# At least one of these options has to be specified to set the source to # get target URLs from. [Target] # Direct connection to the database. # Examples: # mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME # oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID direct = # Target URL. # Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2 url = # Parse targets from Burp or WebScarab logs # Valid: Burp proxy (http://portswigger.net/suite/) requests log file path # or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) # 'conversations/' folder path logFile = # Load HTTP request from a file # Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme requestFile = # Rather than providing a target URL, let Google return target # hosts as result of your Google dork expression. For a list of Google # dorks see Johnny Long Google Hacking Database at # http://johnny.ihackstuff.com/ghdb.php. # Example: +ext:php +inurl:"&id=" +intext:"powered by " googleDork = # These options can be used to specify how to connect to the target URL. [Request] # Data string to be sent through POST. data = # Character used for splitting cookie values pDel = # HTTP Cookie header. cookie = # File containing cookies in Netscape/wget format loadCookies = # Ignore Set-Cookie header from response # Valid: True or False dropSetCookie = False # HTTP User-Agent header. Useful to fake the HTTP User-Agent header value # at each HTTP request # sqlmap will also test for SQL injection on the HTTP User-Agent value. agent = # Use randomly selected HTTP User-Agent header # Valid: True or False randomAgent = False # HTTP Host header. host = # HTTP Referer header. Useful to fake the HTTP Referer header value at # each HTTP request. referer = # Extra HTTP headers headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 # HTTP Authentication type. Useful only if the target URL requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Valid: Basic, Digest or NTLM aType = # HTTP authentication credentials. Useful only if the target URL requires # HTTP Basic, Digest or NTLM authentication and you have such data. # Syntax: username:password aCred = # HTTP Authentication certificate. Useful only if the target URL requires # logon certificate and you have such data. # Syntax: key_file,cert_file aCert = # Use a HTTP proxy to connect to the target URL. # Syntax: http://address:port proxy = # HTTP proxy authentication credentials. Useful only if the proxy requires # HTTP Basic or Digest authentication and you have such data. # Syntax: username:password pCred = # Ignore system default HTTP proxy. # Valid: True or False ignoreProxy = False # Use Tor anonymity network. # Valid: True or False tor = False # Set Tor proxy port other than default. # Valid: integer # torPort = # Set Tor proxy type. # Valid: HTTP, SOCKS4, SOCKS5 torType = HTTP # Check to see if Tor is used properly. # Valid: True or False checkTor = False # Delay in seconds between each HTTP request. # Valid: float # Default: 0 delay = 0 # Seconds to wait before timeout connection. # Valid: float # Default: 30 timeout = 30 # Maximum number of retries when the HTTP connection timeouts. # Valid: integer # Default: 3 retries = 3 # Randomly change value for the given parameter. rParam = # URL address to visit frequently during testing. # Example: http://192.168.1.121/index.html safUrl = # Test requests between two visits to a given safe URL (default 0). # Valid: integer # Default: 0 saFreq = 0 # Skip URL encoding of payload data # Valid: True or False skipUrlEncode = False # Force usage of SSL/HTTPS # Valid: True or False forceSSL = False # Use HTTP parameter pollution. # Valid: True or False hpp = False # Evaluate provided Python code before the request. # Example: import hashlib;id2=hashlib.md5(id).hexdigest() evalCode = # These options can be used to optimize the performance of sqlmap. [Optimization] # Use all optimization options. # Valid: True or False optimize = False # Predict common queries output. # Valid: True or False predictOutput = False # Use persistent HTTP(s) connections. keepAlive = False # Retrieve page length without actual HTTP response body. # Valid: True or False nullConnection = False # Maximum number of concurrent HTTP(s) requests (handled with Python threads) # to be used in the inference SQL injection attack. # Valid: integer # Default: 1 threads = 1 # These options can be used to specify which parameters to test for, # provide custom injection payloads and optional tampering scripts. [Injection] # Testable parameter(s) comma separated. By default all GET/POST/Cookie # parameters and HTTP User-Agent are tested by sqlmap. testParameter = # Skip testing for given parameter(s). skip = # Force back-end DBMS to this value. If this option is set, the back-end # DBMS identification process will be minimized as needed. # If not set, sqlmap will detect back-end DBMS automatically by default. # Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3, # access, firebird, maxdb, sybase dbms = # DBMS authentication credentials (user:password). Useful if you want to # run SQL statements as another user, the back-end database management # system is PostgreSQL or Microsoft SQL Server and the parameter is # vulnerable by stacked queries SQL injection or you are connecting directly # to the DBMS (-d switch). # Syntax: username:password dbmsCred = # Force back-end DBMS operating system to this value. If this option is # set, the back-end DBMS identification process will be minimized as # needed. # If not set, sqlmap will detect back-end DBMS operating system # automatically by default. # Valid: linux, windows os = # Use big numbers for invalidating values. # Valid: True or False invalidBignum = False # Use logical operations for invalidating values. # Valid: True or False invalidLogical = False # Turn off payload casting mechanism # Valid: True or False noCast = False # Turn off string escaping mechanism # Valid: True or False noEscape = False # Injection payload prefix string. prefix = # Injection payload suffix string. suffix = # Use given script(s) for tampering injection data. tamper = # These options can be used to specify how to parse and compare page # content from HTTP responses when using blind SQL injection technique. [Detection] # Level of tests to perform. # The higher the value is, the higher the number of HTTP(s) requests are # as well as the better chances to detect a tricky SQL injection. # Valid: Integer between 1 and 5 # Default: 1 level = 1 # Risk of tests to perform. # Note: boolean-based blind SQL injection tests with AND are considered # risk 1, with OR are considered risk 3. # Valid: Integer between 0 and 3 # Default: 1 risk = 1 # String to match within the raw response when the query is evaluated to # True, only needed if the page content dynamically changes at each refresh. # Refer to the user's manual for further details. string = # String to match within the raw response when the query is evaluated to # False, only needed if the page content dynamically changes at each refresh. # Refer to the user's manual for further details. notString = # Regular expression to match within the raw response when the query is # evaluated to True, only needed if the needed if the page content # dynamically changes at each refresh. # Refer to the user's manual for further details. # Valid: regular expression with Python syntax # (http://www.python.org/doc/2.5.2/lib/re-syntax.html) regexp = # HTTP response code to match when the query is True. # Valid: Integer # Example: 200 (assuming any False statement returns a different response # code) # code = # Compare pages based only on the textual content. # Valid: True or False textOnly = False # Compare pages based only on their titles. # Valid: True or False titles = False # These options can be used to tweak testing of specific SQL injection # techniques. [Techniques] # SQL injection techniques to use. # Valid: a string composed by B, E, U, S, T and Q where: # B: Boolean-based blind SQL injection # E: Error-based SQL injection # U: UNION query SQL injection # S: Stacked queries SQL injection # T: Time-based blind SQL injection # Q: Inline SQL injection # Example: ES (means test for error-based and stacked queries SQL # injection types only) # Default: BEUSTQ (means test for all SQL injection types - recommended) tech = BEUSTQ # Seconds to delay the response from the DBMS. # Valid: integer # Default: 5 timeSec = 5 # Range of columns to test for # Valid: range of integers # Example: 1-10 uCols = # Character to use for bruteforcing number of columns # Valid: string # Example: NULL uChar = # Table to use in FROM part of UNION query SQL injection # Valid: string # Example: INFORMATION_SCHEMA.COLLATIONS uFrom = # Domain name used for DNS exfiltration attack # Valid: string dnsName = # Resulting page URL searched for second-order response # Valid: string secondOrder = [Fingerprint] # Perform an extensive back-end database management system fingerprint # based on various techniques. # Valid: True or False extensiveFp = False # These options can be used to enumerate the back-end database # management system information, structure and data contained in the # tables. Moreover you can run your own SQL statements. [Enumeration] # Retrieve everything # Valid: True or False getAll = False # Retrieve back-end database management system banner. # Valid: True or False getBanner = False # Retrieve back-end database management system current user. # Valid: True or False getCurrentUser = False # Retrieve back-end database management system current database. # Valid: True or False getCurrentDb = False # Retrieve back-end database management system server hostname. # Valid: True or False getHostname = False # Detect if the DBMS current user is DBA. # Valid: True or False isDba = False # Enumerate back-end database management system users. # Valid: True or False getUsers = False # Enumerate back-end database management system users password hashes. # Valid: True or False getPasswordHashes = False # Enumerate back-end database management system users privileges. # Valid: True or False getPrivileges = False # Enumerate back-end database management system users roles. # Valid: True or False getRoles = False # Enumerate back-end database management system databases. # Valid: True or False getDbs = False # Enumerate back-end database management system database tables. # Optional: db # Valid: True or False getTables = False # Enumerate back-end database management system database table columns. # Optional: db, tbl, col # Valid: True or False getColumns = False # Enumerate back-end database management system schema. # Valid: True or False getSchema = False # Retrieve number of entries for table(s). # Valid: True or False getCount = False # Dump back-end database management system database table entries. # Requires: tbl and/or col # Optional: db # Valid: True or False dumpTable = False # Dump all back-end database management system databases tables entries. # Valid: True or False dumpAll = False # Search column(s), table(s) and/or database name(s). # Requires: db, tbl or col # Valid: True or False search = False # Back-end database management system database to enumerate. db = # Back-end database management system database table to enumerate. tbl = # Back-end database management system database table column to enumerate. col = # Back-end database management system database user to enumerate. user = # Exclude DBMS system databases when enumerating tables. # Valid: True or False excludeSysDbs = False # First query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will start to retrieve the query output entries from # the first) limitStart = 0 # Last query output entry to retrieve # Valid: integer # Default: 0 (sqlmap will detect the number of query output entries and # retrieve them until the last) limitStop = 0 # First query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output from the first # character) firstChar = 0 # Last query output word character to retrieve # Valid: integer # Default: 0 (sqlmap will enumerate the query output until the last # character) lastChar = 0 # SQL statement to be executed. # Example: SELECT 'foo', 'bar' query = # Prompt for an interactive SQL shell. # Valid: True or False sqlShell = False # Execute SQL statements from given file(s). sqlFile = # These options can be used to run brute force checks. [Brute force] # Check existence of common tables. # Valid: True or False commonTables = False # Check existence of common columns. # Valid: True or False commonColumns = False # These options can be used to create custom user-defined functions. [User-defined function] # Inject custom user-defined functions # Valid: True or False udfInject = False # Local path of the shared library shLib = # These options can be used to access the back-end database management # system underlying file system. [File system] # Read a specific file from the back-end DBMS underlying file system. # Examples: /etc/passwd or C:\boot.ini rFile = # Write a local file to a specific path on the back-end DBMS underlying # file system. # Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt wFile = # Back-end DBMS absolute filepath to write the file to. dFile = # These options can be used to access the back-end database management # system underlying operating system. [Takeover] # Execute an operating system command. # Valid: operating system command osCmd = # Prompt for an interactive operating system shell. # Valid: True or False osShell = False # Prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osPwn = False # One click prompt for an out-of-band shell, meterpreter or VNC. # Valid: True or False osSmb = False # Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored # procedure heap-based buffer overflow (MS09-004) exploitation. # Valid: True or False osBof = False # Database process' user privilege escalation. # Note: Use in conjunction with osPwn, osSmb or osBof. It will force the # payload to be Meterpreter. privEsc = False # Local path where Metasploit Framework is installed. # Valid: file system path msfPath = # Remote absolute path of temporary files directory. # Valid: absolute file system path tmpPath = # These options can be used to access the back-end database management # system Windows registry. [Windows] # Read a Windows registry key value. # Valid: True or False regRead = False # Write a Windows registry key value data. # Valid: True or False regAdd = False # Delete a Windows registry key value. # Valid: True or False regDel = False # Windows registry key. regKey = # Windows registry key value. regVal = # Windows registry key value data. regData = # Windows registry key value type. regType = # These options can be used to set some general working parameters. [General] # Load session from a stored (.sqlite) file # Example: output/www.target.com/session.sqlite sessionFile = # Log all HTTP traffic into a textual file. trafficFile = # Never ask for user input, use the default behaviour. # Valid: True or False batch = False # Force character encoding used for data retrieval. charset = # Crawl the website starting from the target URL. # Valid: integer # Default: 0 crawlDepth = 0 # Delimiting character used in CSV output. # Default: , csvDel = , # Format of dumped data # Valid: CSV, HTML or SQLITE dumpFormat = CSV # Retrieve each query output length and calculate the estimated time of # arrival in real time. # Valid: True or False eta = False # Flush session files for current target. # Valid: True or False flushSession = False # Parse and test forms on target URL. # Valid: True or False forms = False # Ignore query results stored in session file. # Valid: True or False freshQueries = False # Use DBMS hex function(s) for data retrieval. # Valid: True or False hexConvert = False # Custom output directory path. oDir = # Parse and display DBMS error messages from responses. # Valid: True or False parseErrors = False # Pivot column name. pivotColumn = # Regular expression for filtering targets from provided Burp. # or WebScarab proxy log. # Example: (google|yahoo) scope = # Select tests by payloads and/or titles (e.g. ROW) testFilter = # Update sqlmap. # Valid: True or False updateAll = False [Miscellaneous] # Use short mnemonics (e.g. "flu,bat,ban,tec=EU"). mnemonics = # Run shell command(s) when SQL injection is found. alert = # Set question answers (e.g. "quit=N,follow=N"). answers = # Make a beep sound when SQL injection is found. # Valid: True or False beep = False # Offline WAF/IPS/IDS payload detection testing. # Valid: True or False checkPayload = False # Heuristically check for WAF/IPS/IDS protection. # Valid: True or False checkWaf = False # Clean up the DBMS by sqlmap specific UDF and tables. # Valid: True or False cleanup = False # Check for missing (non-core) sqlmap dependencies. # Valid: True or False dependencies = False # Disable console output coloring. # Valid: True or False disableColoring = False # Use Google dork results from specified page number. # Valid: integer # Default: 1 googlePage = 1 # Make a through testing for a WAF/IPS/IDS protection. # Valid: True or False identifyWaf = False # Imitate smartphone through HTTP User-Agent header. # Valid: True or False mobile = False # Display page rank (PR) for Google dork results. # Valid: True or False pageRank = False # Conduct through tests only if positive heuristic(s). # Valid: True or False smart = False # Simple wizard interface for beginner users. # Valid: True or False wizard = False # Verbosity level. # Valid: integer between 0 and 6 # 0: Show only error and critical messages # 1: Show also warning and info messages # 2: Show also debug messages # 3: Show also payloads injected # 4: Show also HTTP requests # 5: Show also HTTP responses' headers # 6: Show also HTTP responses' page content # Default: 1 verbose = 1