pen-test December 2008 archive
Main Archive Page > Month Archives  > pen-test archives
pen-test: Re: [Full-disclosure] [Tool] sqlmap 0.6.3 released

Re: [Full-disclosure] [Tool] sqlmap 0.6.3 released

From: Taras Ivashchenko <naplanetu_at_nospam>
Date: Thu Dec 18 2008 - 12:57:31 GMT
To: "Bernardo Damele A. G." <bernardo.damele@gmail.com>


Hello, Bernardo!

Great news! It's one of my favorite hacker's tools :)

Тарас Иващенко (Taras Ivashchenko) -- "Software is like sex: it's better when it's free.", - Linus Torvalds. 2008/12/18 Bernardo Damele A. G. <bernardo.damele@gmail.com>
> Hi,
>
> I am glad to release sqlmap version 0.6.3.
>
> Introduction
> ============
>
> sqlmap is an automatic SQL injection tool developed in Python. Its goal
> is to detect and take advantage of SQL injection vulnerabilities on web
> applications. Once it detects one or more SQL injections on the target
> host, the user can choose among a variety of options to perform an
> extensive back end database management system fingerprint, retrieve DBMS
> session user and database, enumerate users, password hashes, privileges,
> databases, dump entire or user's specific DBMS tables/columns, run his
> own SQL SELECT statement, read specific files on the file system and
> much more.
>
>
> Changes
> =======
>
> Some of the new features include:
>
> * Major enhancement to get list of targets to test from Burp proxy
> (http://portswigger.net/suite/) requests log file path or WebScarab
> proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
> 'conversations/' folder path by providing option -l <filepath>;
> * Major enhancement to support Partial UNION query SQL injection
> technique too;
> * Major enhancement to test if the web application technology supports
> stacked queries (multiple statements) by providing option --stacked-test
> which will be then used someday also by takeover functionality;
> * Major enhancement to test if the injectable parameter is affected by a
> time based blind SQL injection technique by providing option --time-test;
> * Major bug fix to correctly enumerate columns on Microsoft SQL Server;
> * Major bug fix so that when the user provide a SELECT statement to be
> processed with an asterisk as columns, now it also work if in the FROM
> there is no database name specified;
>
>
> Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
>
>
> Download
> ========
>
> You can download it in various formats:
>
> * Source gzip compressed,
> http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.gz
>
> * Source bzip2 compressed,
> http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.bz2
>
> * Source zip compressed,
> http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.zip
>
> * DEB binary package,
> http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.3-1_all.deb
>
> * RPM binary package,
> http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3-1.noarch.rpm
>
> * Portable executable for Windows that does not require the Python
> interpreter to be installed on the operating system,
> http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3_exe.zip
>
>
> Documentation
> =============
>
> * sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
>
> * sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/
>
>
> Happy hacking!
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
> PGP Key ID: 0x05F5A30F
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------
>
>

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/