Monday, May 11, 2009

Security And SQL Injection Tools

News

* May 8, 2009: sqlmap version 0.6.4 Debian package has been officially accepted in Debian repository! Read details on my blog post.
* April 22, 2009: sqlmap 0.7 release candidate 1 is out with all of the new features described during my presentation at Black Hat Europe 2009. The presentation whitepaper and slides are also available.
* April 3, 2009: sqlmap 0.7 will be released at Black Hat Europe 2009 during my presentation titled Advanced SQL Injection exploitation to operating system full control.
* March 11, 2009: my presentation titled SQL injection: Not only AND 1=1 is online on SlideShare site.
* February 3, 2009: sqlmap 0.6.4 is out with many new enhancements and a few major bugs fixed.
* January 9, 2009: my presentation titled SQL injection exploitation internals is online on SlideShare site.
* December 18, 2008: sqlmap 0.6.3 is out with many new enhancements and some major bugs fixed.
* November 21, 2008: posted three positions for contributing to sqlmap development on SourceForge Project Help page. If you'd like to contribute, check them out and get back by e-mail.
* November 9, 2008: sqlmap Subversion repository is now online on https://svn.sqlmap.org/sqlmap/trunk/sqlmap/. You can check it out if you want to try the development version.
* November 4, 2008: sqlmap 0.6.2 is out with some major bugs fixed and a few minor enhancements.
* October 24, 2008: sqlmap auxiliary module committed on the official Metasploit Framework 3 Subversion repository. Thanks Efrain Torres!
* October 20, 2008: sqlmap 0.6.1 is out with the integration with Metasploit, a few new features and some bugs fixed.
* September 1, 2008: sqlmap 0.6 is out with many new features, complete code refactoring and many bugs fixed.

Introduction

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Features

Some of the major features implemented in sqlmap include:

* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
* Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched (stacked) queries. sqlmap can also test for time-based blind SQL injection.
* Extensive back-end database management system software and underlying operating system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it. sqlmap is also able to fingerprint the web server operating system, the web application technology and, in some circumstances, the back-end DBMS operating system.
* Support to retrieve, on all four back-end database management systems, the banner, current user and current database, check if the current user is a database administrator, enumerate users, users' password hashes, users' privileges, databases, tables and columns, dump table entries, dump the whole database management system and run the user's own SQL statement.
* Support to read either text or binary files from the database server underlying file system when the database software is MySQL, PostgreSQL and Microsoft SQL Server.
* Support to execute arbitrary commands on the database server underlying operating system when the database software is MySQL or PostgreSQL, via user-defined function injection, or Microsoft SQL Server, via the xp_cmdshell() stored procedure.
* Support to establish an out-of-band stateful connection between the attacker box and the database server underlying operating system via:
  o Stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
  o Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
  o SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit on the attacker box.
* Support for database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable.
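The inferential (boolean-based) technique listed above relies on one observable: a true condition such as AND 1=1 and a false one such as AND 1=2 produce different responses when untrusted input is concatenated into the query text, and identical responses when it is bound as a parameter. The following added example (not sqlmap's code, and not part of the original page) shows that differential on a constructed SQLite table, with the string-concatenated lookup beside its parameterized replacement, so a developer can use it as a regression check that a rewrite actually closed the injection. The table, names and helper functions are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample data (not from the page): a users table a login form might query.
SAMPLE_USERS = [("alice", "h1"), ("bob", "h2")]


def make_db():
    """Build an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users (name, pwhash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the user-controlled value becomes part of the SQL text,
    so a quote character in the input changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + username + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # A syntax error caused by the input is itself a signal an attacker can observe;
        # report it as a distinct response rather than hiding it.
        return ["<error>"]


def lookup_parameterized(conn, username):
    """Bound parameter: the value is never parsed as SQL, whatever characters it holds."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (username,))]


def compare(username):
    """Run the same input through both lookups and return (vulnerable, parameterized)."""
    conn = make_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


def boolean_differential(lookup, username):
    """Return True when a true and a false appended condition yield different results.

    This is the observable an inferential blind test depends on. A lookup that binds
    its parameter returns the same (empty) result for both probes, so the check is False.
    """
    conn = make_db()
    true_probe = lookup(conn, username + "' AND '1'='1")
    false_probe = lookup(conn, username + "' AND '1'='2")
    return true_probe != false_probe


if __name__ == "__main__":
    print("plain input      :", compare("alice"))
    print("quote in input   :", compare("x' OR '1'='1"))
    print("vulnerable differs:", boolean_differential(lookup_vulnerable, "alice"))
    print("bound param differs:", boolean_differential(lookup_parameterized, "alice"))
```

The parameterized version is the fix to aim for; the boolean_differential helper is useful in a unit test suite because it fails loudly if someone later reintroduces string concatenation into the query path.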

Download

sqlmap 0.7 release candidate 1 version can be downloaded as a source gzip compressed file or as a source zip compressed file.
WARNING: This release is a candidate, it only works on Linux so please do not complain that it does not work on your Windows or Mac OS X systems.

sqlmap can be downloaded from its SourceForge File List page. It is available in various formats:

* Source gzip compressed operating system independent.
* Source bzip2 compressed operating system independent.
* Source zip compressed operating system independent.
* DEB binary package architecture independent for Debian and any other Debian-derived GNU/Linux distribution.
* RPM binary package architecture independent for Fedora and any other operating system that can install RPM packages.
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system.

You can also check out the source code from the sqlmap Subversion repository to try the development release:

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/

Documentation

* sqlmap user's manual (HTML and PDF)
* sqlmap developer's documentation
* sqlmap ChangeLog
* SQL injection exploitation internals slides presented at a private Conference in London (UK) on January 9, 2009
* SQL injection: Not only AND 1=1 slides presented at Front Range OWASP Conference in Denver (USA) on March 5, 2009
* Advanced SQL injection to operating system full control whitepaper and slides presented at Black Hat Europe 2009 in Amsterdam (The Netherlands) on April 16, 2009
