
Sqlmap 0.9

  • 15-04-2011 6:29am
    #1
    Registered Users Posts: 367 ✭✭


    http://sqlmap.sourceforge.net/

    I've only had a quick test, but I'd be interested in details of the new features.
    sqlmap (0.9-1) stable; urgency=low

    * Rewritten SQL injection detection engine (Bernardo and Miroslav).
    * Support to directly connect to the database without passing via a
    SQL injection, -d switch (Bernardo and Miroslav).
    * Added full support for both time-based blind SQL injection and
    error-based SQL injection techniques (Bernardo and Miroslav).
    * Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
    * Implemented support for Firebird (Bernardo and Miroslav).
    * Implemented support for Microsoft Access, Sybase and SAP MaxDB
    (Miroslav).
    * Extended old '--dump -C' functionality to be able to search for
    specific database(s), table(s) and column(s), --search switch
    (Bernardo).
    * Added support to tamper injection data with --tamper switch (Bernardo
    and Miroslav).
    * Added automatic recognition of password hashes format and support to
    crack them with a dictionary-based attack (Miroslav).
    * Added support to enumerate roles on Oracle, --roles switch (Bernardo).
    * Added support for SOAP based web services requests (Bernardo).
    * Added support to fetch unicode data (Bernardo and Miroslav).
    * Added support to use persistent HTTP(s) connection for speed
    improvement, --keep-alive switch (Miroslav).
    * Implemented several optimization switches to speed up the exploitation
    of SQL injections (Bernardo and Miroslav).
    * Support to test and inject against HTTP Referer header (Miroslav).
    * Implemented HTTP(s) proxy authentication support, --proxy-cred switch
    (Miroslav).
    * Implemented feature to speedup the enumeration of table names
    (Miroslav).
    * Support for customizable HTTP(s) redirections (Bernardo).
    * Support to replicate the back-end DBMS tables structure and entries
    in a local SQLite 3 database, --replicate switch (Miroslav).
    * Support to parse and test forms on target url, --forms switch
    (Bernardo and Miroslav).
    * Added switches to brute-force tables names and columns names with a
    dictionary attack, --common-tables and --common-columns. Useful for
    instance when system table 'information_schema' is not available on
    MySQL (Miroslav).
    * Basic support for REST-style URL parameters by using the asterisk (*)
    to mark where to test for and exploit SQL injection (Miroslav).
    * Added safe URL feature, --safe-url and --safe-freq (Miroslav).
    * Added --text-only switch to strip from the HTTP response body the
    HTML/JS code and compare pages based only on their textual content
    (Miroslav).
    * Implemented few other features and switches (Bernardo and Miroslav).
    * Over 100 bugs fixed (Bernardo and Miroslav).
    * Major code refactoring (Bernardo and Miroslav).
    * User's manual updated (Bernardo).

    -- Bernardo Damele A. G. <bernardo.damele@gmail.com> Sun, 10 Apr 2011 21:00:00 +0000


Comments

  • Registered Users Posts: 367 ✭✭900913


    The use random useragent has changed from:
    ./sqlmap.py -a c:\user_agents_file.txt -u "http://abc.com/a?id=1"

    TO
    ./sqlmap.py --random-agent -u "http://abc.com/a?id=1"

    It's a start..
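As an added, defender-side example (not from this thread or from the sqlmap project): a small Python scanner over constructed Apache combined-format log lines that flags the time-based blind payloads and Referer-header injection listed in the 0.9 changelog, plus the stock sqlmap User-Agent, which is exactly what --random-agent is meant to replace. The "sqlmap/" User-Agent prefix, the field layout and the sample lines are assumptions, not values taken from any real server.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format (assumed layout):
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of time-based blind probing: MySQL SLEEP/BENCHMARK, MSSQL WAITFOR DELAY, PostgreSQL pg_sleep
TIME_BASED = re.compile(r"\b(sleep\s*\(|benchmark\s*\(|waitfor\s+delay|pg_sleep\s*\()", re.I)
# Assumed stock sqlmap User-Agent prefix; --random-agent hides it, so never rely on this check alone
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)

def analyse(line):
    """Return a list of findings for one access-log line, or [] if nothing looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    findings = []
    # Decode percent-encoding first: the payload in the log is usually URL-encoded
    decoded_path = unquote_plus(m.group("path"))
    decoded_ref = unquote_plus(m.group("referer"))
    if TIME_BASED.search(decoded_path):
        findings.append("time-based payload in URL")
    if TIME_BASED.search(decoded_ref):
        findings.append("time-based payload in Referer")
    if SQLMAP_UA.match(m.group("ua")):
        findings.append("sqlmap default User-Agent")
    return findings

def scan(log_text):
    """Map each flagged 1-based line number to its findings; clean lines are omitted."""
    result = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        findings = analyse(line)
        if findings:
            result[n] = findings
    return result

# Constructed sample log (three lines, not captured from a real server)
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2011:06:29:00 +0100] "GET /a?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Apr/2011:06:29:01 +0100] "GET /a?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
10.0.0.5 - - [15/Apr/2011:06:29:07 +0100] "GET /a?id=1 HTTP/1.1" 200 512 "http://abc.com/' AND BENCHMARK(5000000,MD5(1))--" "Mozilla/5.0 (Windows NT 6.1)"
"""

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG).items():
        print(n, f)
```

The third sample line shows why the Referer field must be inspected too: a payload sent there leaves the request path looking clean, and a randomised User-Agent leaves only the payload and the response timing as evidence.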


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    I do love sqlmap.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    If you analyse the http(s) requests between havij and sqlmap, you can see that havij is far more optimized and smart. Has to send far less GET requests to grab the database/table/column details/data. You still see sqlmap doing lots of slow searching and using queries that don't always give the best return of data in a given go.

    Which I guess is hard to believe when a Win32 GUI tool beats a *nix command line tool.. but hey try it yourself!


  • Closed Accounts Posts: 20,759 ✭✭✭✭dlofnep


    In fairness, SQLmap is just more thorough. Havij is decent, but it is nowhere near as powerful as sqlmap IMO.


  • Registered Users Posts: 367 ✭✭900913


    I think there are advantages and disadvantages with every automated tool.
    Havij is really good with a point and click gui, but sqlmap has many more features.

    But I still haven't found one that is good at filter evasion.

    With havij you can put your evasion injection string into the "Syntax" box.

    I've not even tried this on sqlmap yet.

    Anyone know of any tools that are good at filter evasion besides brain power?

