<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
<TITLE>sqlmap user's manual</TITLE>
</HEAD>
<BODY>
<H1>sqlmap user's manual</H1>
<H2>by
<A HREF="mailto:bernardo@sqlmap.org">Bernardo Damele A. G.</A>,
<A HREF="mailto:miroslav@sqlmap.org">Miroslav Stampar</A></H2>version 1.0-dev, XXX XX, 2011
<HR>
<EM>This document is the user's manual to use
<A HREF="http://www.sqlmap.org">sqlmap</A>.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="README.html#s1">Introduction</A></H2>
<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="README.html#ss1.1">Requirements</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="README.html#ss1.2">Scenario</A>
<LI><A NAME="toc1.3">1.3</A> <A HREF="README.html#ss1.3">Techniques</A>
<LI><A NAME="toc1.4">1.4</A> <A HREF="README.html#ss1.4">Demo</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="README.html#s2">Features</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="README.html#ss2.1">Generic features</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="README.html#ss2.2">Fingerprint and enumeration features</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="README.html#ss2.3">Takeover features</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="README.html#s3">History</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="README.html#ss3.1">2011</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="README.html#ss3.2">2010</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="README.html#ss3.3">2009</A>
<LI><A NAME="toc3.4">3.4</A> <A HREF="README.html#ss3.4">2008</A>
<LI><A NAME="toc3.5">3.5</A> <A HREF="README.html#ss3.5">2007</A>
<LI><A NAME="toc3.6">3.6</A> <A HREF="README.html#ss3.6">2006</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="README.html#s4">Download and update</A></H2>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="README.html#s5">Usage</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="README.html#ss5.1">Output verbosity</A>
<LI><A NAME="toc5.2">5.2</A> <A HREF="README.html#ss5.2">Target</A>
<LI><A NAME="toc5.3">5.3</A> <A HREF="README.html#ss5.3">Request</A>
<LI><A NAME="toc5.4">5.4</A> <A HREF="README.html#ss5.4">Optimization</A>
<LI><A NAME="toc5.5">5.5</A> <A HREF="README.html#ss5.5">Injection</A>
<LI><A NAME="toc5.6">5.6</A> <A HREF="README.html#ss5.6">Detection</A>
<LI><A NAME="toc5.7">5.7</A> <A HREF="README.html#ss5.7">Techniques</A>
<LI><A NAME="toc5.8">5.8</A> <A HREF="README.html#ss5.8">Fingerprint</A>
<LI><A NAME="toc5.9">5.9</A> <A HREF="README.html#ss5.9">Enumeration</A>
<LI><A NAME="toc5.10">5.10</A> <A HREF="README.html#ss5.10">Brute force</A>
<LI><A NAME="toc5.11">5.11</A> <A HREF="README.html#ss5.11">User-defined function injection</A>
<LI><A NAME="toc5.12">5.12</A> <A HREF="README.html#ss5.12">File system access</A>
<LI><A NAME="toc5.13">5.13</A> <A HREF="README.html#ss5.13">Operating system takeover</A>
<LI><A NAME="toc5.14">5.14</A> <A HREF="README.html#ss5.14">Windows registry access</A>
<LI><A NAME="toc5.15">5.15</A> <A HREF="README.html#ss5.15">General</A>
<LI><A NAME="toc5.16">5.16</A> <A HREF="README.html#ss5.16">Miscellaneous</A>
</UL>
<P>
<H2><A NAME="toc6">6.</A> <A HREF="README.html#s6">License and copyright</A></H2>
<P>
<H2><A NAME="toc7">7.</A> <A HREF="README.html#s7">Disclaimer</A></H2>
<P>
<H2><A NAME="toc8">8.</A> <A HREF="README.html#s8">Authors</A></H2>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Introduction</A></H2>
<P>sqlmap is an open source penetration testing tool that automates the
process of detecting and exploiting SQL injection flaws and taking over
database servers. It comes with a powerful detection engine, many niche
features for the ultimate penetration tester and a broad range of switches
ranging from database fingerprinting, over data fetching from the
database, to accessing the underlying file system and executing commands
on the operating system via out-of-band connections.</P>
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Requirements</A>
</H2>
<P>sqlmap is developed in
<A HREF="http://www.python.org">Python</A>,
a dynamic object-oriented interpreted programming language.
This makes the tool independent from the operating system. It only
requires a Python <B>2</B> interpreter, version <B>2.6</B> or higher.
The interpreter is freely downloadable from its
<A HREF="http://python.org/download/">official site</A>.
To make it even easier, many GNU/Linux distributions come with the Python
interpreter installed out of the box, and other Unices and Mac OS X
provide it packaged in their own formats and ready to be installed.
Windows users can download and install the Python setup-ready installer
for x86, AMD64 and Itanium too.</P>
<P>sqlmap relies on the
<A HREF="http://metasploit.com">Metasploit Framework</A> for some of its post-exploitation takeover
features. You need to grab a copy of it from the
<A HREF="http://metasploit.com/download/">download</A>
page - the required version is <B>3.5</B> or higher.
For the ICMP tunneling out-of-band takeover technique, sqlmap requires
<A HREF="http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket">Impacket</A> library too.</P>
<P>If you want to connect directly to a database server (<CODE>-d</CODE> switch),
without passing via a web application, you need to install the Python bindings
for the database management system that you are going to attack:</P>
<P>
<UL>
<LI>Firebird:
<A HREF="http://kinterbasdb.sourceforge.net/">python-kinterbasdb</A>.</LI>
<LI>Microsoft Access:
<A HREF="http://pyodbc.googlecode.com/">python-pyodbc</A>.</LI>
<LI>Microsoft SQL Server:
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
<LI>MySQL:
<A HREF="http://code.google.com/p/pymysql/">python pymysql</A>.</LI>
<LI>Oracle:
<A HREF="http://cx-oracle.sourceforge.net/">python cx_Oracle</A>.</LI>
<LI>PostgreSQL:
<A HREF="http://initd.org/psycopg/">python-psycopg2</A>.</LI>
<LI>SQLite:
<A HREF="http://pysqlite.googlecode.com/">python-pysqlite2</A>.</LI>
<LI>Sybase:
<A HREF="http://pymssql.sourceforge.net/">python-pymssql</A>.</LI>
</UL>
</P>
<P>If you plan to attack a web application behind NTLM authentication or use
the sqlmap update functionality (<CODE>-</CODE><CODE>-update</CODE> switch) you need to
install respectively
<A HREF="http://code.google.com/p/python-ntlm/">python-ntlm</A> and
<A HREF="http://pysvn.tigris.org/">python-svn</A> libraries.</P>
<P>Optionally, if you are running sqlmap on Windows, you may wish to install the
<A HREF="http://ipython.scipy.org/moin/PyReadline/Intro">PyReadline</A>
library to take advantage of sqlmap's TAB completion and
history support in the SQL shell and OS shell.
Note that these features are provided natively by Python's standard
<A HREF="http://docs.python.org/library/readline.html">readline</A>
library on other operating systems.</P>
<P>You can also choose to install the
<A HREF="http://psyco.sourceforge.net/">Psyco</A> library to speed up sqlmap's algorithmic
operations.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Scenario</A>
</H2>
<H3>Detect and exploit a SQL injection</H3>
<P>Let's say that you are auditing a web application and found a web page
that accepts dynamic user-provided values via <CODE>GET</CODE> or <CODE>POST</CODE>
parameters, HTTP <CODE>Cookie</CODE> values or the HTTP <CODE>User-Agent</CODE>
header value.
You now want to test whether these are affected by a SQL injection
vulnerability and, if so, exploit them to retrieve as much information as
possible out of the web application's back-end database management system,
or even access the underlying file system and operating system.</P>
<P>As a simple example, consider that the target URL is:</P>
<P>
<BLOCKQUOTE><CODE>
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
</CODE></BLOCKQUOTE>
</P>
<P>Assume that:</P>
<P>
<BLOCKQUOTE><CODE>
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=1</CODE>
</CODE></BLOCKQUOTE>
</P>
<P>is the same page as the original one and:</P>
<P>
<BLOCKQUOTE><CODE>
<CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1+AND+1=2</CODE>
</CODE></BLOCKQUOTE>
</P>
<P>differs from the original one, then the <CODE>id</CODE> <CODE>GET</CODE>
parameter of the <CODE>get_int.php</CODE> web application page is affected by
a SQL injection vulnerability. This means that potentially no IDS/IPS, no
web application firewall and no sanitization of the parameter's value is
performed on the server side before the SQL statement is sent to the
back-end database management system the web application relies on.</P>
<P>This is a quite common flaw in dynamic content web applications and it
does not depend upon the back-end database management system nor on the web
application programming language: it is a security flaw in the
application's code. In 2010 the
<A HREF="http://www.owasp.org">Open Web Application Security Project</A>
rated this vulnerability, along with other injection flaws, as the
<A HREF="http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf">most common</A> and important web application vulnerability in its
<A HREF="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">OWASP Top Ten</A> survey.</P>
<P>Back to the scenario: the SQL <CODE>SELECT</CODE> statement in
<CODE>get_int.php</CODE> probably looks similar to the following query, in
pseudo PHP code:</P>
<P>
<BLOCKQUOTE><CODE>
<CODE>$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];</CODE>
</CODE></BLOCKQUOTE>
</P>
<P>As you can see, if you append any syntactically valid SQL condition after
a value for <CODE>id</CODE>, that condition is evaluated when the web
application passes the query to the back-end database management system
that executes it. That is why the condition <CODE>id=1 AND 1=1</CODE> is valid
(<EM>True</EM>) and returns the same page as the original one, with the
same content. This is the case of a boolean-based blind SQL injection
vulnerability. However, sqlmap is able to detect any type of SQL injection
and adapt its work-flow accordingly. Read below for further details.</P>
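<P>The pseudo PHP query above glues the request value into the statement, which
is the whole cause of the flaw. The following Python script is an added example
(it is neither part of this manual nor sqlmap's own code): it rebuilds that
concatenation against an in-memory SQLite table with constructed rows, places
the hardened form (type check plus bound parameter) next to it, and re-runs the
manual's <CODE>1=1</CODE> / <CODE>1=2</CODE> comparison against both lookups. The
table <CODE>items</CODE>, its rows and all function names are assumptions made
for the example.</P>

```python
import sqlite3

# Constructed sample rows standing in for the web application's back-end table.
SAMPLE_ROWS = [(1, "first"), (2, "second"), (3, "third")]


def make_db():
    """Build an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, raw_id):
    """Mirror of the manual's pseudo PHP query: the request value is glued
    into the statement, so any appended SQL condition is executed as SQL."""
    query = "SELECT name FROM items WHERE id=" + raw_id
    return [row[0] for row in conn.execute(query)]


def parse_id(raw_id):
    """Accept only an unsigned decimal integer; anything else yields None."""
    value = raw_id.strip()
    return int(value) if value.isdigit() else None


def lookup_safe(conn, raw_id):
    """Hardened form: validate the type first, then bind the value as a query
    parameter so the DBMS never parses user input as part of the statement."""
    item_id = parse_id(raw_id)
    if item_id is None:
        return []          # malformed id: refuse rather than interpolate
    rows = conn.execute("SELECT name FROM items WHERE id=?", (item_id,))
    return [row[0] for row in rows]


def looks_injectable(lookup, conn):
    """Re-run the manual's check: an injectable parameter returns the original
    page for 'id=1 AND 1=1' and a different page for 'id=1 AND 1=2'."""
    original = lookup(conn, "1")
    true_case = lookup(conn, "1 AND 1=1")
    false_case = lookup(conn, "1 AND 1=2")
    return true_case == original and false_case != original


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", looks_injectable(lookup_vulnerable, db))
    print("hardened lookup injectable:  ", looks_injectable(lookup_safe, db))
```

<P>Running the script reports <CODE>True</CODE> for the concatenating lookup and
<CODE>False</CODE> for the hardened one: with a bound parameter the string
<CODE>1 AND 1=1</CODE> is never valid input, so the page for the "true" probe
no longer matches the original and the boolean-based symptom disappears.</P>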
<P>Moreover, in this simple and easy to inject scenario it would also be
possible to append not just one or more valid SQL condition(s) but also
stacked SQL queries, for instance something like <CODE>[...]&id=1;
ANOTHER SQL QUERY#</CODE>, if the web application technology supports
<EM>stacked queries</EM>, also known as <EM>multiple statements</EM>.</P>
<P>Now that you found this SQL injection vulnerable parameter, you can
exploit it by manipulating the <CODE>id</CODE> parameter value in the HTTP
request.</P>
<P>There exist many
<A HREF="http://delicious.com/inquis/sqlinjection">resources</A>
on the Net explaining in depth how to prevent, detect and exploit SQL
injection vulnerabilities in web applications, and it is recommended to read
them if you are not familiar with the issue before going ahead with sqlmap.</P>
<P>Passing the original address, <CODE>http://192.168.136.131/sqlmap/mysql/get_int.php?id=1</CODE>
to sqlmap, the tool will automatically:</P>
<P>
<UL>
<LI>Identify the vulnerable parameter(s) (<CODE>id</CODE> in this example);</LI>
<LI>Identify which SQL injection techniques can be used to exploit the
vulnerable parameter(s);</LI>
<LI>Fingerprint the back-end database management system;</LI>
<LI>Depending on the user's options, it will extensively fingerprint,
enumerate data or take over the database server as a whole.</LI>
</UL>
</P>
<H3>Direct connection to the database management system</H3>
<P>Up until sqlmap version <B>0.8</B>, the tool has been <EM>yet another
SQL injection tool</EM>, used by web application penetration testers/newbies/curious
teens/computer addicted/punks and so on. Things move on
and as they evolve, we do as well. Now it supports a new switch,
<CODE>-d</CODE>, that allows you to connect from your machine to the TCP port
on the database server where the database management system daemon is
listening, and to perform any operation you would otherwise do while
attacking a database via a SQL injection vulnerability.</P>
<H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
</H2>
<P>sqlmap is able to detect and exploit five different SQL injection
<EM>types</EM>:</P>
<P>
<UL>
<LI><B>Boolean-based blind SQL injection</B>, also known as <B>inferential
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
the HTTP request a syntactically valid SQL statement string containing a
<CODE>SELECT</CODE> sub-statement, or any other SQL statement whose output the
user wants to retrieve.
For each HTTP response, by comparing the HTTP response headers/body with
those of the original request, the tool infers the output of the injected
statement character by character. Alternatively, the user can provide a
string or regular expression to match on True pages.
The bisection algorithm implemented in sqlmap to perform this technique
is able to fetch each character of the output with a maximum of seven HTTP
requests. Where the output is not within the plain-text character set,
sqlmap adapts the algorithm with bigger ranges to detect the output.</LI>
<LI><B>Time-based blind SQL injection</B>, also known as <B>full blind
SQL injection</B>: sqlmap replaces or appends to the affected parameter in
the HTTP request a syntactically valid SQL statement string containing a
query which holds the back-end DBMS for a certain number of seconds before
it returns.
For each HTTP response, by comparing the HTTP response time with that of
the original request, the tool infers the output of the injected statement
character by character. As for the boolean-based technique, the bisection
algorithm is applied.</LI>
<LI><B>Error-based SQL injection</B>: sqlmap replaces or appends to the
affected parameter a database-specific syntactically wrong statement and
parses the HTTP response headers and body in search of DBMS error messages
containing the injected pre-defined chain of characters and the statement
output within. This technique only works when the web application has been
configured to disclose back-end database management system error
messages.</LI>
<LI><B>UNION query SQL injection</B>, also known as <B>inband SQL
injection</B>: sqlmap appends to the affected parameter a syntactically
valid SQL statement string starting with a <CODE>UNION ALL SELECT</CODE>.
This technique works when the web application page passes the output of the
<CODE>SELECT</CODE> statement through a <CODE>for</CODE> loop, or similar, so that
each line of the query output is printed on the page content.
sqlmap is also able to exploit <B>partial (single entry) UNION query SQL
injection</B> vulnerabilities, which occur when the output of the
statement is not cycled in a <CODE>for</CODE> construct and only the first
entry of the query output is displayed.</LI>
<LI><B>Stacked queries SQL injection</B>, also known as <B>multiple
statements SQL injection</B>: sqlmap tests if the web application supports
stacked queries and, if it does, appends to the affected parameter in the
HTTP request a semi-colon (<CODE>;</CODE>) followed by the SQL statement to
be executed. This technique is useful to run SQL statements other than
<CODE>SELECT</CODE> like, for instance, <EM>data definition</EM> or <EM>data
manipulation</EM> statements, possibly leading to file system read and write
access and operating system command execution depending on the underlying
back-end database management system and the session user privileges.</LI>
</UL>
</P>
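<P>The boolean-based item above states that the bisection algorithm needs at most
seven requests per character. The following Python script is an added example
(not sqlmap's implementation) that makes the figure concrete on a simulated
page: a local SQLite stand-in for the vulnerable lookup, a page-comparison
oracle that counts requests, and a binary search over the code point range
0..127. The target here is SQLite, so the condition uses SQLite's
<CODE>unicode()</CODE> and <CODE>substr()</CODE> functions (real DBMSs differ); the
<CODE>config.secret</CODE> value and every function name are constructed for the
example. The request counter is the part a defender cares about: a blind
extraction shows up in access logs as a burst of near-identical requests, seven
per recovered character.</P>

```python
import sqlite3

# Constructed secret standing in for a value that would be inferred (e.g. a banner).
SECRET = "5.0-dev"


def make_app():
    """Return a render_page(raw_id) function simulating the vulnerable page:
    the id value is concatenated into the query, so an appended condition
    decides whether the single row, and therefore the original page, comes back."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'first')")
    conn.execute("CREATE TABLE config (secret TEXT)")
    conn.execute("INSERT INTO config VALUES (?)", (SECRET,))

    def render_page(raw_id):
        rows = conn.execute("SELECT name FROM items WHERE id=" + raw_id).fetchall()
        return "Item: %s" % (rows[0][0] if rows else "not found")

    return render_page


class BooleanOracle:
    """The manual's page-comparison step as a yes/no oracle that also counts
    how many requests each answer costs (the figure a defender can baseline)."""

    def __init__(self, render_page):
        self.render_page = render_page
        self.baseline = render_page("1")   # the original, untouched page
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        return self.render_page("1 AND (%s)" % condition) == self.baseline


def bisect_char(oracle, position, low=0, high=127):
    """Binary-search the code point of one character of the secret. Over the
    range 0..127 this always takes exactly seven comparisons, the manual's figure."""
    while low < high:
        mid = (low + high) // 2
        cond = "unicode(substr((SELECT secret FROM config),%d,1))>%d" % (position, mid)
        if oracle.ask(cond):
            low = mid + 1
        else:
            high = mid
    return low


def infer_secret(oracle, max_len=64):
    """Recover the secret character by character. Past the end, substr() yields
    '' and unicode('') is NULL, so no comparison holds and the search returns 0."""
    chars = []
    for pos in range(1, max_len + 1):
        code = bisect_char(oracle, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle = BooleanOracle(make_app())
    print("inferred:", infer_secret(oracle))
    print("requests:", oracle.requests)
```

<P>For the seven-character constructed secret the run costs 8 × 7 = 56 requests
(seven characters plus one terminating probe), each carrying the same base URL
with a slightly different condition; that regular burst, not any single request,
is what a request-rate or payload-similarity rule should be tuned to notice.</P>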
<H2><A NAME="ss1.4">1.4</A> <A HREF="#toc1.4">Demo</A>
</H2>
<P>Several demo videos are hosted on
<A HREF="http://www.youtube.com/user/inquisb#g/u">YouTube</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
<P>Features implemented in sqlmap include:</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Generic features</A>
</H2>
<P>
<UL>
<LI>Full support for <B>MySQL</B>, <B>Oracle</B>, <B>PostgreSQL</B>,
<B>Microsoft SQL Server</B>, <B>Microsoft Access</B>, <B>SQLite</B>,
<B>Firebird</B>, <B>Sybase</B> and <B>SAP MaxDB</B> database
management systems.
</LI>
<LI>Full support for five SQL injection techniques: <B>boolean-based
blind</B>, <B>time-based blind</B>, <B>error-based</B>,
<B>UNION query</B> and <B>stacked queries</B>.
</LI>
<LI>Support to <B>directly connect to the database</B> without passing
via a SQL injection, by providing DBMS credentials, IP address, port and
database name.
</LI>
<LI>It is possible to provide a single target URL, get the list of
targets from
<A HREF="http://portswigger.net/suite/">Burp proxy</A>
or
<A HREF="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project">WebScarab proxy</A> requests log files, get the whole HTTP request
from a text file or get the list of targets by providing sqlmap with a
Google dork which queries
<A HREF="http://www.google.com">Google</A> search engine and parses its results page. You can also
define a regular-expression based scope that is used to identify which of
the parsed addresses to test.
</LI>
<LI>Tests provided <B>GET</B> parameters, <B>POST</B> parameters,
HTTP <B>Cookie</B> header values, HTTP <B>User-Agent</B> header value
and HTTP <B>Referer</B> header value to identify and exploit SQL
injection vulnerabilities. It is also possible to specify a comma-separated
list of specific parameter(s) to test.
</LI>
<LI>Option to specify the <B>maximum number of concurrent HTTP(S)
requests (multi-threading)</B> to speed up the blind SQL injection
techniques. Vice versa, it is also possible to specify the number of
seconds to hold between each HTTP(S) request. Other optimization switches
to speed up the exploitation are implemented too.
</LI>
<LI><B>HTTP <CODE>Cookie</CODE> header</B> string support, useful when the
web application requires authentication based upon cookies and you have
such data or in case you just want to test for and exploit SQL injection
on such header values. You can also specify to always URL-encode the
Cookie.
</LI>
<LI>Automatically handles the <B>HTTP <CODE>Set-Cookie</CODE> header</B> from
the application, re-establishing the session if it expires. Testing and
exploiting these values is supported too. Vice versa, you can also force
sqlmap to ignore any <CODE>Set-Cookie</CODE> header.
</LI>
<LI>HTTP protocol <B>Basic, Digest, NTLM and Certificate
authentications</B> support.
</LI>
<LI><B>HTTP(S) proxy</B> support to route the requests to the target
application; it also works with HTTPS requests and with authenticated
proxy servers.
</LI>
<LI>Options to fake the <B>HTTP <CODE>Referer</CODE> header</B> value and
the <B>HTTP <CODE>User-Agent</CODE> header</B> value, either specified by the
user or randomly selected from a text file.
</LI>
<LI>Support to increase the <B>verbosity level of output messages</B>:
there exist <B>seven levels</B> of verbosity.
</LI>
<LI>Support to <B>parse HTML forms</B> from the target URL and forge
HTTP(S) requests against those pages to test the form parameters against
vulnerabilities.
</LI>
<LI><B>Granularity and flexibility</B> in terms of both user's
switches and features.
</LI>
<LI><B>Estimated time of arrival</B> support for each query, updated
in real time, to provide the user with an overview on how long it will
take to retrieve the queries' output.
</LI>
<LI>Automatically saves the session (queries and their output, even if
partially retrieved) on a textual file in real time while fetching the
data and <B>resumes the injection</B> by parsing the session file.
</LI>
<LI>Support to read options from a configuration INI file rather than
specify each time all of the switches on the command line. Support also to
generate a configuration file based on the command line switches provided.
</LI>
<LI>Support to <B>replicate the back-end database tables structure and
entries</B> on a local SQLite 3 database.
</LI>
<LI>Option to update sqlmap to the latest development version from the
subversion repository.
</LI>
<LI>Support to parse HTTP(S) responses and display any DBMS error
message to the user.
</LI>
<LI>Integration with other IT security open source projects,
<A HREF="http://metasploit.com">Metasploit</A> and
<A HREF="http://w3af.sourceforge.net/">w3af</A>.</LI>
</UL>
</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Fingerprint and enumeration features</A>
</H2>
<P>
<UL>
<LI><B>Extensive back-end database software version and underlying
operating system fingerprint</B> based upon
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">error messages</A>,
<A HREF="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html">banner parsing</A>,
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">functions output comparison</A> and
<A HREF="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html">specific features</A>
such as MySQL comment injection. It is also possible to force the back-end
database management system name if you already know it.
</LI>
<LI>Basic web server software and web application technology
fingerprint.
</LI>
<LI>Support to retrieve the DBMS <B>banner</B>, <B>session user</B>
and <B>current database</B> information. The tool can also check if the
session user is a <B>database administrator</B> (DBA).
</LI>
<LI>Support to enumerate <B>database users</B>, <B>users' password
hashes</B>, <B>users' privileges</B>, <B>users' roles</B>,
<B>databases</B>, <B>tables</B> and <B>columns</B>.
</LI>
<LI>Automatic recognition of password hashes format and support to
<B>crack them with a dictionary-based attack</B>.
</LI>
<LI>Support to <B>brute-force table and column names</B>. This is
useful when the session user has no read access over the system table
containing schema information or when the database management system does
not store this information anywhere (e.g. MySQL < 5.0).
</LI>
<LI>Support to <B>dump database tables</B> entirely, a range of
entries or specific columns as per user's choice. The user can also choose
to dump only a range of characters from each column's entry.
</LI>
<LI>Support to automatically <B>dump all databases</B>' schemas and
entries. It is possible to exclude the system databases from the dump.
</LI>
<LI>Support to <B>search for specific database names, specific tables
across all databases or specific columns across all databases'
tables</B>. This is useful, for instance, to identify tables containing
custom application credentials where the relevant columns' names contain
strings like <EM>name</EM> and <EM>pass</EM>.
</LI>
<LI>Support to <B>run custom SQL statement(s)</B> as in an interactive
SQL client connecting to the back-end database. sqlmap automatically
dissects the provided statement, determines which technique fits best to
inject it and how to pack the SQL payload accordingly.</LI>
</UL>
</P>
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">Takeover features</A>
</H2>
<P>Some of these techniques are detailed in the white paper
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">Advanced SQL injection to operating system full control</A> and in the
slide deck
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">Expanding the control over the operating system from the database</A>.</P>
<P>
<UL>
<LI>Support to <B>inject custom user-defined functions</B>: the user
can compile a shared library then use sqlmap to create within the back-end
DBMS user-defined functions out of the compiled shared library file. These
UDFs can then be executed, and optionally removed, via sqlmap. This is
supported when the database software is MySQL or PostgreSQL.
</LI>
<LI>Support to <B>download and upload any file</B> from the database
server underlying file system when the database software is MySQL,
PostgreSQL or Microsoft SQL Server.
</LI>
<LI>Support to <B>execute arbitrary commands and retrieve their
standard output</B> on the database server underlying operating system
when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
<UL>
<LI>On MySQL and PostgreSQL via user-defined function injection and
execution.</LI>
<LI>On Microsoft SQL Server via <CODE>xp_cmdshell()</CODE> stored procedure.
Also, the stored procedure is re-enabled if disabled or created from
scratch if removed by the DBA.</LI>
</UL>
</LI>
<LI>Support to <B>establish an out-of-band stateful TCP connection
between the attacker machine and the database server</B> underlying
operating system. This channel can be an interactive command prompt, a
Meterpreter session or a graphical user interface (VNC) session as per
user's choice.
sqlmap relies on Metasploit to create the shellcode and implements four
different techniques to execute it on the database server. These
techniques are:
<UL>
<LI>Database <B>in-memory execution of the Metasploit's shellcode</B>
via sqlmap's own user-defined function <CODE>sys_bineval()</CODE>. Supported on
MySQL and PostgreSQL.</LI>
<LI>Upload and execution of a Metasploit's <B>stand-alone payload
stager</B> via sqlmap's own user-defined function <CODE>sys_exec()</CODE> on
MySQL and PostgreSQL or via <CODE>xp_cmdshell()</CODE> on Microsoft SQL
Server.</LI>
<LI>Execution of Metasploit's shellcode by performing a <B>SMB
reflection attack</B> (
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx">MS08-068</A>) with a UNC path request from the database server to
the attacker's machine where the Metasploit <CODE>smb_relay</CODE> server
exploit listens. Supported when running sqlmap with high privileges
(<CODE>uid=0</CODE>) on Linux/Unix and the target DBMS runs as Administrator
on Windows.</LI>
<LI>Database in-memory execution of the Metasploit's shellcode by
exploiting <B>Microsoft SQL Server 2000 and 2005
<CODE>sp_replwritetovarbin</CODE> stored procedure heap-based buffer
overflow</B> (
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx">MS09-004</A>). sqlmap has its own exploit to trigger the
vulnerability with automatic DEP memory protection bypass, but it relies
on Metasploit to generate the shellcode to get executed upon successful
exploitation.</LI>
</UL>
</LI>
<LI>Support for <B>database process' user privilege escalation</B> via
Metasploit's <CODE>getsystem</CODE> command which includes, among others,
the
<A HREF="http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html">kitrap0d</A> technique (
<A HREF="http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx">MS10-015</A>).
</LI>
<LI>Support to access (read/add/delete) Windows registry hives.</LI>
</UL>
</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">History</A></H2>
<H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">2011</A>
</H2>
<P>
<UL>
<LI><B>April 10</B>,
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> release sqlmap
<B>0.9</B> featuring a totally rewritten and powerful SQL injection
detection engine, the possibility to connect directly to a database
server, support for time-based blind SQL injection and error-based SQL
injection, support for four new database management systems and much more.</LI>
</UL>
</P>
<H2><A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">2010</A>
</H2>
<P>
<UL>
<LI><B>December</B>,
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> have enhanced sqlmap a
lot during the whole year and are preparing to release sqlmap <B>0.9</B>
within the first quarter of 2011.</LI>
<LI><B>June 3</B>, Bernardo
<A HREF="http://www.slideshare.net/inquis/ath-con-2010bernardodamelegotdbownnet">presents</A>
a talk titled <EM>Got database access? Own the network!</EM> at AthCon
2010 in Athens (Greece).</LI>
<LI><B>March 14</B>,
<A HREF="http://www.sqlmap.org/#developers">Bernardo and Miroslav</A> release the stable version of
sqlmap <B>0.8</B> with many new features. Amongst these: support to
enumerate and dump all databases' tables containing user-provided
column(s), stabilization and enhancements to the takeover functionalities,
updated integration with Metasploit 3.3.3 and a lot of minor features and
bug fixes.</LI>
<LI><B>March</B>, sqlmap demo videos have been
<A HREF="http://www.youtube.com/inquisb#g/u">published</A>.</LI>
<LI><B>January</B>, Bernardo is
<A HREF="http://www.athcon.org/speakers/">invited</A> to present at the
<A HREF="http://www.athcon.org/archives/2010-2/">AthCon</A> conference in
Greece in June 2010.</LI>
</UL>
</P>
<H2><A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">2009</A>
</H2>
<P>
<UL>
<LI><B>December 18</B>, Miroslav Stampar replies to the call for
developers. Along with Bernardo, he actively develops sqlmap from version
<B>0.8 release candidate 2</B>.
</LI>
<LI><B>December 12</B>, Bernardo writes to the mailing list a post
titled
<A HREF="http://bernardodamele.blogspot.com/2009/12/sqlmap-state-of-art-3-years-later.html">sqlmap state of art - 3 years later</A> highlighting the goals
achieved during these first three years of the project and launches a call
for developers.
</LI>
<LI><B>December 4</B>, sqlmap-devel mailing list has been merged into
sqlmap-users
<A HREF="http://www.sqlmap.org/#ml">mailing list</A>.
</LI>
<LI><B>November 20</B>, Bernardo and Guido present again their
research on stealth database server takeover at CONfidence 2009 in Warsaw,
Poland.
</LI>
<LI><B>September 26</B>, sqlmap version <B>0.8 release candidate
1</B> goes public on the
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion repository</A>, with all the attack
vectors unveiled at SOURCE Barcelona 2009 Conference. These include an
enhanced version of the Microsoft SQL Server buffer overflow exploit to
automatically bypass DEP memory protection, support to establish the
out-of-band connection with the database server by executing in-memory
the Metasploit shellcode via UDF <EM>sys_bineval()</EM> (anti-forensics
technique), support to access the Windows registry hives and support to
inject custom user-defined functions.
</LI>
<LI><B>September 21</B>, Bernardo and
<A HREF="http://www.pornosecurity.org">Guido Landi</A>
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009/schedule">present</A>
their research (
<A HREF="http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database">slides</A>)
at SOURCE Conference 2009 in Barcelona, Spain.
</LI>
<LI><B>August</B>, Bernardo is accepted as a speaker at two other IT
security conferences,
<A HREF="http://www.sourceconference.com/index.php/pastevents/source-barcelona-2009">SOURCE Barcelona 2009</A> and
<A HREF="http://200902.confidence.org.pl/">CONfidence 2009 Warsaw</A>.
This new research is titled <EM>Expanding the control over the operating
system from the database</EM>.
</LI>
<LI><B>July 25</B>, stable version of sqlmap <B>0.7</B> is out!
</LI>
<LI><B>June 27</B>, Bernardo
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11-updated">presents</A>
an updated version of his
<EM>SQL injection: Not only AND 1=1</EM> slides at
<A HREF="http://www.digitalsecurityforum.eu/">2nd Digital Security Forum</A> in
Lisbon, Portugal.
</LI>
<LI><B>June 2</B>, sqlmap version <B>0.6.4</B> has made its way to
the official Ubuntu repository too.
</LI>
<LI><B>May</B>, Bernardo presents again his research on operating
system takeover via SQL injection at
<A HREF="http://www.owasp.org/index.php/OWASP_AppSec_Europe_2009_-_Poland">OWASP AppSec Europe 2009</A> in Warsaw, Poland and at
<A HREF="http://eusecwest.com/">EUSecWest 2009</A> in London, UK.
</LI>
<LI><B>May 8</B>, sqlmap version <B>0.6.4</B> has been officially
accepted into the Debian repository. Details in
<A HREF="http://bernardodamele.blogspot.com/2009/05/sqlmap-in-debian-package-repository.html">this blog post</A>.
</LI>
<LI><B>April 22</B>, sqlmap version <B>0.7 release candidate 1</B>
goes public, with all the attack vectors unveiled at Black Hat Europe 2009
Conference.
These include execution of arbitrary commands on the underlying operating
system, full integration with Metasploit to establish an out-of-band
TCP connection, the first publicly available exploit for Microsoft Security
Bulletin
<A HREF="http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx">MS09-004</A> against Microsoft SQL Server 2000 and 2005, and other
attacks to take over the database server as a whole, not only the data in
the database.
</LI>
<LI><B>April 16</B>, Bernardo
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-archives.html#Damele">presents</A> his research (
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides">slides</A>,
<A HREF="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857">whitepaper</A>) at Black Hat Europe 2009 in Amsterdam, The Netherlands.
The feedback from the audience is good and there has been some
<A HREF="http://bernardodamele.blogspot.com/2009/03/black-hat-europe-2009.html">media coverage</A> too.
</LI>
<LI><B>March 5</B>, Bernardo
<A HREF="http://www.slideshare.net/inquis/sql-injection-not-only-and-11">presents</A> for the first time some of the sqlmap recent features and
upcoming enhancements at an international event,
<A HREF="http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009">Front Range OWASP Conference 2009</A> in Denver, USA. The presentation
is titled <EM>SQL injection: Not only AND 1=1</EM>.
</LI>
<LI><B>February 24</B>, Bernardo is accepted as a
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele">speaker</A> at
<A HREF="http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html">Black Hat Europe 2009</A> with a presentation titled <EM>Advanced SQL
injection exploitation to operating system full control</EM>.
</LI>
<LI><B>February 3</B>, sqlmap <B>0.6.4</B> is the last point release
for 0.6: taking advantage of the stacked queries test implemented in 0.6.3,
sqlmap can now be used to execute any arbitrary SQL statement, not only
<EM>SELECT</EM> anymore. Also, many features have been stabilized, tweaked
and improved in terms of speed in this release.
</LI>
<LI><B>January 9</B>, Bernardo
<A HREF="http://www.slideshare.net/inquis/sql-injection-exploitation-internals-presentation">presents</A> <EM>SQL injection exploitation internals</EM> at a
private event in London, UK.</LI>
</UL>
</P>
<H2><A NAME="ss3.4">3.4</A> <A HREF="#toc3.4">2008</A>
</H2>
<P>
<UL>
<LI><B>December 18</B>, sqlmap <B>0.6.3</B> is released featuring
support to retrieve targets from Burp and WebScarab proxies log files,
support to test for stacked queries and time-based blind SQL injection,
rough fingerprint of the web server and web application technologies in
use and more options to customize the HTTP requests and enumerate more
information from the database.
</LI>
<LI><B>November 2</B>, sqlmap version <B>0.6.2</B> is a "bug fixes"
release only.
</LI>
<LI><B>October 20</B>, sqlmap first point release, <B>0.6.1</B>, goes
public. This includes minor bug fixes and the first contact between the
tool and
<A HREF="http://metasploit.com">Metasploit</A>:
an auxiliary module to launch sqlmap from within Metasploit Framework.
The
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion development repository</A> goes public again.
</LI>
<LI><B>September 1</B>, nearly one year after the previous release,
sqlmap <B>0.6</B> comes to life featuring a complete code
refactoring, support to execute arbitrary SQL <EM>SELECT</EM> statements,
more options to enumerate and dump specific information, brand
new installation packages for Debian, Red Hat, Windows and much more.
</LI>
<LI><B>August</B>, two public
<A HREF="http://www.sqlmap.org/#ml">mailing lists</A> are created on SourceForge.
</LI>
<LI><B>January</B>, sqlmap subversion development repository is moved
away from SourceForge and goes private for a while.</LI>
</UL>
</P>
<H2><A NAME="ss3.5">3.5</A> <A HREF="#toc3.5">2007</A>
</H2>
<P>
<UL>
<LI><B>November 4</B>, release <B>0.5</B> marks the end of the OWASP
Spring of Code 2007 contest participation. Bernardo has
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page">accomplished</A> all the proposed objectives, which include initial
support for Oracle, enhanced support for UNION query SQL injection and
support to test and exploit SQL injections in HTTP Cookie and User-Agent
headers.
</LI>
<LI><B>June 15</B>, Bernardo releases version <B>0.4</B> as a
result of the first OWASP Spring of Code 2007 milestone. This release
features, amongst others, improvements to the DBMS fingerprint engine,
support to calculate the estimated time of arrival, options to enumerate
specific data from the database server and brand new logging system.
</LI>
<LI><B>April</B>, even though sqlmap was <B>not</B> and is <B>not</B>
an OWASP project, it gets
<A HREF="http://www.owasp.org/index.php/SpoC_007_-_SqlMap">accepted</A>, amongst many other open source projects, to OWASP Spring
of Code 2007.
</LI>
<LI><B>March 30</B>, Bernardo applies to OWASP
<A HREF="http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap">Spring of Code 2007</A>.
</LI>
<LI><B>January 20</B>, sqlmap version <B>0.3</B> is released,
featuring initial support for Microsoft SQL Server, support to test
and exploit UNION query SQL injections and injection points in POST
parameters.</LI>
</UL>
</P>
<H2><A NAME="ss3.6">3.6</A> <A HREF="#toc3.6">2006</A>
</H2>
<P>
<UL>
<LI><B>December 13</B>, Bernardo releases version <B>0.2</B> with
major enhancements to the DBMS fingerprint functionalities and replacement
of the old inference algorithm with the bisection algorithm.
</LI>
<LI><B>September</B>, Daniele leaves the project,
<A HREF="http://bernardodamele.blogspot.com">Bernardo Damele A. G.</A>
takes it over.
</LI>
<LI><B>August</B>, Daniele adds initial support for PostgreSQL and releases
version <B>0.1</B>.
</LI>
<LI><B>July 25</B>,
<A HREF="http://dbellucci.blogspot.com">Daniele Bellucci</A>
registers the sqlmap project on SourceForge and develops it on the
<A HREF="http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/">SourceForge subversion repository</A>. The skeleton is implemented and
limited support for MySQL added.</LI>
</UL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Download and update</A></H2>
<P>sqlmap can be downloaded from its
<A HREF="http://sourceforge.net/projects/sqlmap/files/">SourceForge File List page</A>.
It is available in two formats:</P>
<P>
<UL>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.tar.gz">Source gzip compressed</A>.
</LI>
<LI>
<A HREF="http://downloads.sourceforge.net/sqlmap/sqlmap-0.9.zip">Source zip compressed</A>.</LI>
</UL>
</P>
<P>You can also check out the latest development version from the
<A HREF="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/">subversion</A>
repository:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>You can update it at any time to the latest development version by running:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py --update
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Or:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ svn update
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>This is strongly recommended <B>before</B> reporting any bug to the
<A HREF="http://www.sqlmap.org/#ml">mailing list</A>.</P>
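<P>The option listing in the next section includes <CODE>--user-agent</CODE>, <CODE>--random-agent</CODE>, <CODE>--delay</CODE> and <CODE>--threads</CODE>, which together decide how visible a sqlmap run is in a web server's access log. The following script is an added defender-side example and is not part of sqlmap: it parses a handful of constructed combined-format access-log lines and reports (a) requests whose User-Agent still carries the tool's default version banner and (b) clients that cycle one query parameter through many distinct values within a short window, the behaviour that <CODE>--random-agent</CODE> does not hide. The log lines, IP addresses and the thresholds <CODE>window_s</CODE> and <CODE>min_values</CODE> are constructed assumptions for the example.</P>

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

# "combined" access-log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# sqlmap sends its version banner as the User-Agent unless --user-agent or
# --random-agent overrides it; the prefix alone matches any version string.
TOOL_UA_PREFIX = "sqlmap/"

# Constructed sample (not real traffic): one client announcing itself in the
# User-Agent, one client hiding behind a browser User-Agent but cycling the
# "id" parameter quickly, and ordinary browsing from a third client.
SAMPLE_LOG = [
    '198.51.100.5 - - [10/Apr/2011:12:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0 (http://www.sqlmap.org)"',
] + [
    '203.0.113.7 - - [10/Apr/2011:12:01:%02d +0000] "GET /item.php?id=%s HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % (i, v)
    for i, v in enumerate(["1", "1%27", "2", "3", "4", "5", "6", "7", "8"])
] + [
    '192.0.2.10 - - [10/Apr/2011:12:02:00 +0000] "GET /item.php?id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Apr/2011:12:02:30 +0000] "GET /item.php?id=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # parse_qsl URL-decodes values, so "1%27" is stored as "1'"
    entry["params"] = dict(parse_qsl(url.query, keep_blank_values=True))
    return entry


def find_tool_user_agents(entries):
    """Requests whose User-Agent announces the tool outright: cheap to check,
    but trivially defeated by --user-agent / --random-agent."""
    return [(e["ip"], e["ua"]) for e in entries if e["ua"].startswith(TOOL_UA_PREFIX)]


def find_parameter_probing(entries, window_s=60, min_values=8):
    """Behavioural check: for each (client, path, parameter) compute the largest
    number of distinct values seen inside any window_s-second window and report
    the triple when it reaches min_values.  Independent of the User-Agent, so a
    randomised one does not hide it; --delay stretches the burst, which is why
    the window length is a parameter (threshold values are assumptions)."""
    seen = defaultdict(list)  # (ip, path, param) -> [(ts, value), ...]
    for e in entries:
        for name, value in e["params"].items():
            seen[(e["ip"], e["path"], name)].append((e["ts"], value))
    findings = []
    for (ip, path, name), hits in seen.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until the span fits in window_s
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({v for _, v in hits[start:end + 1]}))
        if best >= min_values:
            findings.append((ip, path, name, best))
    return findings


def analyze(lines=SAMPLE_LOG):
    """Run both checks over the given log lines and return the findings."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return {
        "parsed": len(entries),
        "tool_user_agents": find_tool_user_agents(entries),
        "parameter_probing": find_parameter_probing(entries),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

<P>Run it directly to see the findings for the embedded sample, or pass real log lines to <CODE>analyze()</CODE>. The behavioural check will also flag legitimate crawlers that walk an <CODE>id</CODE> space quickly, so <CODE>min_values</CODE> and <CODE>window_s</CODE> should be tuned against baseline traffic rather than taken from the sample as-is.</P>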
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Usage</A></H2>
<P>
<BLOCKQUOTE><CODE>
<PRE>
$ python sqlmap.py -h

    sqlmap/1.0 - automatic SQL injection and database takeover tool
    http://www.sqlmap.org

Usage: python sqlmap.py [options]

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be specified to set the source to
    get target urls from.

    -d DIRECT           Direct connection to the database
    -u URL, --url=URL   Target url
    -l LIST             Parse targets from Burp or WebScarab proxy logs
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target urls
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target url.

    --data=DATA         Data string to be sent through POST
    --cookie=COOKIE     HTTP Cookie header
    --cookie-urlencode  URL Encode generated cookie injections
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header
    --random-agent      Use randomly selected HTTP User-Agent header
    --referer=REFERER   HTTP Referer header
    --headers=HEADERS   Extra HTTP headers newline separated
    --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
    --auth-cred=ACRED   HTTP authentication credentials (name:password)
    --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
    --proxy=PROXY       Use a HTTP proxy to connect to the target url
    --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
    --ignore-proxy      Ignore system default HTTP proxy
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --safe-url=SAFURL   Url address to visit frequently during testing
    --safe-freq=SAFREQ  Test requests between two visits to a given safe url

  Optimization:
    These options can be used to optimize the performance of sqlmap.

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts.

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to this value
    --os=OS             Force back-end DBMS operating system to this value
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to specify how to parse and compare page
    content from HTTP responses when using blind SQL injection technique.

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (0-3, default 1)
    --string=STRING     String to match in page when the query is valid
    --regexp=REGEXP     Regexp to match in page when the query is valid
    --text-only         Compare pages based only on the textual content

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques.

    --technique=TECH    SQL injection techniques to test for (default BEUST)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements.

    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table to enumerate
    -C COL              DBMS database table column to enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell

  Brute force:
    These options can be used to run brute force checks.

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions.

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end database management
    system underlying file system.

    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to