sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-04-21 01:22:04 +03:00
Code Issues Packages Projects Releases Wiki Activity

Updated sqlmap user's manual (markdown)

Browse Source
This commit is contained in:
stamparm 2012-07-14 09:11:12 -07:00
parent 5f09e7f25e
commit f85839cce1
1 changed files with 509 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

510
sqlmap-user's-manual.md
View File

@ -563,4 +563,512 @@ sqlmap by default does **not** URL-encode generated cookie payloads, but you can
Note that also the HTTP `Cookie` header is tested against SQL injection if the `--level` is set to **2** or above. Read below for details.
### HTTP `User-Agent` header
[TODO]
Switches: `--user-agent` and `--random-agent`
By default sqlmap performs HTTP requests with the following `User-Agent` header value:
sqlmap/0.9 (http://www.sqlmap.org)
However, it is possible to fake it with the `--user-agent` switch by providing custom User-Agent as the switch argument.
Moreover, by providing the `--random-agent` switch, sqlmap will randomly select a `User-Agent` from the `./txt/user-agents.txt` textual file and use it for all HTTP requests within the session.
Some sites perform a server-side check on the HTTP `User-Agent` header value and fail the HTTP response if a valid `User-Agent` is not provided, its value is not expected or is blacklisted by a web application firewall or similar intrusion prevention system. In this case sqlmap will show you a message as follows:
[hh:mm:20] [ERROR] the target url responded with an unknown HTTP status code, try to
force the HTTP User-Agent header with option --user-agent or --random-agent
Note that also the HTTP `User-Agent` header is tested against SQL injection if the `--level` is set to **3** or above.
Read below for details.
### HTTP `Referer` header
Switch: `--referer`
It is possible to fake the HTTP `Referer` header value. By default **no** HTTP `Referer` header is sent in HTTP requests if not explicitly set.
Note that also the HTTP `Referer` header is tested against SQL injection if the `--level` is set to **3** or above. Read below for details.
### Extra HTTP headers
Switch: `--headers`
It is possible to provide extra HTTP headers by setting the `--headers` switch. Each header must be separated by a newline and it is much easier to provide them from the configuration INI file. Have a look at the sample `sqlmap.conf` file for an example.
### HTTP protocol authentication
Switches: `--auth-type` and `--auth-cred`
These options can be used to specify which HTTP protocol authentication the web server implements and the valid credentials to be used to perform all HTTP requests to the target application.
The three supported HTTP protocol authentication mechanisms are:
* `Basic`
* `Digest`
* `NTLM`
While the credentials' syntax is `username:password`.
Example of valid syntax:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" \
--auth-type Basic --auth-cred "testuser:testpass"
### HTTP protocol certificate authentication
Switch: `--auth-cert`
This switch should be used in cases when the web server requires proper client-side certificate for authentication. Supplied values should be in the form: `key_file,cert_file`, where `key_file` should be the name of a PEM formatted file that contains your private key, while `cert_file` should be the name for a PEM formatted certificate chain file.
### HTTP(S) proxy
Switches: `--proxy`, `--proxy-cred`, `--ignore-proxy` and `--tor`
It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S) requests to the target URL. The syntax of HTTP(S) proxy value is `http://url:port`.
If the HTTP(S) proxy requires authentication, you can provide the credentials in the format `username:password` to the
`--proxy-cred` switch.
If, for any reason, you need to stay anonymous, instead of passing by a single predefined HTTP(S) proxy server, you can configure a [Tor client](http://www.torproject.org/) together with [Privoxy](http://www.privoxy.org) (or similar) on your machine as explained on the Tor client guide and use the Privoxy daemon, by default listening on `127.0.0.1:8118`, as the sqlmap proxy by simply providing the tool with the `--tor` switch instead of `--proxy`.
The switch `--ignore-proxy` should be used when you want to run sqlmap against a target part of a local area network by ignoring the system-wide set HTTP(S) proxy server setting.
### Delay between each HTTP request
Switch: `--delay`
It is possible to specify a number of seconds to hold between each HTTP(S) request. The valid value is a float, for instance `0.5` means half a second. By default, no delay is set.
### Seconds to wait before timeout connection
Switch: `--timeout`
It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out. The valid value is a float, for instance 10.5 means ten seconds and a half. By default **30 seconds** are set.
### Maximum number of retries when the HTTP connection timeouts
Switch: `--retries`
It is possible to specify the maximum number of retries when the HTTP(S) connection timeouts. By default it retries up to **three times**.
### Filtering targets from provided proxy log using regular expression
Switch: `--scope`
Rather than using all hosts parsed from provided logs with switch `-l`, you can specify valid Python regular expression to be used for filtering desired ones.
Example of valid syntax:
$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
### Avoid your session to be destroyed after too many unsuccessful requests
Switches: `--safe-url` and `--safe-freq`
Sometimes web applications or inspection technology in between destroys the session if a certain number of unsuccessful requests is performed. This might occur during the detection phase of sqlmap or when it exploits any of the blind SQL injection types. Reason why is that the SQL payload does not necessarily returns output and might therefore raise a signal to either the application session management or the inspection technology.
To bypass this limitation set by the target, you can provide two switches:
* `--safe-url`: Url address to visit frequently during testing.
* `--safe-freq`: Test requests between two visits to a given safe url.
This way, sqlmap will visit every a predefined number of requests a certain _safe_ URL without performing any kind of injection against it.
## Optimization
These switches can be used to optimize the performance of sqlmap.
### Bundle optimization
Switch: `-o`
This switch is an alias that implicitly sets the following switches:
* `--keep-alive`
* `--null-connection`
* `--threads 3` if not set to a higher value.
Read below for details about each switch.
### Output prediction
Switch: `--predict-output`
This switch is used in inference algorithm for sequential statistical prediction of characters of value being retrieved. Statistical table with the most promising character values is being built based on items given in `txt/common-outputs.txt` combined with the knowledge of current enumeration used. In case that the value can be found among the common output values, as the process progresses, subsequent character tables are being narrowed more and more. If used in combination with retrieval of common DBMS entities, as with system table names and privileges, speed up is significant. Of course, you can edit the common outputs file according to your needs if, for instance, you notice common patterns in database table names or similar.
Note that this switch is not compatible with `--threads` switch.
### HTTP Keep-Alive
Switch: `--keep-alive`
This switch instructs sqlmap to use persistent HTTP(s) connections.
Note that this switch is incompatible with `--proxy` switch.
### HTTP NULL connection
Switch: `--null-connection`
There are special HTTP request types which can be used to retrieve HTTP response's size without getting the HTTP body. This knowledge can be used in blind injection technique to distinguish `True` from `False` responses. When this switch is provided, sqlmap will try to test and exploit two different _NULL connection_ techniques: `Range` and `HEAD`. If any of these is supported by the target web server, speed up will come from the obvious saving of used bandwidth.
These techniques are detailed in the white paper [Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)](http://www.wisec.it/sectou.php?id=472f952d79293).
Note that this switch is incompatible with `--text-only` switch.
### Concurrent HTTP(S) requests
Switch: `--threads`
It is possible to specify the maximum number of concurrent HTTP(S) requests that sqlmap is allowed to do.
This feature relies on the [multi-threading](http://en.wikipedia.org/wiki/Multithreading) concept and inherits both its pro and its cons.
This features applies to the brute-force switches and when the data fetching is done through any of the blind SQL injection techniques. For the latter case, sqlmap first calculates the length of the query output in a single thread, then starts the multi-threading. Each thread is assigned to retrieve one character of the query output. The thread ends when that character is retrieved - it takes up to 7 HTTP(S) requests with the bisection algorithm implemented in sqlmap.
The maximum number of concurrent requests is set to **10** for performance and site reliability reasons.
Note that this switch is not compatible with `--predict-output` switch.
## Injection
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.
### Testable parameter(s)
Switch: `-p`
By default sqlmap tests all `GET` parameters and `POST` parameters. When the value of `--level` is >= **2** it tests also HTTP `Cookie` header values. When this value is >= **3** it tests also HTTP `User-Agent` and HTTP `Referer` header value for SQL injections. It is however possible to manually specify a comma-separated list of parameter(s) that you want sqlmap to test. This will bypass the dependence on the value of `--level` too.
For instance, to test for GET parameter `id` and for HTTP `User-Agent` only, provide `-p id,user-agent`.
### URI injection point
There are special cases when injection point is within the URI itself. sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (`*`) after each URI point that you want sqlmap to test for and exploit a SQL injection.
This is particularly useful when, for instance, Apache web server's [mod_rewrite](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) module is in use or other similar technologies.
An example of valid command line would be:
$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"
### Force the database management system name
Switch: `--dbms`
By default sqlmap automatically detects the web application's back-end database management system. As of version **0.9**, sqlmap fully supports the following database management systems:
* MySQL
* Oracle
* PostgreSQL
* Microsoft SQL Server
* Microsoft Access
* SQLite
* Firebird
* Sybase
* SAP MaxDB
If for any reason sqlmap fails to detect the back-end DBMS once a SQL injection has been identified or if you want to avoid an active fingeprint, you can provide the name of the back-end DBMS yourself (e.g. `postgresql`). For MySQL and Microsoft SQL Server provide them respectively in the form `MySQL <version>` and `Microsoft SQL Server <version> `, where `<version>` is a valid version for the DBMS; for instance `5.0` for MySQL and `2005` for Microsoft SQL Server.
In case you provide `--fingerprint` together with `--dbms`, sqlmap will only perform the extensive fingerprint for the specified database management system only, read below for further details.
Note that this option is **not** mandatory and it is strongly recommended to use it **only if you are absolutely sure** about the back-end database management system. If you do not know it, let sqlmap automatically fingerprint it for you.
### Force the database management system operating system name
Switch: `--os`
By default sqlmap automatically detects the web application's back-end database management system underlying operating system when this information is a dependence of any other provided switch. At the moment the fully supported operating systems are two:
* Linux
* Windows
It is possible to force the operating system name if you already know it so that sqlmap will avoid doing it itself.
Note that this option is **not** mandatory and it is strongly recommended to use it **only if you are absolutely sure** about the back-end database management system underlying operating system. If you do not know it, let sqlmap automatically identify it for you.
### Custom injection payload
Switches: `--prefix` and `--suffix`
In some circumstances the vulnerable parameter is exploitable only if the user provides a specific suffix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and suffix.
Example of vulnerable source code:
$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
To detect and exploit this SQL injection, you can either let sqlmap detect the **boundaries** (as in combination of SQL payload prefix and suffix) for you during the detection phase, or provide them on your own.
For example:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" \
-p id --prefix "')" --suffix "AND ('abc'='abc"
[...]
This will result in all sqlmap requests to end up in a query as follows:
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
Which makes the query syntactically correct.
In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide custom boundaries, but sometimes in real world application it is necessary to provide it when the injection point is within nested `JOIN` queries for instance.
### Tamper injection data
Switch: `--tamper`
sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes replaced by their `CHAR()`-alike representation.
This switch can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism usually is a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF). All buzzwords to define the same concept, implemented in a different way and costing lots of money, usually.
To take advantage of this switch, provide sqlmap with a comma-separated list of tamper scripts and this will process the payload and return it transformed. You can define your own tamper scripts, use sqlmap ones from the `tamper/` folder or edit them as long as you concatenate them comma-separated as the argument of `--tamper` switch.
The format of a valid tamper script is as follows:
# Needed imports
from lib.core.enums import PRIORITY
# Define which is the order of application of tamper scripts against the payload
__priority__ = PRIORITY.NORMAL
def tamper(payload):
'''
Description of your tamper script
'''
retVal = payload
# your code to tamper the original payload
# return the tampered payload
return retVal
You can check valid and usable tamper scripts in the `tamper/` directory.
Example against a MySQL target assuming that `&gt;` character, spaces and capital `SELECT` string are banned:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --tamper \
tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
[hh:mm:03] [DEBUG] cleaning up configuration parameters
[hh:mm:03] [INFO] loading tamper script 'between'
[hh:mm:03] [INFO] loading tamper script 'randomcase'
[hh:mm:03] [INFO] loading tamper script 'space2comment'
[...]
[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
[...]
[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(
58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/**/elsE/**/0/**/
ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/
group/**/bY/**/x)a)
[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING
clause' injectable
[...]
## Detection
These options can be used to specify how to parse and compare page
content from HTTP responses when using blind SQL injection technique.
### Level
Switch: `--level`
This switch requires an argument which specifies the level of tests to perform. There are **five** levels. The default value is **1** where limited number of tests (requests) are performed. Vice versa, level **5** will test verbosely for a much larger number of payloads and boundaries (as in pair of SQL payload prefix and suffix). The payloads used by sqlmap are specified in the textual file `xml/payloads.xml`. Following the instructions on top of the file, if sqlmap misses an injection, you should be able to add your own payload(s) to test for too!
Not only this switch affects which payload sqlmap tries, but also which injection points are taken in exam: GET and POST parameters are **always** tested, HTTP Cookie header values are tested from level **2** and HTTP User-Agent/Referer headers' value is tested from level **3**.
All in all, the harder it is to detect a SQL injection, the higher the `--level` must be set.
It is strongly recommended to higher this value before reporting to the mailing list that sqlmap is not able to detect a certain injection point.
### Risk
Switch: `--risk`
This switch requires an argument which specifies the risk of tests to perform. There are **four** risk values. The default value is **1** which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also `OR`-based SQL injection tests.
In some instances, like a SQL injection in an `UPDATE` statement, injecting an `OR`-based payload can lead to an update of all the entries of the table, which is certainly not what the attacker wants. For this reason and others this switch has been introduced: the user has control over which payloads get tested, the user can arbitrarily choose to use also potentially dangerous ones. As per the previous switch, the payloads used by sqlmap are specified in the textual file `xml/payloads.xml` and you are free to edit and add your owns.
### Page comparison
Switches: `--string`, `--regexp` and `--text-only`
By default the distinction of a `True` query by a `False` one (rough concept behind boolean-based blind SQL injection vulnerabilities) is done by comparing the injected requests page content with the original not injected page content.
Not always this concept works because sometimes the page content changes at each refresh even not injecting anything, for instance when the page has a counter, a dynamic advertisement banner or any other part of the HTML which is rendered dynamically and might change in time not only consequently to user's input. To bypass this limit, sqlmap tries hard to identify these snippets of the response bodies and deal accordingly. Sometimes it may fail, that is why the user can provide a string (`--string` switch) which is **always** present on the not injected page **and** on all True injected query pages, but that it is **not** on the False ones. As an alternative to a static string, the user can provide a regular expression (`--regexp` switch).
Such data is easy for an user to retrieve, simply try to inject on the affected parameter an invalid value and compare manually the original (not injected) page content with the injected wrong page content. This way the distinction will be based upon string presence or regular expression match.
In cases with lot of active content (e.g. scripts, embeds, etc.) in the HTTP responses' body, you can filter pages (`--text-only` switch) just for their textual content. This way, in a good number of cases, you can automatically tune the detection engine.
## Techniques
These options can be used to tweak testing of specific SQL injection techniques.
### SQL injection techniques to test for
Switch: `--technique`
This switch can be used to specify which SQL injection type to test for. By default sqlmap tests for **all** types/techniques it supports.
In certain situations you may want to test only for one or few specific types of SQL injection thought and this is where this switch comes into play.
This switch requires an argument. Such argument is a string composed by any combination of `B`, `E`, `U`, `S` and `T` characters where each letter stands for a different technique:
* `B`: Boolean-based blind SQL injection
* `E`: Error-based SQL injection
* `U`: UNION query SQL injection
* `S`: Stacked queries SQL injection
* `T`: Time-based blind SQL injection
For instance, you can provide `ES` if you want to test for and exploit error-based and stacked queries SQL injection types only. The default value is `BEUST`.
Note that the string must include stacked queries technique letter, `S`, when you want to access the file system, takeover the operating system or access Windows registry hives.
### Seconds to delay the DBMS response for time-based blind SQL injection
Switch: `--time-sec`
It is possible to set the seconds to delay the response when testing for time-based blind SQL injection, by providing the `--time-sec` option followed by an integer. By default delay is set to **5 seconds**.
### Number of columns in UNION query SQL injection
Switch: `--union-cols`
By default sqlmap tests for UNION query SQL injection technique using 1 to 10 columns. However, this range can be increased up to 50 columns by providing an higher `-`-`level` value. See the relevant paragraph for details.
You can manually tell sqlmap to test for this type of SQL injection with a specific range of columns by providing the tool with the `--union-cols` switch followed by a range of integers. For instance, `12-16` means tests for UNION query SQL injection by using 12 up to 16 columns.
### Character to use to test for UNION query SQL injection
Switch: `--union-char`
By default sqlmap tests for UNION query SQL injection technique using `NULL` character. However, by providing an higher `-`-`level` value sqlmap will performs tests also with a random number because there are some corner cases where UNION query tests with `NULL` fail whereas with a random integer they succeed.
You can manually tell sqlmap to test for this type of SQL injection with a specific character by providing the tool with the `--union-char` switch followed by a string.
## Fingerprint
### Extensive database management system fingerprint
Switches: `-f` or `--fingerprint`
By default the web application's back-end database management system fingerprint is handled automatically by sqlmap. Just after the detection phase finishes and the user is eventually prompted with a choice of which vulnerable parameter to use further on, sqlmap fingerprints the back-end database management system and carries on the injection by knowing which SQL syntax, dialect and queries to use to proceed with the attack within the limits of the database architecture.
If for any instance you want to perform an extensive database management system fingerprint based on various techniques like specific SQL dialects and inband error messages, you can provide the `--fingerprint` switch. sqlmap will perform a lot more requests and fingerprint the exact DBMS version and, where possible, operating system, architecture and patch level.
If you want the fingerprint to be even more accurate result, you can also provide the `-b` or `--banner` switch.
## Enumeration
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.
### Banner
Switch: `-b` or `--banner`
Most of the modern database management systems have a function and/or an environment variable which returns the database management system version and eventually details on its patch level, the underlying system. Usually the function is `version()` and the environment variable is `@@version`, but this vary depending on the target DBMS.
### Session user
Switch: `--current-user`
On the majority of modern DBMSes is possible to retrieve the database management system's user which is effectively performing the query against the back-end DBMS from the web application.
### Current database
Switch: `--current-db`
It is possible to retrieve the database management system's database name that the web application is connected to.
### Detect whether or not the session user is a database administrator
Switch: `--is-dba`
It is possible to detect if the current database management system session user is a database administrator, also known as DBA. sqlmap will return `True` if it is, viceversa `False`.
### List database management system users
Switch: `--users`
When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the list of users.
### List and crack database management system users password hashes
Switches: `--passwords` and `-U`
When the session user has read access to the system table containing information about the DBMS users' passwords, it is possible to enumerate the password hashes for each database management system user. sqlmap will first enumerate the users, then the different password hashes for each of them.
Example against a PostgreSQL target:
$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --passwords -v 1
[...]
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
password hash: md5d7d880f96044b72d0bba108ace96d1e4
clear-text password: testpass
[*] testuser [1]:
password hash: md599e5ea7a6f7c3269995cba3927fd0093
clear-text password: testpass
Not only sqlmap enumerated the DBMS users and their passwords, but it also recognized the hash format to be PostgreSQL, asked the user whether or not to test the hashes against a dictionary file and identified the clear-text password for the `postgres` user, which is usually a DBA along the other user, `testuser`, password.
This feature has been implemented for all DBMS where it is possible to enumerate users' password hashes, including Oracle and Microsoft SQL Server pre and post 2005.
You can also provide the `-U` option to specify the specific user who you want to enumerate and eventually crack the password hash(es). If you provide `CU` as username it will consider it as an alias for current user and will retrieve the password hash(es) for this user.
### List database management system users privileges
Switches: `--privileges` and `-U`
When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the privileges for each database management system user. By the privileges, sqlmap will also show you which are database administrators.
You can also provide the `-U` option to specify the user who you want to enumerate the privileges.
If you provide `CU` as username it will consider it as an alias for current user and will enumerate the privileges for this user.
On Microsoft SQL Server, this feature will display you whether or not each user is a database administrator rather than the list of privileges for all users.
### List database management system users roles
Switches: `--roles` and `-U`
When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the roles for each database management system user.
You can also provide the `-U` option to specify the user who you want to enumerate the privileges.
If you provide `CU` as username it will consider it as an alias for current user and will enumerate the privileges for this user.
This feature is only available when the DBMS is Oracle.
### List database management system's databases
Switch: `--dbs`
When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.
### Enumerate database's tables
Switches: `--tables`, `-D` and `--exclude-sysdbs`
When the session user has read access to the system table containing information about databases' tables, it is possible to enumerate the list of tables for a specific database management system's databases.
If you do not provide a specific database with switch `-D`, sqlmap will enumerate the tables for all DBMS databases.