Skip to content

Commit fe16360

Browse files
bdamelebdamele
committed
more doc updates
1 parent 723a744 commit fe16360

4 files changed

Lines changed: 88 additions & 20 deletions

File tree

doc/ChangeLog

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,11 +43,12 @@ sqlmap (0.9-1) stable; urgency=low
4343
* Added --text-only switch to strip from the HTTP response body the
4444
HTML/JS code and compare pages based only on their textual content
4545
(Miroslav).
46+
* Implemented few other features and switches (Bernardo and Miroslav).
4647
* Over 100 bugs fixed (Bernardo and Miroslav).
4748
* Major code refactoring (Bernardo and Miroslav).
4849
* User's manual updated (Bernardo).
4950

50-
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Day, DD MMM 2010 10:00:00 +0000
51+
-- Bernardo Damele A. G. <bernardo.damele@gmail.com> Sun, 10 Apr 2011 21:00:00 +0000
5152

5253
sqlmap (0.8-1) stable; urgency=low
5354

doc/README.html

Lines changed: 45 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ <H1>sqlmap user's manual</H1>
99

1010
<H2>by
1111
<A HREF="mailto:bernardo.damele@gmail.com">Bernardo Damele A. G.</A>,
12-
<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A></H2>version 0.9, April XX, 2011
12+
<A HREF="mailto:miroslav.stampar@gmail.com">Miroslav Stampar</A></H2>version 0.9, April 10, 2011
1313
<HR>
1414
<EM>This document is the user's manual to use
1515
<A HREF="http://sqlmap.sourceforge.net">sqlmap</A>.</EM>
@@ -561,7 +561,7 @@ <H2><A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">2011</A>
561561

562562
<P>
563563
<UL>
564-
<LI><B>April XX</B>,
564+
<LI><B>April 10</B>,
565565
<A HREF="http://sqlmap.sourceforge.net/#developers">Bernardo and Miroslav</A> release sqlmap
566566
<B>0.9</B> featuring a totally rewritten and powerful SQL injection
567567
detection engine, the possibility to connect directly to a database
@@ -1444,23 +1444,49 @@ <H3>Output prediction</H3>
14441444

14451445
<P>Switch: <CODE>-</CODE><CODE>-predict-output</CODE></P>
14461446

1447-
<P>TODO</P>
1447+
<P>This switch is used in inference algorithm for sequential statistical
1448+
prediction of characters of value being retrieved. Based on items given in
1449+
<CODE>txt/common-outputs.txt</CODE> together with the knowledge of current
1450+
enumeration used statistical table with the most promising values is being
1451+
built. In case that the value can be found among the common output values,
1452+
as the process progresses, subsequent character tables are being narrowed
1453+
more and more. If used in combination with retrieval of common DBMS
1454+
entities, as with system table names and privileges, speed up is
1455+
significant. Of course, you can edit the common outputs file according to
1456+
your needs if, for instance, you notice common patterns in database table
1457+
names or similar.</P>
1458+
1459+
<P>Note that this switch is not compatible with <CODE>-</CODE><CODE>-threads</CODE>
1460+
switch.</P>
14481461

14491462

14501463
<H3>HTTP Keep-Alive</H3>
14511464

14521465
<P>Switch: <CODE>-</CODE><CODE>-keep-alive</CODE></P>
14531466

1454-
<P>This switch instructs sqlmap to use persistent HTTP(s) connections.
1455-
Note that this switch is incompatible with <CODE>-</CODE><CODE>-proxy</CODE> switch.</P>
1467+
<P>This switch instructs sqlmap to use persistent HTTP(s) connections.</P>
1468+
1469+
<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-proxy</CODE>
1470+
switch.</P>
14561471

14571472

14581473
<H3>HTTP NULL connection</H3>
14591474

14601475
<P>Switch: <CODE>-</CODE><CODE>-null-connection</CODE></P>
14611476

1462-
<P>TODO
1463-
Note that this switch is incompatible with <CODE>-</CODE><CODE>-text-only</CODE>
1477+
<P>There are special HTTP request types which can be used to retrieve
1478+
HTTP response's size without getting the HTTP body. This knowledge can be
1479+
used in blind injection technique to distinguish <CODE>True</CODE> from
1480+
<CODE>False</CODE> responses. When this switch is provided, sqlmap will try to
1481+
test and exploit two different <EM>NULL connection</EM> techniques:
1482+
<CODE>Range</CODE> and <CODE>HEAD</CODE>.
1483+
If any of these is supported by the target web server, speed up will come
1484+
from the obvious saving of used bandwidth.</P>
1485+
1486+
<P>These techniques are detailed in the white paper
1487+
<A HREF="http://www.wisec.it/sectou.php?id=472f952d79293">Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)</A>.</P>
1488+
1489+
<P>Note that this switch is incompatible with <CODE>-</CODE><CODE>-text-only</CODE>
14641490
switch.</P>
14651491

14661492

@@ -1485,6 +1511,9 @@ <H3>Concurrent HTTP(S) requests</H3>
14851511
injection technique. The maximum number of concurrent requests is set to
14861512
<B>10</B> for performance and site reliability reasons.</P>
14871513

1514+
<P>Note that this switch is not compatible with
1515+
<CODE>-</CODE><CODE>-predict-output</CODE> switch.</P>
1516+
14881517

14891518
<H2><A NAME="ss5.5">5.5</A> <A HREF="#toc5.5">Injection</A>
14901519
</H2>
@@ -1787,7 +1816,10 @@ <H3>Page comparison</H3>
17871816
This way the distinction will be based upon string presence or regular
17881817
expression match.</P>
17891818

1790-
<P>TODO: --text-only</P>
1819+
<P>In cases with lot of active (e.g. scripts, embeds, etc.) content in the
1820+
HTTP responses' body, you can filter pages (<CODE>-</CODE><CODE>-text-only</CODE>
1821+
switch) just for their textual content. This way, in a good number of
1822+
cases, you can automatically tune the detection engine.</P>
17911823

17921824

17931825
<H2><A NAME="ss5.7">5.7</A> <A HREF="#toc5.7">Techniques</A>
@@ -2313,7 +2345,8 @@ <H3>Brute force tables names</H3>
23132345
<UL>
23142346
<LI>The database management system is MySQL <B>&lt; 5.0</B> where
23152347
<CODE>information_schema</CODE> is not available.</LI>
2316-
<LI>The database management system is Microsoft Access where there TODO.</LI>
2348+
<LI>The database management system is Microsoft Access and system table
2349+
<CODE>MSysObjects</CODE> is not readable - default setting.</LI>
23172350
<LI>The session user does not have read privileges against the system
23182351
table storing the scheme of the databases.</LI>
23192352
</UL>
@@ -2343,7 +2376,8 @@ <H3>Brute force columns names</H3>
23432376
<UL>
23442377
<LI>The database management system is MySQL <B>&lt; 5.0</B> where
23452378
<CODE>information_schema</CODE> is not available.</LI>
2346-
<LI>The database management system is Microsoft Access where there TODO.</LI>
2379+
<LI>The database management system is Microsoft Access where this
2380+
kind of information is not available inside system tables.</LI>
23472381
<LI>The session user does not have read privileges against the system
23482382
table storing the scheme of the databases.</LI>
23492383
</UL>
@@ -2800,7 +2834,7 @@ <H3>Estimated time of arrival</H3>
28002834
<BLOCKQUOTE><CODE>
28012835
<PRE>
28022836
100% [===================================================] 64/64
2803-
[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
2837+
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
28042838

28052839
web application technology: PHP 5.2.6, Apache 2.2.9
28062840
back-end DBMS: Oracle

doc/README.pdf

2.58 KB
Binary file not shown.

doc/README.sgml

Lines changed: 41 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
<title>sqlmap user's manual
66
<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">, <htmlurl url="mailto:miroslav.stampar@gmail.com" name="Miroslav Stampar">
7-
<date>version 0.9, April XX, 2011
7+
<date>version 0.9, April 10, 2011
88
<abstract>
99
This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.
1010
</abstract>
@@ -487,7 +487,7 @@ name="MS10-015">).
487487

488488
<p>
489489
<itemize>
490-
<item><bf>April XX</bf>, <htmlurl name="Bernardo and Miroslav"
490+
<item><bf>April 10</bf>, <htmlurl name="Bernardo and Miroslav"
491491
url="http://sqlmap.sourceforge.net/#developers"> release sqlmap
492492
<bf>0.9</bf> featuring a totally rewritten and powerful SQL injection
493493
detection engine, the possibility to connect directly to a database
@@ -1402,7 +1402,21 @@ Read below for details about each switch.
14021402
Switch: <tt>-</tt><tt>-predict-output</tt>
14031403

14041404
<p>
1405-
TODO
1405+
This switch is used in inference algorithm for sequential statistical
1406+
prediction of characters of value being retrieved. Based on items given in
1407+
<tt>txt/common-outputs.txt</tt> together with the knowledge of current
1408+
enumeration used statistical table with the most promising values is being
1409+
built. In case that the value can be found among the common output values,
1410+
as the process progresses, subsequent character tables are being narrowed
1411+
more and more. If used in combination with retrieval of common DBMS
1412+
entities, as with system table names and privileges, speed up is
1413+
significant. Of course, you can edit the common outputs file according to
1414+
your needs if, for instance, you notice common patterns in database table
1415+
names or similar.
1416+
1417+
<p>
1418+
Note that this switch is not compatible with <tt>-</tt><tt>-threads</tt>
1419+
switch.
14061420

14071421

14081422
<sect2>HTTP Keep-Alive
@@ -1412,6 +1426,8 @@ Switch: <tt>-</tt><tt>-keep-alive</tt>
14121426

14131427
<p>
14141428
This switch instructs sqlmap to use persistent HTTP(s) connections.
1429+
1430+
<p>
14151431
Note that this switch is incompatible with <tt>-</tt><tt>-proxy</tt>
14161432
switch.
14171433

@@ -1422,7 +1438,21 @@ switch.
14221438
Switch: <tt>-</tt><tt>-null-connection</tt>
14231439

14241440
<p>
1425-
TODO
1441+
There are special HTTP request types which can be used to retrieve
1442+
HTTP response's size without getting the HTTP body. This knowledge can be
1443+
used in blind injection technique to distinguish <tt>True</tt> from
1444+
<tt>False</tt> responses. When this switch is provided, sqlmap will try to
1445+
test and exploit two different <em>NULL connection</em> techniques:
1446+
<tt>Range</tt> and <tt>HEAD</tt>.
1447+
If any of these is supported by the target web server, speed up will come
1448+
from the obvious saving of used bandwidth.
1449+
1450+
<p>
1451+
These techniques are detailed in the white paper
1452+
<htmlurl url="http://www.wisec.it/sectou.php?id=472f952d79293"
1453+
name="Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)">.
1454+
1455+
<p>
14261456
Note that this switch is incompatible with <tt>-</tt><tt>-text-only</tt>
14271457
switch.
14281458

@@ -1448,9 +1478,12 @@ when that character is retrieved - it takes up to 7 HTTP(S) requests with
14481478
the bisection algorithm implemented in sqlmap.
14491479

14501480
<p>
1451-
Note that the multi-threading switch does not affect any other SQL
1452-
injection technique. The maximum number of concurrent requests is set to
1453-
<bf>10</bf> for performance and site reliability reasons.
1481+
The maximum number of concurrent requests is set to <bf>10</bf> for
1482+
performance and site reliability reasons.
1483+
1484+
<p>
1485+
Note that this switch is not compatible with
1486+
<tt>-</tt><tt>-predict-output</tt> switch.
14541487

14551488

14561489
<sect1>Injection
@@ -2904,7 +2937,7 @@ Then:
29042937

29052938
<tscreen><verb>
29062939
100% [===================================================] 64/64
2907-
[10:28:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
2940+
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod
29082941

29092942
web application technology: PHP 5.2.6, Apache 2.2.9
29102943
back-end DBMS: Oracle

0 commit comments

Comments
 (0)