sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity
7e3b24afe6
sqlmap/sqlmap.conf
Bernardo Damele 7e3b24afe6 Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. 
All (hopefully) functionalities should still be working.
Added two switches, --level and --risk to specify which injection tests and boundaries to use.
The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 18:10:54 +00:00

590 lines
15 KiB
Plaintext
Raw Blame History

# At least one of these options has to be specified to set the source to
# get target urls from.
[Target]
# Direct connection to the database.
# Examples:
# mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
# oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
direct =
# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url =
# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
list =
# Load HTTP request from a file
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile =
# Rather than providing a target url, let Google return target
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =
# These options can be used to specify how to connect to the target url.
[Request]
# HTTP method to perform HTTP requests.
# Valid: GET or POST
# Default: GET
method = GET
# Data string to be sent through POST. It is mandatory only when
# HTTP method is set to POST.
data =
# HTTP Cookie header.
cookie =
# URL-encode generated cookie injections.
# Valid: True or False
cookieUrlencode = False
# Ignore Set-Cookie header from response
# Valid: True or False
dropSetCookie = False
# HTTP User-Agent header. Useful to fake the HTTP User-Agent header value
# at each HTTP request
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
agent =
# Load a random HTTP User-Agent header from file
# Example: ./txt/user-agents.txt
userAgentsFile =
# HTTP Referer header. Useful to fake the HTTP Referer header value at
# each HTTP request.
referer =
# Extra HTTP headers
# Note: There must be a space at the beginning of each header line.
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# HTTP Authentication type. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Valid: Basic, Digest or NTLM
aType =
# HTTP authentication credentials. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Syntax: username:password
aCred =
# HTTP Authentication certificate. Useful only if the target url requires
# logon certificate and you have such data.
# Syntax: key_file,cert_file
aCert =
# Use a HTTP proxy to connect to the target url.
# Syntax: http://address:port
proxy =
# HTTP proxy authentication credentials. Useful only if the proxy requires
# HTTP Basic or Digest authentication and you have such data.
# Syntax: username:password
pCred =
# Ignore system default HTTP proxy
# Valid: True or False
ignoreProxy = False
# Delay in seconds between each HTTP request.
# Valid: float
# Default: 0
delay = 0
# Seconds to wait before timeout connection.
# Valid: float
# Default: 30
timeout = 30
# Maximum number of retries when the HTTP connection timeouts.
# Valid: integer
# Default: 3
retries = 3
# Regular expression for filtering targets from provided Burp
# or WebScarab proxy log.
# Example: (google|yahoo)
scope =
# Url address to visit frequently during testing
# Example: http://192.168.1.121/index.html
safUrl =
# Test requests between two visits to a given safe url (default 0)
# Valid: integer
# Default: 0
saFreq = 0
# These options can be used to optimize the performance of sqlmap.
[Optimization]
# Use all optimization options.
# Valid: True or False
optimize = False
# Predict common queries output.
# Valid: True or False
predictOutput = False
# Use persistent HTTP(s) connections.
keepAlive = False
# Retrieve page length without actual HTTP response body.
# Valid: True or False
nullConnection = False
# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
# to be used in the inference SQL injection attack.
# Valid: integer
# Default: 1
threads = 1
# These options can be used to specify which parameters to test for,
# provide custom injection payloads and optional tampering scripts.
[Injection]
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =
# Force back-end DBMS to this value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
# access, firebird, maxdb, sybase
dbms =
# Force back-end DBMS operating system to this value. If this option is
# set, the back-end DBMS identification process will be minimized as
# needed.
# If not set, sqlmap will detect back-end DBMS operating system
# automatically by default.
# Valid: linux, windows
os =
# Injection payload prefix string
prefix =
# Injection payload suffix string
suffix =
# Use given script(s) for tampering injection data
tamper =
# These options can be used to specify how to parse and compare page
# content from HTTP responses when using blind SQL injection technique.
[Detection]
# Level of tests to perform
# The higher the value is, the higher the number of HTTP(s) requests are
# as well as the better chances to detect a tricky SQL injection.
# Valid: Integer between 1 and 5
# Default: 1
level = 1
# Risk of tests to perform
# Note: boolean-based blind SQL injection tests with AND are considered
# risk 1, with OR are considered risk 3.
# Valid: Integer between 0 and 3
# Default: 1
risk = 1
# String to match within the page content when the query is valid, only
# needed if the page content dynamically changes at each refresh.
# Refer to the user's manual for further details.
string =
# Regular expression to match within the page content when the query is
# valid, only needed if the needed if the page content dynamically changes
# at each refresh.
# Refer to the user's manual for further details.
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
regexp =
# String to be excluded by the page content before comparing to the original page
eString =
# Regular expression matches to be excluded by the page content before
# comparing to the original page
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
eRegexp =
# Page comparison threshold value.
# Valid: 0.0-1.0
thold =
# Compare pages based only on their textual content
# Valid: True or False
textOnly = False
# Compare pages based on their longest common match
# Valid: True or False
longestCommon = False
# These options can be used to test for specific SQL injection technique
# or to use one of them to exploit the affected parameter(s) rather than
# using the default blind SQL injection technique.
[Techniques]
# Test for and use error based SQL injection.
# Valid: True or False
errorTest = False
# Test for and use stacked queries (multiple statements).
# Valid: True or False
stackedTest = False
# Test for time based blind SQL injection.
# Valid: True or False
timeTest = False
# Seconds to delay the response from the DBMS.
# Valid: integer
# Default: 5
timeSec = 5
# Test for and use UNION query (inband) SQL injection.
# Valid: True or False
unionTest = False
# Technique to test for UNION query SQL injection
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
# clause (ob)
# Valid: char, OrderBy
# Default: char
uTech = char
# Range of columns to test for
# Valid: range of integers
# Default: 1-20
uCols = 1-20
# Character to use to bruteforce number of columns
# Valid: string
# Default: NULL
uChar = NULL
[Fingerprint]
# Perform an extensive back-end database management system fingerprint
# based on various techniques.
# Valid: True or False
extensiveFp = False
# These options can be used to enumerate the back-end database
# management system information, structure and data contained in the
# tables. Moreover you can run your own SQL statements.
[Enumeration]
# Retrieve back-end database management system banner.
# Valid: True or False
getBanner = False
# Retrieve back-end database management system current user.
# Valid: True or False
getCurrentUser = False
# Retrieve back-end database management system current database.
# Valid: True or False
getCurrentDb = False
# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False
# Enumerate back-end database management system users.
# Valid: True or False
getUsers = False
# Enumerate back-end database management system users password hashes.
# Valid: True or False
getPasswordHashes = False
# Enumerate back-end database management system users privileges.
# Valid: True or False
getPrivileges = False
# Enumerate back-end database management system users roles.
# Valid: True or False
getRoles = False
# Enumerate back-end database management system databases.
# Valid: True or False
getDbs = False
# Enumerate back-end database management system database tables.
# Optional: db
# Valid: True or False
getTables = False
# Enumerate back-end database management system database table columns.
# Requires: tbl
# Optional: db, col
# Valid: True or False
getColumns = False
# Dump back-end database management system database table entries.
# Requires: tbl and/or col
# Optional: db
# Valid: True or False
dumpTable = False
# Dump all back-end database management system databases tables entries.
# Valid: True or False
dumpAll = False
# Search column(s), table(s) and/or database name(s).
# Requires: db, tbl or col
# Valid: True or False
search = False
# Back-end database management system database to enumerate.
db =
# Back-end database management system database table to enumerate.
tbl =
# Back-end database management system database table column to enumerate.
col =
# Back-end database management system database user to enumerate.
user =
# Exclude DBMS system databases when enumerating tables.
# Valid: True or False
excludeSysDbs = False
# First query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will start to retrieve the query output entries from
# the first)
limitStart = 0
# Last query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will detect the number of query output entries and
# retrieve them until the last)
limitStop = 0
# First query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output from the first
# character)
firstChar = 0
# Last query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output until the last
# character)
lastChar = 0
# SQL statement to be executed.
# Example: SELECT 'foo', 'bar'
query =
# Prompt for an interactive SQL shell.
# Valid: True or False
sqlShell = False
# These options can be used to run brute force checks.
[Brute force]
# Check existence of common tables.
# Valid: True or False
commonTables = False
# Check existence of common columns.
# Valid: True or False
commonColumns = False
# These options can be used to create custom user-defined functions.
[User-defined function]
# Inject custom user-defined functions
# Valid: True or False
udfInject = False
# Local path of the shared library
shLib =
# These options can be used to access the back-end database management
# system underlying file system.
[File system]
# Read a specific file from the back-end DBMS underlying file system.
# Examples: /etc/passwd or C:\boot.ini
rFile =
# Write a local file to a specific path on the back-end DBMS underlying
# file system.
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
wFile =
# Back-end DBMS absolute filepath to write the file to.
dFile =
# These options can be used to access the back-end database management
# system underlying operating system.
[Takeover]
# Execute an operating system command.
# Valid: operating system command
osCmd =
# Prompt for an interactive operating system shell.
# Valid: True or False
osShell = False
# Prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osPwn = False
# One click prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osSmb = False
# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
# procedure heap-based buffer overflow (MS09-004) exploitation.
# Valid: True or False
osBof = False
# Database process' user privilege escalation.
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
# payload to be Meterpreter.
privEsc = False
# Local path where Metasploit Framework 3 is installed.
# Valid: file system path
msfPath =
# Remote absolute path of temporary files directory.
# Valid: absolute file system path
tmpPath =
# These options can be used to access the back-end database management
# system Windows registry.
[Windows]
# Read a Windows registry key value
# Valid: True or False
regRead = False
# Write a Windows registry key value data
# Valid: True or False
regAdd = False
# Delete a Windows registry key value
# Valid: True or False
regDel = False
# Windows registry key
regKey =
# Windows registry key value
regVal =
# Windows registry key value data
regData =
# Windows registry key value type
regType =
# These options can be used to set some general working parameters.
[General]
# Dump the data into an XML file.
xmlFile =
# Save and resume all data retrieved on a session file.
sessionFile =
# Log all HTTP traffic into a textual file.
trafficFile =
# Flush session file for current target.
# Valid: True or False
flushSession = False
# Retrieve each query output length and calculate the estimated time of
# arrival in real time.
# Valid: True or False
eta = False
# Update sqlmap.
# Valid: True or False
updateAll = False
# Never ask for user input, use the default behaviour.
# Valid: True or False
batch = False
[Miscellaneous]
# Alert with audio beep when sql injection found.
beep = False
# IDS detection testing of injection payload.
checkPayload = False
# Clean up the DBMS by sqlmap specific UDF and tables
# Valid: True or False
cleanup = False
# Parse and test forms on target url
# Valid: True or False
forms = False
# Use google dork results from specified page number
# Valid: integer
# Default: 1
googlePage = 1
# Parse DBMS error messages from response pages
# Valid: True or False
parseErrors = False
# Replicate dumped data into a sqlite3 database.
# Valid: True or False
replicate = False
# Verbosity level.
# Valid: integer between 0 and 6
# 0: Show only critical messages
# 1: Show also warning and info messages
# 2: Show also debug messages and query
# 3: Show also each payload injected
# 4: Show also HTTP requests
# 5: Show also HTTP responses headers
# 6: Show also HTTP responses page content
# Default: 1
verbose = 1
Reference in New Issue View Git Blame Copy Permalink