mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-23 01:56:36 +03:00
7e3b24afe6
All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
590 lines
15 KiB
Plaintext
590 lines
15 KiB
Plaintext
# At least one of these options has to be specified to set the source to
|
|
# get target urls from.
|
|
[Target]
|
|
|
|
# Direct connection to the database.
|
|
# Examples:
|
|
# mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
|
|
# oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
|
|
direct =
|
|
|
|
# Target URL.
|
|
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
|
|
url =
|
|
|
|
# Parse targets from Burp or WebScarab logs
|
|
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
|
|
# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
|
|
# 'conversations/' folder path
|
|
list =
|
|
|
|
# Load HTTP request from a file
|
|
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
|
|
requestFile =
|
|
|
|
# Rather than providing a target url, let Google return target
|
|
# hosts as result of your Google dork expression. For a list of Google
|
|
# dorks see Johnny Long Google Hacking Database at
|
|
# http://johnny.ihackstuff.com/ghdb.php.
|
|
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
|
|
googleDork =
|
|
|
|
|
|
# These options can be used to specify how to connect to the target url.
|
|
[Request]
|
|
|
|
# HTTP method to perform HTTP requests.
|
|
# Valid: GET or POST
|
|
# Default: GET
|
|
method = GET
|
|
|
|
# Data string to be sent through POST. It is mandatory only when
|
|
# HTTP method is set to POST.
|
|
data =
|
|
|
|
# HTTP Cookie header.
|
|
cookie =
|
|
|
|
# URL-encode generated cookie injections.
|
|
# Valid: True or False
|
|
cookieUrlencode = False
|
|
|
|
# Ignore Set-Cookie header from response
|
|
# Valid: True or False
|
|
dropSetCookie = False
|
|
|
|
# HTTP User-Agent header. Useful to fake the HTTP User-Agent header value
|
|
# at each HTTP request
|
|
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
|
|
agent =
|
|
|
|
# Load a random HTTP User-Agent header from file
|
|
# Example: ./txt/user-agents.txt
|
|
userAgentsFile =
|
|
|
|
# HTTP Referer header. Useful to fake the HTTP Referer header value at
|
|
# each HTTP request.
|
|
referer =
|
|
|
|
# Extra HTTP headers
|
|
# Note: There must be a space at the beginning of each header line.
|
|
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
|
|
Accept-Language: en-us,en;q=0.5
|
|
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
|
|
|
|
# HTTP Authentication type. Useful only if the target url requires
|
|
# HTTP Basic, Digest or NTLM authentication and you have such data.
|
|
# Valid: Basic, Digest or NTLM
|
|
aType =
|
|
|
|
# HTTP authentication credentials. Useful only if the target url requires
|
|
# HTTP Basic, Digest or NTLM authentication and you have such data.
|
|
# Syntax: username:password
|
|
aCred =
|
|
|
|
# HTTP Authentication certificate. Useful only if the target url requires
|
|
# logon certificate and you have such data.
|
|
# Syntax: key_file,cert_file
|
|
aCert =
|
|
|
|
# Use a HTTP proxy to connect to the target url.
|
|
# Syntax: http://address:port
|
|
proxy =
|
|
|
|
# HTTP proxy authentication credentials. Useful only if the proxy requires
|
|
# HTTP Basic or Digest authentication and you have such data.
|
|
# Syntax: username:password
|
|
pCred =
|
|
|
|
# Ignore system default HTTP proxy
|
|
# Valid: True or False
|
|
ignoreProxy = False
|
|
|
|
# Delay in seconds between each HTTP request.
|
|
# Valid: float
|
|
# Default: 0
|
|
delay = 0
|
|
|
|
# Seconds to wait before timeout connection.
|
|
# Valid: float
|
|
# Default: 30
|
|
timeout = 30
|
|
|
|
# Maximum number of retries when the HTTP connection timeouts.
|
|
# Valid: integer
|
|
# Default: 3
|
|
retries = 3
|
|
|
|
# Regular expression for filtering targets from provided Burp
|
|
# or WebScarab proxy log.
|
|
# Example: (google|yahoo)
|
|
scope =
|
|
|
|
# Url address to visit frequently during testing
|
|
# Example: http://192.168.1.121/index.html
|
|
safUrl =
|
|
|
|
# Test requests between two visits to a given safe url (default 0)
|
|
# Valid: integer
|
|
# Default: 0
|
|
saFreq = 0
|
|
|
|
|
|
# These options can be used to optimize the performance of sqlmap.
|
|
[Optimization]
|
|
|
|
# Use all optimization options.
|
|
# Valid: True or False
|
|
optimize = False
|
|
|
|
# Predict common queries output.
|
|
# Valid: True or False
|
|
predictOutput = False
|
|
|
|
# Use persistent HTTP(s) connections.
|
|
keepAlive = False
|
|
|
|
# Retrieve page length without actual HTTP response body.
|
|
# Valid: True or False
|
|
nullConnection = False
|
|
|
|
# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
|
|
# to be used in the inference SQL injection attack.
|
|
# Valid: integer
|
|
# Default: 1
|
|
threads = 1
|
|
|
|
|
|
# These options can be used to specify which parameters to test for,
|
|
# provide custom injection payloads and optional tampering scripts.
|
|
[Injection]
|
|
|
|
# Testable parameter(s) comma separated. By default all GET/POST/Cookie
|
|
# parameters and HTTP User-Agent are tested by sqlmap.
|
|
testParameter =
|
|
|
|
# Force back-end DBMS to this value. If this option is set, the back-end
|
|
# DBMS identification process will be minimized as needed.
|
|
# If not set, sqlmap will detect back-end DBMS automatically by default.
|
|
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
|
|
# access, firebird, maxdb, sybase
|
|
dbms =
|
|
|
|
# Force back-end DBMS operating system to this value. If this option is
|
|
# set, the back-end DBMS identification process will be minimized as
|
|
# needed.
|
|
# If not set, sqlmap will detect back-end DBMS operating system
|
|
# automatically by default.
|
|
# Valid: linux, windows
|
|
os =
|
|
|
|
# Injection payload prefix string
|
|
prefix =
|
|
|
|
# Injection payload suffix string
|
|
suffix =
|
|
|
|
# Use given script(s) for tampering injection data
|
|
tamper =
|
|
|
|
|
|
# These options can be used to specify how to parse and compare page
|
|
# content from HTTP responses when using blind SQL injection technique.
|
|
[Detection]
|
|
|
|
# Level of tests to perform
|
|
# The higher the value is, the higher the number of HTTP(s) requests are
|
|
# as well as the better chances to detect a tricky SQL injection.
|
|
# Valid: Integer between 1 and 5
|
|
# Default: 1
|
|
level = 1
|
|
|
|
# Risk of tests to perform
|
|
# Note: boolean-based blind SQL injection tests with AND are considered
|
|
# risk 1, with OR are considered risk 3.
|
|
# Valid: Integer between 0 and 3
|
|
# Default: 1
|
|
risk = 1
|
|
|
|
# String to match within the page content when the query is valid, only
|
|
# needed if the page content dynamically changes at each refresh.
|
|
# Refer to the user's manual for further details.
|
|
string =
|
|
|
|
# Regular expression to match within the page content when the query is
|
|
# valid, only needed if the needed if the page content dynamically changes
|
|
# at each refresh.
|
|
# Refer to the user's manual for further details.
|
|
# Valid: regular expression with Python syntax
|
|
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
|
|
regexp =
|
|
|
|
# String to be excluded by the page content before comparing to the original page
|
|
eString =
|
|
|
|
# Regular expression matches to be excluded by the page content before
|
|
# comparing to the original page
|
|
# Valid: regular expression with Python syntax
|
|
# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
|
|
eRegexp =
|
|
|
|
# Page comparison threshold value.
|
|
# Valid: 0.0-1.0
|
|
thold =
|
|
|
|
# Compare pages based only on their textual content
|
|
# Valid: True or False
|
|
textOnly = False
|
|
|
|
# Compare pages based on their longest common match
|
|
# Valid: True or False
|
|
longestCommon = False
|
|
|
|
|
|
# These options can be used to test for specific SQL injection technique
|
|
# or to use one of them to exploit the affected parameter(s) rather than
|
|
# using the default blind SQL injection technique.
|
|
[Techniques]
|
|
|
|
# Test for and use error based SQL injection.
|
|
# Valid: True or False
|
|
errorTest = False
|
|
|
|
# Test for and use stacked queries (multiple statements).
|
|
# Valid: True or False
|
|
stackedTest = False
|
|
|
|
# Test for time based blind SQL injection.
|
|
# Valid: True or False
|
|
timeTest = False
|
|
|
|
# Seconds to delay the response from the DBMS.
|
|
# Valid: integer
|
|
# Default: 5
|
|
timeSec = 5
|
|
|
|
# Test for and use UNION query (inband) SQL injection.
|
|
# Valid: True or False
|
|
unionTest = False
|
|
|
|
# Technique to test for UNION query SQL injection
|
|
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
|
|
# clause (ob)
|
|
# Valid: char, OrderBy
|
|
# Default: char
|
|
uTech = char
|
|
|
|
# Range of columns to test for
|
|
# Valid: range of integers
|
|
# Default: 1-20
|
|
uCols = 1-20
|
|
|
|
# Character to use to bruteforce number of columns
|
|
# Valid: string
|
|
# Default: NULL
|
|
uChar = NULL
|
|
|
|
|
|
[Fingerprint]
|
|
|
|
# Perform an extensive back-end database management system fingerprint
|
|
# based on various techniques.
|
|
# Valid: True or False
|
|
extensiveFp = False
|
|
|
|
|
|
# These options can be used to enumerate the back-end database
|
|
# management system information, structure and data contained in the
|
|
# tables. Moreover you can run your own SQL statements.
|
|
[Enumeration]
|
|
|
|
# Retrieve back-end database management system banner.
|
|
# Valid: True or False
|
|
getBanner = False
|
|
|
|
# Retrieve back-end database management system current user.
|
|
# Valid: True or False
|
|
getCurrentUser = False
|
|
|
|
# Retrieve back-end database management system current database.
|
|
# Valid: True or False
|
|
getCurrentDb = False
|
|
|
|
# Detect if the DBMS current user is DBA.
|
|
# Valid: True or False
|
|
isDba = False
|
|
|
|
# Enumerate back-end database management system users.
|
|
# Valid: True or False
|
|
getUsers = False
|
|
|
|
# Enumerate back-end database management system users password hashes.
|
|
# Valid: True or False
|
|
getPasswordHashes = False
|
|
|
|
# Enumerate back-end database management system users privileges.
|
|
# Valid: True or False
|
|
getPrivileges = False
|
|
|
|
# Enumerate back-end database management system users roles.
|
|
# Valid: True or False
|
|
getRoles = False
|
|
|
|
# Enumerate back-end database management system databases.
|
|
# Valid: True or False
|
|
getDbs = False
|
|
|
|
# Enumerate back-end database management system database tables.
|
|
# Optional: db
|
|
# Valid: True or False
|
|
getTables = False
|
|
|
|
# Enumerate back-end database management system database table columns.
|
|
# Requires: tbl
|
|
# Optional: db, col
|
|
# Valid: True or False
|
|
getColumns = False
|
|
|
|
# Dump back-end database management system database table entries.
|
|
# Requires: tbl and/or col
|
|
# Optional: db
|
|
# Valid: True or False
|
|
dumpTable = False
|
|
|
|
# Dump all back-end database management system databases tables entries.
|
|
# Valid: True or False
|
|
dumpAll = False
|
|
|
|
# Search column(s), table(s) and/or database name(s).
|
|
# Requires: db, tbl or col
|
|
# Valid: True or False
|
|
search = False
|
|
|
|
# Back-end database management system database to enumerate.
|
|
db =
|
|
|
|
# Back-end database management system database table to enumerate.
|
|
tbl =
|
|
|
|
# Back-end database management system database table column to enumerate.
|
|
col =
|
|
|
|
# Back-end database management system database user to enumerate.
|
|
user =
|
|
|
|
# Exclude DBMS system databases when enumerating tables.
|
|
# Valid: True or False
|
|
excludeSysDbs = False
|
|
|
|
# First query output entry to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will start to retrieve the query output entries from
|
|
# the first)
|
|
limitStart = 0
|
|
|
|
# Last query output entry to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will detect the number of query output entries and
|
|
# retrieve them until the last)
|
|
limitStop = 0
|
|
|
|
# First query output word character to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will enumerate the query output from the first
|
|
# character)
|
|
firstChar = 0
|
|
|
|
# Last query output word character to retrieve
|
|
# Valid: integer
|
|
# Default: 0 (sqlmap will enumerate the query output until the last
|
|
# character)
|
|
lastChar = 0
|
|
|
|
# SQL statement to be executed.
|
|
# Example: SELECT 'foo', 'bar'
|
|
query =
|
|
|
|
# Prompt for an interactive SQL shell.
|
|
# Valid: True or False
|
|
sqlShell = False
|
|
|
|
|
|
# These options can be used to run brute force checks.
|
|
[Brute force]
|
|
|
|
# Check existence of common tables.
|
|
# Valid: True or False
|
|
commonTables = False
|
|
|
|
# Check existence of common columns.
|
|
# Valid: True or False
|
|
commonColumns = False
|
|
|
|
|
|
# These options can be used to create custom user-defined functions.
|
|
[User-defined function]
|
|
|
|
# Inject custom user-defined functions
|
|
# Valid: True or False
|
|
udfInject = False
|
|
|
|
# Local path of the shared library
|
|
shLib =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system underlying file system.
|
|
[File system]
|
|
|
|
# Read a specific file from the back-end DBMS underlying file system.
|
|
# Examples: /etc/passwd or C:\boot.ini
|
|
rFile =
|
|
|
|
# Write a local file to a specific path on the back-end DBMS underlying
|
|
# file system.
|
|
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
|
|
wFile =
|
|
|
|
# Back-end DBMS absolute filepath to write the file to.
|
|
dFile =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system underlying operating system.
|
|
[Takeover]
|
|
|
|
# Execute an operating system command.
|
|
# Valid: operating system command
|
|
osCmd =
|
|
|
|
# Prompt for an interactive operating system shell.
|
|
# Valid: True or False
|
|
osShell = False
|
|
|
|
# Prompt for an out-of-band shell, meterpreter or VNC.
|
|
# Valid: True or False
|
|
osPwn = False
|
|
|
|
# One click prompt for an out-of-band shell, meterpreter or VNC.
|
|
# Valid: True or False
|
|
osSmb = False
|
|
|
|
# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
|
|
# procedure heap-based buffer overflow (MS09-004) exploitation.
|
|
# Valid: True or False
|
|
osBof = False
|
|
|
|
# Database process' user privilege escalation.
|
|
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
|
|
# payload to be Meterpreter.
|
|
privEsc = False
|
|
|
|
# Local path where Metasploit Framework 3 is installed.
|
|
# Valid: file system path
|
|
msfPath =
|
|
|
|
# Remote absolute path of temporary files directory.
|
|
# Valid: absolute file system path
|
|
tmpPath =
|
|
|
|
|
|
# These options can be used to access the back-end database management
|
|
# system Windows registry.
|
|
[Windows]
|
|
|
|
# Read a Windows registry key value
|
|
# Valid: True or False
|
|
regRead = False
|
|
|
|
# Write a Windows registry key value data
|
|
# Valid: True or False
|
|
regAdd = False
|
|
|
|
# Delete a Windows registry key value
|
|
# Valid: True or False
|
|
regDel = False
|
|
|
|
# Windows registry key
|
|
regKey =
|
|
|
|
# Windows registry key value
|
|
regVal =
|
|
|
|
# Windows registry key value data
|
|
regData =
|
|
|
|
# Windows registry key value type
|
|
regType =
|
|
|
|
|
|
# These options can be used to set some general working parameters.
|
|
[General]
|
|
|
|
# Dump the data into an XML file.
|
|
xmlFile =
|
|
|
|
# Save and resume all data retrieved on a session file.
|
|
sessionFile =
|
|
|
|
# Log all HTTP traffic into a textual file.
|
|
trafficFile =
|
|
|
|
# Flush session file for current target.
|
|
# Valid: True or False
|
|
flushSession = False
|
|
|
|
# Retrieve each query output length and calculate the estimated time of
|
|
# arrival in real time.
|
|
# Valid: True or False
|
|
eta = False
|
|
|
|
# Update sqlmap.
|
|
# Valid: True or False
|
|
updateAll = False
|
|
|
|
# Never ask for user input, use the default behaviour.
|
|
# Valid: True or False
|
|
batch = False
|
|
|
|
|
|
[Miscellaneous]
|
|
|
|
# Alert with audio beep when sql injection found.
|
|
beep = False
|
|
|
|
# IDS detection testing of injection payload.
|
|
checkPayload = False
|
|
|
|
# Clean up the DBMS by sqlmap specific UDF and tables
|
|
# Valid: True or False
|
|
cleanup = False
|
|
|
|
# Parse and test forms on target url
|
|
# Valid: True or False
|
|
forms = False
|
|
|
|
# Use google dork results from specified page number
|
|
# Valid: integer
|
|
# Default: 1
|
|
googlePage = 1
|
|
|
|
# Parse DBMS error messages from response pages
|
|
# Valid: True or False
|
|
parseErrors = False
|
|
|
|
# Replicate dumped data into a sqlite3 database.
|
|
# Valid: True or False
|
|
replicate = False
|
|
|
|
# Verbosity level.
|
|
# Valid: integer between 0 and 6
|
|
# 0: Show only critical messages
|
|
# 1: Show also warning and info messages
|
|
# 2: Show also debug messages and query
|
|
# 3: Show also each payload injected
|
|
# 4: Show also HTTP requests
|
|
# 5: Show also HTTP responses headers
|
|
# 6: Show also HTTP responses page content
|
|
# Default: 1
|
|
verbose = 1
|