sqlmap(1)
automatic SQL injection tool
SYNOPSIS
python sqlmap [options]
OPTIONS
- -h, --help
  Show basic help message and exit
- -hh
  Show advanced help message and exit
- --version
  Show program's version number and exit
- -v VERBOSE
  Verbosity level: 0-6 (default 1)

Target:
At least one of these options has to be provided to define the target(s)
- -d DIRECT
  Connection string for direct database connection
- -u URL, --url=URL
  Target URL (e.g. "http://www.site.com/vuln.php?id=1")
- -l LOGFILE
  Parse target(s) from Burp or WebScarab proxy log file
- -x SITEMAPURL
  Parse target(s) from remote sitemap(.xml) file
- -m BULKFILE
  Scan multiple targets given in a textual file
- -r REQUESTFILE
  Load HTTP request from a file
- -g GOOGLEDORK
  Process Google dork results as target URLs
- -c CONFIGFILE
  Load options from a configuration INI file

Request:
These options can be used to specify how to connect to the target URL
- --method=METHOD
  Force usage of given HTTP method (e.g. PUT)
- --data=DATA
  Data string to be sent through POST
- --param-del=PARA..
  Character used for splitting parameter values
- --cookie=COOKIE
  HTTP Cookie header value
- --cookie-del=COO..
  Character used for splitting cookie values
- --load-cookies=L..
  File containing cookies in Netscape/wget format
- --drop-set-cookie
  Ignore Set-Cookie header from response
- --user-agent=AGENT
  HTTP User-Agent header value
- --random-agent
  Use randomly selected HTTP User-Agent header value
- --host=HOST
  HTTP Host header value
- --referer=REFERER
  HTTP Referer header value
- -H HEADER, --hea..
  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
- --headers=HEADERS
  Extra headers (e.g. "Accept-Language: fr\nETag: 123")
- --auth-type=AUTH..
  HTTP authentication type (Basic, Digest, NTLM or PKI)
- --auth-cred=AUTH..
  HTTP authentication credentials (name:password)
- --auth-file=AUTH..
  HTTP authentication PEM cert/private key file
- --ignore-401
  Ignore HTTP Error 401 (Unauthorized)
- --proxy=PROXY
  Use a proxy to connect to the target URL
- --proxy-cred=PRO..
  Proxy authentication credentials (name:password)
- --proxy-file=PRO..
  Load proxy list from a file
- --ignore-proxy
  Ignore system default proxy settings
- --tor
  Use Tor anonymity network
- --tor-port=TORPORT
  Set Tor proxy port other than default
- --tor-type=TORTYPE
  Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
- --check-tor
  Check to see if Tor is used properly
- --delay=DELAY
  Delay in seconds between each HTTP request
- --timeout=TIMEOUT
  Seconds to wait before connection timeout (default 30)
- --retries=RETRIES
  Retries when the connection times out (default 3)
- --randomize=RPARAM
  Randomly change value for given parameter(s)
- --safe-url=SAFEURL
  URL address to visit frequently during testing
- --safe-post=SAFE..
  POST data to send to a safe URL
- --safe-req=SAFER..
  Load safe HTTP request from a file
- --safe-freq=SAFE..
  Test requests between two visits to a given safe URL
- --skip-urlencode
  Skip URL encoding of payload data
- --csrf-token=CSR..
  Parameter used to hold anti-CSRF token
- --csrf-url=CSRFURL
  URL address to visit to extract anti-CSRF token
- --force-ssl
  Force usage of SSL/HTTPS
- --hpp
  Use HTTP parameter pollution method
- --eval=EVALCODE
  Evaluate provided Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")

Optimization:
These options can be used to optimize the performance of sqlmap
- -o
  Turn on all optimization switches
- --predict-output
  Predict common queries output
- --keep-alive
  Use persistent HTTP(s) connections
- --null-connection
  Retrieve page length without actual HTTP response body
- --threads=THREADS
  Max number of concurrent HTTP(s) requests (default 1)

Injection:
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
- -p TESTPARAMETER
  Testable parameter(s)
- --skip=SKIP
  Skip testing for given parameter(s)
- --skip-static
  Skip testing parameters that do not appear dynamic
- --dbms=DBMS
  Force back-end DBMS to this value
- --dbms-cred=DBMS..
  DBMS authentication credentials (user:password)
- --os=OS
  Force back-end DBMS operating system to this value
- --invalid-bignum
  Use big numbers for invalidating values
- --invalid-logical
  Use logical operations for invalidating values
- --invalid-string
  Use random strings for invalidating values
- --no-cast
  Turn off payload casting mechanism
- --no-escape
  Turn off string escaping mechanism
- --prefix=PREFIX
  Injection payload prefix string
- --suffix=SUFFIX
  Injection payload suffix string
- --tamper=TAMPER
  Use given script(s) for tampering injection data

Detection:
These options can be used to customize the detection phase
- --level=LEVEL
  Level of tests to perform (1-5, default 1)
- --risk=RISK
  Risk of tests to perform (1-3, default 1)
- --string=STRING
  String to match when query is evaluated to True
- --not-string=NOT..
  String to match when query is evaluated to False
- --regexp=REGEXP
  Regexp to match when query is evaluated to True
- --code=CODE
  HTTP code to match when query is evaluated to True
- --text-only
  Compare pages based only on the textual content
- --titles
  Compare pages based only on their titles

Techniques:
These options can be used to tweak testing of specific SQL injection techniques
- --technique=TECH
  SQL injection techniques to use (default "BEUSTQ")
- --time-sec=TIMESEC
  Seconds to delay the DBMS response (default 5)
- --union-cols=UCOLS
  Range of columns to test for UNION query SQL injection
- --union-char=UCHAR
  Character to use for bruteforcing number of columns
- --union-from=UFROM
  Table to use in FROM part of UNION query SQL injection
- --dns-domain=DNS..
  Domain name used for DNS exfiltration attack
- --second-order=S..
  Resulting page URL searched for second-order response

Fingerprint:
- -f, --fingerprint
  Perform an extensive DBMS version fingerprint

Enumeration:
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements
- -a, --all
  Retrieve everything
- -b, --banner
  Retrieve DBMS banner
- --current-user
  Retrieve DBMS current user
- --current-db
  Retrieve DBMS current database
- --hostname
  Retrieve DBMS server hostname
- --is-dba
  Detect if the DBMS current user is DBA
- --users
  Enumerate DBMS users
- --passwords
  Enumerate DBMS users password hashes
- --privileges
  Enumerate DBMS users privileges
- --roles
  Enumerate DBMS users roles
- --dbs
  Enumerate DBMS databases
- --tables
  Enumerate DBMS database tables
- --columns
  Enumerate DBMS database table columns
- --schema
  Enumerate DBMS schema
- --count
  Retrieve number of entries for table(s)
- --dump
  Dump DBMS database table entries
- --dump-all
  Dump all DBMS databases tables entries
- --search
  Search column(s), table(s) and/or database name(s)
- --comments
  Retrieve DBMS comments
- -D DB
  DBMS database to enumerate
- -T TBL
  DBMS database table(s) to enumerate
- -C COL
  DBMS database table column(s) to enumerate
- -X EXCLUDECOL
  DBMS database table column(s) to not enumerate
- -U USER
  DBMS user to enumerate
- --exclude-sysdbs
  Exclude DBMS system databases when enumerating tables
- --where=DUMPWHERE
  Use WHERE condition while table dumping
- --start=LIMITSTART
  First query output entry to retrieve
- --stop=LIMITSTOP
  Last query output entry to retrieve
- --first=FIRSTCHAR
  First query output word character to retrieve
- --last=LASTCHAR
  Last query output word character to retrieve
- --sql-query=QUERY
  SQL statement to be executed
- --sql-shell
  Prompt for an interactive SQL shell
- --sql-file=SQLFILE
  Execute SQL statements from given file(s)

Brute force:
These options can be used to run brute force checks
- --common-tables
  Check existence of common tables
- --common-columns
  Check existence of common columns

User-defined function injection:
These options can be used to create custom user-defined functions
- --udf-inject
  Inject custom user-defined functions
- --shared-lib=SHLIB
  Local path of the shared library

File system access:
These options can be used to access the back-end database management system underlying file system
- --file-read=RFILE
  Read a file from the back-end DBMS file system
- --file-write=WFILE
  Write a local file on the back-end DBMS file system
- --file-dest=DFILE
  Back-end DBMS absolute filepath to write to

Operating system access:
These options can be used to access the back-end database management system underlying operating system
- --os-cmd=OSCMD
  Execute an operating system command
- --os-shell
  Prompt for an interactive operating system shell
- --os-pwn
  Prompt for an OOB shell, Meterpreter or VNC
- --os-smbrelay
  One click prompt for an OOB shell, Meterpreter or VNC
- --os-bof
  Stored procedure buffer overflow exploitation
- --priv-esc
  Database process user privilege escalation
- --msf-path=MSFPATH
  Local path where Metasploit Framework is installed
- --tmp-path=TMPPATH
  Remote absolute path of temporary files directory

Windows registry access:
These options can be used to access the back-end database management system Windows registry
- --reg-read
  Read a Windows registry key value
- --reg-add
  Write a Windows registry key value data
- --reg-del
  Delete a Windows registry key value
- --reg-key=REGKEY
  Windows registry key
- --reg-value=REGVAL
  Windows registry key value
- --reg-data=REGDATA
  Windows registry key value data
- --reg-type=REGTYPE
  Windows registry key value type

General:
These options can be used to set some general working parameters
- -s SESSIONFILE
  Load session from a stored (.sqlite) file
- -t TRAFFICFILE
  Log all HTTP traffic into a textual file
- --batch
  Never ask for user input, use the default behaviour
- --charset=CHARSET
  Force character encoding used for data retrieval
- --crawl=CRAWLDEPTH
  Crawl the website starting from the target URL
- --crawl-exclude=..
  Regexp to exclude pages from crawling (e.g. "logout")
- --csv-del=CSVDEL
  Delimiting character used in CSV output (default ",")
- --dump-format=DU..
  Format of dumped data (CSV (default), HTML or SQLITE)
- --eta
  Display for each output the estimated time of arrival
- --flush-session
  Flush session files for current target
- --forms
  Parse and test forms on target URL
- --fresh-queries
  Ignore query results stored in session file
- --hex
  Use DBMS hex function(s) for data retrieval
- --output-dir=OUT..
  Custom output directory path
- --parse-errors
  Parse and display DBMS error messages from responses
- --pivot-column=P..
  Pivot column name
- --save=SAVECONFIG
  Save options to a configuration INI file
- --scope=SCOPE
  Regexp to filter targets from provided proxy log
- --test-filter=TE..
  Select tests by payloads and/or titles (e.g. ROW)
- --test-skip=TEST..
  Skip tests by payloads and/or titles (e.g. BENCHMARK)
- --update
  Update sqlmap

Miscellaneous:
- -z MNEMONICS
  Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
- --alert=ALERT
  Run host OS command(s) when SQL injection is found
- --answers=ANSWERS
  Set question answers (e.g. "quit=N,follow=N")
- --beep
  Beep on question and/or when SQL injection is found
- --cleanup
  Clean up the DBMS from sqlmap specific UDF and tables
- --dependencies
  Check for missing (non-core) sqlmap dependencies
- --disable-coloring
  Disable console output coloring
- --gpage=GOOGLEPAGE
  Use Google dork results from specified page number
- --identify-waf
  Perform thorough testing for WAF/IPS/IDS protection
- --skip-waf
  Skip heuristic detection of WAF/IPS/IDS protection
- --mobile
  Imitate smartphone through HTTP User-Agent header
- --offline
  Work in offline mode (only use session data)
- --page-rank
  Display page rank (PR) for Google dork results
- --purge-output
  Safely remove all content from output directory
- --smart
  Conduct thorough tests only if positive heuristic(s)
- --sqlmap-shell
  Prompt for an interactive sqlmap shell
- --wizard
  Simple wizard interface for beginner users