
Difference between revisions of "SpoC 007 - SQLMap - Progress Page"
Revision as of 10:34, 30 July 2007

Objectives for OWASP Spring of Code 2007

Accomplished objectives at 30th of July 2007

  • [100%] Extend inband SQL injection functionality to all other possible queries
  • [100%] Add Microsoft SQL Server database fingerprint
  • [100%] Add a fuzzer class that parses the HTML page looking for standard database error messages, thereby improving database fingerprinting
  • [100%] Add support for query ETA (Estimated Time of Arrival) real-time calculation
  • [100%] Improve Google dorking support so that the other command-line actions can be run against remote hosts found to be affected by SQL injection
  • [100%] Improve logging functionality

Ongoing work at 30th of July 2007

  • [20%] Add support for the Oracle database management system
  • [60%] Add support to extract database users' password hashes (done for MySQL and PostgreSQL, in progress for Microsoft SQL Server)
  • [0%] Add support for SQL injection on the HTTP Cookie and User-Agent headers


Changes in sqlmap during OWASP Spring of Code 2007

May 2007

  • [SpoC] Added support to extract database users' password hashes on MySQL and PostgreSQL
  • [SpoC] Improved Google dorking support so that the other command-line actions can be run against remote hosts found to be affected by SQL injection
  • [SpoC] Added support for query ETA (Estimated Time of Arrival) real-time calculation (--eta)
  • [SpoC] Added extensive Microsoft SQL Server DBMS fingerprint checks, based on gathering @@version and matching it against an XML file to obtain the exact patch level of the DBMS
  • [SpoC] Improved logging functionality: moved from plain print statements to Python's native logging library
  • Added DBMS fingerprinting based also on parsing HTML error messages with an xml.sax function/class (defined in lib/parser.py) which reads an XML file defining the default error messages for each supported DBMS
  • Added the possibility to specify mssql and pgsql as --remote-dbms values

June 2007

  • [SpoC] Improved the UNION SELECT check so that it now works with five different DBMS, because it uses the xml/errors.xml file to recognize HTML error messages and correctly identify whether the inband SQL injection performed returned good results
  • Updated documentation
  • Layout fixes

July 2007

  • [SpoC] Extended inband SQL injection functionality (--union-use) to all other possible queries, since it previously worked only with -e and --file on all DBMS plugins
  • [SpoC] Added a fuzzer function that parses the HTML page looking for standard database error messages, thereby improving database fingerprinting (txt/fuzz_vectors.txt, Common.passiveFuzzing(), lib/settings.py and DBMS plugins)
  • [SpoC] Reviewed the HTTP request library (lib/request.py) to support the extended inband SQL injection functionality. Split getValue() into getInband() and getBlind()
  • [SpoC] Major enhancements in the common library, and added the checkForBrackets() method to check whether bracket(s) are needed to perform a UNION query SQL injection
  • Implemented --dump-all functionality to dump the entire DBMS data from all databases' tables
  • Implemented in the Dump.dbTableValues() method automatic saving of the dumped data as a CSV file in the csv/ folder by default
  • Added DB2, Informix and Sybase DBMS error messages and minor improvements in xml/errors.xml
  • Renamed DBMS plugins
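The May and June entries above describe fingerprinting a DBMS by matching HTML error messages against an XML file of per-DBMS signatures parsed with xml.sax. The following is an added example (not sqlmap's own code, and the XML layout is an assumption, since the real xml/errors.xml schema is not on this page) that an application team can run over captured responses of their own site to find pages leaking verbose database errors:

```python
import re
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample in the spirit of sqlmap's xml/errors.xml; the real
# file's schema is not shown on this page, so this layout is an assumption.
ERRORS_XML = """<?xml version="1.0"?>
<root>
  <dbms value="MySQL">
    <error regexp="You have an error in your SQL syntax"/>
    <error regexp="supplied argument is not a valid MySQL"/>
  </dbms>
  <dbms value="PostgreSQL">
    <error regexp="PostgreSQL query failed"/>
    <error regexp="pg_query\\(\\)"/>
  </dbms>
  <dbms value="Microsoft SQL Server">
    <error regexp="Microsoft OLE DB Provider for SQL Server"/>
    <error regexp="Unclosed quotation mark"/>
  </dbms>
</root>
"""


class ErrorsHandler(ContentHandler):
    """SAX handler collecting {dbms name: [compiled regex, ...]}."""

    def __init__(self):
        super().__init__()
        self.patterns = {}
        self._dbms = None

    def startElement(self, name, attrs):
        if name == "dbms":
            self._dbms = attrs.get("value")
            self.patterns.setdefault(self._dbms, [])
        elif name == "error" and self._dbms:
            self.patterns[self._dbms].append(re.compile(attrs.get("regexp"), re.I))


def load_error_patterns(xml_text):
    """Parse the signature file once and return the per-DBMS regex table."""
    handler = ErrorsHandler()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.patterns


def fingerprint_page(html, patterns):
    """Return the sorted names of every DBMS whose error signature leaks in html."""
    return sorted(dbms for dbms, rxs in patterns.items()
                  if any(rx.search(html) for rx in rxs))
```

An empty result for every captured page is the goal; any hit points at a page that should return a generic error instead of the database's message.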


Links

  • sqlmap ChangeLog: http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog
  • sqlmap last SVN revision log message: http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev