mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2025-01-24 16:24:25 +03:00
7d8cc1a482
1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed 2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays. Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter. Minor layout adjustments.
459 lines
12 KiB
Plaintext
459 lines
12 KiB
Plaintext
# At least one of these options has to be specified to set the source to
|
|
# get target urls from.
|
|
[Target]
|
|
|
|
# Target URL.
|
|
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
|
|
url =
|
|
|
|
# Parse targets from Burp or WebScarab logs
|
|
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
|
|
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
|
|
# 'conversations/' folder path
|
|
list =
|
|
|
|
# Load HTTP request from a file
|
|
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
|
|
requestFile =
|
|
|
|
# Rather than providing a target url, let Google return target
|
|
# hosts as result of your Google dork expression. For a list of Google
|
|
# dorks see Johnny Long Google Hacking Database at
|
|
# http://johnny.ihackstuff.com/ghdb.php.
|
|
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
|
|
googleDork =
|
|
|
|
|
|
# These options can be used to specify how to connect to the target url.
|
|
[Request]
|
|
|
|
# HTTP method to perform HTTP requests.
|
|
# Valid: GET or POST
|
|
# Default: GET
|
|
method = GET
|
|
|
|
# Data string to be sent through POST. It is mandatory only when
|
|
# HTTP method is set to POST.
|
|
data =
|
|
|
|
# HTTP Cookie header.
|
|
cookie =
|
|
|
|
# URL-encode generated cookie injections.
|
|
# Valid: True or False
|
|
cookieUrlencode = False
|
|
|
|
# Ignore Set-Cookie header from response
|
|
# Valid: True or False
|
|
dropSetCookie = False
|
|
|
|
# HTTP User-Agent header. Useful to fake the HTTP User-Agent header value
|
|
# at each HTTP request
|
|
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
|
|
agent =
|
|
|
|
# Load a random HTTP User-Agent header from file
|
|
# Example: ./txt/user-agents.txt
|
|
userAgentsFile =
|
|
|
|
# HTTP Referer header. Useful to fake the HTTP Referer header value at
|
|
# each HTTP request.
|
|
referer =
|
|
|
|
# Extra HTTP headers
|
|
# Note: There must be a space at the beginning of each header line.
|
|
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
|
Accept-Language: en-us,en;q=0.5
|
|
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
|
|
|
# HTTP Authentication type. Useful only if the target url requires
|
|
# HTTP Basic, Digest or NTLM authentication and you have such data.
|
|
# Valid: Basic, Digest or NTLM
|
|
aType =
|
|
|
|
# HTTP Authentication credentials. Useful only if the target url requires
|
|
# HTTP Basic, Digest or NTLM authentication and you have such data.
|
|
# Syntax: username:password
|
|
aCred =
|
|
|
|
# HTTP Authentication certificate. Useful only if the target url requires
|
|
# logon certificate and you have such data.
|
|
# Syntax: key_file,cert_file
|
|
aCert =
|
|
|
|
# Use a HTTP proxy to connect to the target url.
|
|
# Syntax: http://address:port
|
|
proxy =
|
|
|
|
# Ignore system default HTTP proxy
|
|
# Valid: True or False
|
|
ignoreProxy = False
|
|
|
|
# Maximum number of concurrent HTTP requests (handled with Python threads)
|
|
# to be used in the inference SQL injection attack.
|
|
# Valid: integer
|
|
# Default: 1
|
|
threads = 1
|
|
|
|
# Delay in seconds between each HTTP request.
|
|
# Valid: float
|
|
# Default: 0
|
|
delay = 0
|
|
|
|
# Seconds to wait before timeout connection.
|
|
# Valid: float
|
|
# Default: 30
|
|
timeout = 30
|
|
|
|
# Maximum number of retries when the HTTP connection timeouts.
|
|
# Valid: integer
|
|
# Default: 3
|
|
retries = 3
|
|
|
|
# Regular expression for filtering targets from provided Burp
|
|
# or WebScarab proxy log.
|
|
# Example: (google|yahoo)
|
|
scope =
|
|
|
|
|
|
# These options can be used to specify which parameters to test for,
|
|
# provide custom injection payloads and how to parse and compare HTTP
|
|
# responses page content when using the blind SQL injection technique.
|
|
[Injection]
|
|
|
|
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
|
|
# parameters and HTTP User-Agent are tested by sqlmap.
|
|
testParameter =
|
|
|
|
# Force back-end DBMS to this value. If this option is set, the back-end
|
|
# DBMS identification process will be minimized as needed.
|
|
# If not set, sqlmap will detect back-end DBMS automatically by default.
|
|
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql
|
|
dbms =
|
|
|
|
# Force back-end DBMS operating system to this value. If this option is
|
|
# set, the back-end DBMS identification process will be minimized as
|
|
# needed.
|
|
# If not set, sqlmap will detect back-end DBMS operating system
|
|
# automatically by default.
|
|
# Valid: linux, windows
|
|
os =
|
|
|
|
# Injection payload prefix string
|
|
prefix =
|
|
|
|
# Injection payload postfix string
|
|
postfix =
|
|
|
|
# String to match within the page content when the query is valid, only
|
|
# needed if the page content dynamically changes at each refresh,
|
|
# consequently changing the MD5 hash of the page which is the method used
|
|
# by default to determine if a query was valid or not. Refer to the user's
|
|
# manual for further details.
|
|
string =
|
|
|
|
# Regular expression to match within the page content when the query is
|
|
# valid, only needed if the needed if the page content dynamically changes
|
|
# at each refresh, consequently changing the MD5 hash of the page which is
|
|
# the method used by default to determine if a query was valid or not.
|
|
# Refer to the user's manual for further details.
|
|
# Valid: regular expression with Python syntax
|
|
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
|
|
regexp =
|
|
|
|
# String to be excluded by the page content before calculating the page
|
|
# MD5 hash
|
|
eString =
|
|
|
|
# Regular expression matches to be excluded by the page content before
|
|
# calculating the page MD5 hash
|
|
# Valid: regular expression with Python syntax
|
|
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
|
|
eRegexp =
|
|
|
|
|
|
# These options can be used to test for specific SQL injection technique
|
|
# or to use one of them to exploit the affected parameter(s) rather than
|
|
# using the default blind SQL injection technique.
|
|
[Techniques]
|
|
|
|
# Test for stacked queries (multiple statements) support.
|
|
# Valid: True or False
|
|
stackedTest = False
|
|
|
|
# Test for time based blind SQL injection.
|
|
# Valid: True or False
|
|
timeTest = False
|
|
|
|
# Seconds to delay the response from the DBMS.
|
|
# Valid: integer
|
|
# Default: 5
|
|
timeSec = 5
|
|
|
|
# Test for UNION query (inband) SQL injection.
|
|
# Valid: True or False
|
|
unionTest = False
|
|
|
|
# Technique to test for UNION query SQL injection
|
|
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
|
|
# clause (ob)
|
|
# Valid: NULL, OrderBy
|
|
# Default: NULL
|
|
uTech = NULL
|
|
|
|
# Use the UNION query (inband) SQL injection to retrieve the queries
|
|
# output. No need to go blind.
|
|
# Valid: True or False
|
|
unionUse = False
|
|
|
|
|
|
[Fingerprint]
|
|
|
|
# Perform an extensive back-end database management system fingerprint
|
|
# based on various techniques.
|
|
# Valid: True or False
|
|
extensiveFp = False
|
|
|
|
|
|
# These options can be used to enumerate the back-end database
|
|
# management system information, structure and data contained in the
|
|
# tables. Moreover you can run your own SQL statements.
|
|
[Enumeration]
|
|
|
|
# Retrieve back-end database management system banner.
|
|
# Valid: True or False
|
|
getBanner = False
|
|
|
|
# Retrieve back-end database management system current user.
|
|
# Valid: True or False
|
|
getCurrentUser = False
|
|
|
|
# Retrieve back-end database management system current database.
|
|
# Valid: True or False
|
|
getCurrentDb = False
|
|
|
|
# Detect if the DBMS current user is DBA.
|
|
# Valid: True or False
|
|
isDba = False
|
|
|
|
# Enumerate back-end database management system users.
|
|
# Valid: True or False
|
|
getUsers = False
|
|
|
|
# Enumerate back-end database management system users password hashes.
|
|
# Valid: True or False
|
|
getPasswordHashes = False
|
|
|
|
# Enumerate back-end database management system users privileges.
|
|
# Valid: True or False
|
|
getPrivileges = False
|
|
|
|
# Enumerate back-end database management system databases.
|
|
# Valid: True or False
|
|
getDbs = False
|
|
|
|
# Enumerate back-end database management system database tables.
|
|
# Optional: db
|
|
# Valid: True or False
|
|
getTables = False
|
|
|
|
# Enumerate back-end database management system database table columns.
|
|
# Requires: tbl
|
|
# Optional: db, col
|
|
# Valid: True or False
|
|
getColumns = False
|
|
|
|
# Dump back-end database management system database table entries.
|
|
# Requires: tbl and/or col
|
|
# Optional: db
|
|
# Valid: True or False
|
|
dumpTable = False
|
|
|
|
# Dump all back-end database management system databases tables entries.
|
|
# Valid: True or False
|
|
dumpAll = False
|
|
|
|
# Back-end database management system database to enumerate.
|
|
db =
|
|
|
|
# Back-end database management system database table to enumerate.
|
|
tbl =
|
|
|
|
# Back-end database management system database table column to enumerate.
|
|
col =
|
|
|
|
# Back-end database management system database user to enumerate.
|
|
user =
|
|
|
|
# Exclude DBMS system databases when enumerating tables.
|
|
# Valid: True or False
|
|
excludeSysDbs = False
|
|
|
|
# First query output entry to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will start to retrieve the query output entries from
|
|
# the first)
|
|
limitStart = 0
|
|
|
|
# Last query output entry to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will detect the number of query output entries and
|
|
# retrieve them until the last)
|
|
limitStop = 0
|
|
|
|
# First query output word character to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will enumerate the query output from the first
|
|
# character)
|
|
firstChar = 0
|
|
|
|
# Last query output word character to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will enumerate the query output until the last
|
|
# character)
|
|
lastChar = 0
|
|
|
|
# SQL statement to be executed.
|
|
# Example: SELECT 'foo', 'bar'
|
|
query =
|
|
|
|
# Prompt for an interactive SQL shell.
|
|
# Valid: True or False
|
|
sqlShell = False
|
|
|
|
|
|
# These options can be used to create custom user-defined functions.
|
|
[User-defined function]
|
|
|
|
# Inject custom user-defined functions
|
|
# Valid: True or False
|
|
udfInject = False
|
|
|
|
# Local path of the shared library
|
|
shLib =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system underlying file system.
|
|
[File system]
|
|
|
|
# Read a specific file from the back-end DBMS underlying file system.
|
|
# Examples: /etc/passwd or C:\boot.ini
|
|
rFile =
|
|
|
|
# Write a local file to a specific path on the back-end DBMS underlying
|
|
# file system.
|
|
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
|
|
wFile =
|
|
|
|
# Back-end DBMS absolute filepath to write the file to.
|
|
dFile =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system underlying operating system.
|
|
[Takeover]
|
|
|
|
# Execute an operating system command.
|
|
# Valid: operating system command
|
|
osCmd =
|
|
|
|
# Prompt for an interactive operating system shell.
|
|
# Valid: True or False
|
|
osShell = False
|
|
|
|
# Prompt for an out-of-band shell, meterpreter or VNC.
|
|
# Valid: True or False
|
|
osPwn = False
|
|
|
|
# One click prompt for an out-of-band shell, meterpreter or VNC.
|
|
# Valid: True or False
|
|
osSmb = False
|
|
|
|
# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
|
|
# procedure heap-based buffer overflow (MS09-004) exploitation.
|
|
# Valid: True or False
|
|
osBof = False
|
|
|
|
# Database process' user privilege escalation.
|
|
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
|
|
# payload to be Meterpreter.
|
|
privEsc = False
|
|
|
|
# Local path where Metasploit Framework 3 is installed.
|
|
# Valid: file system path
|
|
msfPath =
|
|
|
|
# Remote absolute path of temporary files directory.
|
|
# Valid: absolute file system path
|
|
tmpPath =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system Windows registry.
|
|
[Windows]
|
|
|
|
# Read a Windows registry key value
|
|
regRead = False
|
|
|
|
# Write a Windows registry key value data
|
|
regAdd = False
|
|
|
|
# Delete a Windows registry key value
|
|
regDel = False
|
|
|
|
# Windows registry key
|
|
regKey =
|
|
|
|
# Windows registry key value
|
|
regVal =
|
|
|
|
# Windows registry key value data
|
|
regData =
|
|
|
|
# Windows registry key value type
|
|
regType =
|
|
|
|
|
|
[Miscellaneous]
|
|
|
|
# Save and resume all data retrieved on a session file.
|
|
sessionFile =
|
|
|
|
|
|
# Flush session file for current target.
|
|
flushSession = False
|
|
|
|
# Retrieve each query output length and calculate the estimated time of
|
|
# arrival in real time.
|
|
# Valid: True or False
|
|
eta = False
|
|
|
|
# Use google dork results from specified page number
|
|
# Valid: integer
|
|
# Default: 1
|
|
googlePage = 1
|
|
|
|
# Update sqlmap.
|
|
# Valid: True or False
|
|
updateAll = False
|
|
|
|
# Never ask for user input, use the default behaviour.
|
|
# Valid: True or False
|
|
batch = False
|
|
|
|
# Clean up the DBMS by sqlmap specific UDF and tables
|
|
# Valid: True or False
|
|
cleanup = False
|
|
|
|
# Verbosity level.
|
|
# Valid: integer between 0 and 5
|
|
# 0: Show only warning and error messages
|
|
# 1: Show also info messages
|
|
# 2: Show also debug messages
|
|
# 3: Show also HTTP requests
|
|
# 4: Show also HTTP responses headers
|
|
# 5: Show also HTTP responses page content
|
|
# Default: 1
|
|
verbose = 1
|