# At least one of these options has to be specified to set the source to # get target urls from. [Target] # Direct connection to the database. # Examples: # mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME # oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID direct = # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 url = # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path logFile = # Load HTTP request from a file # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme requestFile = # Rather than providing a target url, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at # http://johnny.ihackstuff.com/ghdb.php. # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = # These options can be used to specify how to connect to the target url. [Request] # Data string to be sent through POST. data = # Character used for splitting cookie values pDel = # HTTP Cookie header. cookie = # File containing cookies in Netscape/wget format loC = # URL-encode generated cookie injections. # Valid: True or False cookieUrlencode = False # Ignore Set-Cookie header from response # Valid: True or False dropSetCookie = False # HTTP User-Agent header. Useful to fake the HTTP User-Agent header value # at each HTTP request # sqlmap will also test for SQL injection on the HTTP User-Agent value. agent = # Use randomly selected HTTP User-Agent header # Valid: True or False randomAgent = False # HTTP Host header. host = # HTTP Referer header. Useful to fake the HTTP Referer header value at # each HTTP request. referer = # Randomly change value for the given parameter rParam = # Force usage of SSL/HTTPS requests # Valid: True or False forceSSL = False # Extra HTTP headers headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 # HTTP Authentication type. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Valid: Basic, Digest or NTLM aType = # HTTP authentication credentials. Useful only if the target url requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Syntax: username:password aCred = # HTTP Authentication certificate. Useful only if the target url requires # logon certificate and you have such data. # Syntax: key_file,cert_file aCert = # Use a HTTP proxy to connect to the target url. # Syntax: http://address:port proxy = # HTTP proxy authentication credentials. Useful only if the proxy requires # HTTP Basic or Digest authentication and you have such data. # Syntax: username:password pCred = # Ignore system default HTTP proxy. # Valid: True or False ignoreProxy = False # Delay in seconds between each HTTP request. # Valid: float # Default: 0 delay = 0 # Seconds to wait before timeout connection. # Valid: float # Default: 30 timeout = 30 # Maximum number of retries when the HTTP connection timeouts. # Valid: integer # Default: 3 retries = 3 # Regular expression for filtering targets from provided Burp. # or WebScarab proxy log. # Example: (google|yahoo) scope = # Url address to visit frequently during testing. # Example: http://192.168.1.121/index.html safUrl = # Test requests between two visits to a given safe url (default 0). # Valid: integer # Default: 0 saFreq = 0 # Skip URL encoding of POST data # Valid: True or False skipUrlEncode = False # Evaluate provided Python code before the request. # Example: import hashlib;id2=hashlib.md5(id).hexdigest() evalCode = # These options can be used to optimize the performance of sqlmap. [Optimization] # Use all optimization options. # Valid: True or False optimize = False # Predict common queries output. # Valid: True or False predictOutput = False # Use persistent HTTP(s) connections. keepAlive = False # Retrieve page length without actual HTTP response body. # Valid: True or False nullConnection = False # Maximum number of concurrent HTTP(s) requests (handled with Python threads) # to be used in the inference SQL injection attack. # Valid: integer # Default: 1 threads = 1 # These options can be used to specify which parameters to test for, # provide custom injection payloads and optional tampering scripts. [Injection] # Testable parameter(s) comma separated. By default all GET/POST/Cookie # parameters and HTTP User-Agent are tested by sqlmap. testParameter = # Force back-end DBMS to this value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default. # Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3, # access, firebird, maxdb, sybase dbms = # Force back-end DBMS operating system to this value. If this option is # set, the back-end DBMS identification process will be minimized as # needed. # If not set, sqlmap will detect back-end DBMS operating system # automatically by default. # Valid: linux, windows os = # Use big numbers for invalidating values. # Valid: True or False invalidBignum = False # Use logical operations for invalidating values. # Valid: True or False invalidLogical = False # Turn off payload casting mechanism # Valid: True or False noCast = False # Injection payload prefix string. prefix = # Injection payload suffix string. suffix = # Skip testing for given parameter(s). skip = # Use given script(s) for tampering injection data. tamper = # These options can be used to specify how to parse and compare page # content from HTTP responses when using blind SQL injection technique. [Detection] # Level of tests to perform. # The higher the value is, the higher the number of HTTP(s) requests are # as well as the better chances to detect a tricky SQL injection. # Valid: Integer between 1 and 5 # Default: 1 level = 1 # Risk of tests to perform. # Note: boolean-based blind SQL injection tests with AND are considered # risk 1, with OR are considered risk 3. # Valid: Integer between 0 and 3 # Default: 1 risk = 1 # String to match within the raw response when the query is valid, only # needed if the page content dynamically changes at each refresh. # Refer to the user's manual for further details. string = # Regular expression to match within the raw response when the query is # valid, only needed if the needed if the page content dynamically changes # at each refresh. # Refer to the user's manual for further details. # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) regexp = # HTTP response code to match when the query is valid. # Valid: Integer # Example: 200 (assuming any False statement returns a different response # code) # code = # Compare pages based only on the textual content. # Valid: True or False textOnly = False # Compare pages based only on their titles. # Valid: True or False titles = False # These options can be used to tweak testing of specific SQL injection # techniques. [Techniques] # SQL injection techniques to test for. # Valid: a string composed by B, E, U, S and T where: # B: Boolean-based blind SQL injection # E: Error-based SQL injection # U: UNION query SQL injection # S: Stacked queries SQL injection # T: Time-based blind SQL injection # Example: ES (means test for error-based and stacked queries SQL # injection types only) # Default: BEUST (means test for all SQL injection types - recommended) tech = BEUST # Seconds to delay the response from the DBMS. # Valid: integer # Default: 5 timeSec = 5 # Range of columns to test for # Valid: range of integers # Example: 1-10 uCols = # Character to use for bruteforcing number of columns # Valid: string # Example: NULL uChar = # Domain name used for DNS exfiltration attack # Valid: string dnsDomain = [Fingerprint] # Perform an extensive back-end database management system fingerprint # based on various techniques. # Valid: True or False extensiveFp = False # These options can be used to enumerate the back-end database # management system information, structure and data contained in the # tables. Moreover you can run your own SQL statements. [Enumeration] # Retrieve back-end database management system banner. # Valid: True or False getBanner = False # Retrieve back-end database management system current user. # Valid: True or False getCurrentUser = False # Retrieve back-end database management system current database. # Valid: True or False getCurrentDb = False # Detect if the DBMS current user is DBA. # Valid: True or False isDba = False # Enumerate back-end database management system users. # Valid: True or False getUsers = False # Enumerate back-end database management system users password hashes. # Valid: True or False getPasswordHashes = False # Enumerate back-end database management system users privileges. # Valid: True or False getPrivileges = False # Enumerate back-end database management system users roles. # Valid: True or False getRoles = False # Enumerate back-end database management system databases. # Valid: True or False getDbs = False # Enumerate back-end database management system database tables. # Optional: db # Valid: True or False getTables = False # Enumerate back-end database management system database table columns. # Optional: db, tbl, col # Valid: True or False getColumns = False # Enumerate back-end database management system schema. # Valid: True or False getSchema = False # Retrieve number of entries for table(s). # Valid: True or False getCount = False # Dump back-end database management system database table entries. # Requires: tbl and/or col # Optional: db # Valid: True or False dumpTable = False # Dump all back-end database management system databases tables entries. # Valid: True or False dumpAll = False # Search column(s), table(s) and/or database name(s). # Requires: db, tbl or col # Valid: True or False search = False # Back-end database management system database to enumerate. db = # Back-end database management system database table to enumerate. tbl = # Back-end database management system database table column to enumerate. col = # Back-end database management system database user to enumerate. user = # Exclude DBMS system databases when enumerating tables. # Valid: True or False excludeSysDbs = False # First query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will start to retrieve the query output entries from # the first) limitStart = 0 # Last query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will detect the number of query output entries and # retrieve them until the last) limitStop = 0 # First query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output from the first # character) firstChar = 0 # Last query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output until the last # character) lastChar = 0 # SQL statement to be executed. # Example: SELECT 'foo', 'bar' query = # Prompt for an interactive SQL shell. # Valid: True or False sqlShell = False # These options can be used to run brute force checks. [Brute force] # Check existence of common tables. # Valid: True or False commonTables = False # Check existence of common columns. # Valid: True or False commonColumns = False # These options can be used to create custom user-defined functions. [User-defined function] # Inject custom user-defined functions # Valid: True or False udfInject = False # Local path of the shared library shLib = # These options can be used to access the back-end database management # system underlying file system. [File system] # Read a specific file from the back-end DBMS underlying file system. # Examples: /etc/passwd or C:\boot.ini rFile = # Write a local file to a specific path on the back-end DBMS underlying # file system. # Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt wFile = # Back-end DBMS absolute filepath to write the file to. dFile = # These options can be used to access the back-end database management # system underlying operating system. [Takeover] # Execute an operating system command. # Valid: operating system command osCmd = # Prompt for an interactive operating system shell. # Valid: True or False osShell = False # Prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osPwn = False # One click prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osSmb = False # Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored # procedure heap-based buffer overflow (MS09-004) exploitation. # Valid: True or False osBof = False # Database process' user privilege escalation. # Note: Use in conjunction with osPwn, osSmb or osBof. It will force the # payload to be Meterpreter. privEsc = False # Local path where Metasploit Framework is installed. # Valid: file system path msfPath = # Remote absolute path of temporary files directory. # Valid: absolute file system path tmpPath = # These options can be used to access the back-end database management # system Windows registry. [Windows] # Read a Windows registry key value. # Valid: True or False regRead = False # Write a Windows registry key value data. # Valid: True or False regAdd = False # Delete a Windows registry key value. # Valid: True or False regDel = False # Windows registry key. regKey = # Windows registry key value. regVal = # Windows registry key value data. regData = # Windows registry key value type. regType = # These options can be used to set some general working parameters. [General] # Save and resume all data retrieved on a session file. sessionFile = # Log all HTTP traffic into a textual file. trafficFile = # Never ask for user input, use the default behaviour. # Valid: True or False batch = False # Force character encoding used for data retrieval. charset = # Check to see if Tor is used properly. # Valid: True or False checkTor = False # Crawl the website starting from the target url. # Valid: integer # Default: 0 crawlDepth = 0 # Delimiting character used in CSV output. # Default: , csvDel = , # Retrieve each query output length and calculate the estimated time of # arrival in real time. # Valid: True or False eta = False # Flush session file for current target. # Valid: True or False flushSession = False # Parse and test forms on target url. # Valid: True or False forms = False # Ignores query results stored in session file. # Valid: True or False freshQueries = False # Uses DBMS hex function(s) for data retrieval. # Valid: True or False hexConvert = False # Parse and display DBMS error messages from responses. # Valid: True or False parseErrors = False # Replicate dumped data into a sqlite3 database. # Valid: True or False replicate = False # Use Use Tor anonymity network. # Valid: True or False tor = False # Set Tor proxy port other than default. # Valid: integer # torPort = # Set Tor proxy type. # Valid: HTTP, SOCKS4, SOCKS5 torType = HTTP # Update sqlmap. # Valid: True or False updateAll = False [Miscellaneous] # Sound alert when SQL injection found. beep = False # Offline WAF/IPS/IDS payload detection testing. checkPayload = False # Check for existence of WAF/IPS/IDS protection. checkWaf = False # Clean up the DBMS by sqlmap specific UDF and tables. # Valid: True or False cleanup = False # Show which sqlmap dependencies are not available. # Valid: True or False dependencies = False # Use Google dork results from specified page number. # Valid: integer # Default: 1 googlePage = 1 # Imitate smartphone through HTTP User-Agent header. # Valid: True or False mobile = False # Display page rank (PR) for Google dork results. # Valid: True or False pageRank = False # Conduct through tests only if positive heuristic(s). # Valid: True or False smart = False # Simple wizard interface for beginner users. # Valid: True or False wizard = False # Verbosity level. # Valid: integer between 0 and 6 # 0: Show only error and critical messages # 1: Show also warning and info messages # 2: Show also debug messages # 3: Show also payloads injected # 4: Show also HTTP requests # 5: Show also HTTP responses' headers # 6: Show also HTTP responses' page content # Default: 1 verbose = 1