PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-15 20:29:04 +00:00
Code Issues Projects Releases Wiki Activity

Completed support to get the list of targets from WebScarab/Burp proxies

Browse Source 
log file and updated the documentation
This commit is contained in:
Bernardo Damele
2008-11-27 22:33:33 +00:00
parent 785352d700
commit 6e548eb2ec
13 changed files with 232 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
doc/ChangeLog
View File

@@ -3,6 +3,10 @@ sqlmap (0.6.3-1) stable; urgency=low
* Major enhancement to support stacked queries when the web application
supports it which will be used in the long run by takeover
functionality;
* Major enhancement to get list of targets to test from Burp proxy
(http://portswigger.net/suite/) requests log file path or WebScarab
proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
'conversations/' folder path;
* Minor enhancement to test if the injectable parameter is affected by
a time based blind SQL injection technique;
* Minor enhancement to fingerprint the web server operating system and
@@ -28,6 +32,7 @@ sqlmap (0.6.3-1) stable; urgency=low
* Minor bug fix to correctly enumerate columns on Microsoft SQL Server;
* Minor bug fix to correctly dump table entries when the column is
provided;
* Updated documentation.
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Day, X YYY 2008 10:00:00 +0000
@@ -218,14 +223,14 @@ sqlmap (0.4-1) stable; urgency=low
the remote DBMS;
* Major improvements in union.UnionCheck() and union.UnionUse()
functions to make it possible to exploit inband SQL injection also
with database comment characters ('--' and '#') in UNION SELECT
with database comment characters ('--' and '#') in UNION query
statements;
* Added the possibility to save the output into a file while performing
the queries (-o OUTPUTFILE) so it is possible to stop and resume the
same query output retrieving in a second time (--resume);
* Added support to specify the database table column to enumerate
(-C COL);
* Added inband SQL injection (UNION SELECT) support (--union-use);
* Added inband SQL injection (UNION query) support (--union-use);
* Complete code refactoring, a lot of minor and some major fixes in
libraries, many minor improvements;
* Reviewed the directory tree structure;

35
doc/README.html
View File

@@ -8,7 +8,7 @@
<H1>sqlmap user's manual</H1>
<H2>by
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.6.3, DDth of November 2008
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A></H2>version 0.6.3, DDth of December 2008
<HR>
<EM>This document is the user's manual to use
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.
@@ -349,7 +349,7 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u &lt;URL> | -g &lt;google dork> | -c &lt;config file>}
Usage: sqlmap.py [options] {-u "&lt;URL>" | -g "&lt;google dork>" | -c "&lt;config file>"}
Options:
--version show program's version number and exit
@@ -384,8 +384,8 @@ Options:
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
--union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint:
@@ -487,7 +487,7 @@ headers and level 5 show also HTTP responses page content.</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 1
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1
[hh:mm:01] [INFO] testing connection to the target url
[hh:mm:01] [INFO] testing if the url is stable, wait a few seconds
@@ -525,7 +525,7 @@ back-end DBMS: MySQL >= 5.0.0
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 2
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 2
[hh:mm:34] [DEBUG] initializing the configuration
[hh:mm:34] [DEBUG] initializing the knowledge base
@@ -548,7 +548,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 3
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 3
[...]
[hh:mm:28] [INFO] testing connection to the target url
@@ -575,7 +575,7 @@ Connection: close
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 4
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 4
[...]
[hh:mm:32] [INFO] testing connection to the target url
@@ -620,7 +620,7 @@ Content-Type: text/html
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 5
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5
[...]
[hh:mm:23] [INFO] testing connection to the target url
@@ -675,6 +675,13 @@ Content-Type: text/html
</P>
<H3>List of targets</H3>
<P>Option: <CODE>-l</CODE></P>
<P>TODO</P>
<H3>Process Google dork results as target urls</H3>
<P>Option: <CODE>-g</CODE></P>
@@ -733,7 +740,7 @@ injection test and inject directly only against the provided parameter(s).</P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p id
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
@@ -769,7 +776,7 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;ca
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p user-agent --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
@@ -816,7 +823,7 @@ tested for SQL injection like the <CODE>GET</CODE> parameters.</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/oracle/post_int.php --method POST \
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \
--data "id=1&amp;cat=2"
[hh:mm:53] [INFO] testing connection to the target url
@@ -1216,7 +1223,7 @@ request. The valid value is a float, for instance 0.5.</P>
<P>TODO</P>
<H3>Test for UNION SELECT query SQL injection</H3>
<H3>Test for UNION query SQL injection</H3>
<P>Option: <CODE>--union-test</CODE></P>
@@ -1266,7 +1273,7 @@ affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.</P>
<H3>Use the UNION SELECT query SQL injection</H3>
<H3>Use the UNION query SQL injection</H3>
<P>Option: <CODE>--union-use</CODE></P>

BIN
doc/README.pdf
View File

Binary file not shown.

37
doc/README.sgml
View File

@@ -4,7 +4,7 @@
<title>sqlmap user's manual
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">
<date>version 0.6.3, DDth of November 2008
<date>version 0.6.3, DDth of December 2008
<abstract>
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">
@@ -309,7 +309,7 @@ $ python sqlmap.py -h
sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
and Daniele Bellucci <daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}
Usage: sqlmap.py [options] {-u "<URL>" | -g "<google dork>" | -c "<config file>"}
Options:
--version show program's version number and exit
@@ -344,8 +344,8 @@ Options:
using the default blind SQL injection technique.
--time-test Test for Time based blind SQL injection
--union-test Test for UNION SELECT (inband) SQL injection
--union-use Use the UNION SELECT (inband) SQL injection to
--union-test Test for UNION query (inband) SQL injection
--union-use Use the UNION query (inband) SQL injection to
retrieve the queries output. No need to go blind
Fingerprint:
@@ -446,7 +446,7 @@ headers and level 5 show also HTTP responses page content.
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>1</bf>):
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 1
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1
[hh:mm:01] [INFO] testing connection to the target url
[hh:mm:01] [INFO] testing if the url is stable, wait a few seconds
@@ -482,7 +482,7 @@ back-end DBMS: MySQL >= 5.0.0
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>2</bf>):
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 2
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 2
[hh:mm:34] [DEBUG] initializing the configuration
[hh:mm:34] [DEBUG] initializing the knowledge base
@@ -503,7 +503,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>3</bf>):
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 3
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 3
[...]
[hh:mm:28] [INFO] testing connection to the target url
@@ -528,7 +528,7 @@ Connection: close
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>4</bf>):
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 4
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 4
[...]
[hh:mm:32] [INFO] testing connection to the target url
@@ -571,7 +571,7 @@ Content-Type: text/html
Example on a <bf>MySQL 5.0.51</bf> target (verbosity level <bf>5</bf>):
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2 -v 5
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 5
[...]
[hh:mm:23] [INFO] testing connection to the target url
@@ -624,6 +624,15 @@ Content-Type: text/html
</verb></tscreen>
<sect2>List of targets
<p>
Option: <tt>-l</tt>
<p>
TODO
<sect2>Process Google dork results as target urls
<p>
@@ -685,7 +694,7 @@ Example on a <bf>PostgreSQL 8.2.7</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;cat=2" -v 1 \
-p id
-p "id"
[hh:mm:48] [INFO] testing connection to the target url
[hh:mm:48] [INFO] testing if the url is stable, wait a few seconds
@@ -718,7 +727,7 @@ Example on a <bf>MySQL 5.0.51</bf> target:
<tscreen><verb>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" -v 1 \
-p user-agent --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
-p "user-agent" --user-agent "sqlmap/0.6.3 (http://sqlmap.sourceforge.net)"
[hh:mm:40] [WARNING] the testable parameter 'user-agent' you provided is not into the GET
[hh:mm:40] [INFO] testing connection to the target url
@@ -765,7 +774,7 @@ tested for SQL injection like the <tt>GET</tt> parameters.
Example on an <bf>Oracle XE 10.2.0.1</bf> target:
<tscreen><verb>
$ python sqlmap.py -u http://192.168.1.121/sqlmap/oracle/post_int.php --method POST \
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \
--data "id=1&amp;cat=2"
[hh:mm:53] [INFO] testing connection to the target url
@@ -1158,7 +1167,7 @@ Option: <tt>--time-test</tt>
TODO
<sect2>Test for UNION SELECT query SQL injection
<sect2>Test for UNION query SQL injection
<p>
Option: <tt>--union-test</tt>
@@ -1207,7 +1216,7 @@ affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use it.
<sect2>Use the UNION SELECT query SQL injection
<sect2>Use the UNION query SQL injection
<p>
Option: <tt>--union-use</tt>

9
doc/THANKS
View File

@@ -51,8 +51,11 @@ Will Holcomb <wholcomb@gmail.com>
Luke Jahnke <luke.jahnke@gmail.com>
for reporting a bug when running against MySQL < 5.0
Anant Kochhar <anant.kochhar@secureyes.net>
for providing me with feedback on the user's manual
Nico Leidecker <nico@leidecker.info>
for providing with feedback on a few features
for providing me with feedback on a few features
Pavol Luptak <pavol.luptak@nethemba.com>
for reporting a bug when injecting on a POST data parameter
@@ -62,6 +65,10 @@ Michael Majchrowicz <mmajchrowicz@gmail.com>
for providing really appreciated feedback
for suggesting a lot of ideas and features
Ferruh Mavituna <ferruh@mavituna.com>
for providing me with ideas on the implementation on a couple of
new features
Enrico Milanese <enricomilanese@gmail.com>
for reporting a bugs when using (-a) a single line User-Agent file
for providing me with some ideas for the PHP backdoor