Updated documentation based upon recent developments

bdamele · bdamele · commit 374b9ba878df · 2008-12-21T16:35:45.000Z
diff --git a/doc/README.html b/doc/README.html
@@ -181,35 +181,44 @@ <H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Scenario</A>
 <H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
 </H2>
 
-<P>sqlmap implements two techniques to exploit a SQL injection vulnerability:</P>
+<P>sqlmap implements three techniques to exploit a SQL injection
+vulnerability:</P>
 <P>
 <UL>
-<LI><B>Blind SQL injection</B>, also known as <B>Inferential Blind SQL
-injection</B> in this implementation: sqlmap appends to the affected
-parameter in the HTTP request, a syntatically valid SQL statement string
-containing a <CODE>SELECT</CODE> sub-statement, or any other SQL statement
-whose the user want to retrieve the output.
+<LI><B>Inferential Blind SQL injection</B>: sqlmap appends to the
+affected parameter in the HTTP request, a syntatically valid SQL statement
+string containing a <CODE>SELECT</CODE> sub-statement, or any other SQL
+statement whose the user want to retrieve the output.
 For each HTTP response, by making a comparison based upon HTML page
 content hashes, or string matches, with the original request, the tool
 determines the output value of the statement character by character.
 The bisection algorithm implemented in sqlmap to perform this technique
 is able to fetch each output character with at maximum seven HTTP
 requests.
 This is sqlmap default SQL injection technique.</LI>
-<LI><B>Inband SQL injection</B>, also known as <B>Full UNION query SQL
-injection</B>: sqlmap appends to the affected parameter in the HTTP
-request, a syntatically valid SQL statement string starting with a
-<CODE>UNION ALL SELECT</CODE>. This techique is useful if the web application
-page passes the output of the <CODE>SELECT</CODE> statement to a <CODE>for</CODE>
-cycle, or similar, so that each line of the query output is printed on the
-page content.
+<LI><B>UNION query (inband) SQL injection</B>, also known as <B>Full
+UNION query SQL injection</B>: sqlmap appends to the affected parameter
+in the HTTP request, a syntatically valid SQL statement string starting
+with a <CODE>UNION ALL SELECT</CODE>. This techique is useful if the web
+application page passes the output of the <CODE>SELECT</CODE> statement to a
+<CODE>for</CODE> cycle, or similar, so that each line of the query output is
+printed on the page content.
 sqlmap is also able to exploit <B>Partial UNION query SQL injection</B>
 vulnerabilities which occur when the output of the statement is not cycled
 in a for construct whereas only the first entry output is displayed.
 This technique is much faster if the target url is affected by because
 in a single HTTP response it returns the whole query output or a entry
 per each response within the page content.
 This SQL injection technique is an alternative to the first one.</LI>
+<LI><B>Stacked queries support</B>, also known as <B>multiple
+statements support</B>: sqlmap tests if the web application supports
+stacked queries then, in case it does support, it appends to the affected
+parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
+SQL statement to be executed. This technique is useful if to run SQL
+statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
+definition</EM> or <EM>data manipulation</EM> statements possibly leading
+to file system read and write access and operating system command
+execution depending on the underlying back-end database management system.</LI>
 </UL>
 </P>
 <P>It is strongly recommended to run at least once sqlmap with the
@@ -241,16 +250,17 @@ <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 </LI>
-<LI>Full support for two SQL injection techniques: <B>blind SQL
-injection</B> and <B>inband SQL injection</B>. sqlmap can also test for
-<B>Time based blind SQL injection</B>.
+<LI>Full support for three SQL injection techniques: <B> inferential
+blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
+<B>stacked queries (multiple statements) support</B>. sqlmap can also
+test for <B>time based blind SQL injection</B>.
 </LI>
 <LI>Options to retrieve on all four back-end database management system
 <B>banner</B>, <B>current user</B>, <B>current database</B>,
 enumerate <B>users</B>, <B>users password hashes</B>, <B>users
 privileges</B>, <B>databases</B>, <B>tables</B>, <B>columns</B>,
 dump <B>tables entries</B>, dump <B>whole database management
-system</B> and run your <B>own SQL <CODE>SELECT</CODE> statement</B>.
+system</B> and run your <B>own SQL statement</B>.
 </LI>
 <LI>If the back-end database management system is MySQL it is also
 possible to <B>read a specific file content</B> from the ile system and,
@@ -460,7 +470,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
   Enumeration:
     These options can be used to enumerate the back-end database
     management system information, structure and data contained in the
-    tables. Moreover you can run your own SQL SELECT queries.
+    tables. Moreover you can run your own SQL statements.
 
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
@@ -481,7 +491,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
     --start=LIMITSTART  First table entry to dump
     --stop=LIMITSTOP    Last table entry to dump
-    --sql-query=QUERY   SQL SELECT query to be executed
+    --sql-query=QUERY   SQL statement to be executed
     --sql-shell         Prompt for an interactive SQL shell
 
   File system access:
@@ -3406,7 +3416,7 @@ <H3>Dump all databases tables entries</H3>
 as a users' database.</P>
 
 
-<H3>Run your own SQL SELECT statement</H3>
+<H3>Run your own SQL statement</H3>
 
 <P>Options: <CODE>--sql-query</CODE> and <CODE>--sql-shell</CODE></P>
 
diff --git a/doc/README.pdf b/doc/README.pdf
diff --git a/doc/README.sgml b/doc/README.sgml
@@ -138,35 +138,44 @@ in the following section to go ahead with the exploiting.
 <sect1>Techniques
 
 <p>
-sqlmap implements two techniques to exploit a SQL injection vulnerability:
+sqlmap implements three techniques to exploit a SQL injection
+vulnerability:
 
 <itemize>
-<item><bf>Blind SQL injection</bf>, also known as <bf>Inferential Blind SQL
-injection</bf> in this implementation: sqlmap appends to the affected
-parameter in the HTTP request, a syntatically valid SQL statement string
-containing a <tt>SELECT</tt> sub-statement, or any other SQL statement
-whose the user want to retrieve the output.
+<item><bf>Inferential Blind SQL injection</bf>: sqlmap appends to the
+affected parameter in the HTTP request, a syntatically valid SQL statement
+string containing a <tt>SELECT</tt> sub-statement, or any other SQL
+statement whose the user want to retrieve the output.
 For each HTTP response, by making a comparison based upon HTML page
 content hashes, or string matches, with the original request, the tool
 determines the output value of the statement character by character.
 The bisection algorithm implemented in sqlmap to perform this technique
 is able to fetch each output character with at maximum seven HTTP
 requests.
 This is sqlmap default SQL injection technique.
-<item><bf>Inband SQL injection</bf>, also known as <bf>Full UNION query SQL
-injection</bf>: sqlmap appends to the affected parameter in the HTTP
-request, a syntatically valid SQL statement string starting with a
-<tt>UNION ALL SELECT</tt>. This techique is useful if the web application
-page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>
-cycle, or similar, so that each line of the query output is printed on the
-page content.
+<item><bf>UNION query (inband) SQL injection</bf>, also known as <bf>Full
+UNION query SQL injection</bf>: sqlmap appends to the affected parameter
+in the HTTP request, a syntatically valid SQL statement string starting
+with a <tt>UNION ALL SELECT</tt>. This techique is useful if the web
+application page passes the output of the <tt>SELECT</tt> statement to a
+<tt>for</tt> cycle, or similar, so that each line of the query output is
+printed on the page content.
 sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>
 vulnerabilities which occur when the output of the statement is not cycled
 in a for construct whereas only the first entry output is displayed.
 This technique is much faster if the target url is affected by because
 in a single HTTP response it returns the whole query output or a entry
 per each response within the page content.
 This SQL injection technique is an alternative to the first one.
+<item><bf>Stacked queries support</bf>, also known as <bf>multiple
+statements support</bf>: sqlmap tests if the web application supports
+stacked queries then, in case it does support, it appends to the affected
+parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
+SQL statement to be executed. This technique is useful if to run SQL
+statements other than <tt>SELECT</tt> like, for instance, <em>data
+definition</em> or <em>data manipulation</em> statements possibly leading
+to file system read and write access and operating system command
+execution depending on the underlying back-end database management system.
 </itemize>
 
 It is strongly recommended to run at least once sqlmap with the
@@ -199,16 +208,17 @@ database management system name if you already know it. sqlmap is also able
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 
-<item>Full support for two SQL injection techniques: <bf>blind SQL
-injection</bf> and <bf>inband SQL injection</bf>. sqlmap can also test for
-<bf>Time based blind SQL injection</bf>.
+<item>Full support for three SQL injection techniques: <bf> inferential
+blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
+<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
+test for <bf>time based blind SQL injection</bf>.
 
 <item>Options to retrieve on all four back-end database management system
 <bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
 enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
 privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,
 dump <bf>tables entries</bf>, dump <bf>whole database management
-system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.
+system</bf> and run your <bf>own SQL statement</bf>.
 
 <item>If the back-end database management system is MySQL it is also
 possible to <bf>read a specific file content</bf> from the ile system and,
@@ -416,7 +426,7 @@ Options:
   Enumeration:
     These options can be used to enumerate the back-end database
     management system information, structure and data contained in the
-    tables. Moreover you can run your own SQL SELECT queries.
+    tables. Moreover you can run your own SQL statements.
 
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
@@ -437,7 +447,7 @@ Options:
     --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
     --start=LIMITSTART  First table entry to dump
     --stop=LIMITSTOP    Last table entry to dump
-    --sql-query=QUERY   SQL SELECT query to be executed
+    --sql-query=QUERY   SQL statement to be executed
     --sql-shell         Prompt for an interactive SQL shell
 
   File system access:
@@ -3310,7 +3320,9 @@ considered a system database because some database administrators use it
 as a users' database.
 
 
-<sect2>Run your own SQL SELECT statement
+<sect2>Run your own SQL statement
+
+<!-- TODO: improve -->
 
 <p>
 Options: <tt>--sql-query</tt> and <tt>--sql-shell</tt>
diff --git a/doc/THANKS b/doc/THANKS
@@ -116,6 +116,10 @@ Sven Schluter <sschlueter@netzwerk.cc>
     for providing with a patch for waiting a number of seconds between
     each HTTP request
 
+Sumit Siddharth <sid@notsosecure.com>
+    for providing me with ideas on the implementation on a couple of
+    features
+
 M Simkin <mlsimkin@cox.net>
     for suggesting a feature
 
