lunes, 27 de julio de 2009

Tool: sqlmap 0.7 released

sqlmap is an open source command-line automatic SQL injection tool.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:
* Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
* Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
This make sqlmap 0.7 to work again on Windows too.
* Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
* HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.
Complete list of changes

You can download it in various formats:
* Source gzip compressed,

* Source bzip2 compressed,

* Source zip compressed,

* DEB binary package,

* RPM binary package,

* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system,

* sqlmap user's manual
* sqlmap developer's documentation

Link relacionado:
- 17 herramientas indispensables para analizar problemas de inyección SQL

No hay comentarios: