Thread: [sqlmap-users] sqlmap state of art - 3 years later
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-15 13:59:38
Hi,

A few months ago sqlmap passed its 3rd year of virtual life. I would like to personally thank Daniele Bellucci for starting the project back in July 2006 and letting me succeed him in sqlmap development since September 2006.

During the last 12 months, sqlmap has seen a lot of improvements in (post-)exploitation functionalities[1][2][3], ranging from underlying file system read and write access to database buffer overflow exploitation with memory protection bypass, passing by UDF injection to execute a Metasploit payload in-memory or via a payload stager executable, and more[4] (thanks to Guido Landi for helping me out with some of these features).

I've received tons of great feedback (dumb questions too) privately by email, face to face and via this mailing list from you all and I really appreciate it, thank you[5]! Sorry if I did not get back right away, I might have missed your email: send it again privately and I will try to get back promptly.

The media/blogger attention to the tool and to SQL injection as a vector not only to expose sensitive data but also to own the whole underlying system and internal network in general has been higher in the last 12 months. Personally speaking, since my talk at Black Hat Europe[6][7][8] and the recent corporate websites ownage[9].

Surprisingly sqlmap is the most downloaded SQL injection tool on SourceForge[10], however I've no statistics about the downloads from third-party mirrors so this information does *not* count globally. Also, a search on Google for "sql injection"[11] places sqlmap at the 21st place, the first tool of its category to be mentioned: good to see that many whitepapers and tutorials showed up first, a symptom maybe that many people do care about learning how it works before just firing up a tool.

Now I see sqlmap development for 2010 going in two directions:

1. I would like to brainstorm with *you* and then rewrite from scratch the detection engine. It's the weak part of sqlmap in my opinion: it upsets many users, requires reading and understanding of the user's manual for not-straightforward SQL injections and, sadly, is not as mature as some other tools (very few though[12] ;)). I've some thoughts about it and will share them soon. Please, do reply to this point if you've anything to say, either publicly or privately; feel free to get in touch also via Jabber if you prefer. All comments, suggestions and criticisms will be answered, taken into account and eventually summarized afterwards in an email open to the mailing list.

2. It would be great if someone actively joined the development team (me, sigh...) to maintain the code, refactor it a bit, document it to make it easier for new developers to code over it, fix bugs and add new features. I've a list of about 60 unique items in the ticketing system, so there's plenty of work to do, time permitting.

Yes, you've got it right, I am looking for help as in code: software engineers experienced in Python development (no, I won't follow the Ruby hype so please don't ask for a change of technology), so if you ever thought it would be cool to join sqlmap development, now it's your time to do so. I can provide you with write access to a personal branch on the sqlmap subversion repository, access to the project management interface (this includes the ticketing system) and if you show up in the London area we can meet for a beer too or, if you prefer, a more typical English tea! ;)

I hope this will bring a lot of good ideas and I am open to read all your thoughts. Thanks if you spent your time to the end of this email.

[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides
[3] http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database
[4] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog
[5] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/THANKS
[6] http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=216402297
[7] http://www.theregister.co.uk/2009/04/02/new_sql_injection_attack/
[8] http://www.h-online.com/security/SQL-injection-reloaded-access-to-the-operating-system--/news/113095
[9] http://www.theregister.co.uk/2009/11/23/symantec_website_security_snafu/
[10] http://sourceforge.net/search/?words=%22sql+injection%22&sort=num_downloads&sortdir=desc&offset=0&type_of_search=soft&pmode=0&form_cat=18
[11] http://www.google.com/search?hl=en&q=sql+injection&start=20&sa=N
[12] http://code.google.com/p/sqlibench/

Cheers,
--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-01-06 11:27:02
Hi,

Almost a month has passed since this call for developers and I've got few replies, not as many as I wished. Some friends warned me it would happen... People (ab)use open source tools without giving anything back, it's the same story, nothing new. Some companies (try to) break open source licenses, it's a routine somewhere. It's as easy to congratulate as to criticize, but actively contributing with source code or donations is another story and to me this is a shame.

Nevertheless one Python developer joined me in sqlmap development: Miroslav Stampar (stamparm on the subversion repository). Thank you!

Cheers,
Bernardo

On Tue, Dec 15, 2009 at 13:59, Bernardo Damele A. G. <ber...@gm...> wrote:
> [...]

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
From: Bernardo D. A. G. <ber...@gm...> - 2010-01-18 13:01:26
Just in case someone is wondering what skill set I am looking for, I posted it on the 'Help Wanted' page on SourceForge: http://sourceforge.net/people/?group_id=171598

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F