minor update of FAQ files

stamparm · stamparm · commit 32ca99da53a7 · 2012-02-16T13:26:00.000Z
diff --git a/doc/FAQ.html b/doc/FAQ.html
@@ -21,22 +21,20 @@ <H2><A NAME="toc1">1.</A> <A HREF="FAQ.html#s1">Frequently Asked Questions</A></
 <LI><A NAME="toc1.1">1.1</A> <A HREF="FAQ.html#ss1.1">What is sqlmap?</A>
 <LI><A NAME="toc1.2">1.2</A> <A HREF="FAQ.html#ss1.2">How do I execute sqlmap?</A>
 <LI><A NAME="toc1.3">1.3</A> <A HREF="FAQ.html#ss1.3">Can I integrate sqlmap with a security tool I am developing?</A>
-<LI><A NAME="toc1.4">1.4</A> <A HREF="FAQ.html#ss1.4">How can I integrate sqlmap with my own tool?</A>
-<LI><A NAME="toc1.5">1.5</A> <A HREF="FAQ.html#ss1.5">Will you support other database management systems?</A>
-<LI><A NAME="toc1.6">1.6</A> <A HREF="FAQ.html#ss1.6">How can I occasionally contribute?</A>
-<LI><A NAME="toc1.7">1.7</A> <A HREF="FAQ.html#ss1.7">Can I actively contribute in the long-term development?</A>
-<LI><A NAME="toc1.8">1.8</A> <A HREF="FAQ.html#ss1.8">How can I support the development?</A>
-<LI><A NAME="toc1.9">1.9</A> <A HREF="FAQ.html#ss1.9">Can you hack a site for me?</A>
-<LI><A NAME="toc1.10">1.10</A> <A HREF="FAQ.html#ss1.10">When sqlmap will switch to the Python 3?</A>
-<LI><A NAME="toc1.11">1.11</A> <A HREF="FAQ.html#ss1.11">What does <CODE>"WARNING unknown charset '...'"</CODE> mean?</A>
-<LI><A NAME="toc1.12">1.12</A> <A HREF="FAQ.html#ss1.12">How to use sqlmap with <CODE>mod_rewrite</CODE> enabled?</A>
-<LI><A NAME="toc1.13">1.13</A> <A HREF="FAQ.html#ss1.13">Why is sqlmap not able to get password hashes in some cases?</A>
-<LI><A NAME="toc1.14">1.14</A> <A HREF="FAQ.html#ss1.14">What is <CODE>-</CODE><CODE>-text-only</CODE> switch?</A>
-<LI><A NAME="toc1.15">1.15</A> <A HREF="FAQ.html#ss1.15">sqlmap is retrieving weird characters for even simplest data (e.g. <CODE>--banner</CODE>)?</A>
-<LI><A NAME="toc1.16">1.16</A> <A HREF="FAQ.html#ss1.16">I am getting <CODE>"CRITICAL connection timed"</CODE> while I am able to browse the site normally?</A>
-<LI><A NAME="toc1.17">1.17</A> <A HREF="FAQ.html#ss1.17">Is it possible to use <CODE>"INSERT/UPDATE"</CODE> SQL commands via <CODE>-</CODE><CODE>-sql-query</CODE></A>
-<LI><A NAME="toc1.18">1.18</A> <A HREF="FAQ.html#ss1.18">I am getting <CODE>"finally: SyntaxError: invalid syntax"</CODE> when trying to run sqlmap?</A>
-<LI><A NAME="toc1.19">1.19</A> <A HREF="FAQ.html#ss1.19">sqlmap is not able to detect/exploit injection while other commercial tools are?</A>
+<LI><A NAME="toc1.4">1.4</A> <A HREF="FAQ.html#ss1.4">Will you support other database management systems?</A>
+<LI><A NAME="toc1.5">1.5</A> <A HREF="FAQ.html#ss1.5">How can I occasionally contribute?</A>
+<LI><A NAME="toc1.6">1.6</A> <A HREF="FAQ.html#ss1.6">Can I actively contribute in the long-term development?</A>
+<LI><A NAME="toc1.7">1.7</A> <A HREF="FAQ.html#ss1.7">How can I support the development?</A>
+<LI><A NAME="toc1.8">1.8</A> <A HREF="FAQ.html#ss1.8">Can you hack a site for me?</A>
+<LI><A NAME="toc1.9">1.9</A> <A HREF="FAQ.html#ss1.9">When sqlmap will switch to the Python 3?</A>
+<LI><A NAME="toc1.10">1.10</A> <A HREF="FAQ.html#ss1.10">What does <CODE>"WARNING unknown charset '...'"</CODE> mean?</A>
+<LI><A NAME="toc1.11">1.11</A> <A HREF="FAQ.html#ss1.11">How to use sqlmap with <CODE>mod_rewrite</CODE> enabled?</A>
+<LI><A NAME="toc1.12">1.12</A> <A HREF="FAQ.html#ss1.12">Why is sqlmap not able to get password hashes in some cases?</A>
+<LI><A NAME="toc1.13">1.13</A> <A HREF="FAQ.html#ss1.13">What is <CODE>-</CODE><CODE>-text-only</CODE> switch?</A>
+<LI><A NAME="toc1.14">1.14</A> <A HREF="FAQ.html#ss1.14">I am getting <CODE>"CRITICAL connection timed"</CODE> while I am able to browse the site normally?</A>
+<LI><A NAME="toc1.15">1.15</A> <A HREF="FAQ.html#ss1.15">Is it possible to use <CODE>"INSERT/UPDATE"</CODE> SQL commands via <CODE>-</CODE><CODE>-sql-query</CODE></A>
+<LI><A NAME="toc1.16">1.16</A> <A HREF="FAQ.html#ss1.16">I am getting <CODE>"finally: SyntaxError: invalid syntax"</CODE> when trying to run sqlmap?</A>
+<LI><A NAME="toc1.17">1.17</A> <A HREF="FAQ.html#ss1.17">sqlmap is not able to detect/exploit injection while other commercial tools are?</A>
 </UL>
 
 <HR>
@@ -82,21 +80,15 @@ <H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Can I integrate sqlmap with a secu
 
 <P>Yes. sqlmap is released under the terms of the GPLv2, which means that any
 derivative work must be distributed without further restrictions on the
-rights granted by the GPL itself. If this constitutes a problem, feel free
-to contact us so we can find a solution.</P>
+rights granted by the GPL itself.</P>
 
-<H2><A NAME="ss1.4">1.4</A> <A HREF="#toc1.4">How can I integrate sqlmap with my own tool?</A>
+<H2><A NAME="ss1.4">1.4</A> <A HREF="#toc1.4">Will you support other database management systems?</A>
 </H2>
 
-<P>TODO</P>
+<P>Yes. There are plans to support also Informix and Ingres at some
+point of time.</P>
 
-<H2><A NAME="ss1.5">1.5</A> <A HREF="#toc1.5">Will you support other database management systems?</A>
-</H2>
-
-<P>Yes. There are plans to support also IBM DB2, Informix and Ingres at some
-point.</P>
-
-<H2><A NAME="ss1.6">1.6</A> <A HREF="#toc1.6">How can I occasionally contribute?</A>
+<H2><A NAME="ss1.5">1.5</A> <A HREF="#toc1.5">How can I occasionally contribute?</A>
 </H2>
 
 <P>All help is greatly appreciated. First of all download the tool, make sure
@@ -108,7 +100,7 @@ <H2><A NAME="ss1.6">1.6</A> <A HREF="#toc1.6">How can I occasionally contribute?
 <A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/THANKS">contributed</A> in different ways to the sqlmap development.
 <B>You</B> can be the next!</P>
 
-<H2><A NAME="ss1.7">1.7</A> <A HREF="#toc1.7">Can I actively contribute in the long-term development?</A>
+<H2><A NAME="ss1.6">1.6</A> <A HREF="#toc1.6">Can I actively contribute in the long-term development?</A>
 </H2>
 
 <P>Yes, we are looking for people who can write some clean Python code, are
@@ -118,27 +110,27 @@ <H2><A NAME="ss1.7">1.7</A> <A HREF="#toc1.7">Can I actively contribute in the l
 If this sounds interesting to you, 
 <A HREF="http://www.sqlmap.org/#developers">get in touch</A>!</P>
 
-<H2><A NAME="ss1.8">1.8</A> <A HREF="#toc1.8">How can I support the development?</A>
+<H2><A NAME="ss1.7">1.7</A> <A HREF="#toc1.7">How can I support the development?</A>
 </H2>
 
 <P>If you think that sqlmap is a great tool, it really played well during
 your penetration tests, or you simply like it, you, or your boss, can
 <A HREF="http://www.sqlmap.org/#donate">donate some money</A> to the developers via PayPal.</P>
 
-<H2><A NAME="ss1.9">1.9</A> <A HREF="#toc1.9">Can you hack a site for me?</A>
+<H2><A NAME="ss1.8">1.8</A> <A HREF="#toc1.8">Can you hack a site for me?</A>
 </H2>
 
 <P><B>No</B>.</P>
 
-<H2><A NAME="ss1.10">1.10</A> <A HREF="#toc1.10">When sqlmap will switch to the Python 3?</A>
+<H2><A NAME="ss1.9">1.9</A> <A HREF="#toc1.9">When sqlmap will switch to the Python 3?</A>
 </H2>
 
-<P>Currently there is no huge pressure on Python projects to switch to the new
+<P>Currently there is no pressure on Python projects to switch to the new
 version of Python interpreter, as the process of switching, especially on
 larger projects can be cumbersome (due to the few backward incompatibilities).
 The switch will take place eventually, but currently it's a very low priority task.</P>
 
-<H2><A NAME="ss1.11">1.11</A> <A HREF="#toc1.11">What does <CODE>"WARNING unknown charset '...'"</CODE> mean?</A>
+<H2><A NAME="ss1.10">1.10</A> <A HREF="#toc1.10">What does <CODE>"WARNING unknown charset '...'"</CODE> mean?</A>
 </H2>
 
 <P>sqlmap needs to properly decode page content to be able to properly 
@@ -156,7 +148,7 @@ <H2><A NAME="ss1.11">1.11</A> <A HREF="#toc1.11">What does <CODE>"WARNING unknow
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1232">#2</A>
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1239">#3</A></P>
 
-<H2><A NAME="ss1.12">1.12</A> <A HREF="#toc1.12">How to use sqlmap with <CODE>mod_rewrite</CODE> enabled?</A>
+<H2><A NAME="ss1.11">1.11</A> <A HREF="#toc1.11">How to use sqlmap with <CODE>mod_rewrite</CODE> enabled?</A>
 </H2>
 
 <P>Just put * to the place where sqlmap should check for injections in URI 
@@ -168,7 +160,7 @@ <H2><A NAME="ss1.12">1.12</A> <A HREF="#toc1.12">How to use sqlmap with <CODE>mo
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/728">#2</A>
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1258">#3</A></P>
 
-<H2><A NAME="ss1.13">1.13</A> <A HREF="#toc1.13">Why is sqlmap not able to get password hashes in some cases?</A>
+<H2><A NAME="ss1.12">1.12</A> <A HREF="#toc1.12">Why is sqlmap not able to get password hashes in some cases?</A>
 </H2>
 
 <P>You most probably don't have enough permissions for querying on a system 
@@ -177,7 +169,7 @@ <H2><A NAME="ss1.13">1.13</A> <A HREF="#toc1.13">Why is sqlmap not able to get p
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/714">#1</A></P>
 
-<H2><A NAME="ss1.14">1.14</A> <A HREF="#toc1.14">What is <CODE>-</CODE><CODE>-text-only</CODE> switch?</A>
+<H2><A NAME="ss1.13">1.13</A> <A HREF="#toc1.13">What is <CODE>-</CODE><CODE>-text-only</CODE> switch?</A>
 </H2>
 
 <P>Switch <CODE>-</CODE><CODE>-text-only</CODE> is used for removing non-textual data (tags, 
@@ -187,19 +179,7 @@ <H2><A NAME="ss1.14">1.14</A> <A HREF="#toc1.14">What is <CODE>-</CODE><CODE>-te
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/699">#1</A></P>
 
-<H2><A NAME="ss1.15">1.15</A> <A HREF="#toc1.15">sqlmap is retrieving weird characters for even simplest data (e.g. <CODE>--banner</CODE>)?</A>
-</H2>
-
-<P>If everything you retrieve from the target is garbled, then you are 
-most probably dealing with false positive blind injection. Please 
-report the problem to the 
-<A HREF="mailto:dev@sqlmap.org">developers</A>.</P>
-
-<P>Question(s):
-<A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/686">#1</A>
-<A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1181">#2</A></P>
-
-<H2><A NAME="ss1.16">1.16</A> <A HREF="#toc1.16">I am getting <CODE>"CRITICAL connection timed"</CODE> while I am able to browse the site normally?</A>
+<H2><A NAME="ss1.14">1.14</A> <A HREF="#toc1.14">I am getting <CODE>"CRITICAL connection timed"</CODE> while I am able to browse the site normally?</A>
 </H2>
 
 <P>There are few IDSes that filter out all sqlmap requests based on default 
@@ -212,16 +192,17 @@ <H2><A NAME="ss1.16">1.16</A> <A HREF="#toc1.16">I am getting <CODE>"CRITICAL co
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1241">#1</A></P>
 
-<H2><A NAME="ss1.17">1.17</A> <A HREF="#toc1.17">Is it possible to use <CODE>"INSERT/UPDATE"</CODE> SQL commands via <CODE>-</CODE><CODE>-sql-query</CODE></A>
+<H2><A NAME="ss1.15">1.15</A> <A HREF="#toc1.15">Is it possible to use <CODE>"INSERT/UPDATE"</CODE> SQL commands via <CODE>-</CODE><CODE>-sql-query</CODE></A>
 and/or <CODE>-</CODE><CODE>-sql-shell</CODE>?</H2>
 
 <P>It is possible to use those commands, but only if the stacked injection is supported
-by the vulnerable target.</P>
+by the vulnerable target. In vast majority of cases affected DBMSes by these kind of
+attacks are Microsoft SQL Server and PostgreSQL.</P>
 
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1237">#1</A></P>
 
-<H2><A NAME="ss1.18">1.18</A> <A HREF="#toc1.18">I am getting <CODE>"finally: SyntaxError: invalid syntax"</CODE> when trying to run sqlmap?</A>
+<H2><A NAME="ss1.16">1.16</A> <A HREF="#toc1.16">I am getting <CODE>"finally: SyntaxError: invalid syntax"</CODE> when trying to run sqlmap?</A>
 </H2>
 
 <P>You are most probably using outdated version of Python. sqlmap is generally
@@ -231,13 +212,14 @@ <H2><A NAME="ss1.18">1.18</A> <A HREF="#toc1.18">I am getting <CODE>"finally: Sy
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/1231">#1</A></P>
 
-<H2><A NAME="ss1.19">1.19</A> <A HREF="#toc1.19">sqlmap is not able to detect/exploit injection while other commercial tools are?</A>
+<H2><A NAME="ss1.17">1.17</A> <A HREF="#toc1.17">sqlmap is not able to detect/exploit injection while other commercial tools are?</A>
 </H2>
 
-<P>Currently there are only two of us working on a pure good will and donating our 
-free time to the community. If you are not willing to help us achive better tool
-you are strongly advised to buy those commercial tool(s) and just 
-forget about the sqlmap.</P>
+<P>In most of those kind of cases blatant error message detection is used by commercial
+tools making some "false positive" claims. You have to be aware that
+DBMS error message doesn't mean that the affected web application is vulnerable to
+SQL injection attacks. sqlmap goes several steps further and never claims
+an injection point without making through tests if it can be exploited at the first place. </P>
 
 <P>Question(s):
 <A HREF="http://thread.gmane.org/gmane.comp.security.sqlmap/970">#1</A></P>
diff --git a/doc/FAQ.pdf b/doc/FAQ.pdf
diff --git a/doc/FAQ.sgml b/doc/FAQ.sgml
@@ -50,19 +50,13 @@ url="http://www.python.org" name="Python"> <bf>>= 2.6</bf>.
 <p>
 Yes. sqlmap is released under the terms of the GPLv2, which means that any
 derivative work must be distributed without further restrictions on the
-rights granted by the GPL itself. If this constitutes a problem, feel free
-to contact us so we can find a solution.
-
-<sect1>How can I integrate sqlmap with my own tool?
-
-<p>
-TODO
+rights granted by the GPL itself.
 
 <sect1>Will you support other database management systems?
 
 <p>
-Yes. There are plans to support also IBM DB2, Informix and Ingres at some
-point.
+Yes. There are plans to support also Informix and Ingres at some
+point of time.
 
 <sect1>How can I occasionally contribute?
 
@@ -104,7 +98,7 @@ some money"> to the developers via PayPal.
 <sect1>When sqlmap will switch to the Python 3?
 
 <p>
-Currently there is no huge pressure on Python projects to switch to the new
+Currently there is no pressure on Python projects to switch to the new
 version of Python interpreter, as the process of switching, especially on
 larger projects can be cumbersome (due to the few backward incompatibilities).
 The switch will take place eventually, but currently it's a very low priority task.
@@ -162,18 +156,6 @@ improve detection capabilities.
 Question(s):
 <htmlurl url="http://thread.gmane.org/gmane.comp.security.sqlmap/699" name="#1">
 
-<sect1>sqlmap is retrieving weird characters for even simplest data (e.g. <tt>--banner</tt>)?
-
-<p>
-If everything you retrieve from the target is garbled, then you are 
-most probably dealing with false positive blind injection. Please 
-report the problem to the <htmlurl url="mailto:dev@sqlmap.org" name="developers">.
-
-<p>
-Question(s):
-<htmlurl url="http://thread.gmane.org/gmane.comp.security.sqlmap/686" name="#1">
-<htmlurl url="http://thread.gmane.org/gmane.comp.security.sqlmap/1181" name="#2">
-
 <sect1>I am getting <tt>"CRITICAL connection timed"</tt> while I am able to browse 
 the site normally?
 
@@ -194,7 +176,8 @@ and/or <tt>-</tt><tt>-sql-shell</tt>?
 
 <p>
 It is possible to use those commands, but only if the stacked injection is supported
-by the vulnerable target.
+by the vulnerable target. In vast majority of cases affected DBMSes by these kind of
+attacks are Microsoft SQL Server and PostgreSQL.
 
 <p>
 Question(s):
@@ -214,10 +197,11 @@ Question(s):
 <sect1>sqlmap is not able to detect/exploit injection while other commercial tools are?
 
 <p>
-Currently there are only two of us working on a pure good will and donating our 
-free time to the community. If you are not willing to help us achive better tool
-you are strongly advised to buy those commercial tool(s) and just 
-forget about the sqlmap.
+In most of those kind of cases blatant error message detection is used by commercial
+tools making some "false positive" claims. You have to be aware that
+DBMS error message doesn't mean that the affected web application is vulnerable to
+SQL injection attacks. sqlmap goes several steps further and never claims
+an injection point without making through tests if it can be exploited at the first place. 
 
 <p>
 Question(s):
