mirror of
synced 2025-03-19 09:32:25 +03:00
1. there's kitrap0d (MS10-015) which is far more reliable, just recently fixed 2. works only to priv esc basically on MSSQL when it runs as NETWORK SERVICE and the machine is not patched against MS09-012 which is "rare" (hopefully) nowadays. Now sqlmap relies on kitrap0d and incognito to privilege escalate the database process' user privileges to SYSTEM, both via Meterpreter. Minor layout adjustments.
459 lines
12 KiB
459 lines
12 KiB
# At least one of these options has to be specified to set the source to
# get target urls from.
# Target URL.
# Example:
url =
# Parse targets from Burp or WebScarab logs
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
# 'conversations/' folder path
list =
# Load HTTP request from a file
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile =
# Rather than providing a target url, let Google return target
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =
# These options can be used to specify how to connect to the target url.
# HTTP method to perform HTTP requests.
# Valid: GET or POST
# Default: GET
method = GET
# Data string to be sent through POST. It is mandatory only when
# HTTP method is set to POST.
data =
# HTTP Cookie header.
cookie =
# URL-encode generated cookie injections.
# Valid: True or False
cookieUrlencode = False
# Ignore Set-Cookie header from response
# Valid: True or False
dropSetCookie = False
# HTTP User-Agent header. Useful to fake the HTTP User-Agent header value
# at each HTTP request
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
agent =
# Load a random HTTP User-Agent header from file
# Example: ./txt/user-agents.txt
userAgentsFile =
# HTTP Referer header. Useful to fake the HTTP Referer header value at
# each HTTP request.
referer =
# Extra HTTP headers
# Note: There must be a space at the beginning of each header line.
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# HTTP Authentication type. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Valid: Basic, Digest or NTLM
aType =
# HTTP Authentication credentials. Useful only if the target url requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Syntax: username:password
aCred =
# HTTP Authentication certificate. Useful only if the target url requires
# logon certificate and you have such data.
# Syntax: key_file,cert_file
aCert =
# Use a HTTP proxy to connect to the target url.
# Syntax: http://address:port
proxy =
# Ignore system default HTTP proxy
# Valid: True or False
ignoreProxy = False
# Maximum number of concurrent HTTP requests (handled with Python threads)
# to be used in the inference SQL injection attack.
# Valid: integer
# Default: 1
threads = 1
# Delay in seconds between each HTTP request.
# Valid: float
# Default: 0
delay = 0
# Seconds to wait before timeout connection.
# Valid: float
# Default: 30
timeout = 30
# Maximum number of retries when the HTTP connection timeouts.
# Valid: integer
# Default: 3
retries = 3
# Regular expression for filtering targets from provided Burp
# or WebScarab proxy log.
# Example: (google|yahoo)
scope =
# These options can be used to specify which parameters to test for,
# provide custom injection payloads and how to parse and compare HTTP
# responses page content when using the blind SQL injection technique.
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =
# Force back-end DBMS to this value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql
dbms =
# Force back-end DBMS operating system to this value. If this option is
# set, the back-end DBMS identification process will be minimized as
# needed.
# If not set, sqlmap will detect back-end DBMS operating system
# automatically by default.
# Valid: linux, windows
os =
# Injection payload prefix string
prefix =
# Injection payload postfix string
postfix =
# String to match within the page content when the query is valid, only
# needed if the page content dynamically changes at each refresh,
# consequently changing the MD5 hash of the page which is the method used
# by default to determine if a query was valid or not. Refer to the user's
# manual for further details.
string =
# Regular expression to match within the page content when the query is
# valid, only needed if the needed if the page content dynamically changes
# at each refresh, consequently changing the MD5 hash of the page which is
# the method used by default to determine if a query was valid or not.
# Refer to the user's manual for further details.
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
regexp =
# String to be excluded by the page content before calculating the page
# MD5 hash
eString =
# Regular expression matches to be excluded by the page content before
# calculating the page MD5 hash
# Valid: regular expression with Python syntax
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
eRegexp =
# These options can be used to test for specific SQL injection technique
# or to use one of them to exploit the affected parameter(s) rather than
# using the default blind SQL injection technique.
# Test for stacked queries (multiple statements) support.
# Valid: True or False
stackedTest = False
# Test for time based blind SQL injection.
# Valid: True or False
timeTest = False
# Seconds to delay the response from the DBMS.
# Valid: integer
# Default: 5
timeSec = 5
# Test for UNION query (inband) SQL injection.
# Valid: True or False
unionTest = False
# Technique to test for UNION query SQL injection
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
# clause (ob)
# Valid: NULL, OrderBy
# Default: NULL
uTech = NULL
# Use the UNION query (inband) SQL injection to retrieve the queries
# output. No need to go blind.
# Valid: True or False
unionUse = False
# Perform an extensive back-end database management system fingerprint
# based on various techniques.
# Valid: True or False
extensiveFp = False
# These options can be used to enumerate the back-end database
# management system information, structure and data contained in the
# tables. Moreover you can run your own SQL statements.
# Retrieve back-end database management system banner.
# Valid: True or False
getBanner = False
# Retrieve back-end database management system current user.
# Valid: True or False
getCurrentUser = False
# Retrieve back-end database management system current database.
# Valid: True or False
getCurrentDb = False
# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False
# Enumerate back-end database management system users.
# Valid: True or False
getUsers = False
# Enumerate back-end database management system users password hashes.
# Valid: True or False
getPasswordHashes = False
# Enumerate back-end database management system users privileges.
# Valid: True or False
getPrivileges = False
# Enumerate back-end database management system databases.
# Valid: True or False
getDbs = False
# Enumerate back-end database management system database tables.
# Optional: db
# Valid: True or False
getTables = False
# Enumerate back-end database management system database table columns.
# Requires: tbl
# Optional: db, col
# Valid: True or False
getColumns = False
# Dump back-end database management system database table entries.
# Requires: tbl and/or col
# Optional: db
# Valid: True or False
dumpTable = False
# Dump all back-end database management system databases tables entries.
# Valid: True or False
dumpAll = False
# Back-end database management system database to enumerate.
db =
# Back-end database management system database table to enumerate.
tbl =
# Back-end database management system database table column to enumerate.
col =
# Back-end database management system database user to enumerate.
user =
# Exclude DBMS system databases when enumerating tables.
# Valid: True or False
excludeSysDbs = False
# First query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will start to retrieve the query output entries from
# the first)
limitStart = 0
# Last query output entry to retrieve
# Valid: integer
# Default: 0 (sqlmap will detect the number of query output entries and
# retrieve them until the last)
limitStop = 0
# First query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output from the first
# character)
firstChar = 0
# Last query output word character to retrieve
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output until the last
# character)
lastChar = 0
# SQL statement to be executed.
# Example: SELECT 'foo', 'bar'
query =
# Prompt for an interactive SQL shell.
# Valid: True or False
sqlShell = False
# These options can be used to create custom user-defined functions.
[User-defined function]
# Inject custom user-defined functions
# Valid: True or False
udfInject = False
# Local path of the shared library
shLib =
# These options can be used to access the back-end database management
# system underlying file system.
[File system]
# Read a specific file from the back-end DBMS underlying file system.
# Examples: /etc/passwd or C:\boot.ini
rFile =
# Write a local file to a specific path on the back-end DBMS underlying
# file system.
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
wFile =
# Back-end DBMS absolute filepath to write the file to.
dFile =
# These options can be used to access the back-end database management
# system underlying operating system.
# Execute an operating system command.
# Valid: operating system command
osCmd =
# Prompt for an interactive operating system shell.
# Valid: True or False
osShell = False
# Prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osPwn = False
# One click prompt for an out-of-band shell, meterpreter or VNC.
# Valid: True or False
osSmb = False
# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
# procedure heap-based buffer overflow (MS09-004) exploitation.
# Valid: True or False
osBof = False
# Database process' user privilege escalation.
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
# payload to be Meterpreter.
privEsc = False
# Local path where Metasploit Framework 3 is installed.
# Valid: file system path
msfPath =
# Remote absolute path of temporary files directory.
# Valid: absolute file system path
tmpPath =
# These options can be used to access the back-end database management
# system Windows registry.
# Read a Windows registry key value
regRead = False
# Write a Windows registry key value data
regAdd = False
# Delete a Windows registry key value
regDel = False
# Windows registry key
regKey =
# Windows registry key value
regVal =
# Windows registry key value data
regData =
# Windows registry key value type
regType =
# Save and resume all data retrieved on a session file.
sessionFile =
# Flush session file for current target.
flushSession = False
# Retrieve each query output length and calculate the estimated time of
# arrival in real time.
# Valid: True or False
eta = False
# Use google dork results from specified page number
# Valid: integer
# Default: 1
googlePage = 1
# Update sqlmap.
# Valid: True or False
updateAll = False
# Never ask for user input, use the default behaviour.
# Valid: True or False
batch = False
# Clean up the DBMS by sqlmap specific UDF and tables
# Valid: True or False
cleanup = False
# Verbosity level.
# Valid: integer between 0 and 5
# 0: Show only warning and error messages
# 1: Show also info messages
# 2: Show also debug messages
# 3: Show also HTTP requests
# 4: Show also HTTP responses headers
# 5: Show also HTTP responses page content
# Default: 1
verbose = 1