sqlmap/sqlmap.conf

873 lines
21 KiB
Plaintext
Raw Permalink Normal View History

2010-03-12 02:54:07 +03:00
# At least one of these options has to be specified to set the source to
2013-03-15 20:00:01 +04:00
# get target URLs from.
[Target]
2008-10-15 19:38:22 +04:00
2019-11-21 13:36:13 +03:00
# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url =
# Direct connection to the database.
# Examples:
# mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
# oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
direct =
# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
logFile =
2008-10-15 19:38:22 +04:00
2013-08-09 16:13:48 +04:00
# Scan multiple targets enlisted in a given textual file
bulkFile =
2010-01-14 23:42:45 +03:00
# Load HTTP request from a file
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile =
2013-03-15 20:00:01 +04:00
# Rather than providing a target URL, let Google return target
2008-10-15 19:38:22 +04:00
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =
2010-03-12 02:54:07 +03:00
2013-03-15 20:00:01 +04:00
# These options can be used to specify how to connect to the target URL.
[Request]
2008-10-15 19:38:22 +04:00
2014-11-21 11:41:39 +03:00
# Force usage of given HTTP method (e.g. PUT).
method =
2018-10-15 03:15:05 +03:00
# Data string to be sent through POST (e.g. "id=1").
2008-10-15 19:38:22 +04:00
data =
2018-10-15 03:15:05 +03:00
# Character used for splitting parameter values (e.g. &).
2014-04-06 18:48:46 +04:00
paramDel =
2018-10-15 03:15:05 +03:00
# HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..").
2008-10-15 19:38:22 +04:00
cookie =
2018-10-15 03:15:05 +03:00
# Character used for splitting cookie values (e.g. ;).
2014-04-06 18:50:58 +04:00
cookieDel =
2013-07-31 22:41:19 +04:00
# Live cookies file used for loading up-to-date values.
liveCookies =
2014-11-21 11:41:39 +03:00
# File containing cookies in Netscape/wget format.
2012-07-24 17:34:50 +04:00
loadCookies =
2012-03-07 18:48:45 +04:00
2014-11-21 11:41:39 +03:00
# Ignore Set-Cookie header from response.
# Valid: True or False
dropSetCookie = False
2008-10-15 19:38:22 +04:00
2014-04-01 18:38:50 +04:00
# HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value
2014-11-21 11:41:39 +03:00
# at each HTTP request.
2008-10-15 19:38:22 +04:00
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
2011-02-02 17:51:12 +03:00
agent =
2019-08-13 15:55:26 +03:00
# Imitate smartphone through HTTP User-Agent header.
# Valid: True or False
mobile = False
2014-11-21 11:41:39 +03:00
# Use randomly selected HTTP User-Agent header value.
2011-02-02 17:51:12 +03:00
# Valid: True or False
randomAgent = False
2008-10-15 19:38:22 +04:00
2014-04-01 18:38:50 +04:00
# HTTP Host header value.
host =
2008-10-15 19:38:22 +04:00
# HTTP Referer header. Useful to fake the HTTP Referer header value at
# each HTTP request.
referer =
# Extra HTTP headers
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
2013-03-15 20:00:01 +04:00
# HTTP Authentication type. Useful only if the target URL requires
# HTTP Basic, Digest, Bearer or NTLM authentication and you have such data.
# Valid: Basic, Digest, Bearer, NTLM or PKI
2013-08-09 16:13:48 +04:00
authType =
2008-10-15 19:38:22 +04:00
2013-03-15 20:00:01 +04:00
# HTTP authentication credentials. Useful only if the target URL requires
# HTTP Basic, Digest, Token or NTLM authentication and you have such data.
2008-10-15 19:38:22 +04:00
# Syntax: username:password
2013-08-09 16:13:48 +04:00
authCred =
2008-10-15 19:38:22 +04:00
2015-09-27 16:59:17 +03:00
# HTTP Authentication PEM private/cert key file. Useful only if the target URL requires
# PKI authentication and you have such data.
# Syntax: key_file
2015-09-27 16:59:17 +03:00
authFile =
2010-01-07 15:59:09 +03:00
2018-10-15 03:15:05 +03:00
# Ignore (problematic) HTTP error code (e.g. 401).
2017-08-23 14:17:37 +03:00
# Valid: integer
ignoreCode =
2016-10-14 00:17:54 +03:00
# Ignore system default proxy settings.
# Valid: True or False
ignoreProxy = False
# Ignore redirection attempts.
# Valid: True or False
ignoreRedirects = False
2016-10-14 00:17:54 +03:00
# Ignore connection timeouts.
# Valid: True or False
ignoreTimeouts = False
# Use a proxy to connect to the target URL.
2014-04-06 19:13:23 +04:00
# Syntax: (http|https|socks4|socks5)://address:port
2008-10-15 19:38:22 +04:00
proxy =
# Proxy authentication credentials. Useful only if the proxy requires
# Basic or Digest authentication and you have such data.
2010-10-15 14:28:06 +04:00
# Syntax: username:password
2013-08-09 16:13:48 +04:00
proxyCred =
# Load proxy list from a file
proxyFile =
2010-10-15 14:28:06 +04:00
2013-04-30 16:11:56 +04:00
# Use Tor anonymity network.
# Valid: True or False
tor = False
# Set Tor proxy port other than default.
# Valid: integer
# torPort =
# Set Tor proxy type.
# Valid: HTTP, SOCKS4, SOCKS5
torType = SOCKS5
2013-04-30 16:11:56 +04:00
# Check to see if Tor is used properly.
# Valid: True or False
checkTor = False
# Delay in seconds between each HTTP request.
# Valid: float
# Default: 0
delay = 0
# Seconds to wait before timeout connection.
# Valid: float
# Default: 30
timeout = 30
# Maximum number of retries when the HTTP connection timeouts.
# Valid: integer
# Default: 3
retries = 3
2021-11-01 23:50:16 +03:00
# Retry request on regexp matching content.
2021-11-02 00:00:26 +03:00
retryOn =
2021-11-01 23:50:16 +03:00
2013-04-02 19:34:56 +04:00
# Randomly change value for the given parameter.
rParam =
2013-03-15 20:00:01 +04:00
# URL address to visit frequently during testing.
# Example: http://192.168.1.121/index.html
2015-04-21 01:02:47 +03:00
safeUrl =
2015-04-21 00:55:59 +03:00
# POST data to send to a safe URL.
# Example: username=admin&password=passw0rd!
2015-04-21 01:02:47 +03:00
safePost =
2015-04-21 00:55:59 +03:00
2015-04-22 17:28:54 +03:00
# Load safe HTTP request from a file.
safeReqFile =
2020-01-07 13:48:02 +03:00
# Regular requests between visits to a safe URL (default 0).
# Valid: integer
# Default: 0
2015-04-21 01:02:47 +03:00
safeFreq = 0
2019-09-09 14:56:37 +03:00
# Skip URL encoding of payload data.
# Valid: True or False
skipUrlEncode = False
2019-09-09 14:56:37 +03:00
# Parameter used to hold anti-CSRF token.
2014-11-17 13:50:05 +03:00
csrfToken =
# URL address to visit to extract anti-CSRF token
csrfUrl =
2019-09-09 14:56:37 +03:00
# HTTP method to use during anti-CSRF token page visit.
csrfMethod =
# Retries for anti-CSRF token retrieval.
csrfRetries =
2013-04-30 15:56:38 +04:00
# Force usage of SSL/HTTPS
# Valid: True or False
forceSSL = False
2010-03-12 02:54:07 +03:00
2019-03-19 16:48:12 +03:00
# Use HTTP chunked transfer encoded requests.
2019-03-19 16:07:39 +03:00
# Valid: True or False
chunked = False
2013-04-30 16:32:11 +04:00
# Use HTTP parameter pollution.
# Valid: True or False
hpp = False
2013-04-30 15:59:44 +04:00
# Evaluate provided Python code before the request.
# Example: import hashlib;id2=hashlib.md5(id).hexdigest()
evalCode =
# These options can be used to optimize the performance of sqlmap.
[Optimization]
# Use all optimization options.
# Valid: True or False
optimize = False
# Predict common queries output.
# Valid: True or False
predictOutput = False
# Use persistent HTTP(s) connections.
keepAlive = False
# Retrieve page length without actual HTTP response body.
# Valid: True or False
nullConnection = False
# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
# to be used in the inference SQL injection attack.
# Valid: integer
# Default: 1
threads = 1
2010-03-12 02:54:07 +03:00
# These options can be used to specify which parameters to test for,
2010-11-08 13:11:43 +03:00
# provide custom injection payloads and optional tampering scripts.
2008-10-15 19:38:22 +04:00
[Injection]
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =
2013-04-04 16:21:57 +04:00
# Skip testing for given parameter(s).
skip =
2016-10-26 22:41:57 +03:00
# Skip testing parameters that not appear to be dynamic.
2015-05-18 21:57:15 +03:00
# Valid: True or False
skipStatic = False
# Regexp to exclude parameters from testing (e.g. "ses").
paramExclude =
2019-05-17 12:00:51 +03:00
# Select testable parameter(s) by place (e.g. "POST").
paramFilter =
2018-06-07 01:24:29 +03:00
# Force back-end DBMS to provided value. If this option is set, the back-end
2008-10-15 19:38:22 +04:00
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
# access, firebird, maxdb, sybase
2008-10-15 19:38:22 +04:00
dbms =
2013-04-30 16:05:50 +04:00
# DBMS authentication credentials (user:password). Useful if you want to
# run SQL statements as another user, the back-end database management
# system is PostgreSQL or Microsoft SQL Server and the parameter is
# vulnerable by stacked queries SQL injection or you are connecting directly
# to the DBMS (-d switch).
# Syntax: username:password
dbmsCred =
2018-06-07 01:24:29 +03:00
# Force back-end DBMS operating system to provided value. If this option is
# set, the back-end DBMS identification process will be minimized as
# needed.
# If not set, sqlmap will detect back-end DBMS operating system
# automatically by default.
# Valid: linux, windows
os =
# Use big numbers for invalidating values.
# Valid: True or False
invalidBignum = False
# Use logical operations for invalidating values.
2011-10-24 04:40:06 +04:00
# Valid: True or False
invalidLogical = False
2014-01-24 00:56:06 +04:00
# Use random strings for invalidating values.
# Valid: True or False
invalidString = False
# Turn off payload casting mechanism
# Valid: True or False
noCast = False
2011-10-24 04:40:06 +04:00
2013-01-18 18:40:37 +04:00
# Turn off string escaping mechanism
2012-07-16 13:07:47 +04:00
# Valid: True or False
2013-01-18 18:40:37 +04:00
noEscape = False
2012-07-16 13:07:47 +04:00
# Injection payload prefix string.
prefix =
# Injection payload suffix string.
suffix =
# Use given script(s) for tampering injection data.
2010-11-08 13:11:43 +03:00
tamper =
# These options can be used to specify how to parse and compare page
# content from HTTP responses when using blind SQL injection technique.
[Detection]
# Level of tests to perform.
# The higher the value is, the higher the number of HTTP(s) requests are
# as well as the better chances to detect a tricky SQL injection.
# Valid: Integer between 1 and 5
# Default: 1
level = 1
# Risk of tests to perform.
# Note: boolean-based blind SQL injection tests with AND are considered
# risk 1, with OR are considered risk 3.
2015-03-30 12:58:09 +03:00
# Valid: Integer between 1 and 3
# Default: 1
risk = 1
2012-07-07 13:41:52 +04:00
# String to match within the raw response when the query is evaluated to
# True, only needed if the page content dynamically changes at each refresh.
2010-11-17 12:15:40 +03:00
# Refer to the user's manual for further details.
string =
2012-07-26 14:06:02 +04:00
# String to match within the raw response when the query is evaluated to
# False, only needed if the page content dynamically changes at each refresh.
# Refer to the user's manual for further details.
notString =
# Regular expression to match within the raw response when the query is
2012-07-07 13:41:52 +04:00
# evaluated to True, only needed if the needed if the page content
# dynamically changes at each refresh.
# Refer to the user's manual for further details.
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
regexp =
2012-07-07 13:41:52 +04:00
# HTTP response code to match when the query is True.
2012-01-05 14:24:27 +04:00
# Valid: Integer
# Example: 200 (assuming any False statement returns a different response
# code)
2012-01-05 14:24:27 +04:00
# code =
2019-08-13 15:55:26 +03:00
# Conduct thorough tests only if positive heuristic(s).
# Valid: True or False
smart = False
# Compare pages based only on the textual content.
# Valid: True or False
textOnly = False
# Compare pages based only on their titles.
# Valid: True or False
titles = False
2010-03-12 02:54:07 +03:00
2011-03-08 01:04:17 +03:00
# These options can be used to tweak testing of specific SQL injection
# techniques.
[Techniques]
2013-03-15 19:37:52 +04:00
# SQL injection techniques to use.
2013-03-15 19:55:27 +04:00
# Valid: a string composed by B, E, U, S, T and Q where:
2011-04-07 14:00:47 +04:00
# B: Boolean-based blind SQL injection
# E: Error-based SQL injection
# U: UNION query SQL injection
# S: Stacked queries SQL injection
# T: Time-based blind SQL injection
2013-03-15 19:55:27 +04:00
# Q: Inline SQL injection
2011-04-07 14:00:47 +04:00
# Example: ES (means test for error-based and stacked queries SQL
# injection types only)
2012-12-05 13:45:17 +04:00
# Default: BEUSTQ (means test for all SQL injection types - recommended)
2019-06-07 01:21:43 +03:00
technique = BEUSTQ
# Seconds to delay the response from the DBMS.
# Valid: integer
# Default: 5
timeSec = 5
2018-06-19 17:23:17 +03:00
# Range of columns to test for.
# Valid: range of integers
# Example: 1-10
uCols =
2018-06-19 17:23:17 +03:00
# Character to use for bruteforcing number of columns.
# Valid: string
# Example: NULL
uChar =
2018-06-19 17:23:17 +03:00
# Table to use in FROM part of UNION query SQL injection.
2013-03-21 14:28:44 +04:00
# Valid: string
# Example: INFORMATION_SCHEMA.COLLATIONS
uFrom =
2018-06-19 17:23:17 +03:00
# Domain name used for DNS exfiltration attack.
2012-05-27 22:41:06 +04:00
# Valid: string
2016-10-22 22:52:18 +03:00
dnsDomain =
2012-05-27 22:41:06 +04:00
2018-06-19 17:23:17 +03:00
# Resulting page URL searched for second-order response.
2012-07-26 16:07:05 +04:00
# Valid: string
2018-06-19 17:11:49 +03:00
secondUrl =
2012-07-26 16:07:05 +04:00
2018-06-19 17:23:17 +03:00
# Load second-order HTTP request from file.
# Valid: string
secondReq =
2008-10-15 19:38:22 +04:00
[Fingerprint]
# Perform an extensive back-end database management system fingerprint
# based on various techniques.
# Valid: True or False
extensiveFp = False
2010-03-12 02:54:07 +03:00
# These options can be used to enumerate the back-end database
# management system information, structure and data contained in the
# tables. Moreover you can run your own SQL statements.
2008-10-15 19:38:22 +04:00
[Enumeration]
2012-10-05 12:24:09 +04:00
# Retrieve everything
# Valid: True or False
getAll = False
2008-10-15 19:38:22 +04:00
# Retrieve back-end database management system banner.
# Valid: True or False
getBanner = False
# Retrieve back-end database management system current user.
# Valid: True or False
getCurrentUser = False
# Retrieve back-end database management system current database.
# Valid: True or False
getCurrentDb = False
# Retrieve back-end database management system server hostname.
# Valid: True or False
getHostname = False
# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False
2008-10-15 19:38:22 +04:00
# Enumerate back-end database management system users.
# Valid: True or False
getUsers = False
# Enumerate back-end database management system users password hashes.
# Valid: True or False
getPasswordHashes = False
# Enumerate back-end database management system users privileges.
# Valid: True or False
getPrivileges = False
# Enumerate back-end database management system users roles.
# Valid: True or False
getRoles = False
2008-10-15 19:38:22 +04:00
# Enumerate back-end database management system databases.
# Valid: True or False
getDbs = False
# Enumerate back-end database management system database tables.
# Optional: db
# Valid: True or False
getTables = False
# Enumerate back-end database management system database table columns.
# Optional: db, tbl, col
2008-10-15 19:38:22 +04:00
# Valid: True or False
getColumns = False
# Enumerate back-end database management system schema.
# Valid: True or False
getSchema = False
# Retrieve number of entries for table(s).
# Valid: True or False
getCount = False
2008-10-15 19:38:22 +04:00
# Dump back-end database management system database table entries.
2010-03-12 02:54:07 +03:00
# Requires: tbl and/or col
# Optional: db
2008-10-15 19:38:22 +04:00
# Valid: True or False
dumpTable = False
# Dump all back-end database management system databases tables entries.
# Valid: True or False
dumpAll = False
# Search column(s), table(s) and/or database name(s).
# Requires: db, tbl or col
# Valid: True or False
search = False
2018-06-07 01:46:54 +03:00
# Check for database management system database comments during enumeration.
2013-07-29 20:25:27 +04:00
# Valid: True or False
getComments = False
2019-05-29 16:52:33 +03:00
# Retrieve SQL statements being run on database management system.
# Valid: True or False
getStatements = False
2008-10-15 19:38:22 +04:00
# Back-end database management system database to enumerate.
db =
2014-01-13 13:05:49 +04:00
# Back-end database management system database table(s) to enumerate.
2008-10-15 19:38:22 +04:00
tbl =
2014-01-13 13:05:49 +04:00
# Back-end database management system database table column(s) to enumerate.
2008-10-15 19:38:22 +04:00
col =
2018-02-13 17:53:50 +03:00
# Back-end database management system identifiers (database(s), table(s) and column(s)) to not enumerate.
exclude =
2014-01-13 13:05:49 +04:00
2016-05-03 13:37:10 +03:00
# Pivot column name.
pivotColumn =
# Use WHERE condition while table dumping (e.g. "id=1").
dumpWhere =
2008-10-15 19:38:22 +04:00
# Back-end database management system database user to enumerate.
user =
# Exclude DBMS system databases when enumerating tables.
# Valid: True or False
excludeSysDbs = False
2009-04-25 00:12:52 +04:00
# First query output entry to retrieve
# Valid: integer
2017-03-01 13:09:55 +03:00
# Default: 0 (sqlmap will start to retrieve the table dump entries from
# first one)
limitStart = 0
2008-10-15 19:38:22 +04:00
2009-04-25 00:12:52 +04:00
# Last query output entry to retrieve
# Valid: integer
2017-03-01 13:09:55 +03:00
# Default: 0 (sqlmap will detect the number of table dump entries and
2009-04-25 00:12:52 +04:00
# retrieve them until the last)
limitStop = 0
2008-10-15 19:38:22 +04:00
# First query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output from the first
# character)
firstChar = 0
# Last query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output until the last
# character)
lastChar = 0
# SQL statement to be executed.
2008-10-15 19:38:22 +04:00
# Example: SELECT 'foo', 'bar'
2019-04-30 15:04:39 +03:00
sqlQuery =
2008-10-15 19:38:22 +04:00
# Prompt for an interactive SQL shell.
# Valid: True or False
sqlShell = False
2012-07-10 03:27:08 +04:00
# Execute SQL statements from given file(s).
sqlFile =
2010-11-09 19:59:36 +03:00
# These options can be used to run brute force checks.
[Brute force]
2010-10-15 19:37:15 +04:00
# Check existence of common tables.
# Valid: True or False
commonTables = False
2010-10-15 19:37:15 +04:00
2010-11-09 19:59:36 +03:00
# Check existence of common columns.
# Valid: True or False
commonColumns = False
2008-10-15 19:38:22 +04:00
2019-06-27 18:28:43 +03:00
# Check existence of common files.
# Valid: True or False
commonFiles = False
2010-03-12 02:54:07 +03:00
# These options can be used to create custom user-defined functions.
[User-defined function]
# Inject custom user-defined functions
# Valid: True or False
udfInject = False
# Local path of the shared library
shLib =
2010-03-12 02:54:07 +03:00
# These options can be used to access the back-end database management
# system underlying file system.
2008-10-15 19:38:22 +04:00
[File system]
# Read a specific file from the back-end DBMS underlying file system.
# Examples: /etc/passwd or C:\boot.ini
2018-08-28 15:31:20 +03:00
fileRead =
2008-10-15 19:38:22 +04:00
# Write a local file to a specific path on the back-end DBMS underlying
# file system.
2008-10-15 19:38:22 +04:00
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
2018-08-28 15:31:20 +03:00
fileWrite =
2008-10-15 19:38:22 +04:00
# Back-end DBMS absolute filepath to write the file to.
2018-08-28 15:31:20 +03:00
fileDest =
2008-10-15 19:38:22 +04:00
2010-03-12 02:54:07 +03:00
# These options can be used to access the back-end database management
# system underlying operating system.
2008-10-15 19:38:22 +04:00
[Takeover]
# Execute an operating system command.
# Valid: operating system command
osCmd =
# Prompt for an interactive operating system shell.
2008-10-15 19:38:22 +04:00
# Valid: True or False
osShell = False
2014-04-06 20:12:59 +04:00
# Prompt for an out-of-band shell, Meterpreter or VNC.
# Valid: True or False
osPwn = False
2014-04-06 20:12:59 +04:00
# One click prompt for an out-of-band shell, Meterpreter or VNC.
# Valid: True or False
osSmb = False
# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
# procedure heap-based buffer overflow (MS09-004) exploitation.
# Valid: True or False
osBof = False
# Database process' user privilege escalation.
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
# payload to be Meterpreter.
privEsc = False
# Local path where Metasploit Framework is installed.
# Valid: file system path
msfPath =
# Remote absolute path of temporary files directory.
# Valid: absolute file system path
tmpPath =
2008-10-15 19:38:22 +04:00
2010-03-12 02:54:07 +03:00
# These options can be used to access the back-end database management
# system Windows registry.
[Windows]
# Read a Windows registry key value.
# Valid: True or False
regRead = False
# Write a Windows registry key value data.
# Valid: True or False
regAdd = False
# Delete a Windows registry key value.
# Valid: True or False
regDel = False
# Windows registry key.
regKey =
# Windows registry key value.
regVal =
# Windows registry key value data.
regData =
# Windows registry key value type.
regType =
2010-11-16 17:11:32 +03:00
# These options can be used to set some general working parameters.
[General]
2013-03-15 20:22:33 +04:00
# Load session from a stored (.sqlite) file
# Example: output/www.target.com/session.sqlite
sessionFile =
# Log all HTTP traffic into a textual file.
trafficFile =
2010-11-16 17:11:32 +03:00
2019-08-13 15:55:26 +03:00
# Set predefined answers (e.g. "quit=N,follow=N").
answers =
2020-04-16 00:32:15 +03:00
# Parameter(s) containing Base64 encoded data
base64Parameter =
2020-08-10 23:26:03 +03:00
# Use URL and filename safe Base64 alphabet (Reference: https://en.wikipedia.org/wiki/Base64#URL_applications).
# Valid: True or False
base64Safe = False
# Never ask for user input, use the default behaviour.
# Valid: True or False
batch = False
2016-05-03 13:52:46 +03:00
# Result fields having binary values (e.g. "digest").
binaryFields =
2017-05-08 00:12:42 +03:00
# Check Internet connection before assessing the target.
checkInternet = False
2019-08-13 15:55:26 +03:00
# Clean up the DBMS from sqlmap specific UDF and tables.
# Valid: True or False
cleanup = False
2013-03-15 20:00:01 +04:00
# Crawl the website starting from the target URL.
# Valid: integer
# Default: 0
crawlDepth = 0
2015-04-06 23:07:22 +03:00
# Regexp to exclude pages from crawling (e.g. "logout").
crawlExclude =
2011-11-30 21:39:41 +04:00
# Delimiting character used in CSV output.
# Default: ,
csvDel = ,
2012-11-28 13:58:18 +04:00
# Format of dumped data
# Valid: CSV, HTML or SQLITE
dumpFormat = CSV
# Force character encoding used for data retrieval.
encoding =
# Retrieve each query output length and calculate the estimated time of
# arrival in real time.
# Valid: True or False
eta = False
2010-11-16 17:11:32 +03:00
2012-07-04 22:28:18 +04:00
# Flush session files for current target.
2010-11-16 17:11:32 +03:00
# Valid: True or False
flushSession = False
2013-03-15 20:00:01 +04:00
# Parse and test forms on target URL.
# Valid: True or False
forms = False
2013-04-24 14:10:06 +04:00
# Ignore query results stored in session file.
2011-03-24 13:08:47 +03:00
# Valid: True or False
freshQueries = False
2019-08-13 15:55:26 +03:00
# Use Google dork results from specified page number.
# Valid: integer
# Default: 1
googlePage = 1
2018-06-07 01:46:54 +03:00
# Use hex conversion during data retrieval.
# Valid: True or False
hexConvert = False
2012-07-03 02:50:23 +04:00
# Custom output directory path.
2014-04-06 18:54:46 +04:00
outputDir =
2012-07-03 02:50:23 +04:00
# Parse and display DBMS error messages from responses.
# Valid: True or False
parseErrors = False
2020-09-21 18:04:44 +03:00
# Use given script(s) for preprocessing of request.
2019-03-04 17:58:24 +03:00
preprocess =
2020-09-21 18:04:44 +03:00
# Use given script(s) for postprocessing of response data.
postprocess =
# Redump entries having unknown character marker (?).
# Valid: True or False
repair = False
2013-04-30 16:32:11 +04:00
# Regular expression for filtering targets from provided Burp.
# or WebScarab proxy log.
# Example: (google|yahoo)
scope =
2020-11-10 00:11:11 +03:00
# Skip heuristic detection of SQLi/XSS vulnerabilities.
# Valid: True or False
skipHeuristics = False
2019-08-13 15:55:26 +03:00
# Skip heuristic detection of WAF/IPS protection.
# Valid: True or False
skipWaf = False
2019-08-13 16:22:02 +03:00
# Prefix used for temporary tables.
# Default: sqlmap
tablePrefix = sqlmap
2013-04-30 16:32:11 +04:00
# Select tests by payloads and/or titles (e.g. ROW)
testFilter =
2015-10-01 12:57:33 +03:00
# Skip tests by payloads and/or titles (e.g. BENCHMARK)
testSkip =
2019-08-13 15:55:26 +03:00
# Web server document root directory (e.g. "/var/www").
webRoot =
2010-11-16 17:11:32 +03:00
2008-10-15 19:38:22 +04:00
[Miscellaneous]
2013-09-11 17:05:37 +04:00
# Run host OS command(s) when SQL injection is found.
2012-12-11 15:48:58 +04:00
alert =
# Beep on question and/or when SQL injection is found.
2012-12-11 15:02:06 +04:00
# Valid: True or False
beep = False
2018-12-28 19:54:58 +03:00
# Offline WAF/IPS payload detection testing.
2012-12-11 15:02:06 +04:00
# Valid: True or False
2010-11-16 17:09:09 +03:00
checkPayload = False
2018-10-15 01:56:23 +03:00
# Check for missing (optional) sqlmap dependencies.
# Valid: True or False
dependencies = False
2012-08-16 00:31:25 +04:00
# Disable console output coloring.
# Valid: True or False
disableColoring = False
2018-07-31 03:18:33 +03:00
# Display list of available tamper scripts
# Valid: True or False
listTampers = False
# Work in offline mode (only use session data)
# Valid: True or False
offline = False
# Location of CSV results file in multiple targets mode.
resultsFile =
2016-05-31 15:55:56 +03:00
# Local directory for storing temporary files.
tmpDir =
2019-10-23 15:41:14 +03:00
# Adjust options for unstable connections.
# Valid: True or False
2019-10-23 15:41:14 +03:00
unstable = False
2019-08-13 15:55:26 +03:00
# Update sqlmap.
# Valid: True or False
updateAll = False
2019-10-23 15:41:14 +03:00
# Simple wizard interface for beginner users.
# Valid: True or False
wizard = False
# Verbosity level.
# Valid: integer between 0 and 6
# 0: Show only error and critical messages
# 1: Show also warning and info messages
2011-01-21 00:49:34 +03:00
# 2: Show also debug messages
# 3: Show also payloads injected
# 4: Show also HTTP requests
2011-01-21 00:49:34 +03:00
# 5: Show also HTTP responses' headers
# 6: Show also HTTP responses' page content
# Default: 1
verbose = 1