sqlmap/sqlmap.conf

# At least one of these options has to be specified to set the source to
# get target urls from.
[Target]

# Direct connection to the database.
# Examples:
#   mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
#   oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
direct = 

# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url = 

# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
logFile = 

# Load HTTP request from a file
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile = 

# Rather than providing a target url, let Google return target
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork = 


# These options can be used to specify how to connect to the target url.
[Request]

# Data string to be sent through POST.
data = 

# Character used for splitting cookie values
pDel = 

# HTTP Cookie header.
cookie = 

# File containing cookies in Netscape/wget format
loC = 

# URL-encode generated cookie injections.
# Valid: True or False
cookieUrlencode = False

# Ignore Set-Cookie header from response
# Valid: True or False
dropSetCookie = False

# HTTP User-Agent header. Useful to fake the HTTP User-Agent header value
# at each HTTP request
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
agent =

# Use randomly selected HTTP User-Agent header
# Valid: True or False
randomAgent = False

# HTTP Host header.
host = 

# HTTP Referer header. Useful to fake the HTTP Referer header value at
# each HTTP request.
referer = 

# Randomly change value for the given parameter
rParam = 

# Force usage of SSL/HTTPS requests
# Valid: True or False
forceSSL = False

# Extra HTTP headers
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 Accept-Language: en-us,en;q=0.5
 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

# HTTP Authentication type. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Valid: Basic, Digest or NTLM
aType = 

# HTTP authentication credentials. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Syntax: username:password
aCred = 

# HTTP Authentication certificate. Useful only if the target url requires
# logon certificate and you have such data.
# Syntax: key_file,cert_file
aCert = 

# Use a HTTP proxy to connect to the target url.
# Syntax: http://address:port
proxy = 

# HTTP proxy authentication credentials. Useful only if the proxy requires
# HTTP Basic or Digest authentication and you have such data.
# Syntax: username:password
pCred =

# Ignore system default HTTP proxy.
# Valid: True or False
ignoreProxy = False

# Delay in seconds between each HTTP request.
# Valid: float
# Default: 0
delay = 0

# Seconds to wait before timeout connection.
# Valid: float
# Default: 30
timeout = 30

# Maximum number of retries when the HTTP connection timeouts.
# Valid: integer
# Default: 3
retries = 3

# Regular expression for filtering targets from provided Burp.
# or WebScarab proxy log.
# Example: (google|yahoo)
scope = 

# Url address to visit frequently during testing.
# Example: http://192.168.1.121/index.html
safUrl = 

# Test requests between two visits to a given safe url (default 0).
# Valid: integer
# Default: 0
saFreq = 0

# Skip URL encoding of POST data
# Valid: True or False
skipUrlEncode = False

# Evaluate provided Python code before the request.
# Example: import hashlib;id2=hashlib.md5(id).hexdigest()
evalCode = 


# These options can be used to optimize the performance of sqlmap.
[Optimization]

# Use all optimization options.
# Valid: True or False
optimize = False

# Predict common queries output.
# Valid: True or False
predictOutput = False

# Use persistent HTTP(s) connections.
keepAlive = False

# Retrieve page length without actual HTTP response body.
# Valid: True or False
nullConnection = False

# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
# to be used in the inference SQL injection attack.
# Valid: integer
# Default: 1
threads = 1


# These options can be used to specify which parameters to test for,
# provide custom injection payloads and optional tampering scripts.
[Injection]

# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter = 

# Force back-end DBMS to this value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
# access, firebird, maxdb, sybase
dbms = 

# Force back-end DBMS operating system to this value. If this option is
# set, the back-end DBMS identification process will be minimized as
# needed.
# If not set, sqlmap will detect back-end DBMS operating system
# automatically by default.
# Valid: linux, windows
os = 

# Use big numbers for invalidating values.
# Valid: True or False
invalidBignum = False

# Use logical operations for invalidating values.
# Valid: True or False
invalidLogical = False

# Turn off payload casting mechanism
# Valid: True or False
noCast = False

# Injection payload prefix string.
prefix = 

# Injection payload suffix string.
suffix = 

# Skip testing for given parameter(s).
skip =

# Use given script(s) for tampering injection data.
tamper = 


# These options can be used to specify how to parse and compare page
# content from HTTP responses when using blind SQL injection technique.
[Detection]

# Level of tests to perform.
# The higher the value is, the higher the number of HTTP(s) requests are
# as well as the better chances to detect a tricky SQL injection.
# Valid: Integer between 1 and 5
# Default: 1
level = 1

# Risk of tests to perform.
# Note: boolean-based blind SQL injection tests with AND are considered
# risk 1, with OR are considered risk 3.
# Valid: Integer between 0 and 3
# Default: 1
risk = 1

# String to match within the raw response when the query is valid, only
# needed if the page content dynamically changes at each refresh.
# Refer to the user's manual for further details.
string = 

# Regular expression to match within the raw response when the query is
# valid, only needed if the needed if the page content dynamically changes
# at each refresh.
# Refer to the user's manual for further details.
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
regexp = 

# HTTP response code to match when the query is valid.
# Valid: Integer
# Example: 200 (assuming any False statement returns a different response
# code)
# code = 

# Compare pages based only on the textual content.
# Valid: True or False
textOnly = False

# Compare pages based only on their titles.
# Valid: True or False
titles = False


# These options can be used to tweak testing of specific SQL injection
# techniques.
[Techniques]

# SQL injection techniques to test for.
# Valid: a string composed by B, E, U, S and T where:
# B: Boolean-based blind SQL injection
# E: Error-based SQL injection
# U: UNION query SQL injection
# S: Stacked queries SQL injection
# T: Time-based blind SQL injection
# Example: ES (means test for error-based and stacked queries SQL
# injection types only)
# Default: BEUST (means test for all SQL injection types - recommended)
tech = BEUST

# Seconds to delay the response from the DBMS.
# Valid: integer
# Default: 5
timeSec = 5

# Range of columns to test for
# Valid: range of integers
# Example: 1-10
uCols = 

# Character to use for bruteforcing number of columns
# Valid: string
# Example: NULL
uChar = 


[Fingerprint]

# Perform an extensive back-end database management system fingerprint
# based on various techniques.
# Valid: True or False
extensiveFp = False


# These options can be used to enumerate the back-end database
# management system information, structure and data contained in the
# tables. Moreover you can run your own SQL statements.
[Enumeration]

# Retrieve back-end database management system banner.
# Valid: True or False
getBanner = False

# Retrieve back-end database management system current user.
# Valid: True or False
getCurrentUser = False

# Retrieve back-end database management system current database.
# Valid: True or False
getCurrentDb = False

# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False

# Enumerate back-end database management system users.
# Valid: True or False
getUsers = False

# Enumerate back-end database management system users password hashes.
# Valid: True or False
getPasswordHashes = False

# Enumerate back-end database management system users privileges.
# Valid: True or False
getPrivileges = False

# Enumerate back-end database management system users roles.
# Valid: True or False
getRoles = False

# Enumerate back-end database management system databases.
# Valid: True or False
getDbs = False

# Enumerate back-end database management system database tables.
# Optional: db
# Valid: True or False
getTables = False

# Enumerate back-end database management system database table columns.
# Optional: db, tbl, col
# Valid: True or False
getColumns = False

# Enumerate back-end database management system schema.
# Valid: True or False
getSchema = False

# Retrieve number of entries for table(s).
# Valid: True or False
getCount = False

# Dump back-end database management system database table entries.
# Requires: tbl and/or col
# Optional: db
# Valid: True or False
dumpTable = False

# Dump all back-end database management system databases tables entries.
# Valid: True or False
dumpAll = False

# Search column(s), table(s) and/or database name(s).
# Requires: db, tbl or col
# Valid: True or False
search = False

# Back-end database management system database to enumerate.
db = 

# Back-end database management system database table to enumerate.
tbl = 

# Back-end database management system database table column to enumerate.
col = 

# Back-end database management system database user to enumerate.
user = 

# Exclude DBMS system databases when enumerating tables.
# Valid: True or False
excludeSysDbs = False

# First query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will start to retrieve the query output entries from
# the first)
limitStart = 0

# Last query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will detect the number of query output entries and
# retrieve them until the last)
limitStop = 0

# First query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output from the first
# character)
firstChar = 0

# Last query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output until the last
# character)
lastChar = 0

# SQL statement to be executed.
# Example: SELECT 'foo', 'bar'
query = 

# Prompt for an interactive SQL shell.
# Valid: True or False
sqlShell = False


# These options can be used to run brute force checks.
[Brute force]

# Check existence of common tables.
# Valid: True or False
commonTables = False

# Check existence of common columns.
# Valid: True or False
commonColumns = False


# These options can be used to create custom user-defined functions.
[User-defined function]

# Inject custom user-defined functions
# Valid: True or False
udfInject = False

# Local path of the shared library
shLib = 


# These options can be used to access the back-end database management
# system underlying file system.
[File system]

# Read a specific file from the back-end DBMS underlying file system.
# Examples: /etc/passwd or C:\boot.ini
rFile = 

# Write a local file to a specific path on the back-end DBMS underlying
# file system.
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
wFile = 

# Back-end DBMS absolute filepath to write the file to.
dFile = 


# These options can be used to access the back-end database management
# system underlying operating system.
[Takeover]

# Execute an operating system command.
# Valid: operating system command
osCmd = 

# Prompt for an interactive operating system shell.
# Valid: True or False
osShell = False

# Prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osPwn = False

# One click prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osSmb = False

# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
# procedure heap-based buffer overflow (MS09-004) exploitation.
# Valid: True or False
osBof = False

# Database process' user privilege escalation.
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
# payload to be Meterpreter.
privEsc = False

# Local path where Metasploit Framework is installed.
# Valid: file system path
msfPath = 

# Remote absolute path of temporary files directory.
# Valid: absolute file system path
tmpPath = 


# These options can be used to access the back-end database management
# system Windows registry.
[Windows]

# Read a Windows registry key value.
# Valid: True or False
regRead = False

# Write a Windows registry key value data.
# Valid: True or False
regAdd = False

# Delete a Windows registry key value.
# Valid: True or False
regDel = False

# Windows registry key.
regKey = 

# Windows registry key value.
regVal = 

# Windows registry key value data.
regData = 

# Windows registry key value type.
regType = 


# These options can be used to set some general working parameters.
[General]

# Save and resume all data retrieved on a session file.
sessionFile = 

# Log all HTTP traffic into a textual file.
trafficFile = 

# Never ask for user input, use the default behaviour.
# Valid: True or False
batch = False

# Force character encoding used for data retrieval.
charset = 

# Check to see if Tor is used properly.
# Valid: True or False
checkTor = False

# Crawl the website starting from the target url.
# Valid: integer
# Default: 0
crawlDepth = 0

# Delimiting character used in CSV output.
# Default: ,
csvDel = ,

# Retrieve each query output length and calculate the estimated time of
# arrival in real time.
# Valid: True or False
eta = False

# Flush session file for current target.
# Valid: True or False
flushSession = False

# Parse and test forms on target url.
# Valid: True or False
forms = False

# Ignores query results stored in session file.
# Valid: True or False
freshQueries = False

# Uses DBMS hex function(s) for data retrieval.
# Valid: True or False
hexConvert = False

# Parse and display DBMS error messages from responses.
# Valid: True or False
parseErrors = False

# Replicate dumped data into a sqlite3 database.
# Valid: True or False
replicate = False

# Use Use Tor anonymity network.
# Valid: True or False
tor = False

# Set Tor proxy port other than default.
# Valid: integer
# torPort =

# Set Tor proxy type.
# Valid: HTTP, SOCKS4, SOCKS5
torType = HTTP

# Update sqlmap.
# Valid: True or False
updateAll = False


[Miscellaneous]

# Sound alert when SQL injection found.
beep = False

# Offline WAF/IPS/IDS payload detection testing.
checkPayload = False

# Check for existence of WAF/IPS/IDS protection.
checkWaf = False

# Clean up the DBMS by sqlmap specific UDF and tables.
# Valid: True or False
cleanup = False

# Show which sqlmap dependencies are not available.
# Valid: True or False
dependencies = False

# Use Google dork results from specified page number.
# Valid: integer
# Default: 1
googlePage = 1

# Imitate smartphone through HTTP User-Agent header.
# Valid: True or False
mobile = False

# Display page rank (PR) for Google dork results.
# Valid: True or False
pageRank = False

# Conduct through tests only if positive heuristic(s).
# Valid: True or False
smart = False

# Simple wizard interface for beginner users.
# Valid: True or False
wizard = False

# Verbosity level.
# Valid: integer between 0 and 6
# 0: Show only error and critical messages
# 1: Show also warning and info messages
# 2: Show also debug messages
# 3: Show also payloads injected
# 4: Show also HTTP requests
# 5: Show also HTTP responses' headers
# 6: Show also HTTP responses' page content
# Default: 1
verbose = 1