<P>sqlmap also generates for each table dumped the entries in a CSV format
|
|
textual file.
|
|
You can see the absolute path where sqlmap creates the file by providing a
|
|
verbosity level greater than or equal to <B>1</B>.</P>
|
|
|
|
<P>If you want to dump only a range of entries, then you can provide switches
|
|
<CODE>-</CODE><CODE>-start</CODE> and/or <CODE>-</CODE><CODE>-stop</CODE> to respectively
|
|
start to dump from a certain entry and stop the dump at a certain entry.
|
|
For instance, if you want to dump only the first entry, provide
|
|
<CODE>-</CODE><CODE>-stop 1</CODE> in your command line. Vice versa if, for
|
|
instance, you want to dump only the second and third entry, provide
|
|
<CODE>-</CODE><CODE>-start 1</CODE> <CODE>-</CODE><CODE>-stop 3</CODE>.</P>
|
|
|
|
<P>It is also possible to specify which single character or range of characters
|
|
to dump with switches <CODE>-</CODE><CODE>-first</CODE> and <CODE>-</CODE><CODE>-last</CODE>.
|
|
For instance, if you want to dump columns' entries from the third to the
|
|
fifth character, provide <CODE>-</CODE><CODE>-first 3</CODE> <CODE>-</CODE><CODE>-last
|
|
5</CODE>.
|
|
This feature only applies to the blind SQL injection techniques because for
|
|
error-based and UNION query SQL injection techniques the number of requests
|
|
is exactly the same, regardless of the length of the column's entry output
|
|
to dump.</P>
|
|
|
|
<P>As you know by down, sqlmap is <B>flexible</B>. You can leave it to
|
|
automatically enumerate the whole database table or you can be very
|
|
precise in which characters to dump, from which columns and which range of
|
|
entries.</P>
|
|
|
|
|
|
<H3>Dump all databases tables entries</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-dump-all</CODE> and <CODE>-</CODE><CODE>-exclude-sysdbs</CODE></P>
|
|
|
|
<P>It is possible to dump all databases tables entries at once that the
|
|
session user has read access on.</P>
|
|
|
|
<P>You can also provide the <CODE>-</CODE><CODE>-exclude-sysdbs</CODE> switch to
|
|
exclude all system databases. In that case sqlmap will only dump entries
|
|
of users' databases tables.</P>
|
|
|
|
<P>Note that on Microsoft SQL Server the <CODE>master</CODE> database is not
|
|
considered a system database because some database administrators use it
|
|
as a users' database.</P>
|
|
|
|
|
|
<H3>Search for columns, tables or databases</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-search</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Run custom SQL statement</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-sql-query</CODE> and <CODE>-</CODE><CODE>-sql-shell</CODE></P>
|
|
|
|
<P>The SQL query and the SQL shell features allow to run arbitrary SQL
|
|
statements on the database management system.
|
|
sqlmap automatically dissects the provided statement, determines which
|
|
technique is appropriate to use to inject it and how to pack the SQL
|
|
payload accordingly.</P>
|
|
|
|
<P>If the query is a <CODE>SELECT</CODE> statement, sqlmap will retrieve its
|
|
output.
|
|
Otherwise it will execute the query through the stacked query SQL
|
|
injection technique if the web application supports multiple statements on
|
|
the back-end database management system.
|
|
Beware that some web application technologies do not support stacked
|
|
queries on specific database management systems. For instance, PHP does
|
|
not support stacked queries when the back-end DBMS is MySQL, but it does
|
|
support when the back-end DBMS is PostgreSQL.</P>
|
|
|
|
<P>Examples against a Microsoft SQL Server 2000 target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
|
|
"SELECT 'foo'" -v 1
|
|
|
|
[...]
|
|
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
|
|
[hh:mm:14] [INFO] retrieved: foo
|
|
SELECT 'foo': 'foo'
|
|
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --sql-query \
|
|
"SELECT 'foo', 'bar'" -v 2
|
|
|
|
[...]
|
|
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
|
|
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into
|
|
distinct queries to be able to retrieve the output even if we are going blind
|
|
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: foo
|
|
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
|
|
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: bar
|
|
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
|
|
SELECT 'foo', 'bar': 'foo, bar'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>As you can see, sqlmap splits the provided query into two different
|
|
<CODE>SELECT</CODE> statements then retrieves the output for each separate
|
|
query.</P>
|
|
|
|
<P>If the provided query is a <CODE>SELECT</CODE> statement and contains a
|
|
<CODE>FROM</CODE> clause, sqlmap will ask you if such statement can return
|
|
multiple entries. In that case the tool knows how to unpack the query
|
|
correctly to count the number of possible entries and retrieve its output,
|
|
entry per entry.</P>
|
|
|
|
<P>The SQL shell option allows you to run your own SQL statement
|
|
interactively, like a SQL console connected to the database management
|
|
system.
|
|
This feature provides TAB completion and history support too.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.10">5.10</A> <A HREF="#toc5.10">Brute force</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to run brute force checks.</P>
|
|
|
|
<H3>Brute force tables names</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-common-tables</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Brute force columns names</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-common-columns</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H2><A NAME="ss5.11">5.11</A> <A HREF="#toc5.11">User-defined function injection</A>
|
|
</H2>
|
|
|
|
<P>These options can be used to create custom user-defined functions.</P>
|
|
|
|
<H3>Inject custom user-defined functions (UDF)</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-udf-inject</CODE> and <CODE>-</CODE><CODE>-shared-lib</CODE></P>
|
|
|
|
<P>You can inject your own user-defined functions (UDFs) by compiling a
|
|
MySQL or PostgreSQL shared library, DLL for Windows and shared object for
|
|
Linux/Unix, then provide sqlmap with the path where the shared library
|
|
is stored locally on your machine. sqlmap will then ask you some
|
|
questions, upload the shared library on the database server file system,
|
|
create the user-defined function(s) from it and, depending on your
|
|
options, execute them. When you are finished using the injected UDFs,
|
|
sqlmap can also remove them from the database for you.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Use switch <CODE>-</CODE><CODE>-udf-inject</CODE> and follow the instructions.</P>
|
|
|
|
<P>If you want, you can specify the shared library local file system path
|
|
via command line too by using <CODE>-</CODE><CODE>-shared-lib</CODE> option. Vice
|
|
versa sqlmap will ask you for the path at runtime.</P>
|
|
|
|
<P>This feature is available only when the database management system is
|
|
MySQL or PostgreSQL.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.12">5.12</A> <A HREF="#toc5.12">File system access</A>
|
|
</H2>
|
|
|
|
<H3>Read a file from the database server's file system</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-file-read</CODE></P>
|
|
|
|
<P>It is possible to retrieve the content of files from the underlying file
|
|
system when the back-end database management system is either MySQL,
|
|
PostgreSQL or Microsoft SQL Server, and the session user has the needed
|
|
privileges to abuse database specific functionalities and architectural
|
|
weaknesses.
|
|
The file specified can be either a textual or a binary file. sqlmap will
|
|
handle it properly.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a Microsoft SQL Server 2005 target to retrieve a binary
|
|
file:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?name=luther" \
|
|
--file-read "C:/example.exe" -v 1
|
|
|
|
[...]
|
|
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
|
|
web server operating system: Windows 2000
|
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
|
|
back-end DBMS: Microsoft SQL Server 2005
|
|
|
|
[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
|
|
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
|
|
C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129/files/C__example.exe'
|
|
[...]
|
|
|
|
$ ls -l output/192.168.136.129/files/C__example.exe
|
|
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C__example.exe
|
|
|
|
$ file output/192.168.136.129/files/C__example.exe
|
|
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
|
|
80386 32-bit
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H3>Upload a file to the database server's file system</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-file-write</CODE> and <CODE>-</CODE><CODE>-file-dest</CODE></P>
|
|
|
|
<P>It is possible to upload a local file to the database server's file system
|
|
when the back-end database management system is either MySQL, PostgreSQL
|
|
or Microsoft SQL Server, and the session user has the needed privileges to
|
|
abuse database specific functionalities and architectural weaknesses.
|
|
The file specified can be either a textual or a binary file. sqlmap will
|
|
handle it properly.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a MySQL target to upload a binary UPX-compressed file:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ file /tmp/nc.exe.packed
|
|
/tmp/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32-bit
|
|
|
|
$ ls -l /tmp/nc.exe.packed
|
|
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
|
|
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" --file-write \
|
|
"/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
|
|
|
|
[...]
|
|
[hh:mm:29] [INFO] the back-end DBMS is MySQL
|
|
web server operating system: Windows 2003 or 2008
|
|
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
|
|
[...]
|
|
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully
|
|
written on the back-end DBMS file system? [Y/n] y
|
|
[hh:mm:52] [INFO] retrieved: 31744
|
|
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 bytes,
|
|
same size as the local file '/tmp/nc.exe.packed'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.13">5.13</A> <A HREF="#toc5.13">Operating system takeover</A>
|
|
</H2>
|
|
|
|
<H3>Run arbitrary operating system command</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-os-cmd</CODE> and <CODE>-</CODE><CODE>-os-shell</CODE></P>
|
|
|
|
<P>It is possible to <B>run arbitrary commands on the database server's
|
|
underlying operating system</B> when the back-end database management
|
|
system is either MySQL, PostgreSQL or Microsoft SQL Server, and the
|
|
session user has the needed privileges to abuse database specific
|
|
functionalities and architectural weaknesses.</P>
|
|
|
|
<P>On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality
|
|
explained above) a shared library (binary file) containing two
|
|
user-defined functions, <CODE>sys_exec()</CODE> and <CODE>sys_eval()</CODE>, then
|
|
it creates these two functions on the database and calls one of them to
|
|
execute the specified command, depending on user's choice to display the
|
|
standard output or not.
|
|
On Microsoft SQL Server, sqlmap abuses the <CODE>xp_cmdshell</CODE> stored
|
|
procedure: if it is disabled (by default on Microsoft SQL Server >= 2005),
|
|
sqlmap re-enables it; if it does not exist, sqlmap creates it from
|
|
scratch.</P>
|
|
|
|
<P>When the user requests the standard output, sqlmap uses one of the
|
|
enumeration SQL injection techniques (blind, inband or error-based) to
|
|
retrieve it. Vice versa, if the standard output is not required, stacked
|
|
query SQL injection technique is used to execute the command.</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A>.</P>
|
|
|
|
<P>Example against a PostgreSQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" \
|
|
--os-cmd id -v 1
|
|
|
|
[...]
|
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
|
back-end DBMS: PostgreSQL
|
|
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
|
|
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
|
|
[hh:mm:12] [INFO] testing if current user is DBA
|
|
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
|
|
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
|
|
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
|
|
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
|
|
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
|
|
do you want to retrieve the command standard output? [Y/n/a] y
|
|
command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(postgres)'
|
|
|
|
[hh:mm:19] [INFO] cleaning up the database management system
|
|
do you want to remove UDF 'sys_eval'? [Y/n] y
|
|
do you want to remove UDF 'sys_exec'? [Y/n] y
|
|
[hh:mm:23] [INFO] database management system cleanup finished
|
|
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file system can
|
|
only be deleted manually
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>It is also possible to simulate a real shell where you can type as many
|
|
arbitrary commands as you wish. The option is <CODE>-</CODE><CODE>-os-shell</CODE> and has
|
|
the same TAB completion and history functionalities that
|
|
<CODE>-</CODE><CODE>-sql-shell</CODE> has.</P>
|
|
|
|
<P>Where stacked queries has not been identified on the web application
|
|
(e.g. PHP or ASP with back-end database management system being MySQL) and
|
|
the DBMS is MySQL, it is still possible to abuse the <CODE>SELECT</CODE>
|
|
clause's <CODE>INTO OUTFILE</CODE> to create a web backdoor in a writable
|
|
folder within the web server document root and still get command
|
|
execution assuming the back-end DBMS and the web server are hosted on the
|
|
same server.
|
|
sqlmap supports this technique and allows the user to provide a
|
|
comma-separated list of possible document root sub-folders where try to
|
|
upload the web file stager and the subsequent web backdoor. Also, sqlmap
|
|
has its own tested web file stagers and backdoors for the following
|
|
languages:</P>
|
|
<P>
|
|
<UL>
|
|
<LI>ASP</LI>
|
|
<LI>ASP.NET</LI>
|
|
<LI>JSP</LI>
|
|
<LI>PHP</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
|
|
<H3>Out-of-band stateful connection: Meterpreter & friends</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-os-pwn</CODE>, <CODE>-</CODE><CODE>-os-smbrelay</CODE>,
|
|
<CODE>-</CODE><CODE>-os-bof</CODE>, <CODE>-</CODE><CODE>-priv-esc</CODE>,
|
|
<CODE>-</CODE><CODE>-msf-path</CODE> and <CODE>-</CODE><CODE>-tmp-path</CODE></P>
|
|
|
|
<P>It is possible to establish an <B>out-of-band stateful TCP connection
|
|
between the attacker machine and the database server</B> underlying
|
|
operating system when the back-end database management system is either
|
|
MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the
|
|
needed privileges to abuse database specific functionalities and
|
|
architectural weaknesses.
|
|
This channel can be an interactive command prompt, a Meterpreter session
|
|
or a graphical user interface (VNC) session as per user's choice.</P>
|
|
|
|
<P>sqlmap relies on Metasploit to create the shellcode and implements four
|
|
different techniques to execute it on the database server. These
|
|
techniques are:
|
|
<UL>
|
|
<LI>Database <B>in-memory execution of the Metasploit's shellcode</B>
|
|
via sqlmap own user-defined function <CODE>sys_bineval()</CODE>. Supported on
|
|
MySQL and PostgreSQL - switch <CODE>-</CODE><CODE>-os-pwn</CODE>.</LI>
|
|
<LI>Upload and execution of a Metasploit's <B>stand-alone payload
|
|
stager</B> via sqlmap own user-defined function <CODE>sys_exec()</CODE> on
|
|
MySQL and PostgreSQL or via <CODE>xp_cmdshell()</CODE> on Microsoft SQL
|
|
Server - switch <CODE>-</CODE><CODE>-os-pwn</CODE>.</LI>
|
|
<LI>Execution of Metasploit's shellcode by performing a <B>SMB
|
|
reflection attack</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx">MS08-068</A>) with a UNC path request from the database server to
|
|
the attacker's machine where the Metasploit <CODE>smb_relay</CODE> server
|
|
exploit listens. Supported when running sqlmap with high privileges
|
|
(<CODE>uid=0</CODE>) on Linux/Unix and the target DBMS runs as Administrator
|
|
on Windows - switch <CODE>-</CODE><CODE>-os-smbrelay</CODE>.</LI>
|
|
<LI>Database in-memory execution of the Metasploit's shellcode by
|
|
exploiting <B>Microsoft SQL Server 2000 and 2005
|
|
<CODE>sp_replwritetovarbin</CODE> stored procedure heap-based buffer
|
|
overflow</B> (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx">MS09-004</A>). sqlmap has its own exploit to trigger the
|
|
vulnerability with automatic DEP memory protection bypass, but it relies
|
|
on Metasploit to generate the shellcode to get executed upon successful
|
|
exploitation - switch <CODE>-</CODE><CODE>-os-bof</CODE>.</LI>
|
|
</UL>
|
|
</P>
|
|
|
|
<P>These techniques are detailed in the white paper
|
|
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A> and in the
|
|
slide deck
|
|
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">Expanding the control over the operating system from the database</A>.</P>
|
|
|
|
<P>Example against a MySQL target:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int_51.aspx?id=1" \
|
|
--os-pwn -v 1 --msf-path /tmp/metasploit
|
|
|
|
[...]
|
|
TODO
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>By default MySQL on Windows runs as <CODE>SYSTEM</CODE>, however PostgreSQL
|
|
runs as a low-privileged user <CODE>postgres</CODE> on both Windows and Linux.
|
|
Microsoft SQL Server 2000 by default runs as <CODE>SYSTEM</CODE>, whereas
|
|
Microsoft SQL Server 2005 and 2008 run most of the times as <CODE>NETWORK
|
|
SERVICE</CODE> and sometimes as <CODE>LOCAL SERVICE</CODE>.</P>
|
|
|
|
<P>It is possible to provide sqlmap with the <CODE>-</CODE><CODE>-priv-esc</CODE>
|
|
switch to perform a <B>database process' user privilege escalation</B>
|
|
via Metasploit's <CODE>getsystem</CODE> command which include, among others,
|
|
the
|
|
<A HREF="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html">kitrap0d</A> technique (
|
|
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx">MS10-015</A>).</P>
|
|
|
|
|
|
<H2><A NAME="ss5.14">5.14</A> <A HREF="#toc5.14">Windows registry access</A>
|
|
</H2>
|
|
|
|
<P>It is possible to access Windows registry when the back-end database
|
|
management system is either MySQL, PostgreSQL or Microsoft SQL Server,
|
|
and when the web application supports stacked queries. Also, session user
|
|
has to have the needed privileges to access it.</P>
|
|
|
|
<H3>Read a Windows registry key value</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-read</CODE></P>
|
|
|
|
<P>Using this option you can read registry key values.</P>
|
|
|
|
<H3>Write a Windows registry key value</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-add</CODE></P>
|
|
|
|
<P>Using this option you can write registry key values.</P>
|
|
|
|
<H3>Delete a Windows registry key</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-reg-del</CODE></P>
|
|
|
|
<P>Using this option you can delete registry keys.</P>
|
|
|
|
<H3>Auxiliary registry switches</H3>
|
|
|
|
<P>Switches: <CODE>-</CODE><CODE>-reg-key</CODE>, <CODE>-</CODE><CODE>-reg-value</CODE>,
|
|
<CODE>-</CODE><CODE>-reg-data</CODE> and <CODE>-</CODE><CODE>-reg-type</CODE></P>
|
|
|
|
<P>These switches can be used to provide data needed for proper running of
|
|
options <CODE>-</CODE><CODE>-reg-read</CODE>, <CODE>-</CODE><CODE>-reg-add</CODE> and
|
|
<CODE>-</CODE><CODE>-reg-del</CODE>. So, instead of providing registry key
|
|
information when asked, you can use them at command prompt as program
|
|
arguments.</P>
|
|
|
|
<P>With <CODE>-</CODE><CODE>-reg-key</CODE> option you specify used Windows registry
|
|
key path, with <CODE>-</CODE><CODE>-reg-value</CODE> value item name inside
|
|
provided key, with <CODE>-</CODE><CODE>-reg-data</CODE> value data, while with
|
|
<CODE>-</CODE><CODE>-reg-type</CODE> option you specify type of the value item.</P>
|
|
|
|
<P>A sample command line for adding a registry key hive follows:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
|
|
--reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
|
|
<H2><A NAME="ss5.15">5.15</A> <A HREF="#toc5.15">General</A>
|
|
</H2>
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-t</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Session file: save and resume data retrieved</H3>
|
|
|
|
<P>Switch: <CODE>-s</CODE></P>
|
|
|
|
<P>By default sqlmap logs all queries and their output into a textual file
|
|
called <EM>session file</EM>, regardless of the technique used to extract
|
|
the data.
|
|
This is useful if you stop the injection for any reason and rerun it
|
|
afterwards: sqlmap will parse the session file and resume enumerated data
|
|
from it, then carry on extracting data from the exact point where it left
|
|
before you stopped the tool.</P>
|
|
|
|
<P>The default session file is <CODE>output/TARGET_URL/session</CODE>, but you
|
|
can specify a different file path with <CODE>-s</CODE> switch.</P>
|
|
|
|
<P>The session file has the following structure:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
[hh:mm:ss MM/DD/YY]
|
|
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>A more user friendly textual file where all data retrieved is saved, is
|
|
the <EM>log file</EM>, <CODE>output/TARGET_URL/log</CODE>. This file can be
|
|
useful to see all information enumerated to the end.</P>
|
|
|
|
|
|
<H3>Flush session file</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-flush-session</CODE></P>
|
|
|
|
<P>As you are already familiar with the concept of a session file from the
|
|
description above, it is good to know that you can flush the content of
|
|
that file using option <CODE>-</CODE><CODE>-flush-session</CODE>.
|
|
This way you can avoid the caching mechanisms implemented by default in
|
|
sqlmap. Other possible way is to manually remove the session file(s).</P>
|
|
|
|
|
|
<H3>Estimated time of arrival</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-eta</CODE></P>
|
|
|
|
<P>It is possible to calculate and show in real time the estimated time of
|
|
arrival to retrieve each query output. This is shown when the technique
|
|
used to retrieve the output is any of the blind SQL injection types.</P>
|
|
|
|
<P>Example against an Oracle target affected only by boolean-based blind SQL
|
|
injection:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id=1" -b --eta
|
|
|
|
[...]
|
|
[hh:mm:01] [INFO] the back-end DBMS is Oracle
|
|
[hh:mm:01] [INFO] fetching banner
|
|
[hh:mm:01] [INFO] retrieving the length of query output
|
|
[hh:mm:01] [INFO] retrieved: 64
|
|
17% [========> ] 11/64 ETA 00:19
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>Then:</P>
|
|
<P>
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
100% [===================================================] 64/64
|
|
[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
|
|
|
|
web application technology: PHP 5.2.6, Apache 2.2.9
|
|
back-end DBMS: Oracle
|
|
banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
</P>
|
|
|
|
<P>As you can see, sqlmap first calculates the length of the query output,
|
|
then estimates the time of arrival, shows the progress in percentage and
|
|
counts the number of retrieved output characters.</P>
|
|
|
|
|
|
<H3>Update sqlmap</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-update</CODE></P>
|
|
|
|
<P>Using this option you can update the tool to the latest development
|
|
version directly from the subversion repository. You obviously need
|
|
Internet access.</P>
|
|
|
|
<P>If, for any reason, this operation fails, run <CODE>svn update</CODE> from
|
|
your sqlmap working copy. It will perform the exact same operation of
|
|
switch <CODE>-</CODE><CODE>-update</CODE>.
|
|
If you are running sqlmap on Windows, you can use the TartoiseSVN client
|
|
by right-clicking in Windows Explorer into your sqlmap working copy and
|
|
clicking on <CODE>Update</CODE>.</P>
|
|
|
|
<P>This is strongly recommended <B>before</B> reporting any bug to the
|
|
<A HREF="http://sqlmap.sourceforge.net/#ml">mailing lists</A>.</P>
|
|
|
|
|
|
<H3>Save options in a configuration INI file</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-save</CODE></P>
|
|
|
|
<P>It is possible to save the command line options to a configuration INI
|
|
file.
|
|
The generated file can then be edited and passed to sqlmap with the
|
|
<CODE>-c</CODE> option as explained above.</P>
|
|
|
|
|
|
<H3>Act in non-interactive mode</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-batch</CODE></P>
|
|
|
|
<P>If you want sqlmap to run as a batch tool, without any user's interaction
|
|
when sqlmap requires it, you can force that by using
|
|
<CODE>-</CODE><CODE>-batch</CODE> switch. This will leave sqlmap to go with a
|
|
default behaviour whenever user's input would be required.</P>
|
|
|
|
|
|
<H2><A NAME="ss5.16">5.16</A> <A HREF="#toc5.16">Miscellaneous</A>
|
|
</H2>
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-beep</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-check-payload</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Cleanup the DBMS from sqlmap specific UDF(s) and table(s)</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-cleanup</CODE></P>
|
|
|
|
<P>It is recommended to clean up the back-end database management system from
|
|
sqlmap temporary table(s) and created user-defined function(s) when you
|
|
are done taking over the underlying operating system or file system.
|
|
Switch <CODE>-</CODE><CODE>-cleanup</CODE> will attempt to clean up the DBMS and
|
|
the file system wherever possible.</P>
|
|
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-forms</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>Use Google dork results from specified page number</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-gpage</CODE></P>
|
|
|
|
<P>Default sqlmap behavior with option <CODE>-g</CODE> is to do a Google
|
|
search and use the first 100 resulting URLs for further SQL injection
|
|
testing. However, in combination with this option you can specify with
|
|
this switch, <CODE>-</CODE><CODE>-gpage</CODE>, some page other than the first one
|
|
to retrieve target URLs from.</P>
|
|
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-parse-errors</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H3>TODO</H3>
|
|
|
|
<P>Switch: <CODE>-</CODE><CODE>-replicate</CODE></P>
|
|
|
|
<P>TODO</P>
|
|
|
|
|
|
<H2><A NAME="s6">6.</A> <A HREF="#toc6">License and copyright</A></H2>
|
|
|
|
<P>sqlmap is released under the terms of the
|
|
<A HREF="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html">General Public License v2</A>.
|
|
sqlmap is copyrighted by its
|
|
<A HREF="http://sqlmap.sourceforge.net/#developers">developers</A>.</P>
|
|
|
|
|
|
<H2><A NAME="s7">7.</A> <A HREF="#toc7">Disclaimer</A></H2>
|
|
|
|
<P>sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
details.</P>
|
|
|
|
<P>Whatever you do with this tool is uniquely your responsibility. If you are
|
|
not authorized to punch holes in the network you are attacking be aware
|
|
that such action might get you in trouble with a lot of law enforcement
|
|
agencies.</P>
|
|
|
|
|
|
<H2><A NAME="s8">8.</A> <A HREF="#toc8">Authors</A></H2>
|
|
|
|
<P>
|
|
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A> (inquis) - Lead developer.
|
|
PGP Key ID:
|
|
<A HREF="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x05F5A30F">0x05F5A30F</A></P>
|
|
<P>
|
|
<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A> (stamparm) - Developer.
|
|
PGP Key ID:
|
|
<A HREF="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5397B1B">0xB5397B1B</A></P>
|
|
|
|
</BODY>
|
|
</HTML>
|