# At least one of these options has to be specified to set the source to # get target urls from. [Target] # Direct connection to the database. # Example: mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME direct = # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 url = # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path list = # Load HTTP request from a file # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme requestFile = # Rather than providing a target url, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at # http://johnny.ihackstuff.com/ghdb.php. # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = # These options can be used to specify how to connect to the target url. [Request] # HTTP method to perform HTTP requests. # Valid: GET or POST # Default: GET method = GET # Data string to be sent through POST. It is mandatory only when # HTTP method is set to POST. data = # HTTP Cookie header. cookie = # URL-encode generated cookie injections. # Valid: True or False cookieUrlencode = False # Ignore Set-Cookie header from response # Valid: True or False dropSetCookie = False # HTTP User-Agent header. Useful to fake the HTTP User-Agent header value # at each HTTP request # sqlmap will also test for SQL injection on the HTTP User-Agent value. agent = # Load a random HTTP User-Agent header from file # Example: ./txt/user-agents.txt userAgentsFile = # HTTP Referer header. Useful to fake the HTTP Referer header value at # each HTTP request. referer = # Extra HTTP headers # Note: There must be a space at the beginning of each header line. headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 # HTTP Authentication type. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Valid: Basic, Digest or NTLM aType = # HTTP authentication credentials. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Syntax: username:password aCred = # HTTP Authentication certificate. Useful only if the target url requires # logon certificate and you have such data. # Syntax: key_file,cert_file aCert = # Use a HTTP proxy to connect to the target url. # Syntax: http://address:port proxy = # HTTP proxy authentication credentials. Useful only if the proxy requires # HTTP Basic or Digest authentication and you have such data. # Syntax: username:password pCred = # Ignore system default HTTP proxy # Valid: True or False ignoreProxy = False # Delay in seconds between each HTTP request. # Valid: float # Default: 0 delay = 0 # Seconds to wait before timeout connection. # Valid: float # Default: 30 timeout = 30 # Maximum number of retries when the HTTP connection timeouts. # Valid: integer # Default: 3 retries = 3 # Regular expression for filtering targets from provided Burp # or WebScarab proxy log. # Example: (google|yahoo) scope = # Url address to visit frequently during testing # Example: http://192.168.1.121/index.html safUrl = # Test requests between two visits to a given safe url (default 0) # Valid: integer # Default: 0 saFreq = 0 # These options can be used to optimize the performance of sqlmap. [Optimization] # Use all optimization options. # Valid: True or False optimize = False # Predict common queries output. # Valid: True or False predictOutput = False # Use persistent HTTP(s) connections. keepAlive = False # Retrieve page length without actual HTTP response body. # Valid: True or False nullConnection = False # Maximum number of concurrent HTTP(s) requests (handled with Python threads) # to be used in the inference SQL injection attack. # Valid: integer # Default: 1 threads = 1 # These options can be used to specify which parameters to test for, # provide custom injection payloads and optional tampering scripts. [Injection] # Testable parameter(s) comma separated. By default all GET/POST/Cookie # parameters and HTTP User-Agent are tested by sqlmap. testParameter = # Force back-end DBMS to this value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default. # Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3, # access, firebird, maxdb, sybase dbms = # Force back-end DBMS operating system to this value. If this option is # set, the back-end DBMS identification process will be minimized as # needed. # If not set, sqlmap will detect back-end DBMS operating system # automatically by default. # Valid: linux, windows os = # Injection payload prefix string prefix = # Injection payload postfix string postfix = # Use given script(s) for tampering injection data tamper = # These options can be used to specify how to parse and compare page # content from HTTP responses when using blind SQL injection technique. [Detection] # String to match within the page content when the query is valid, only # needed if the page content dynamically changes at each refresh, # consequently changing the MD5 hash of the page which is the method used # by default to determine if a query was valid or not. Refer to the user's # manual for further details. string = # Regular expression to match within the page content when the query is # valid, only needed if the needed if the page content dynamically changes # at each refresh, consequently changing the MD5 hash of the page which is # the method used by default to determine if a query was valid or not. # Refer to the user's manual for further details. # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) regexp = # String to be excluded by the page content before calculating the page # MD5 hash. eString = # Regular expression matches to be excluded by the page content before # calculating the page MD5 hash # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) eRegexp = # Page comparison threshold value. # Valid: 0.0-1.0 thold = # Compare pages based only on their textual content # Valid: True or False textOnly = False # Compare pages based on their longest common match # Valid: True or False longestCommon = False # These options can be used to test for specific SQL injection technique # or to use one of them to exploit the affected parameter(s) rather than # using the default blind SQL injection technique. [Techniques] # Test for and use error based SQL injection. # Valid: True or False errorTest = False # Test for and use stacked queries (multiple statements). # Valid: True or False stackedTest = False # Test for time based blind SQL injection. # Valid: True or False timeTest = False # Seconds to delay the response from the DBMS. # Valid: integer # Default: 5 timeSec = 5 # Test for and use UNION query (inband) SQL injection. # Valid: True or False unionTest = False # Technique to test for UNION query SQL injection # The possible techniques are by NULL bruteforcing (bf) or by ORDER BY # clause (ob) # Valid: NULL, OrderBy # Default: NULL uTech = NULL [Fingerprint] # Perform an extensive back-end database management system fingerprint # based on various techniques. # Valid: True or False extensiveFp = False # These options can be used to enumerate the back-end database # management system information, structure and data contained in the # tables. Moreover you can run your own SQL statements. [Enumeration] # Retrieve back-end database management system banner. # Valid: True or False getBanner = False # Retrieve back-end database management system current user. # Valid: True or False getCurrentUser = False # Retrieve back-end database management system current database. # Valid: True or False getCurrentDb = False # Detect if the DBMS current user is DBA. # Valid: True or False isDba = False # Enumerate back-end database management system users. # Valid: True or False getUsers = False # Enumerate back-end database management system users password hashes. # Valid: True or False getPasswordHashes = False # Enumerate back-end database management system users privileges. # Valid: True or False getPrivileges = False # Enumerate back-end database management system users roles. # Valid: True or False getRoles = False # Enumerate back-end database management system databases. # Valid: True or False getDbs = False # Enumerate back-end database management system database tables. # Optional: db # Valid: True or False getTables = False # Enumerate back-end database management system database table columns. # Requires: tbl # Optional: db, col # Valid: True or False getColumns = False # Dump back-end database management system database table entries. # Requires: tbl and/or col # Optional: db # Valid: True or False dumpTable = False # Dump all back-end database management system databases tables entries. # Valid: True or False dumpAll = False # Search column(s), table(s) and/or database name(s). # Requires: db, tbl or col # Valid: True or False search = False # Back-end database management system database to enumerate. db = # Back-end database management system database table to enumerate. tbl = # Back-end database management system database table column to enumerate. col = # Back-end database management system database user to enumerate. user = # Exclude DBMS system databases when enumerating tables. # Valid: True or False excludeSysDbs = False # First query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will start to retrieve the query output entries from # the first) limitStart = 0 # Last query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will detect the number of query output entries and # retrieve them until the last) limitStop = 0 # First query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output from the first # character) firstChar = 0 # Last query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output until the last # character) lastChar = 0 # SQL statement to be executed. # Example: SELECT 'foo', 'bar' query = # Prompt for an interactive SQL shell. # Valid: True or False sqlShell = False # These options can be used to run brute force checks. [Brute force] # Check existence of common tables. # Valid: True or False commonTables = False # Check existence of common columns. # Valid: True or False commonColumns = False # These options can be used to create custom user-defined functions. [User-defined function] # Inject custom user-defined functions # Valid: True or False udfInject = False # Local path of the shared library shLib = # These options can be used to access the back-end database management # system underlying file system. [File system] # Read a specific file from the back-end DBMS underlying file system. # Examples: /etc/passwd or C:\boot.ini rFile = # Write a local file to a specific path on the back-end DBMS underlying # file system. # Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt wFile = # Back-end DBMS absolute filepath to write the file to. dFile = # These options can be used to access the back-end database management # system underlying operating system. [Takeover] # Execute an operating system command. # Valid: operating system command osCmd = # Prompt for an interactive operating system shell. # Valid: True or False osShell = False # Prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osPwn = False # One click prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osSmb = False # Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored # procedure heap-based buffer overflow (MS09-004) exploitation. # Valid: True or False osBof = False # Database process' user privilege escalation. # Note: Use in conjunction with osPwn, osSmb or osBof. It will force the # payload to be Meterpreter. privEsc = False # Local path where Metasploit Framework 3 is installed. # Valid: file system path msfPath = # Remote absolute path of temporary files directory. # Valid: absolute file system path tmpPath = # These options can be used to access the back-end database management # system Windows registry. [Windows] # Read a Windows registry key value # Valid: True or False regRead = False # Write a Windows registry key value data # Valid: True or False regAdd = False # Delete a Windows registry key value # Valid: True or False regDel = False # Windows registry key regKey = # Windows registry key value regVal = # Windows registry key value data regData = # Windows registry key value type regType = [Miscellaneous] # Dump the data into an XML file. xmlFile = # Save and resume all data retrieved on a session file. sessionFile = # Log all HTTP traffic into a textual file. trafficFile = # Flush session file for current target. # Valid: True or False flushSession = False # Parse and test forms on target url # Valid: True or False forms = False # Retrieve each query output length and calculate the estimated time of # arrival in real time. # Valid: True or False eta = False # Use google dork results from specified page number # Valid: integer # Default: 1 googlePage = 1 # Update sqlmap. # Valid: True or False updateAll = False # Never ask for user input, use the default behaviour. # Valid: True or False batch = False # Clean up the DBMS by sqlmap specific UDF and tables # Valid: True or False cleanup = False # Replicate dumped data into a sqlite3 database. # Valid: True or False replicate = False # IDS detection testing of injection payload. checkPayload = False # Alert with audio beep when sql injection found. beep = False # Verbosity level. # Valid: integer between 0 and 6 # 0: Show only critical messages # 1: Show also warning and info messages # 2: Show also debug messages and query # 3: Show also each payload injected # 4: Show also HTTP requests # 5: Show also HTTP responses headers # 6: Show also HTTP responses page content # Default: 1 verbose = 1