diff --git a/doc/ChangeLog b/doc/ChangeLog
index 78f152623..66b4c6d58 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -2,7 +2,7 @@ sqlmap (0.6.1-1) stable; urgency=low
 * Major bug fix to blind SQL injection bisection algorithm to handle an exception;
- * Written a Metasploit 3 auxiliary module to run sqlmap;
+ * Added a Metasploit 3 auxiliary module to run sqlmap;
 * Implemented possibility to test for and inject also on LIKE statements;
 * Implemented --start and --stop options to set the first and the last
diff --git a/extra/msfauxmod/README b/extra/msfauxmod/README
index 26d16f35a..b37865b27 100644
--- a/extra/msfauxmod/README
+++ b/extra/msfauxmod/README
@@ -32,43 +32,42 @@ msf auxiliary(wmap_sqlmap) > show options Module options: - Name Current Setting Required Description - ---- --------------- -------- ----------- - BATCH true yes Never ask for user input, use the default behaviour - DATA no The data string to be sent through POST - METHOD GET yes HTTP Method - OPTS --dbs --current-user no The sqlmap options to use - PATH /sqlmap/mysql/get_int.php yes The path/file to test for SQL injection - Proxies no Use a proxy chain - QUERY id=1 no HTTP GET query - RHOSTS 192.168.1.121 yes The target address range or CIDR identifier - RPORT 80 yes The target port - SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path - SSL false no Use SSL - THREADS 1 yes The number of concurrent threads - VHOST no HTTP server virtual host + Name Current Setting Required Description + ---- --------------- -------- ----------- + BATCH true yes Never ask for user input, use the default behaviour + BODY no The data string to be sent through POST + METHOD GET yes HTTP Method + OPTS --dbs --current-user no The sqlmap options to use + PATH /sqlmap/mysql/get_int.php yes The path/file to test for SQL injection + Proxies no Use a proxy chain + QUERY id=1 no HTTP GET query + RHOSTS 192.168.1.121 yes The target address range or CIDR identifier + RPORT 80 yes The target port + SQLMAP_PATH /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py yes The sqlmap >= 0.6.1 full path + SSL false no Use SSL + THREADS 1 yes The number of concurrent threads + VHOST no HTTP server virtual host msf auxiliary(wmap_sqlmap) > run -[*] exec: /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py -u 'http://192.168.1.121/sqlmap/mysql/get_int.php?id=1' --method GET --dbs --current-user --batch +[*] exec: /home/inquis/software/sqlmap/trunk/sqlmap/sqlmap.py -u 'http://192.168.1.121:80//sqlmap/mysql/get_int.php?id=1' --method GET --dbs --current-user --batch SQLMAP: SQLMAP: sqlmap/0.6.1 coded by Bernardo Damele A. G. 
SQLMAP: and Daniele Bellucci SQLMAP: -SQLMAP: [*] starting at: 01:31:41 +SQLMAP: [*] starting at: 16:23:19 SQLMAP: -SQLMAP: [01:31:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic +SQLMAP: [16:23:20] [WARNING] User-Agent parameter 'User-Agent' is not dynamic SQLMAP: back-end DBMS: MySQL >= 5.0.0 SQLMAP: SQLMAP: current user: 'testuser@localhost' SQLMAP: -SQLMAP: available databases [4]: +SQLMAP: available databases [3]: SQLMAP: [*] information_schema SQLMAP: [*] mysql -SQLMAP: [*] privatedb SQLMAP: [*] test SQLMAP: SQLMAP: -SQLMAP: [*] shutting down at: 01:31:44 +SQLMAP: [*] shutting down at: 16:23:21 SQLMAP: [*] Auxiliary module execution completed msf auxiliary(wmap_sqlmap) > diff --git a/extra/msfauxmod/wmap_sqlmap.rb b/extra/msfauxmod/wmap_sqlmap.rb index 9a0fc91b0..091b45ef3 100644 --- a/extra/msfauxmod/wmap_sqlmap.rb +++ b/extra/msfauxmod/wmap_sqlmap.rb @@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary OptString.new('METHOD', [ true, "HTTP Method", 'GET' ]), OptString.new('PATH', [ true, "The path/file to test for SQL injection", 'index.php' ]), OptString.new('QUERY', [ false, "HTTP GET query", 'id=1' ]), - OptString.new('DATA', [ false, "The data string to be sent through POST", '' ]), + OptString.new('BODY', [ false, "The data string to be sent through POST", '' ]), OptString.new('OPTS', [ false, "The sqlmap options to use", ' ' ]), OptPath.new('SQLMAP_PATH', [ true, "The sqlmap >= 0.6.1 full path ", '/sqlmap/sqlmap.py' ]), OptBool.new('BATCH', [ true, "Never ask for user input, use the default behaviour", 'true' ]) @@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary return end - data = datastore['DATA'] + data = datastore['BODY'] method = datastore['METHOD'].upcase sqlmap_url = (datastore['SSL'] ? "https" : "http") diff --git a/lib/request/connect.py b/lib/request/connect.py index be335b785..09371bc89 100644 --- a/lib/request/connect.py +++ b/lib/request/connect.py 
@@ -98,9 +98,12 @@ class Connect:
 requestMsg += " HTTP/1.1"
+ if cookie:
+ cookie = urlencode(cookie).replace("%%", "%")
+
 try:
 # Perform HTTP request
- headers = forgeHeaders(urlencode(cookie).replace("%%", "%"), ua)
+ headers = forgeHeaders(cookie, ua)
 req = urllib2.Request(url, post, headers)
 conn = urllib2.urlopen(req)
diff --git a/sqlmap.conf b/sqlmap.conf
index c72d48811..7570b09f6 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -2,15 +2,7 @@
 # Target URL.
 # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
-url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_brackets.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_str_like.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par2.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_str_like_par3.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_dstr_like_par.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_dstr_like_par2.php?id=1
-#url = http://127.0.0.1/sqlmap/mysql/get_int_str.php?id=1&name=luther
+url =
 # Rather than providing a target url, let Google return target
 # hosts as result of your Google dork expression. For a list of Google
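Review bot: The new `if cookie:` block rebinds `cookie` itself, so every later use of that name in the enclosing method — which starts and ends outside this hunk — now sees the URL-encoded form rather than the value the caller supplied, not just the `forgeHeaders` call the change targets. If `cookie` is read again further down (for request logging, a retry, or error output), that is a silent behaviour change the commit message does not mention. Binding the encoded value to a fresh name keeps the two apart: `encodedCookie = urlencode(cookie).replace("%%", "%") if cookie else cookie` followed by `headers = forgeHeaders(encodedCookie, ua)`. A short comment on why `%%` is collapsed after `urlencode()` would also help, since the reason is not visible from the hunk and a future reader may take the `.replace` for a bug.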