This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "SpoC 007 - SqlMap"

From OWASP
Jump to: navigation, search
Line 6: Line 6:
 
'''Project coordinator''': Dinis Cruz
 
'''Project coordinator''': Dinis Cruz
  
'''Project Progress''': 80% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]
+
'''Project Progress''': 90% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]
  
 
==  Bernardo Damele - SQLMap ==
 
==  Bernardo Damele - SQLMap ==

Revision as of 15:53, 23 October 2007

'Back to SpoC 007 Selection page


AoC Candidate: Bernardo Damele

Project coordinator: Dinis Cruz

Project Progress: 90% Complete, Progress Page

Bernardo Damele - SQLMap

Executive Summary

sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

Objectives for OWASP Spring of Code 2007

  • Add support for Oracle database management system
  • Add support to extract database users password hash
  • Extend inband SQL injection functionality to all other possible queries
  • Add Microsoft SQL Server database fingerprint
  • Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
  • Add support for SQL injection on HTTP Cookie and User-Agent headers
  • Add support for query ETA (Estimated Time of Arrival) real time calculation
  • Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
  • Improve logging functionality

Long-term vision for the project

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

Why I should be sponsored for the project

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the sqlmap development since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

Links


Back to SpoC 007 Selection page