Minor layout adjustments

bdamele · bdamele · commit 8f973ce574ec · 2009-01-18T22:36:48.000Z
diff --git a/doc/README.html b/doc/README.html
@@ -236,6 +236,11 @@ <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
 Besides these four database management systems software. sqlmap can also
 identify Microsoft Access, DB2, Informix, Sybase and Interbase.
 </LI>
+<LI>Full support for three SQL injection techniques: <B> inferential
+blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
+<B>stacked queries (multiple statements) support</B>. sqlmap can also
+test for <B>time based blind SQL injection</B>.
+</LI>
 <LI><B>Extensive back-end database management system fingerprint</B>
 based upon
 <A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">inband error messages</A>,
@@ -247,11 +252,6 @@ <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 </LI>
-<LI>Full support for three SQL injection techniques: <B> inferential
-blind SQL injection</B>, <B>UNION query (inband) SQL injection</B> and
-<B>stacked queries (multiple statements) support</B>. sqlmap can also
-test for <B>time based blind SQL injection</B>.
-</LI>
 <LI>Options to retrieve on all four back-end database management system
 <B>banner</B>, <B>current user</B>, <B>current database</B>,
 enumerate <B>users</B>, <B>users password hashes</B>, <B>users
@@ -313,6 +313,8 @@ <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
 there exist <B>six levels</B>. The default level is <B>1</B> in which
 information, warnings, errors and tracebacks, if they occur, will be shown.
 </LI>
+<LI>Granularity in the user's options.
+</LI>
 <LI><B>Estimated time of arrival</B> support for each query, updated
 in real time while fetching the information to give to the user an
 overview on how long it will take to retrieve the output.
@@ -329,6 +331,10 @@ <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
 <A HREF="http://metasploit.com/framework/">Metasploit</A> and 
 <A HREF="http://w3af.sourceforge.net/">w3af</A>.
 </LI>
+<LI><B>File system</B> read and write access and <B>operating
+system</B> command execution by providing own queries, depending on the
+session user privileges and back-end DBMS.
+</LI>
 <LI><B>PHP setting <CODE>magic_quotes_gpc</CODE> bypass</B> by encoding
 every query string, between single quotes, with <CODE>CHAR</CODE>, or similar,
 database management system function.</LI>
@@ -400,7 +406,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
 $ python sqlmap.py -h
 
     sqlmap/0.6.4 coded by Bernardo Damele A. G. &lt;bernardo.damele@gmail.com>
-                        and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
+                      and Daniele Bellucci &lt;daniele.bellucci@gmail.com>
 
 Usage: sqlmap.py [options]
 
@@ -433,7 +439,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     --proxy=PROXY       Use a HTTP proxy to connect to the target url
     --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
     --delay=DELAY       Delay in seconds between each HTTP request
-    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 10)
+    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
 
   Injection:
     These options can be used to specify which parameters to test for,
@@ -456,8 +462,9 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     using the default blind SQL injection technique.
 
     --stacked-test      Test for stacked queries (multiple statements) support
-    --time-test         Test for Time based blind SQL injection
+    --time-test         Test for time based blind SQL injection
     --union-test        Test for UNION query (inband) SQL injection
+    --union-tech=UTECH  Technique to test for UNION query SQL injection
     --union-use         Use the UNION query (inband) SQL injection to retrieve
                         the queries output. No need to go blind
 
@@ -472,6 +479,7 @@ <H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
     --current-db        Retrieve DBMS current database
+    --is-dba            Detect if the DBMS current user is DBA
     --users             Enumerate DBMS users
     --passwords         Enumerate DBMS users password hashes (opt: -U)
     --privileges        Enumerate DBMS users privileges (opt: -U)
@@ -1878,7 +1886,7 @@ <H3>Test for stacked queries (multiple statements) support</H3>
 </P>
 
 
-<H3>Test for Time based blind SQL injection</H3>
+<H3>Test for time based blind SQL injection</H3>
 
 <P>Option: <CODE>--time-test</CODE></P>
 
@@ -1954,7 +1962,7 @@ <H3>Test for Time based blind SQL injection</H3>
 
 <H3>Test for UNION query SQL injection</H3>
 
-<P>Option: <CODE>--union-test</CODE></P>
+<P>Options: <CODE>--union-test</CODE> and <CODE>--union-tech</CODE></P>
 
 <P>It is possible to test if the target URL is affected by an <B>inband
 SQL injection</B> vulnerability.
diff --git a/doc/README.pdf b/doc/README.pdf
diff --git a/doc/README.sgml b/doc/README.sgml
@@ -193,6 +193,11 @@ and <bf>Microsoft SQL Server</bf> back-end database management systems.
 Besides these four database management systems software. sqlmap can also
 identify Microsoft Access, DB2, Informix, Sybase and Interbase.
 
+<item>Full support for three SQL injection techniques: <bf> inferential
+blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
+<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
+test for <bf>time based blind SQL injection</bf>.
+
 <item><bf>Extensive back-end database management system fingerprint</bf>
 based upon
 <htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="inband error messages">,
@@ -204,11 +209,6 @@ database management system name if you already know it. sqlmap is also able
 to fingerprint the web server operating system, the web application
 technology and, in some circumstances, the back-end DBMS operating system.
 
-<item>Full support for three SQL injection techniques: <bf> inferential
-blind SQL injection</bf>, <bf>UNION query (inband) SQL injection</bf> and
-<bf>stacked queries (multiple statements) support</bf>. sqlmap can also
-test for <bf>time based blind SQL injection</bf>.
-
 <item>Options to retrieve on all four back-end database management system
 <bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,
 enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users
@@ -269,6 +269,8 @@ randomly selected from a text file.
 there exist <bf>six levels</bf>. The default level is <bf>1</bf> in which
 information, warnings, errors and tracebacks, if they occur, will be shown.
 
+<item>Granularity in the user's options.
+
 <item><bf>Estimated time of arrival</bf> support for each query, updated
 in real time while fetching the information to give to the user an
 overview on how long it will take to retrieve the output.
@@ -285,6 +287,10 @@ save command line options on a configuration INI file.
 <htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl
 url="http://w3af.sourceforge.net/" name="w3af">.
 
+<item><bf>File system</bf> read and write access and <bf>operating
+system</bf> command execution by providing own queries, depending on the
+session user privileges and back-end DBMS.
+
 <item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding
 every query string, between single quotes, with <tt>CHAR</tt>, or similar,
 database management system function.
@@ -355,7 +361,7 @@ and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">.
 $ python sqlmap.py -h
 
     sqlmap/0.6.4 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+                      and Daniele Bellucci <daniele.bellucci@gmail.com>
 
 Usage: sqlmap.py [options]
 
@@ -388,7 +394,7 @@ Options:
     --proxy=PROXY       Use a HTTP proxy to connect to the target url
     --threads=THREADS   Maximum number of concurrent HTTP requests (default 1)
     --delay=DELAY       Delay in seconds between each HTTP request
-    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 10)
+    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
 
   Injection:
     These options can be used to specify which parameters to test for,
@@ -411,8 +417,9 @@ Options:
     using the default blind SQL injection technique.
 
     --stacked-test      Test for stacked queries (multiple statements) support
-    --time-test         Test for Time based blind SQL injection
+    --time-test         Test for time based blind SQL injection
     --union-test        Test for UNION query (inband) SQL injection
+    --union-tech=UTECH  Technique to test for UNION query SQL injection
     --union-use         Use the UNION query (inband) SQL injection to retrieve
                         the queries output. No need to go blind
 
@@ -427,6 +434,7 @@ Options:
     -b, --banner        Retrieve DBMS banner
     --current-user      Retrieve DBMS current user
     --current-db        Retrieve DBMS current database
+    --is-dba            Detect if the DBMS current user is DBA
     --users             Enumerate DBMS users
     --passwords         Enumerate DBMS users password hashes (opt: -U)
     --privileges        Enumerate DBMS users privileges (opt: -U)
@@ -1813,7 +1821,7 @@ stacked queries support:    'name=luther'; WAITFOR DELAY '0:0:5';-- AND 'wRcBC'=
 </verb></tscreen>
 
 
-<sect2>Test for Time based blind SQL injection
+<sect2>Test for time based blind SQL injection
 
 <p>
 Option: <tt>--time-test</tt>
@@ -1886,7 +1894,7 @@ time based blind sql injection payload:    'name=luther'; WAITFOR DELAY '0:0:5';
 <sect2>Test for UNION query SQL injection
 
 <p>
-Option: <tt>--union-test</tt>
+Options: <tt>--union-test</tt> and <tt>--union-tech</tt>
 
 <p>
 It is possible to test if the target URL is affected by an <bf>inband
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -163,7 +163,7 @@ def cmdLineParser():
 
         techniques.add_option("--time-test", dest="timeTest",
                               action="store_true",
-                              help="Test for Time based blind SQL injection")
+                              help="Test for time based blind SQL injection")
 
         techniques.add_option("--union-test", dest="unionTest",
                               action="store_true",
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -133,7 +133,7 @@ eRegexp =
 # Valid: True or False
 stackedTest = False
 
-# Test for Time based blind SQL injection.
+# Test for time based blind SQL injection.
 # Valid: True or False
 timeTest = False
 
