SQLMAP(1) | User Commands | SQLMAP(1)
NAME
sqlmap - automatic SQL injection tool
SYNOPSIS
python sqlmap [options]
OPTIONS
- -h, --help
- Show basic help message and exit
- -hh
- Show advanced help message and exit
- --version
- Show program's version number and exit
- -v VERBOSE
- Verbosity level: 0-6 (default 1)
- Target:
- At least one of these options has to be provided to define the target(s)
- -d DIRECT
- Connection string for direct database connection
- -u URL, --url=URL
- Target URL (e.g. "http://www.site.com/vuln.php?id=1")
- -l LOGFILE
- Parse target(s) from Burp or WebScarab proxy log file
- -x SITEMAPURL
- Parse target(s) from remote sitemap(.xml) file
- -m BULKFILE
- Scan multiple targets given in a textual file
- -r REQUESTFILE
- Load HTTP request from a file
- -g GOOGLEDORK
- Process Google dork results as target URLs
- -c CONFIGFILE
- Load options from a configuration INI file
- Request:
- These options can be used to specify how to connect to the target URL
- --method=METHOD
- Force usage of given HTTP method (e.g. PUT)
- --data=DATA
- Data string to be sent through POST
- --param-del=PARA..
- Character used for splitting parameter values
- --cookie=COOKIE
- HTTP Cookie header value
- --cookie-del=COO..
- Character used for splitting cookie values
- --load-cookies=L..
- File containing cookies in Netscape/wget format
- --drop-set-cookie
- Ignore Set-Cookie header from response
- --user-agent=AGENT
- HTTP User-Agent header value
- --random-agent
- Use randomly selected HTTP User-Agent header value
- --host=HOST
- HTTP Host header value
- --referer=REFERER
- HTTP Referer header value
- -H HEADER, --hea..
- Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
- --headers=HEADERS
- Extra headers (e.g. "Accept-Language: fr\nETag: 123")
- --auth-type=AUTH..
- HTTP authentication type (Basic, Digest, NTLM or PKI)
- --auth-cred=AUTH..
- HTTP authentication credentials (name:password)
- --auth-file=AUTH..
- HTTP authentication PEM cert/private key file
- --ignore-401
- Ignore HTTP Error 401 (Unauthorized)
- --proxy=PROXY
- Use a proxy to connect to the target URL
- --proxy-cred=PRO..
- Proxy authentication credentials (name:password)
- --proxy-file=PRO..
- Load proxy list from a file
- --ignore-proxy
- Ignore system default proxy settings
- --tor
- Use Tor anonymity network
- --tor-port=TORPORT
- Set Tor proxy port other than default
- --tor-type=TORTYPE
- Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
- --check-tor
- Check to see if Tor is used properly
- --delay=DELAY
- Delay in seconds between each HTTP request
- --timeout=TIMEOUT
- Seconds to wait before timing out the connection (default 30)
- --retries=RETRIES
- Retries when the connection times out (default 3)
- --randomize=RPARAM
- Randomly change value for given parameter(s)
- --safe-url=SAFEURL
- URL address to visit frequently during testing
- --safe-post=SAFE..
- POST data to send to a safe URL
- --safe-req=SAFER..
- Load safe HTTP request from a file
- --safe-freq=SAFE..
- Test requests between two visits to a given safe URL
- --skip-urlencode
- Skip URL encoding of payload data
- --csrf-token=CSR..
- Parameter used to hold anti-CSRF token
- --csrf-url=CSRFURL
- URL address to visit to extract anti-CSRF token
- --force-ssl
- Force usage of SSL/HTTPS
- --hpp
- Use HTTP parameter pollution method
- --eval=EVALCODE
- Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")
- Optimization:
- These options can be used to optimize the performance of sqlmap
- -o
- Turn on all optimization switches
- --predict-output
- Predict common queries output
- --keep-alive
- Use persistent HTTP(s) connections
- --null-connection
- Retrieve page length without actual HTTP response body
- --threads=THREADS
- Max number of concurrent HTTP(s) requests (default 1)
- Injection:
- These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
- -p TESTPARAMETER
- Testable parameter(s)
- --skip=SKIP
- Skip testing for given parameter(s)
- --skip-static
- Skip testing parameters that do not appear dynamic
- --dbms=DBMS
- Force back-end DBMS to this value
- --dbms-cred=DBMS..
- DBMS authentication credentials (user:password)
- --os=OS
- Force back-end DBMS operating system to this value
- --invalid-bignum
- Use big numbers for invalidating values
- --invalid-logical
- Use logical operations for invalidating values
- --invalid-string
- Use random strings for invalidating values
- --no-cast
- Turn off payload casting mechanism
- --no-escape
- Turn off string escaping mechanism
- --prefix=PREFIX
- Injection payload prefix string
- --suffix=SUFFIX
- Injection payload suffix string
- --tamper=TAMPER
- Use given script(s) for tampering injection data
- Detection:
- These options can be used to customize the detection phase
- --level=LEVEL
- Level of tests to perform (1-5, default 1)
- --risk=RISK
- Risk of tests to perform (1-3, default 1)
- --string=STRING
- String to match when query is evaluated to True
- --not-string=NOT..
- String to match when query is evaluated to False
- --regexp=REGEXP
- Regexp to match when query is evaluated to True
- --code=CODE
- HTTP code to match when query is evaluated to True
- --text-only
- Compare pages based only on the textual content
- --titles
- Compare pages based only on their titles
- Techniques:
- These options can be used to tweak testing of specific SQL injection techniques
- --technique=TECH
- SQL injection techniques to use (default "BEUSTQ")
- --time-sec=TIMESEC
- Seconds to delay the DBMS response (default 5)
- --union-cols=UCOLS
- Range of columns to test for UNION query SQL injection
- --union-char=UCHAR
- Character to use for bruteforcing number of columns
- --union-from=UFROM
- Table to use in FROM part of UNION query SQL injection
- --dns-domain=DNS..
- Domain name used for DNS exfiltration attack
- --second-order=S..
- Resulting page URL searched for second-order response
- Fingerprint:
- -f, --fingerprint
- Perform an extensive DBMS version fingerprint
- Enumeration:
- These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover, you can run your own SQL statements
- -a, --all
- Retrieve everything
- -b, --banner
- Retrieve DBMS banner
- --current-user
- Retrieve DBMS current user
- --current-db
- Retrieve DBMS current database
- --hostname
- Retrieve DBMS server hostname
- --is-dba
- Detect if the DBMS current user is DBA
- --users
- Enumerate DBMS users
- --passwords
- Enumerate DBMS users' password hashes
- --privileges
- Enumerate DBMS users' privileges
- --roles
- Enumerate DBMS users' roles
- --dbs
- Enumerate DBMS databases
- --tables
- Enumerate DBMS database tables
- --columns
- Enumerate DBMS database table columns
- --schema
- Enumerate DBMS schema
- --count
- Retrieve number of entries for table(s)
- --dump
- Dump DBMS database table entries
- --dump-all
- Dump all DBMS databases tables entries
- --search
- Search column(s), table(s) and/or database name(s)
- --comments
- Retrieve DBMS comments
- -D DB
- DBMS database to enumerate
- -T TBL
- DBMS database table(s) to enumerate
- -C COL
- DBMS database table column(s) to enumerate
- -X EXCLUDECOL
- DBMS database table column(s) to not enumerate
- -U USER
- DBMS user to enumerate
- --exclude-sysdbs
- Exclude DBMS system databases when enumerating tables
- --where=DUMPWHERE
- Use WHERE condition while table dumping
- --start=LIMITSTART
- First query output entry to retrieve
- --stop=LIMITSTOP
- Last query output entry to retrieve
- --first=FIRSTCHAR
- First query output word character to retrieve
- --last=LASTCHAR
- Last query output word character to retrieve
- --sql-query=QUERY
- SQL statement to be executed
- --sql-shell
- Prompt for an interactive SQL shell
- --sql-file=SQLFILE
- Execute SQL statements from given file(s)
- Brute force:
- These options can be used to run brute force checks
- --common-tables
- Check existence of common tables
- --common-columns
- Check existence of common columns
- User-defined function injection:
- These options can be used to create custom user-defined functions
- --udf-inject
- Inject custom user-defined functions
- --shared-lib=SHLIB
- Local path of the shared library
- File system access:
- These options can be used to access the back-end database management system underlying file system
- --file-read=RFILE
- Read a file from the back-end DBMS file system
- --file-write=WFILE
- Write a local file on the back-end DBMS file system
- --file-dest=DFILE
- Back-end DBMS absolute filepath to write to
- Operating system access:
- These options can be used to access the back-end database management system underlying operating system
- --os-cmd=OSCMD
- Execute an operating system command
- --os-shell
- Prompt for an interactive operating system shell
- --os-pwn
- Prompt for an OOB shell, Meterpreter or VNC
- --os-smbrelay
- One click prompt for an OOB shell, Meterpreter or VNC
- --os-bof
- Stored procedure buffer overflow exploitation
- --priv-esc
- Database process user privilege escalation
- --msf-path=MSFPATH
- Local path where Metasploit Framework is installed
- --tmp-path=TMPPATH
- Remote absolute path of temporary files directory
- Windows registry access:
- These options can be used to access the back-end database management system Windows registry
- --reg-read
- Read a Windows registry key value
- --reg-add
- Write a Windows registry key value data
- --reg-del
- Delete a Windows registry key value
- --reg-key=REGKEY
- Windows registry key
- --reg-value=REGVAL
- Windows registry key value
- --reg-data=REGDATA
- Windows registry key value data
- --reg-type=REGTYPE
- Windows registry key value type
- General:
- These options can be used to set some general working parameters
- -s SESSIONFILE
- Load session from a stored (.sqlite) file
- -t TRAFFICFILE
- Log all HTTP traffic into a textual file
- --batch
- Never ask for user input, use the default behaviour
- --charset=CHARSET
- Force character encoding used for data retrieval
- --crawl=CRAWLDEPTH
- Crawl the website starting from the target URL
- --crawl-exclude=..
- Regexp to exclude pages from crawling (e.g. "logout")
- --csv-del=CSVDEL
- Delimiting character used in CSV output (default ",")
- --dump-format=DU..
- Format of dumped data (CSV (default), HTML or SQLITE)
- --eta
- Display for each output the estimated time of arrival
- --flush-session
- Flush session files for current target
- --forms
- Parse and test forms on target URL
- --fresh-queries
- Ignore query results stored in session file
- --hex
- Use DBMS hex function(s) for data retrieval
- --output-dir=OUT..
- Custom output directory path
- --parse-errors
- Parse and display DBMS error messages from responses
- --pivot-column=P..
- Pivot column name
- --save=SAVECONFIG
- Save options to a configuration INI file
- --scope=SCOPE
- Regexp to filter targets from provided proxy log
- --test-filter=TE..
- Select tests by payloads and/or titles (e.g. ROW)
- --test-skip=TEST..
- Skip tests by payloads and/or titles (e.g. BENCHMARK)
- --update
- Update sqlmap
- Miscellaneous:
- -z MNEMONICS
- Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
- --alert=ALERT
- Run host OS command(s) when SQL injection is found
- --answers=ANSWERS
- Set question answers (e.g. "quit=N,follow=N")
- --beep
- Beep on question and/or when SQL injection is found
- --cleanup
- Clean up the DBMS from sqlmap specific UDF and tables
- --dependencies
- Check for missing (non-core) sqlmap dependencies
- --disable-coloring
- Disable console output coloring
- --gpage=GOOGLEPAGE
- Use Google dork results from specified page number
- --identify-waf
- Perform thorough testing for WAF/IPS/IDS protection
- --skip-waf
- Skip heuristic detection of WAF/IPS/IDS protection
- --mobile
- Imitate smartphone through HTTP User-Agent header
- --offline
- Work in offline mode (only use session data)
- --page-rank
- Display page rank (PR) for Google dork results
- --purge-output
- Safely remove all content from output directory
- --smart
- Conduct thorough tests only if positive heuristic(s)
- --sqlmap-shell
- Prompt for an interactive sqlmap shell
- --wizard
- Simple wizard interface for beginner users