sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2026-01-12 11:41:05 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add --raw and --verbose flags to ensure CLI output matches sqlmap exactly

Browse Source 
Co-authored-by: GilbertKrantz <90319182+GilbertKrantz@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-01-05 18:37:39 +00:00
parent cae2ca7da9
commit ef6622c6c5
3 changed files with 69 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
EXAMPLES.md
View File

@ -56,6 +56,19 @@ Limit the comprehensive scan to specific max values:
python sqlmapcli.py -u "https://demo.owasp-juice.shop/rest/products/search?q=test" --comprehensive --max-level 3 --max-risk 2 python sqlmapcli.py -u "https://demo.owasp-juice.shop/rest/products/search?q=test" --comprehensive --max-level 3 --max-risk 2
``` ```
### 6. Raw Output Mode
Get the exact same output as running sqlmap directly:
```bash
# Show raw sqlmap output without formatting
python sqlmapcli.py -u "https://demo.owasp-juice.shop/rest/user/login" --data='{"email":"test@example.com","password":"pass123"}' --level 2 --risk 2 --raw
# Increase verbosity for more details
python sqlmapcli.py -u "https://demo.owasp-juice.shop/rest/user/login" --data='{"email":"test@example.com","password":"pass123"}' --verbose 3 --raw
```
**Note**: The `--raw` flag ensures the CLI output matches sqlmap exactly, bypassing all formatting and parsing.
## Real-World Testing Example ## Real-World Testing Example
**Using OWASP Juice Shop Demo** (a legitimate vulnerable application for security testing): **Using OWASP Juice Shop Demo** (a legitimate vulnerable application for security testing):

5
README.md
View File

@ -76,9 +76,14 @@ python sqlmapcli.py --interactive
--max-level {1-5} Maximum level for comprehensive scan --max-level {1-5} Maximum level for comprehensive scan
--max-risk {1-3} Maximum risk for comprehensive scan --max-risk {1-3} Maximum risk for comprehensive scan
--technique SQL injection techniques (default: BEUSTQ) --technique SQL injection techniques (default: BEUSTQ)
--data POST data string (JSON or form data)
--raw Show raw sqlmap output (bypasses formatting)
--verbose {0-6} Sqlmap verbosity level (default: 1)
-i, --interactive Interactive mode -i, --interactive Interactive mode
``` ```
**Note**: Use `--raw` flag to see the exact same output as running sqlmap directly. This ensures you get all details that sqlmap provides without any formatting or parsing.
--- ---
### Original SQLMap Usage ### Original SQLMap Usage

67
sqlmapcli.py
View File

@ -80,7 +80,8 @@ class SQLMapCLI:
self.console.print() self.console.print()
def run_sqlmap_test(self, url: str, level: int, risk: int, technique: str = "BEUSTQ", def run_sqlmap_test(self, url: str, level: int, risk: int, technique: str = "BEUSTQ",
batch: bool = True, data: str = None, extra_args: List[str] = None) -> Tuple[bool, str]: batch: bool = True, data: str = None, verbose: int = 1,
extra_args: List[str] = None) -> Tuple[bool, str]:
"""Run sqlmap with specified parameters""" """Run sqlmap with specified parameters"""
cmd = [ cmd = [
sys.executable, sys.executable,
@ -89,7 +90,7 @@ class SQLMapCLI:
f"--level={level}", f"--level={level}",
f"--risk={risk}", f"--risk={risk}",
f"--technique={technique}", f"--technique={technique}",
"-v", "1" "-v", str(verbose)
] ]
if batch: if batch:
@ -153,7 +154,7 @@ class SQLMapCLI:
} }
def comprehensive_scan(self, url: str, max_level: int = 5, max_risk: int = 3, def comprehensive_scan(self, url: str, max_level: int = 5, max_risk: int = 3,
techniques: str = "BEUSTQ", data: str = None): techniques: str = "BEUSTQ", data: str = None, verbose: int = 1):
"""Run comprehensive scan with all levels and risks""" """Run comprehensive scan with all levels and risks"""
self.results['target'] = url self.results['target'] = url
self.results['start_time'] = datetime.now() self.results['start_time'] = datetime.now()
@ -191,7 +192,7 @@ class SQLMapCLI:
description=f"[cyan]Testing Level {level}, Risk {risk}..." description=f"[cyan]Testing Level {level}, Risk {risk}..."
) )
success, output = self.run_sqlmap_test(url, level, risk, techniques, data=data) success, output = self.run_sqlmap_test(url, level, risk, techniques, data=data, verbose=verbose)
parsed = self.parse_results(output) parsed = self.parse_results(output)
status = "" if success else "" status = "" if success else ""
@ -220,22 +221,31 @@ class SQLMapCLI:
self.console.print(results_table) self.console.print(results_table)
self.display_summary() self.display_summary()
def quick_scan(self, url: str, level: int = 1, risk: int = 1, data: str = None): def quick_scan(self, url: str, level: int = 1, risk: int = 1, data: str = None,
raw: bool = False, verbose: int = 1):
"""Run a quick scan with default settings""" """Run a quick scan with default settings"""
self.results['target'] = url self.results['target'] = url
self.results['start_time'] = datetime.now() self.results['start_time'] = datetime.now()
scan_info = f"[cyan]Running quick scan on:[/cyan]\n[yellow]{url}[/yellow]\n[dim]Level: {level}, Risk: {risk}[/dim]" if not raw:
if data: scan_info = f"[cyan]Running quick scan on:[/cyan]\n[yellow]{url}[/yellow]\n[dim]Level: {level}, Risk: {risk}[/dim]"
scan_info += f"\n[dim]POST Data: {data}[/dim]" if data:
scan_info += f"\n[dim]POST Data: {data}[/dim]"
self.console.print( self.console.print(
Panel( Panel(
scan_info, scan_info,
border_style="cyan", border_style="cyan",
box=box.ROUNDED box=box.ROUNDED
)
) )
)
if raw:
# Raw mode - just show sqlmap output directly
self.console.print("[cyan]Running sqlmap...[/cyan]\n")
success, output = self.run_sqlmap_test(url, level, risk, data=data, verbose=verbose)
self.console.print(output)
return
with Progress( with Progress(
SpinnerColumn(), SpinnerColumn(),
@ -245,7 +255,7 @@ class SQLMapCLI:
) as progress: ) as progress:
task = progress.add_task("[cyan]Scanning for vulnerabilities...", total=None) task = progress.add_task("[cyan]Scanning for vulnerabilities...", total=None)
success, output = self.run_sqlmap_test(url, level, risk, data=data) success, output = self.run_sqlmap_test(url, level, risk, data=data, verbose=verbose)
progress.update(task, completed=True) progress.update(task, completed=True)
parsed = self.parse_results(output) parsed = self.parse_results(output)
@ -414,6 +424,19 @@ Examples:
help='Data string to be sent through POST (e.g., "username=test&password=test")' help='Data string to be sent through POST (e.g., "username=test&password=test")'
) )
parser.add_argument(
'--raw',
action='store_true',
help='Show raw sqlmap output without formatting'
)
parser.add_argument(
'--verbose',
type=int,
choices=[0, 1, 2, 3, 4, 5, 6],
help='Sqlmap verbosity level (0-6, default: 1)'
)
parser.add_argument( parser.add_argument(
'-i', '--interactive', '-i', '--interactive',
action='store_true', action='store_true',
@ -446,16 +469,26 @@ Examples:
sys.exit(1) sys.exit(1)
# Run appropriate scan # Run appropriate scan
verbose_level = args.verbose if args.verbose is not None else 1
if args.comprehensive: if args.comprehensive:
cli.comprehensive_scan( cli.comprehensive_scan(
args.url, args.url,
max_level=args.max_level, max_level=args.max_level,
max_risk=args.max_risk, max_risk=args.max_risk,
techniques=args.technique, techniques=args.technique,
data=args.data data=args.data,
verbose=verbose_level
) )
else: else:
cli.quick_scan(args.url, level=args.level, risk=args.risk, data=args.data) cli.quick_scan(
args.url,
level=args.level,
risk=args.risk,
data=args.data,
raw=args.raw,
verbose=verbose_level
)
if __name__ == "__main__": if __name__ == "__main__":