This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

SpoC 007 - SQLMap - Progress Page

From OWASP
Revision as of 10:34, 30 July 2007 by Inquis (talk | contribs)

Jump to: navigation, search

Objectives for OWASP Spring of Code 2007

Accomplished objectives at 30th of July 2007

  • [100%] Extend inband SQL injection functionality to all other possible queries
  • [100%] Add Microsoft SQL Server database fingerprint
  • [100%] Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
  • [100%] Add support for query ETA (Estimated Time of Arrival) real time calculation
  • [100%] Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
  • [100%] Improve logging functionality

Ongoing work at 30th of July 2007

  • [20%] Add support for Oracle database management system
  • [60%] Add support to extract database users password hash (done for MySQL and PostgreSQL, in progress for Microsoft SQL Server)
  • [0%] Add support for SQL injection on HTTP Cookie and User-Agent headers


Changes in sqlmap during OWASP Spring of Code 2007

May 2007

  • [SpoC] Added support to extract database users password hash on MySQL and PostgreSQL
  • [SpoC] Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
  • [SpoC] Added support for query ETA (Estimated Time of Arrival) real time calculation (--eta)
  • [SpoC] Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on @@version matching on an XML file to get also the exact patching level of the DBMS
  • [SpoC] Improved logging functionality: passed from banal print to Python native logging library
  • Added DBMS fingerprint based also upon HTML error messages parsing by a xml.sax function/class (defined in lib/parser.py) which read an XML file defining default error messages for each supported DBMS
  • Added the possibility to specify mssql, pgsql as --remote-dbms values

June 2007

  • [SpoC] Improved UNION SELECT check so now it works with five different DBMS because it uses the xml/errors.xml file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
  • Updated documentation
  • Layout fixes

July 2007

  • [SpoC] Extended inband SQL injection functionality (--union-use) to all other possible queries since it only worked with -e and --file on all DMBS plugins
  • [SpoC] Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (txt/fuzz_vectors.txt, Common.passiveFuzzing(), lib/settings.py and DBMS plugins)
  • [SpoC] Reviewed HTTP request library (lib/request.py) to support the extended inband SQL injection functionality. Splitted getValue() into getInband() and getBlind()
  • [SpoC] Major enhancements in common library and added checkForBrackets() method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
  • Implemented --dump-all functionality to dump entire DBMS data from all databases tables
  • Imlemented in Dump.dbTableValues() method the CSV file dumped data automatic saving in csv/ folder by default
  • Added DB2, Informix and Sybase DBMS error messages and minor improvements in xml/errors.xml
  • Renamed DMBS plugins


Links