Thread: [sqlmap-users] my stand on sqlmap
From: Joe "Pragmatk" <pra...@gm...> - 2010-06-01 09:46:28

This is a quick email to the sqlmap hard core.

Although I have used sqlmap for no more than three holes - three holes it
failed to exploit - I have been following the project for some time. A
friend of mine recently encouraged me to give it another chance, so I have
some questions:

- Does sqlmap support exporting to some sort of binary-safe export format
  (sqlite, csv, .sql format, heck - even urlencoded or c-string-escaped)?
  I found the text-only output options greatly disappointing :-(

- http://sqlmap.sourceforge.net/features.html states that:

  "Each dynamic parameter is tested for numeric, single quoted string,
  double quoted string and all of these three data-types with zero to two
  parenthesis to correctly detect which is the SELECT statement syntax to
  perform further injections with"

  --- Is there an easy way to extend this sparse selection of test cases,
  or will I have to set up my own patch repo for modifications?

  "Option to specify the maximum number of concurrent HTTP requests to
  speed up the inferential blind SQL injection algorithms
  (multi-threading)."

  --- multi-threading is - of course - very nice, but does sqlmap support
  "persistent" http connections (reuse of existing tcp-connections using
  the Keep-Alive HTTP-header)? I implemented this for my own tool and the
  speed gain was enormous. Last time I asked about this, both the
  developers and I were unable to find a Python module that supported this
  relatively simple feature.

  "Automatic support to save the session (queries and their output, even
  if partially retrieved) in real time while fetching the data on a text
  file and resume the injection from this file in a second time."

  --- Has the off-by-one when resuming blind queries been fixed?

I think the post exploitation-stuff that you have implemented, especially
the tie-in with msf, is really cool. Respect!

joe
From: Bernardo D. A. G. <ber...@gm...> - 2010-06-01 10:18:21

Joe,

On Tue, Jun 1, 2010 at 10:46, Joe "Pragmatk" <pra...@gm...> wrote:
> ...
> - Does sqlmap support exporting to some sort of binary-safe export
> format (sqlite, csv, .sql format, heck - even urlencoded or
> c-string-escaped)? I found the text-only output options greatly
> disappointing :-(

Recently we merged into trunk a patch to save results to an XML file (-x
switch). This is still in early development, but for basic cases it works.
As usual, bug reports are welcome. The XML is validated against an XSD file
(xml/sqlmap.xsd) too.

We recently added support to fetch unicode data; this included lots of
enhancements in terms of dealing with files (session, log, .csv dump file,
etc.) too. CSV files are created when you --dump tables; you can see their
path when --verbose is >= 1.

> --- Is there an easy way to extend this sparse selection of test cases,
> or will I have to set up my own patch repo for modifications?

The detection engine is weak. It will be rewritten from scratch in the
upcoming months. You (all!) can supply your patches any time; we really
appreciate that and encourage you to send them all. No need to comment the
code (appreciated though), we can dig into it ourselves.

> --- multi-threading is - of course - very nice, but does sqlmap support
> "persistent" http connections (reuse of existing tcp-connections using
> the Keep-Alive HTTP-header)? I implemented this for my own tool and the
> speed gain was enormous. Last time I asked about this, both the
> developers and I were unable to find a Python module that supported this
> relatively simple feature.

We fixed a couple of major bugs in multi-threading and improved it quite a
lot since the release of 0.8. I recommend you always give the development
version from the subversion repository a try. To answer your question, as
far as I know the Python urllib2 library does not effectively support
Keep-Alive; we will research more in this direction.

> --- Has the off-by-one when resuming blind queries been fixed?

Automatic saving to the session file works in real time when
multi-threading is not specified. Vice versa, if multi-threading is
specified (--threads > 1), the query output is stored in the session file
once the whole output is fetched. Resume always works, regardless of the
technique used by sqlmap to retrieve the data. The off-by-one should also
be fixed now.

> I think the post exploitation-stuff that you have implemented,
> especially the tie-in with msf, is really cool. Respect!

Thanks.

-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
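The Keep-Alive exchange in this thread (Joe asking whether sqlmap reuses TCP connections, Bernardo answering that Python's urllib2 did not support it) can be checked directly rather than argued about. The script below is an added example written for this page; it is not code from the thread or from sqlmap. It is Python 3, where urllib2's role is split between urllib.request and http.client, and it starts a constructed local HTTP/1.1 server on a loopback port chosen by the OS (an assumption: the environment allows binding to 127.0.0.1). Instead of timing requests, which varies from run to run, it counts how many TCP connections the server accepts for the same number of requests: http.client.HTTPConnection keeps one socket open across requests, while urllib.request.urlopen opens a fresh connection each time and sends "Connection: close".

```python
import http.client
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class CountingHandler(BaseHTTPRequestHandler):
    """Constructed test server: HTTP/1.1 so the connection may stay open,
    and a counter that is bumped once per accepted TCP connection."""

    protocol_version = "HTTP/1.1"  # HTTP/1.0 would close after every response
    connections = 0
    lock = threading.Lock()

    def setup(self):
        # setup() runs once per accepted connection, not once per request
        super().setup()
        with CountingHandler.lock:
            CountingHandler.connections += 1

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        # Content-Length tells the client where the body ends, which is
        # what makes reusing the socket for the next request possible.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output clean


def start_server():
    # Port 0: let the OS pick a free loopback port (assumption: allowed here).
    server = HTTPServer(("127.0.0.1", 0), CountingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def connections_used(n_requests, persistent):
    """Issue n_requests GETs and return how many TCP connections the
    server accepted. persistent=True reuses one http.client connection;
    persistent=False calls urllib.request.urlopen for every request."""
    server = start_server()
    host, port = server.server_address
    CountingHandler.connections = 0
    try:
        if persistent:
            conn = http.client.HTTPConnection(host, port)
            for _ in range(n_requests):
                conn.request("GET", "/")
                resp = conn.getresponse()
                resp.read()  # drain the body so the socket can be reused
            conn.close()
        else:
            for _ in range(n_requests):
                with urllib.request.urlopen(f"http://{host}:{port}/") as resp:
                    resp.read()
    finally:
        server.shutdown()  # safe: the client has closed its side already
        server.server_close()
    return CountingHandler.connections


if __name__ == "__main__":
    print("http.client, 5 requests:", connections_used(5, persistent=True), "connection(s)")
    print("urlopen,     5 requests:", connections_used(5, persistent=False), "connection(s)")
```

The point for anyone writing or reviewing an HTTP client in Python is that connection reuse depends on the client (http.client, or a pooling library), on the server speaking HTTP/1.1 with a Content-Length or chunked body, and on the caller draining each response before sending the next request; drop any of the three and every request costs a new TCP handshake.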