[Target] # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 # PHP and MySQL (local) #url = http://127.0.0.1/sqlmap/mysql/get_int.php?id=1 url = http://127.0.0.1/sqlmap/mysql/get_int_partialunion.php?id=1 # PHP and Oracle (local) #url = http://127.0.0.1/sqlmap/oracle/get_int.php?id=1 # PHP and PostgreSQL (local) #url = http://127.0.0.1/sqlmap/pgsql/get_int.php?id=1 # PHP and Microsoft SQL Server (remote) #url = http://127.0.0.1/sqlmap/mssql/get_int.php?id=1 # PHP and MySQL (remote on Windows) #url = http://127.0.0.1/sqlmap/mysql/win_get_int.php?id=1 # ASP and Microsoft SQL Server (local) #url = http://192.168.192.10/sqlmap/get_str.asp?name=luther # ASP and MySQL (local) #url = http://192.168.192.10/sqlmap/get_int.asp?id=1 # ASP.NET and MySQL (local) #url = http://192.168.192.10/sqlmap/get_int.aspx?id=1 #url = # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path list = # Rather than providing a target url, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at # http://johnny.ihackstuff.com/ghdb.php. # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = [Request] # HTTP method to perform HTTP requests. # Valid: GET or POST # Default: GET method = GET # Data string to be sent through POST. It is mandatory only when # HTTP method is set to POST. data = # HTTP Cookie header. cookie = # HTTP Referer header. Useful to fake the HTTP Referer header value at # each HTTP request. referer = # HTTP User-Agent header. Useful to fake the HTTP User-Agent header value # at each HTTP request # sqlmap will also test for SQL injection on the HTTP User-Agent value. agent = # Load a random HTTP User-Agent header from file # Example: ./txt/user-agents.txt userAgentsFile = # HTTP Authentication type. Useful only if the target url requires # HTTP Basic or Digest authentication and you have such data. # Valid: Basic or Digest aType = # HTTP Authentication credentials. Useful only if the target url requires # HTTP Basic or Digest authentication and you have such data. # Syntax: username:password aCred = # Use a HTTP proxy to connect to the target url. # Syntax: http://url:port proxy = # Maximum number of concurrent HTTP requests (handled with Python threads) # to be used in the inference SQL injection attack. # Valid: integer # Default: 1 threads = 1 # Delay in seconds between each HTTP request. # Valid: float # Default: 0 delay = 0 # Seconds to wait before timeout connection. # Valid: float # Default: 10 timeout = 10 [Injection] # Testable parameter(s) comma separated. By default all GET/POST/Cookie # parameters and HTTP User-Agent are tested by sqlmap. testParameter = # Force back-end DBMS to this value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default. # Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql dbms = # String to match within the page content when the query is valid, only # needed if the page content dynamically changes at each refresh, # consequently changing the MD5 hash of the page which is the method used # by default to determine if a query was valid or not. Refer to the user's # manual for further details. string = # Regular expression to match within the page content when the query is # valid, only needed if the needed if the page content dynamically changes # at each refresh, consequently changing the MD5 hash of the page which is # the method used by default to determine if a query was valid or not. # Refer to the user's manual for further details. # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) regexp = # String to be excluded by the page content before calculating the page # MD5 hash eString = # Regular expression matches to be excluded by the page content before # calculating the page MD5 hash # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = [Techniques] # Test for Time based blind SQL injection. # Valid: True or False timeTest = False # Test for UNION query (inband) SQL injection. # Valid: True or False unionTest = False # Use the UNION query (inband) SQL injection to retrieve the queries # output. No need to go blind. # Valid: True or False unionUse = False [Fingerprint] # Perform an extensive back-end database management system fingerprint # based on various techniques. # Valid: True or False extensiveFp = False [Enumeration] # Retrieve back-end database management system banner. # Valid: True or False getBanner = False # Retrieve back-end database management system current user. # Valid: True or False getCurrentUser = False # Retrieve back-end database management system current database. # Valid: True or False getCurrentDb = False # Enumerate back-end database management system users. # Valid: True or False getUsers = False # Enumerate back-end database management system users password hashes. # Valid: True or False getPasswordHashes = False # Enumerate back-end database management system users privileges. # Valid: True or False getPrivileges = False # Enumerate back-end database management system databases. # Valid: True or False getDbs = False # Enumerate back-end database management system database tables. # Optional: db # Valid: True or False getTables = False # Enumerate back-end database management system database table columns. # Requires: db and tbl # Valid: True or False getColumns = False # Dump back-end database management system database table entries. # Requires: db and tbl # Optional: col # Valid: True or False dumpTable = False # Dump all back-end database management system databases tables entries. # Valid: True or False dumpAll = False # Back-end database management system database to enumerate. db = # Back-end database management system database table to enumerate. tbl = # Back-end database management system database table column to enumerate. col = # Back-end database management system database user to enumerate. user = # Exclude DBMS system databases when enumerating tables. # Valid: True or False excludeSysDbs = False # First table entry to dump (cursor start) # Valid: integer # Default: 0 (sqlmap will start to dump the table entries from the first) limitStart = 0 # Last table entry to dump (cursor stop) # Valid: integer # Default: 0 (sqlmap will detect the number of table entries and dump # until the last) limitStop = 0 # SQL SELECT query to be executed. # Example: SELECT 'foo', 'bar' query = # Prompt for an interactive SQL shell. # Valid: True or False sqlShell = False [File system] # Read a specific OS file content (only on MySQL). # Examples: /etc/passwd or C:\boot.ini rFile = # Write to a specific OS file (not yet available). # Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt wFile = [Takeover] # Prompt for an interactive OS shell (only on PHP/MySQL environment with a # writable directory within the web server document root for the moment). # Valid: True or False osShell = False [Miscellaneous] # Retrieve each query output length and calculate the estimated time of # arrival in real time. # Valid: True or False eta = False # Verbosity level. # Valid: integer between 0 and 5 # 0: Show only warning and error messages # 1: Show also info messages # 2: Show also debug messages # 3: Show also HTTP requests # 4: Show also HTTP responses headers # 5: Show also HTTP responses page content # Default: 1 verbose = 1 # Update sqlmap to the latest stable version. # Valid: True or False updateAll = False # Save and resume all data retrieved on a session file. sessionFile = # Never ask for user input, use the default behaviour. # Valid: True or False batch = False