From 997c9ba1e8c7a87700a2a27938e63eed7b5c3d59 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Fri, 12 Aug 2011 12:56:55 +0000 Subject: [PATCH] Minor adjustments to user's manual --- doc/README.sgml | 123 ++++++++++++++++++++++++------------------------ 1 file changed, 62 insertions(+), 61 deletions(-) diff --git a/doc/README.sgml b/doc/README.sgml index 8de357e7a..153933017 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -6,7 +6,7 @@ by , version 1.0-dev, XXX XX, 2011 -This document is the user's manual to use . +This document is the user's manual for . @@ -28,29 +28,26 @@ on the operating system via out-of-band connections.

sqlmap is developed in , -a dynamic object-oriented interpreted programming language. -This makes the tool independent from the operating system. It only -requires the Python interpreter version 2 equal or higher than -2.6. -The interpreter is freely downloadable from its -. +a dynamic, object-oriented, interpreted programming language freely available from +. +This makes sqlmap a cross-platform application which is independant of the +operating system. sqlmap requires Python version 2.6 or above. To make it even easier, many GNU/Linux distributions come out of the box -with Python interpreter installed and other Unices and Mac OSX too provide -it packaged in their formats and ready to be installed. -Windows users can download and install the Python setup-ready installer -for x86, AMD64 and Itanium too. +with Python installed. Other Unices and Mac OSX also provide Python packaged +and ready to be installed. +Windows users can download and install the Python installer for x86, AMD64 and Itanium. sqlmap relies on the for some of its post-exploitation takeover -features. You need to grab a copy of it from the +features. You need to grab a copy of the framework from the page - the required version is 3.5 or higher. -For the ICMP tunneling out-of-band takeover technique, sqlmap requires +For the ICMP tunneling out-of-band takeover technique, sqlmap requires the library too. If you are willing to connect directly to a database server (-d switch), -without passing via a web application, you need to install Python bindings +without passing through the web application, you need to install Python bindings for the database management system that you are going to attack: 
@@ -68,17 +65,17 @@ If you plan to attack a web application behind NTLM authentication or use the sqlmap update functionality (--update switch) you need to install respectively and libraries. +name="python-svn"> libraries respectively. -Optionally, if you are running sqlmap on Windows, you may wish to install +Optionally, if you are running sqlmap on Windows, you may wish to install the -library to be able to take advantage of the sqlmap TAB completion and +library in order to take advantage of the sqlmap TAB completion and history support features in the SQL shell and OS shell. -Note that these functionalities are available natively by Python standard +Note that these functionalities are available natively via the standard Python library on other operating systems. -You can also choose to install library to eventually speed up the sqlmap algorithmic operations. @@ -88,13 +85,13 @@ operations. Detect and exploit a SQL injection

Let's say that you are auditing a web application and found a web page -that accepts dynamic user-provided values on GET or POST -parameters or HTTP Cookie values or HTTP User-Agent -header value. +that accepts dynamic user-provided values via GET, POST +or Cookie parameters or via the HTTP User-Agent +request header. You now want to test if these are affected by a SQL injection vulnerability, and if so, exploit them to retrieve as much information as -possible out of the web application's back-end database management system -or even be able to access the underlying file system and operating system. +possible from the back-end database management system, or even be able to +access the underlying file system and operating system. In a simple world, consider that the target url is: 
@@ -104,59 +101,56 @@ Assume that: http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1 -is the same page as the original one and: +is the same page as the original one and (the condition evaluates to True): http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2 -differs from the original one, it means that you are in front of a SQL +differs from the original one (the condition evaluates to False). +This likely means that you are in front of a SQL injection vulnerability in the id GET parameter of the -index.php web application page which means that potentially no -IDS/IPS, no web application firewall, no parameters' value sanitization is -performed on the server-side before sending the SQL statement to the -back-end database management system the web application relies on. +index.php page. Additionally, no sanitisation of user's supplied +input is taking place before the SQL statement is sent to the +back-end database management system. -This is a quite common flaw in dynamic content web applications and it +This is quite a common flaw in dynamic content web applications and it does not depend upon the back-end database management system nor on the web -application programming language: it is a programmer code's security flaw. +application programming language; it is a flaw within the application code. The -rated on 2010 in their survey this vulnerability as the and important web application vulnerability along with other -injection flaws. +common"> and serious web application vulnerability in their + list from 2010. -Back to the scenario, probably the SQL SELECT statement into -get_int.php has a syntax similar to the following SQL query, in -pseudo PHP code: +Now that you have found the vulnerable parameter, you can exploit it by +manipulating the id parameter value in the HTTP request. 
+ +Back to the scenario, we can make an educated guess about the probable +syntax of the SQL SELECT statement where the user supplied value is +being used in the get_int.php web page. In pseudo PHP code: $query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id']; -As you can see, appending any other syntatically valid SQL condition after -a value for id such condition will take place when the web -application passes the query to the back-end database management system -that executes it, that is why the condition id=1 AND 1=1 is valid -(True) and returns the same page as the original one, with the -same content. This is the case of a boolean-based blind SQL injection -vulnerability. However, sqlmap is able to detect any type of SQL injection -and adapt its work-flow accordingly. Read below for further details. +As you can see, appending a syntactically valid SQL statement that will +evaluate to a True condition after the value for the id +parameter (such as id=1 AND 1=1) will result in the web application +returning the same web page as in the original request (where no SQL +statement is added). +This is because the back-end database management system has evaluated the +injected SQL statement. +The previous example describes a simple boolean-based blind SQL injection +vulnerability. +However, sqlmap is able to detect any type of SQL injection flaw and adapt +its work-flow accordingly. -Moreover, in this simple and easy to inject scenario it would be also -possible to append, not just one or more valid SQL condition(s), but also -stacked SQL queries, for instance something like [...]&id=1; -ANOTHER SQL QUERY# if the web application technology supports -stacked queries, also known as multiple statements. - -Now that you found this SQL injection vulnerable parameter, you can -exploit it by manipulating the id parameter value in the HTTP -request. 
- -There exist many -on the Net explaining in depth how to prevent, detect and exploit SQL -injection vulnerabilities in web application and it is recommended to read -them if you are not familiar with the issue before going ahead with sqlmap. +In this simple scenario it would also be possible to append, not just one or +more valid SQL conditions, but also (depending on the DBMS) stacked SQL +queries. For instance: [...]&id=1;ANOTHER SQL QUERY#. +sqlmap can automate the process of identifying and exploiting this type of +vulnerability. Passing the original address, http://192.168.136.131/sqlmap/mysql/get_int.php?id=1 to sqlmap, the tool will automatically: @@ -168,6 +162,13 @@ vulnerable parameter(s); Depending on the user's options, it will extensively fingerprint, enumerate data or takeover the database server as a whole. +...and depending on supplied options, it will enumerate data or takeover the +database server entirely. + +There exist many +on the web explaining in depth how to detect, exploit and prevent SQL +injection vulnerabilities in web applications. It is recommendeded that you read +them before going much further with sqlmap. Direct connection to the database management system
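Review bot: the rewritten Python paragraph in the @@ -28,29 +28,26 @@ hunk introduces the misspelling "independant" (should be "independent"), and collapsing "Python interpreter version 2 equal or higher than 2.6" into "sqlmap requires Python version 2.6 or above" drops the major-version qualifier, so a reader could take Python 3 as supported; suggest "sqlmap requires Python 2.6 or a later 2.x release." The same sentence is also redundant: "a cross-platform application which is independant of the operating system" says the same thing twice, and "This makes sqlmap a cross-platform application." is enough.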
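Review bot: in the @@ -68,17 +65,17 @@ hunk the line beginning "You can also choose to install" still reads "to eventually speed up the sqlmap algorithmic operations"; in English "eventually" means "at some later time", not "possibly", so since this paragraph is being reworded anyway, suggest "which may speed up the sqlmap algorithmic operations".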
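Review bot: style point for the @@ -88,13 +85,13 @@ hunk: the context line "In a simple world, consider that the target url is:" has "url" in lowercase while the surrounding text spells out other acronyms (GET, POST, HTTP) in capitals; while this paragraph is being rewritten, "target URL" would be consistent.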
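Review bot: the rewrite in the @@ -104,59 +101,56 @@ hunk hardens a hedged claim into a certainty: the removed text said a differing response means "potentially no IDS/IPS, no web application firewall, no parameters' value sanitization is performed", while the new "Additionally, no sanitisation of user's supplied input is taking place" states it as fact, even though the sentence before it only says "This likely means". Suggest "Additionally, it suggests that no sanitization of user-supplied input takes place", which also fixes "user's supplied" and keeps the "-ization" spelling used in the removed line. Two terminology points in the same hunk: "id=1 AND 1=1" is a condition, not "a syntactically valid SQL statement" (the removed text correctly had "SQL condition"), and "(depending on the DBMS)" for stacked queries narrows the removed "if the web application technology supports stacked queries"; whether "[...]&id=1;ANOTHER SQL QUERY#" executes depends on both the DBMS and the database API the application uses, so "depending on the DBMS and the database API in use" would be more accurate.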
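Review bot: the @@ -168,6 +162,13 @@ hunk adds "...and depending on supplied options, it will enumerate data or takeover the database server entirely." directly after the unchanged context line "Depending on the user's options, it will extensively fingerprint, enumerate data or takeover the database server as a whole.", so the manual now says the same thing twice; either replace the old line in this hunk or drop the new one. The added paragraph on SQL injection references has the typo "recommendeded" (should be "recommended"), and "takeover" used as a verb should be "take over" in both lines.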