.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.2.
.TH SQLMAP "1" "December 2015" "sqlmap.py v0.9" "User Commands"
.SH NAME
sqlmap \- automatic SQL injection tool
.SH SYNOPSIS
.B python
\fI\,sqlmap \/\fR[\fI\,options\/\fR]
.SH OPTIONS
.TP
\fB\-h\fR, \fB\-\-help\fR
Show basic help message and exit
.TP
\fB\-hh\fR
Show advanced help message and exit
.TP
\fB\-\-version\fR
Show program's version number and exit
.TP
\fB\-v\fR VERBOSE
Verbosity level: 0\-6 (default 1)
.IP
Target:
.IP
At least one of these options has to be provided to define the target(s)
.TP
\fB\-d\fR DIRECT
Connection string for direct database connection
.TP
\fB\-u\fR URL, \fB\-\-url\fR=\fI\,URL\/\fR
Target URL (e.g. "http://www.site.com/vuln.php?id=1")
.TP
\fB\-l\fR LOGFILE
Parse target(s) from Burp or WebScarab proxy log file
.TP
\fB\-x\fR SITEMAPURL
Parse target(s) from remote sitemap(.xml) file
.TP
\fB\-m\fR BULKFILE
Scan multiple targets given in a textual file
.TP
\fB\-r\fR REQUESTFILE
Load HTTP request from a file
.TP
\fB\-g\fR GOOGLEDORK
Process Google dork results as target URLs
.TP
\fB\-c\fR CONFIGFILE
Load options from a configuration INI file
.IP
Request:
.IP
These options can be used to specify how to connect to the target URL
.TP
\fB\-\-method\fR=\fI\,METHOD\/\fR
Force usage of given HTTP method (e.g. PUT)
.TP
\fB\-\-data\fR=\fI\,DATA\/\fR
Data string to be sent through POST
.TP
\fB\-\-param\-del\fR=\fI\,PARA\/\fR..
Character used for splitting parameter values
.TP
\fB\-\-cookie\fR=\fI\,COOKIE\/\fR
HTTP Cookie header value
.TP
\fB\-\-cookie\-del\fR=\fI\,COO\/\fR..
Character used for splitting cookie values
.TP
\fB\-\-load\-cookies\fR=\fI\,L\/\fR..
File containing cookies in Netscape/wget format
.TP
\fB\-\-drop\-set\-cookie\fR
Ignore Set\-Cookie header from response
.TP
\fB\-\-user\-agent\fR=\fI\,AGENT\/\fR
HTTP User\-Agent header value
.TP
\fB\-\-random\-agent\fR
Use randomly selected HTTP User\-Agent header value
.TP
\fB\-\-host\fR=\fI\,HOST\/\fR
HTTP Host header value
.TP
\fB\-\-referer\fR=\fI\,REFERER\/\fR
HTTP Referer header value
.TP
\fB\-H\fR HEADER, \fB\-\-hea\fR..
Extra header (e.g. "X\-Forwarded\-For: 127.0.0.1")
.TP
\fB\-\-headers\fR=\fI\,HEADERS\/\fR
Extra headers (e.g. "Accept\-Language: fr\enETag: 123")
.TP
\fB\-\-auth\-type\fR=\fI\,AUTH\/\fR..
HTTP authentication type (Basic, Digest, NTLM or PKI)
.TP
\fB\-\-auth\-cred\fR=\fI\,AUTH\/\fR..
HTTP authentication credentials (name:password)
.TP
\fB\-\-auth\-file\fR=\fI\,AUTH\/\fR..
HTTP authentication PEM cert/private key file
.TP
\fB\-\-ignore\-401\fR
Ignore HTTP Error 401 (Unauthorized)
.TP
\fB\-\-proxy\fR=\fI\,PROXY\/\fR
Use a proxy to connect to the target URL
.TP
\fB\-\-proxy\-cred\fR=\fI\,PRO\/\fR..
Proxy authentication credentials (name:password)
.TP
\fB\-\-proxy\-file\fR=\fI\,PRO\/\fR..
Load proxy list from a file
.TP
\fB\-\-ignore\-proxy\fR
Ignore system default proxy settings
.TP
\fB\-\-tor\fR
Use Tor anonymity network
.TP
\fB\-\-tor\-port\fR=\fI\,TORPORT\/\fR
Set Tor proxy port other than default
.TP
\fB\-\-tor\-type\fR=\fI\,TORTYPE\/\fR
Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
.TP
\fB\-\-check\-tor\fR
Check to see if Tor is used properly
.TP
\fB\-\-delay\fR=\fI\,DELAY\/\fR
Delay in seconds between each HTTP request
.TP
\fB\-\-timeout\fR=\fI\,TIMEOUT\/\fR
Seconds to wait before the connection times out (default 30)
.TP
\fB\-\-retries\fR=\fI\,RETRIES\/\fR
Retries when the connection times out (default 3)
.TP
\fB\-\-randomize\fR=\fI\,RPARAM\/\fR
Randomly change value for given parameter(s)
.TP
\fB\-\-safe\-url\fR=\fI\,SAFEURL\/\fR
URL address to visit frequently during testing
.TP
\fB\-\-safe\-post\fR=\fI\,SAFE\/\fR..
POST data to send to a safe URL
.TP
\fB\-\-safe\-req\fR=\fI\,SAFER\/\fR..
Load safe HTTP request from a file
.TP
\fB\-\-safe\-freq\fR=\fI\,SAFE\/\fR..
Test requests between two visits to a given safe URL
.TP
\fB\-\-skip\-urlencode\fR
Skip URL encoding of payload data
.TP
\fB\-\-csrf\-token\fR=\fI\,CSR\/\fR..
Parameter used to hold anti\-CSRF token
.TP
\fB\-\-csrf\-url\fR=\fI\,CSRFURL\/\fR
URL address to visit to extract anti\-CSRF token
.TP
\fB\-\-force\-ssl\fR
Force usage of SSL/HTTPS
.TP
\fB\-\-hpp\fR
Use HTTP parameter pollution method
.TP
\fB\-\-eval\fR=\fI\,EVALCODE\/\fR
Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")
.IP
Optimization:
.IP
These options can be used to optimize the performance of sqlmap
.TP
\fB\-o\fR
Turn on all optimization switches
.TP
\fB\-\-predict\-output\fR
Predict common queries output
.TP
\fB\-\-keep\-alive\fR
Use persistent HTTP(s) connections
.TP
\fB\-\-null\-connection\fR
Retrieve page length without actual HTTP response body
.TP
\fB\-\-threads\fR=\fI\,THREADS\/\fR
Max number of concurrent HTTP(s) requests (default 1)
.IP
Injection:
.IP
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
.TP
\fB\-p\fR TESTPARAMETER
Testable parameter(s)
.TP
\fB\-\-skip\fR=\fI\,SKIP\/\fR
Skip testing for given parameter(s)
.TP
\fB\-\-skip\-static\fR
Skip testing parameters that do not appear dynamic
.TP
\fB\-\-dbms\fR=\fI\,DBMS\/\fR
Force back\-end DBMS to this value
.TP
\fB\-\-dbms\-cred\fR=\fI\,DBMS\/\fR..
DBMS authentication credentials (user:password)
.TP
\fB\-\-os\fR=\fI\,OS\/\fR
Force back\-end DBMS operating system to this value
.TP
\fB\-\-invalid\-bignum\fR
Use big numbers for invalidating values
.TP
\fB\-\-invalid\-logical\fR
Use logical operations for invalidating values
.TP
\fB\-\-invalid\-string\fR
Use random strings for invalidating values
.TP
\fB\-\-no\-cast\fR
Turn off payload casting mechanism
.TP
\fB\-\-no\-escape\fR
Turn off string escaping mechanism
.TP
\fB\-\-prefix\fR=\fI\,PREFIX\/\fR
Injection payload prefix string
.TP
\fB\-\-suffix\fR=\fI\,SUFFIX\/\fR
Injection payload suffix string
.TP
\fB\-\-tamper\fR=\fI\,TAMPER\/\fR
Use given script(s) for tampering injection data
.IP
Detection:
.IP
These options can be used to customize the detection phase
.TP
\fB\-\-level\fR=\fI\,LEVEL\/\fR
Level of tests to perform (1\-5, default 1)
.TP
\fB\-\-risk\fR=\fI\,RISK\/\fR
Risk of tests to perform (1\-3, default 1)
.TP
\fB\-\-string\fR=\fI\,STRING\/\fR
String to match when query is evaluated to True
.TP
\fB\-\-not\-string\fR=\fI\,NOT\/\fR..
String to match when query is evaluated to False
.TP
\fB\-\-regexp\fR=\fI\,REGEXP\/\fR
Regexp to match when query is evaluated to True
.TP
\fB\-\-code\fR=\fI\,CODE\/\fR
HTTP code to match when query is evaluated to True
.TP
\fB\-\-text\-only\fR
Compare pages based only on the textual content
.TP
\fB\-\-titles\fR
Compare pages based only on their titles
.IP
Techniques:
.IP
These options can be used to tweak testing of specific SQL injection techniques
.TP
\fB\-\-technique\fR=\fI\,TECH\/\fR
SQL injection techniques to use (default "BEUSTQ")
.TP
\fB\-\-time\-sec\fR=\fI\,TIMESEC\/\fR
Seconds to delay the DBMS response (default 5)
.TP
\fB\-\-union\-cols\fR=\fI\,UCOLS\/\fR
Range of columns to test for UNION query SQL injection
.TP
\fB\-\-union\-char\fR=\fI\,UCHAR\/\fR
Character to use for bruteforcing number of columns
.TP
\fB\-\-union\-from\fR=\fI\,UFROM\/\fR
Table to use in FROM part of UNION query SQL injection
.TP
\fB\-\-dns\-domain\fR=\fI\,DNS\/\fR..
Domain name used for DNS exfiltration attack
.TP
\fB\-\-second\-order\fR=\fI\,S\/\fR..
Resulting page URL searched for second\-order response
.IP
Fingerprint:
.TP
\fB\-f\fR, \fB\-\-fingerprint\fR
Perform an extensive DBMS version fingerprint
.IP
Enumeration:
.IP
These options can be used to enumerate the back\-end database management system information, structure and data contained in the tables.
Moreover you can run your own SQL statements
.TP
\fB\-a\fR, \fB\-\-all\fR
Retrieve everything
.TP
\fB\-b\fR, \fB\-\-banner\fR
Retrieve DBMS banner
.TP
\fB\-\-current\-user\fR
Retrieve DBMS current user
.TP
\fB\-\-current\-db\fR
Retrieve DBMS current database
.TP
\fB\-\-hostname\fR
Retrieve DBMS server hostname
.TP
\fB\-\-is\-dba\fR
Detect if the DBMS current user is DBA
.TP
\fB\-\-users\fR
Enumerate DBMS users
.TP
\fB\-\-passwords\fR
Enumerate DBMS users password hashes
.TP
\fB\-\-privileges\fR
Enumerate DBMS users privileges
.TP
\fB\-\-roles\fR
Enumerate DBMS users roles
.TP
\fB\-\-dbs\fR
Enumerate DBMS databases
.TP
\fB\-\-tables\fR
Enumerate DBMS database tables
.TP
\fB\-\-columns\fR
Enumerate DBMS database table columns
.TP
\fB\-\-schema\fR
Enumerate DBMS schema
.TP
\fB\-\-count\fR
Retrieve number of entries for table(s)
.TP
\fB\-\-dump\fR
Dump DBMS database table entries
.TP
\fB\-\-dump\-all\fR
Dump all DBMS databases tables entries
.TP
\fB\-\-search\fR
Search column(s), table(s) and/or database name(s)
.TP
\fB\-\-comments\fR
Retrieve DBMS comments
.TP
\fB\-D\fR DB
DBMS database to enumerate
.TP
\fB\-T\fR TBL
DBMS database table(s) to enumerate
.TP
\fB\-C\fR COL
DBMS database table column(s) to enumerate
.TP
\fB\-X\fR EXCLUDECOL
DBMS database table column(s) to not enumerate
.TP
\fB\-U\fR USER
DBMS user to enumerate
.TP
\fB\-\-exclude\-sysdbs\fR
Exclude DBMS system databases when enumerating tables
.TP
\fB\-\-where\fR=\fI\,DUMPWHERE\/\fR
Use WHERE condition while table dumping
.TP
\fB\-\-start\fR=\fI\,LIMITSTART\/\fR
First query output entry to retrieve
.TP
\fB\-\-stop\fR=\fI\,LIMITSTOP\/\fR
Last query output entry to retrieve
.TP
\fB\-\-first\fR=\fI\,FIRSTCHAR\/\fR
First query output word character to retrieve
.TP
\fB\-\-last\fR=\fI\,LASTCHAR\/\fR
Last query output word character to retrieve
.TP
\fB\-\-sql\-query\fR=\fI\,QUERY\/\fR
SQL statement to be executed
.TP
\fB\-\-sql\-shell\fR
Prompt for an interactive SQL shell
.TP
\fB\-\-sql\-file\fR=\fI\,SQLFILE\/\fR
Execute SQL statements from given file(s)
.IP
Brute force:
.IP
These options can be used to run brute force checks
.TP
\fB\-\-common\-tables\fR
Check existence of common tables
.TP
\fB\-\-common\-columns\fR
Check existence of common columns
.IP
User\-defined function injection:
.IP
These options can be used to create custom user\-defined functions
.TP
\fB\-\-udf\-inject\fR
Inject custom user\-defined functions
.TP
\fB\-\-shared\-lib\fR=\fI\,SHLIB\/\fR
Local path of the shared library
.IP
File system access:
.IP
These options can be used to access the back\-end database management system underlying file system
.TP
\fB\-\-file\-read\fR=\fI\,RFILE\/\fR
Read a file from the back\-end DBMS file system
.TP
\fB\-\-file\-write\fR=\fI\,WFILE\/\fR
Write a local file on the back\-end DBMS file system
.TP
\fB\-\-file\-dest\fR=\fI\,DFILE\/\fR
Back\-end DBMS absolute filepath to write to
.IP
Operating system access:
.IP
These options can be used to access the back\-end database management system underlying operating system
.TP
\fB\-\-os\-cmd\fR=\fI\,OSCMD\/\fR
Execute an operating system command
.TP
\fB\-\-os\-shell\fR
Prompt for an interactive operating system shell
.TP
\fB\-\-os\-pwn\fR
Prompt for an OOB shell, Meterpreter or VNC
.TP
\fB\-\-os\-smbrelay\fR
One click prompt for an OOB shell, Meterpreter or VNC
.TP
\fB\-\-os\-bof\fR
Stored procedure buffer overflow exploitation
.TP
\fB\-\-priv\-esc\fR
Database process user privilege escalation
.TP
\fB\-\-msf\-path\fR=\fI\,MSFPATH\/\fR
Local path where Metasploit Framework is installed
.TP
\fB\-\-tmp\-path\fR=\fI\,TMPPATH\/\fR
Remote absolute path of temporary files directory
.IP
Windows registry access:
.IP
These options can be used to access the back\-end database management system Windows registry
.TP
\fB\-\-reg\-read\fR
Read a Windows registry key value
.TP
\fB\-\-reg\-add\fR
Write a Windows registry key value data
.TP
\fB\-\-reg\-del\fR
Delete a Windows registry key value
.TP
\fB\-\-reg\-key\fR=\fI\,REGKEY\/\fR
Windows registry key
.TP
\fB\-\-reg\-value\fR=\fI\,REGVAL\/\fR
Windows registry key value
.TP
\fB\-\-reg\-data\fR=\fI\,REGDATA\/\fR
Windows registry key value data
.TP
\fB\-\-reg\-type\fR=\fI\,REGTYPE\/\fR
Windows registry key value type
.IP
General:
.IP
These options can be used to set some general working parameters
.TP
\fB\-s\fR SESSIONFILE
Load session from a stored (.sqlite) file
.TP
\fB\-t\fR TRAFFICFILE
Log all HTTP traffic into a textual file
.TP
\fB\-\-batch\fR
Never ask for user input, use the default behaviour
.TP
\fB\-\-charset\fR=\fI\,CHARSET\/\fR
Force character encoding used for data retrieval
.TP
\fB\-\-crawl\fR=\fI\,CRAWLDEPTH\/\fR
Crawl the website starting from the target URL
.TP
\fB\-\-crawl\-exclude=\fR..
Regexp to exclude pages from crawling (e.g. "logout")
.TP
\fB\-\-csv\-del\fR=\fI\,CSVDEL\/\fR
Delimiting character used in CSV output (default ",")
.TP
\fB\-\-dump\-format\fR=\fI\,DU\/\fR..
Format of dumped data (CSV (default), HTML or SQLITE)
.TP
\fB\-\-eta\fR
Display for each output the estimated time of arrival
.TP
\fB\-\-flush\-session\fR
Flush session files for current target
.TP
\fB\-\-forms\fR
Parse and test forms on target URL
.TP
\fB\-\-fresh\-queries\fR
Ignore query results stored in session file
.TP
\fB\-\-hex\fR
Use DBMS hex function(s) for data retrieval
.TP
\fB\-\-output\-dir\fR=\fI\,OUT\/\fR..
Custom output directory path
.TP
\fB\-\-parse\-errors\fR
Parse and display DBMS error messages from responses
.TP
\fB\-\-pivot\-column\fR=\fI\,P\/\fR..
Pivot column name
.TP
\fB\-\-save\fR=\fI\,SAVECONFIG\/\fR
Save options to a configuration INI file
.TP
\fB\-\-scope\fR=\fI\,SCOPE\/\fR
Regexp to filter targets from provided proxy log
.TP
\fB\-\-test\-filter\fR=\fI\,TE\/\fR..
Select tests by payloads and/or titles (e.g. ROW)
.TP
\fB\-\-test\-skip\fR=\fI\,TEST\/\fR..
Skip tests by payloads and/or titles (e.g. BENCHMARK)
.TP
\fB\-\-update\fR
Update sqlmap
.IP
Miscellaneous:
.TP
\fB\-z\fR MNEMONICS
Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
.TP
\fB\-\-alert\fR=\fI\,ALERT\/\fR
Run host OS command(s) when SQL injection is found
.TP
\fB\-\-answers\fR=\fI\,ANSWERS\/\fR
Set question answers (e.g. "quit=N,follow=N")
.TP
\fB\-\-beep\fR
Beep on question and/or when SQL injection is found
.TP
\fB\-\-cleanup\fR
Clean up the DBMS from sqlmap specific UDF and tables
.TP
\fB\-\-dependencies\fR
Check for missing (non\-core) sqlmap dependencies
.TP
\fB\-\-disable\-coloring\fR
Disable console output coloring
.TP
\fB\-\-gpage\fR=\fI\,GOOGLEPAGE\/\fR
Use Google dork results from specified page number
.TP
\fB\-\-identify\-waf\fR
Perform thorough testing for WAF/IPS/IDS protection
.TP
\fB\-\-skip\-waf\fR
Skip heuristic detection of WAF/IPS/IDS protection
.TP
\fB\-\-mobile\fR
Imitate smartphone through HTTP User\-Agent header
.TP
\fB\-\-offline\fR
Work in offline mode (only use session data)
.TP
\fB\-\-page\-rank\fR
Display page rank (PR) for Google dork results
.TP
\fB\-\-purge\-output\fR
Safely remove all content from output directory
.TP
\fB\-\-smart\fR
Conduct thorough tests only if positive heuristic(s)
.TP
\fB\-\-sqlmap\-shell\fR
Prompt for an interactive sqlmap shell
.TP
\fB\-\-wizard\fR
Simple wizard interface for beginner users