# At least one of these options has to be specified to set the source to # get target urls from. [Target] # Direct connection to the database. # Example: mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME direct = # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 url = # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path list = # Load HTTP request from a file # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme requestFile = # Rather than providing a target url, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at # http://johnny.ihackstuff.com/ghdb.php. # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = # These options can be used to specify how to connect to the target url. [Request] # HTTP method to perform HTTP requests. # Valid: GET or POST # Default: GET method = GET # Data string to be sent through POST. It is mandatory only when # HTTP method is set to POST. data = # HTTP Cookie header. cookie = # URL-encode generated cookie injections. # Valid: True or False cookieUrlencode = False # Ignore Set-Cookie header from response # Valid: True or False dropSetCookie = False # HTTP User-Agent header. Useful to fake the HTTP User-Agent header value # at each HTTP request # sqlmap will also test for SQL injection on the HTTP User-Agent value. agent = # Load a random HTTP User-Agent header from file # Example: ./txt/user-agents.txt userAgentsFile = # HTTP Referer header. Useful to fake the HTTP Referer header value at # each HTTP request. referer = # Extra HTTP headers # Note: There must be a space at the beginning of each header line. headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 # HTTP Authentication type. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Valid: Basic, Digest or NTLM aType = # HTTP Authentication credentials. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Syntax: username:password aCred = # HTTP Authentication certificate. Useful only if the target url requires # logon certificate and you have such data. # Syntax: key_file,cert_file aCert = # Use a HTTP proxy to connect to the target url. # Syntax: http://address:port proxy = # Ignore system default HTTP proxy # Valid: True or False ignoreProxy = False # Maximum number of concurrent HTTP requests (handled with Python threads) # to be used in the inference SQL injection attack. # Valid: integer # Default: 1 threads = 1 # Delay in seconds between each HTTP request. # Valid: float # Default: 0 delay = 0 # Seconds to wait before timeout connection. # Valid: float # Default: 30 timeout = 30 # Maximum number of retries when the HTTP connection timeouts. # Valid: integer # Default: 3 retries = 3 # Regular expression for filtering targets from provided Burp # or WebScarab proxy log. # Example: (google|yahoo) scope = # Url address to visit frequently during testing # Example: http://192.168.1.121/index.html safUrl = # Test requests between two visits to a given safe url (default 0) # Valid: integer # Default: 0 saFreq = 0 # These options can be used to specify which parameters to test for, # provide custom injection payloads and how to parse and compare HTTP # responses page content when using the blind SQL injection technique. [Injection] # Testable parameter(s) comma separated. By default all GET/POST/Cookie # parameters and HTTP User-Agent are tested by sqlmap. testParameter = # Force back-end DBMS to this value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default. # Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql dbms = # Force back-end DBMS operating system to this value. If this option is # set, the back-end DBMS identification process will be minimized as # needed. # If not set, sqlmap will detect back-end DBMS operating system # automatically by default. # Valid: linux, windows os = # Injection payload prefix string prefix = # Injection payload postfix string postfix = # String to match within the page content when the query is valid, only # needed if the page content dynamically changes at each refresh, # consequently changing the MD5 hash of the page which is the method used # by default to determine if a query was valid or not. Refer to the user's # manual for further details. string = # Regular expression to match within the page content when the query is # valid, only needed if the needed if the page content dynamically changes # at each refresh, consequently changing the MD5 hash of the page which is # the method used by default to determine if a query was valid or not. # Refer to the user's manual for further details. # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) regexp = # String to be excluded by the page content before calculating the page # MD5 hash eString = # Regular expression matches to be excluded by the page content before # calculating the page MD5 hash # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = # Use operator BETWEEN instead of default '>' # Valid: True or False useBetween = False # These options can be used to test for specific SQL injection technique # or to use one of them to exploit the affected parameter(s) rather than # using the default blind SQL injection technique. [Techniques] # Test for stacked queries (multiple statements) support. # Valid: True or False stackedTest = False # Test for time based blind SQL injection. # Valid: True or False timeTest = False # Seconds to delay the response from the DBMS. # Valid: integer # Default: 5 timeSec = 5 # Test for UNION query (inband) SQL injection. # Valid: True or False unionTest = False # Technique to test for UNION query SQL injection # The possible techniques are by NULL bruteforcing (bf) or by ORDER BY # clause (ob) # Valid: NULL, OrderBy # Default: NULL uTech = NULL # Use the UNION query (inband) SQL injection to retrieve the queries # output. No need to go blind. # Valid: True or False unionUse = False [Fingerprint] # Perform an extensive back-end database management system fingerprint # based on various techniques. # Valid: True or False extensiveFp = False # These options can be used to enumerate the back-end database # management system information, structure and data contained in the # tables. Moreover you can run your own SQL statements. [Enumeration] # Retrieve back-end database management system banner. # Valid: True or False getBanner = False # Retrieve back-end database management system current user. # Valid: True or False getCurrentUser = False # Retrieve back-end database management system current database. # Valid: True or False getCurrentDb = False # Detect if the DBMS current user is DBA. # Valid: True or False isDba = False # Enumerate back-end database management system users. # Valid: True or False getUsers = False # Enumerate back-end database management system users password hashes. # Valid: True or False getPasswordHashes = False # Enumerate back-end database management system users privileges. # Valid: True or False getPrivileges = False # Enumerate back-end database management system users roles. # Valid: True or False getRoles = False # Enumerate back-end database management system databases. # Valid: True or False getDbs = False # Enumerate back-end database management system database tables. # Optional: db # Valid: True or False getTables = False # Enumerate back-end database management system database table columns. # Requires: tbl # Optional: db, col # Valid: True or False getColumns = False # Dump back-end database management system database table entries. # Requires: tbl and/or col # Optional: db # Valid: True or False dumpTable = False # Dump all back-end database management system databases tables entries. # Valid: True or False dumpAll = False # Search column(s), table(s) and/or database name(s). # Requires: db, tbl or col # Valid: True or False search = False # Back-end database management system database to enumerate. db = # Back-end database management system database table to enumerate. tbl = # Back-end database management system database table column to enumerate. col = # Back-end database management system database user to enumerate. user = # Exclude DBMS system databases when enumerating tables. # Valid: True or False excludeSysDbs = False # First query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will start to retrieve the query output entries from # the first) limitStart = 0 # Last query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will detect the number of query output entries and # retrieve them until the last) limitStop = 0 # First query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output from the first # character) firstChar = 0 # Last query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output until the last # character) lastChar = 0 # SQL statement to be executed. # Example: SELECT 'foo', 'bar' query = # Prompt for an interactive SQL shell. # Valid: True or False sqlShell = False # These options can be used to create custom user-defined functions. [User-defined function] # Inject custom user-defined functions # Valid: True or False udfInject = False # Local path of the shared library shLib = # These options can be used to access the back-end database management # system underlying file system. [File system] # Read a specific file from the back-end DBMS underlying file system. # Examples: /etc/passwd or C:\boot.ini rFile = # Write a local file to a specific path on the back-end DBMS underlying # file system. # Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt wFile = # Back-end DBMS absolute filepath to write the file to. dFile = # These options can be used to access the back-end database management # system underlying operating system. [Takeover] # Execute an operating system command. # Valid: operating system command osCmd = # Prompt for an interactive operating system shell. # Valid: True or False osShell = False # Prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osPwn = False # One click prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osSmb = False # Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored # procedure heap-based buffer overflow (MS09-004) exploitation. # Valid: True or False osBof = False # Database process' user privilege escalation. # Note: Use in conjunction with osPwn, osSmb or osBof. It will force the # payload to be Meterpreter. privEsc = False # Local path where Metasploit Framework 3 is installed. # Valid: file system path msfPath = # Remote absolute path of temporary files directory. # Valid: absolute file system path tmpPath = # These options can be used to access the back-end database management # system Windows registry. [Windows] # Read a Windows registry key value regRead = False # Write a Windows registry key value data regAdd = False # Delete a Windows registry key value regDel = False # Windows registry key regKey = # Windows registry key value regVal = # Windows registry key value data regData = # Windows registry key value type regType = [Miscellaneous] # Dump the data into an XML file. xmlFile = # Save and resume all data retrieved on a session file. sessionFile = # Flush session file for current target. flushSession = False # Retrieve each query output length and calculate the estimated time of # arrival in real time. # Valid: True or False eta = False # Use google dork results from specified page number # Valid: integer # Default: 1 googlePage = 1 # Update sqlmap. # Valid: True or False updateAll = False # Never ask for user input, use the default behaviour. # Valid: True or False batch = False # Clean up the DBMS by sqlmap specific UDF and tables # Valid: True or False cleanup = False # Verbosity level. # Valid: integer between 0 and 5 # 0: Show only warning and error messages # 1: Show also info messages # 2: Show also debug messages # 3: Show also HTTP requests # 4: Show also HTTP responses headers # 5: Show also HTTP responses page content # Default: 1 verbose = 1