API tools faq
paste
Advertisement
rupakita

SQLMap Usage

rupakita
Nov 17th, 2016
349
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 13.31 KB | None | 0 0
raw download clone embed print report
  1. Usage: python sqlmap.py [options]
  2.  
  3. Options:
  4.   -h, --help            Show basic help message and exit
  5.   -hh                   Show advanced help message and exit
  6.   --version             Show program's version number and exit
  7.  -v VERBOSE            Verbosity level: 0-6 (default 1)
  8.  
  9.  Target:
  10.    At least one of these options has to be provided to define the
  11.    target(s)
  12.  
  13.    -d DIRECT           Connection string for direct database connection
  14.    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
  15.    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
  16.    -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file
  17.    -m BULKFILE         Scan multiple targets given in a textual file
  18.    -r REQUESTFILE      Load HTTP request from a file
  19.    -g GOOGLEDORK       Process Google dork results as target URLs
  20.    -c CONFIGFILE       Load options from a configuration INI file
  21.  
  22.  Request:
  23.    These options can be used to specify how to connect to the target URL
  24.  
  25.    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
  26.    --data=DATA         Data string to be sent through POST
  27.    --param-del=PARA..  Character used for splitting parameter values
  28.    --cookie=COOKIE     HTTP Cookie header value
  29.    --cookie-del=COO..  Character used for splitting cookie values
  30.    --load-cookies=L..  File containing cookies in Netscape/wget format
  31.    --drop-set-cookie   Ignore Set-Cookie header from response
  32.    --user-agent=AGENT  HTTP User-Agent header value
  33.    --random-agent      Use randomly selected HTTP User-Agent header value
  34.    --host=HOST         HTTP Host header value
  35.    --referer=REFERER   HTTP Referer header value
  36.    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
  37.    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
  38.    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
  39.    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
  40.    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
  41.    --ignore-401        Ignore HTTP Error 401 (Unauthorized)
  42.    --proxy=PROXY       Use a proxy to connect to the target URL
  43.    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
  44.    --proxy-file=PRO..  Load proxy list from a file
  45.    --ignore-proxy      Ignore system default proxy settings
  46.    --tor               Use Tor anonymity network
  47.    --tor-port=TORPORT  Set Tor proxy port other than default
  48.    --tor-type=TORTYPE  Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
  49.    --check-tor         Check to see if Tor is used properly
  50.    --delay=DELAY       Delay in seconds between each HTTP request
  51.    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
  52.    --retries=RETRIES   Retries when the connection timeouts (default 3)
  53.    --randomize=RPARAM  Randomly change value for given parameter(s)
  54.    --safe-url=SAFEURL  URL address to visit frequently during testing
  55.    --safe-post=SAFE..  POST data to send to a safe URL
  56.    --safe-req=SAFER..  Load safe HTTP request from a file
  57.    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
  58.    --skip-urlencode    Skip URL encoding of payload data
  59.    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
  60.    --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
  61.    --force-ssl         Force usage of SSL/HTTPS
  62.    --hpp               Use HTTP parameter pollution method
  63.    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
  64.                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  65.  
  66.  Optimization:
  67.    These options can be used to optimize the performance of sqlmap
  68.  
  69.    -o                  Turn on all optimization switches
  70.    --predict-output    Predict common queries output
  71.    --keep-alive        Use persistent HTTP(s) connections
  72.    --null-connection   Retrieve page length without actual HTTP response body
  73.    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  74.  
  75.  Injection:
  76.    These options can be used to specify which parameters to test for,
  77.    provide custom injection payloads and optional tampering scripts
  78.  
  79.    -p TESTPARAMETER    Testable parameter(s)
  80.    --skip=SKIP         Skip testing for given parameter(s)
  81.    --skip-static       Skip testing parameters that not appear dynamic
  82.    --dbms=DBMS         Force back-end DBMS to this value
  83.    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
  84.    --os=OS             Force back-end DBMS operating system to this value
  85.    --invalid-bignum    Use big numbers for invalidating values
  86.    --invalid-logical   Use logical operations for invalidating values
  87.    --invalid-string    Use random strings for invalidating values
  88.    --no-cast           Turn off payload casting mechanism
  89.    --no-escape         Turn off string escaping mechanism
  90.    --prefix=PREFIX     Injection payload prefix string
  91.    --suffix=SUFFIX     Injection payload suffix string
  92.    --tamper=TAMPER     Use given script(s) for tampering injection data
  93.  
  94.  Detection:
  95.    These options can be used to customize the detection phase
  96.  
  97.    --level=LEVEL       Level of tests to perform (1-5, default 1)
  98.    --risk=RISK         Risk of tests to perform (1-3, default 1)
  99.    --string=STRING     String to match when query is evaluated to True
  100.    --not-string=NOT..  String to match when query is evaluated to False
  101.    --regexp=REGEXP     Regexp to match when query is evaluated to True
  102.    --code=CODE         HTTP code to match when query is evaluated to True
  103.    --text-only         Compare pages based only on the textual content
  104.    --titles            Compare pages based only on their titles
  105.  
  106.  Techniques:
  107.    These options can be used to tweak testing of specific SQL injection
  108.    techniques
  109.  
  110.    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
  111.    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
  112.    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
  113.    --union-char=UCHAR  Character to use for bruteforcing number of columns
  114.    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
  115.    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
  116.    --second-order=S..  Resulting page URL searched for second-order response
  117.  
  118.  Fingerprint:
  119.    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  120.  
  121.  Enumeration:
  122.    These options can be used to enumerate the back-end database
  123.    management system information, structure and data contained in the
  124.    tables. Moreover you can run your own SQL statements
  125.  
  126.    -a, --all           Retrieve everything
  127.    -b, --banner        Retrieve DBMS banner
  128.    --current-user      Retrieve DBMS current user
  129.    --current-db        Retrieve DBMS current database
  130.    --hostname          Retrieve DBMS server hostname
  131.    --is-dba            Detect if the DBMS current user is DBA
  132.    --users             Enumerate DBMS users
  133.    --passwords         Enumerate DBMS users password hashes
  134.    --privileges        Enumerate DBMS users privileges
  135.    --roles             Enumerate DBMS users roles
  136.    --dbs               Enumerate DBMS databases
  137.    --tables            Enumerate DBMS database tables
  138.    --columns           Enumerate DBMS database table columns
  139.    --schema            Enumerate DBMS schema
  140.    --count             Retrieve number of entries for table(s)
  141.    --dump              Dump DBMS database table entries
  142.    --dump-all          Dump all DBMS databases tables entries
  143.    --search            Search column(s), table(s) and/or database name(s)
  144.    --comments          Retrieve DBMS comments
  145.    -D DB               DBMS database to enumerate
  146.    -T TBL              DBMS database table(s) to enumerate
  147.    -C COL              DBMS database table column(s) to enumerate
  148.    -X EXCLUDECOL       DBMS database table column(s) to not enumerate
  149.    -U USER             DBMS user to enumerate
  150.    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
  151.    --pivot-column=P..  Pivot column name
  152.    --where=DUMPWHERE   Use WHERE condition while table dumping
  153.    --start=LIMITSTART  First query output entry to retrieve
  154.    --stop=LIMITSTOP    Last query output entry to retrieve
  155.    --first=FIRSTCHAR   First query output word character to retrieve
  156.    --last=LASTCHAR     Last query output word character to retrieve
  157.    --sql-query=QUERY   SQL statement to be executed
  158.    --sql-shell         Prompt for an interactive SQL shell
  159.    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  160.  
  161.  Brute force:
  162.    These options can be used to run brute force checks
  163.  
  164.    --common-tables     Check existence of common tables
  165.    --common-columns    Check existence of common columns
  166.  
  167.  User-defined function injection:
  168.    These options can be used to create custom user-defined functions
  169.  
  170.    --udf-inject        Inject custom user-defined functions
  171.    --shared-lib=SHLIB  Local path of the shared library
  172.  
  173.  File system access:
  174.    These options can be used to access the back-end database management
  175.    system underlying file system
  176.  
  177.    --file-read=RFILE   Read a file from the back-end DBMS file system
  178.    --file-write=WFILE  Write a local file on the back-end DBMS file system
  179.    --file-dest=DFILE   Back-end DBMS absolute filepath to write to
  180.  
  181.  Operating system access:
  182.    These options can be used to access the back-end database management
  183.    system underlying operating system
  184.  
  185.    --os-cmd=OSCMD      Execute an operating system command
  186.    --os-shell          Prompt for an interactive operating system shell
  187.    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
  188.    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
  189.    --os-bof            Stored procedure buffer overflow exploitation
  190.    --priv-esc          Database process user privilege escalation
  191.    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
  192.    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  193.  
  194.  Windows registry access:
  195.    These options can be used to access the back-end database management
  196.    system Windows registry
  197.  
  198.    --reg-read          Read a Windows registry key value
  199.    --reg-add           Write a Windows registry key value data
  200.    --reg-del           Delete a Windows registry key value
  201.    --reg-key=REGKEY    Windows registry key
  202.    --reg-value=REGVAL  Windows registry key value
  203.    --reg-data=REGDATA  Windows registry key value data
  204.    --reg-type=REGTYPE  Windows registry key value type
  205.  
  206.  General:
  207.    These options can be used to set some general working parameters
  208.  
  209.    -s SESSIONFILE      Load session from a stored (.sqlite) file
  210.    -t TRAFFICFILE      Log all HTTP traffic into a textual file
  211.    --batch             Never ask for user input, use the default behaviour
  212.    --binary-fields=..  Result fields having binary values (e.g. "digest")
  213.    --charset=CHARSET   Force character encoding used for data retrieval
  214.    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
  215.    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
  216.    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
  217.    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
  218.    --eta               Display for each output the estimated time of arrival
  219.    --flush-session     Flush session files for current target
  220.    --forms             Parse and test forms on target URL
  221.    --fresh-queries     Ignore query results stored in session file
  222.    --hex               Use DBMS hex function(s) for data retrieval
  223.    --output-dir=OUT..  Custom output directory path
  224.    --parse-errors      Parse and display DBMS error messages from responses
  225.    --save=SAVECONFIG   Save options to a configuration INI file
  226.    --scope=SCOPE       Regexp to filter targets from provided proxy log
  227.    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
  228.    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
  229.    --update            Update sqlmap
  230.  
  231.  Miscellaneous:
  232.    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
  233.    --alert=ALERT       Run host OS command(s) when SQL injection is found
  234.    --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")
  235.    --beep              Beep on question and/or when SQL injection is found
  236.    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
  237.    --dependencies      Check for missing (non-core) sqlmap dependencies
  238.    --disable-coloring  Disable console output coloring
  239.    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
  240.    --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection
  241.    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection
  242.    --mobile            Imitate smartphone through HTTP User-Agent header
  243.    --offline           Work in offline mode (only use session data)
  244.    --page-rank         Display page rank (PR) for Google dork results
  245.    --purge-output      Safely remove all content from output directory
  246.    --smart             Conduct thorough tests only if positive heuristic(s)
  247.    --sqlmap-shell      Prompt for an interactive sqlmap shell
  248.    --wizard            Simple wizard interface for beginner users
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!