sqlmap help

Usage: python sqlmap.py [options]

 

Options:

  -h, --help            Show basic help message and exit

  -hh                   Show advanced help message and exit

  --version             Show program‘s version number and exit

  -v VERBOSE            Verbosity level: 0-6 (default 1)

 

  Target:

    At least one of these options has to be provided to define the

    target(s)

 

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")

    -g GOOGLEDORK       Process Google dork results as target URLs

 

  Request:

    These options can be used to specify how to connect to the target URL

 

    --data=DATA         Data string to be sent through POST

    --cookie=COOKIE     HTTP Cookie header value

    --random-agent      Use randomly selected HTTP User-Agent header value

    --proxy=PROXY       Use a proxy to connect to the target URL

    --tor               Use Tor anonymity network

    --check-tor         Check to see if Tor is used properly

 

  Injection:

    These options can be used to specify which parameters to test for,

    provide custom injection payloads and optional tampering scripts

 

    -p TESTPARAMETER    Testable parameter(s)

    --dbms=DBMS         Force back-end DBMS to this value

 

  Detection:

    These options can be used to customize the detection phase

 

    --level=LEVEL       Level of tests to perform (1-5, default 1)

    --risk=RISK         Risk of tests to perform (1-3, default 1)

 

  Techniques:

    These options can be used to tweak testing of specific SQL injection

    techniques

 

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

 

  Enumeration:

    These options can be used to enumerate the back-end database

    management system information, structure and data contained in the

    tables. Moreover you can run your own SQL statements

 

    -a, --all           Retrieve everything

    -b, --banner        Retrieve DBMS banner

    --current-user      Retrieve DBMS current user

    --current-db        Retrieve DBMS current database

    --passwords         Enumerate DBMS users password hashes

    --tables            Enumerate DBMS database tables

    --columns           Enumerate DBMS database table columns

    --schema            Enumerate DBMS schema

    --dump              Dump DBMS database table entries

    --dump-all          Dump all DBMS databases tables entries

    -D DB               DBMS database to enumerate

    -T TBL              DBMS database table(s) to enumerate

    -C COL              DBMS database table column(s) to enumerate

 

  Operating system access:

    These options can be used to access the back-end database management

    system underlying operating system

 

    --os-shell          Prompt for an interactive operating system shell

    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

 

  General:

    These options can be used to set some general working parameters

 

    --batch             Never ask for user input, use the default behaviour

    --flush-session     Flush session files for current target

 

  Miscellaneous:

    --sqlmap-shell      Prompt for an interactive sqlmap shell

    --wizard            Simple wizard interface for beginner users

 

[!] to see full list of options run with ‘-hh‘

Misaki:sqlmap Misaki$ python sqlmap.py -hh

Usage: python sqlmap.py [options]

 

Options:

  -h, --help            Show basic help message and exit

  -hh                   Show advanced help message and exit

  --version             Show program‘s version number and exit

  -v VERBOSE            Verbosity level: 0-6 (default 1)

 

  Target:

    At least one of these options has to be provided to define the

    target(s)

 

    -d DIRECT           Connection string for direct database connection

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")

    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file

    -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file

    -m BULKFILE         Scan multiple targets given in a textual file

    -r REQUESTFILE      Load HTTP request from a file

    -g GOOGLEDORK       Process Google dork results as target URLs

    -c CONFIGFILE       Load options from a configuration INI file

 

  Request:

    These options can be used to specify how to connect to the target URL

 

    --method=METHOD     Force usage of given HTTP method (e.g. PUT)

    --data=DATA         Data string to be sent through POST

    --param-del=PARA..  Character used for splitting parameter values

    --cookie=COOKIE     HTTP Cookie header value

    --cookie-del=COO..  Character used for splitting cookie values

    --load-cookies=L..  File containing cookies in Netscape/wget format

    --drop-set-cookie   Ignore Set-Cookie header from response

    --user-agent=AGENT  HTTP User-Agent header value

    --random-agent      Use randomly selected HTTP User-Agent header value

    --host=HOST         HTTP Host header value

    --referer=REFERER   HTTP Referer header value

    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")

    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)

    --auth-cred=AUTH..  HTTP authentication credentials (name:password)

    --auth-private=A..  HTTP authentication PEM private key file

    --ignore-401        Ignore HTTP Error 401 (Unauthorized)

    --proxy=PROXY       Use a proxy to connect to the target URL

    --proxy-cred=PRO..  Proxy authentication credentials (name:password)

    --proxy-file=PRO..  Load proxy list from a file

    --ignore-proxy      Ignore system default proxy settings

    --tor               Use Tor anonymity network

    --tor-port=TORPORT  Set Tor proxy port other than default

    --tor-type=TORTYPE  Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)

    --check-tor         Check to see if Tor is used properly

    --delay=DELAY       Delay in seconds between each HTTP request

    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)

    --retries=RETRIES   Retries when the connection timeouts (default 3)

    --randomize=RPARAM  Randomly change value for given parameter(s)

    --safe-url=SAFEURL  URL address to visit frequently during testing

    --safe-post=SAFE..  POST data to send to a safe URL

    --safe-req=SAFER..  Load safe HTTP request from a file

    --safe-freq=SAFE..  Test requests between two visits to a given safe URL

    --skip-urlencode    Skip URL encoding of payload data

    --csrf-token=CSR..  Parameter used to hold anti-CSRF token

    --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token

    --force-ssl         Force usage of SSL/HTTPS

    --hpp               Use HTTP parameter pollution method

    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.

                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

 

  Optimization:

    These options can be used to optimize the performance of sqlmap

 

    -o                  Turn on all optimization switches

    --predict-output    Predict common queries output

    --keep-alive        Use persistent HTTP(s) connections

    --null-connection   Retrieve page length without actual HTTP response body

    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

 

  Injection:

    These options can be used to specify which parameters to test for,

    provide custom injection payloads and optional tampering scripts

 

    -p TESTPARAMETER    Testable parameter(s)

    --skip=SKIP         Skip testing for given parameter(s)

    --dbms=DBMS         Force back-end DBMS to this value

    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)

    --os=OS             Force back-end DBMS operating system to this value

    --invalid-bignum    Use big numbers for invalidating values

    --invalid-logical   Use logical operations for invalidating values

    --invalid-string    Use random strings for invalidating values

    --no-cast           Turn off payload casting mechanism

    --no-escape         Turn off string escaping mechanism

    --prefix=PREFIX     Injection payload prefix string

    --suffix=SUFFIX     Injection payload suffix string

    --tamper=TAMPER     Use given script(s) for tampering injection data

 

  Detection:

    These options can be used to customize the detection phase

 

    --level=LEVEL       Level of tests to perform (1-5, default 1)

    --risk=RISK         Risk of tests to perform (1-3, default 1)

    --string=STRING     String to match when query is evaluated to True

    --not-string=NOT..  String to match when query is evaluated to False

    --regexp=REGEXP     Regexp to match when query is evaluated to True

    --code=CODE         HTTP code to match when query is evaluated to True

    --text-only         Compare pages based only on the textual content

    --titles            Compare pages based only on their titles

 

  Techniques:

    These options can be used to tweak testing of specific SQL injection

    techniques

 

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")

    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)

    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection

    --union-char=UCHAR  Character to use for bruteforcing number of columns

    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection

    --dns-domain=DNS..  Domain name used for DNS exfiltration attack

    --second-order=S..  Resulting page URL searched for second-order response

 

  Fingerprint:

    -f, --fingerprint   Perform an extensive DBMS version fingerprint

 

  Enumeration:

    These options can be used to enumerate the back-end database

    management system information, structure and data contained in the

    tables. Moreover you can run your own SQL statements

 

    -a, --all           Retrieve everything

    -b, --banner        Retrieve DBMS banner

    --current-user      Retrieve DBMS current user

    --current-db        Retrieve DBMS current database

    --hostname          Retrieve DBMS server hostname

    --is-dba            Detect if the DBMS current user is DBA

    --users             Enumerate DBMS users

    --passwords         Enumerate DBMS users password hashes

    --privileges        Enumerate DBMS users privileges

    --roles             Enumerate DBMS users roles

    --dbs               Enumerate DBMS databases

    --tables            Enumerate DBMS database tables

    --columns           Enumerate DBMS database table columns

    --schema            Enumerate DBMS schema

    --count             Retrieve number of entries for table(s)

    --dump              Dump DBMS database table entries

    --dump-all          Dump all DBMS databases tables entries

    --search            Search column(s), table(s) and/or database name(s)

    --comments          Retrieve DBMS comments

    -D DB               DBMS database to enumerate

    -T TBL              DBMS database table(s) to enumerate

    -C COL              DBMS database table column(s) to enumerate

    -X EXCLUDECOL       DBMS database table column(s) to not enumerate

    -U USER             DBMS user to enumerate

    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables

    --where=DUMPWHERE   Use WHERE condition while table dumping

    --start=LIMITSTART  First query output entry to retrieve

    --stop=LIMITSTOP    Last query output entry to retrieve

    --first=FIRSTCHAR   First query output word character to retrieve

    --last=LASTCHAR     Last query output word character to retrieve

    --sql-query=QUERY   SQL statement to be executed

    --sql-shell         Prompt for an interactive SQL shell

    --sql-file=SQLFILE  Execute SQL statements from given file(s)

 

  Brute force:

    These options can be used to run brute force checks

 

    --common-tables     Check existence of common tables

    --common-columns    Check existence of common columns

 

  User-defined function injection:

    These options can be used to create custom user-defined functions

 

    --udf-inject        Inject custom user-defined functions

    --shared-lib=SHLIB  Local path of the shared library

 

  File system access:

    These options can be used to access the back-end database management

    system underlying file system

 

    --file-read=RFILE   Read a file from the back-end DBMS file system

    --file-write=WFILE  Write a local file on the back-end DBMS file system

    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

 

  Operating system access:

    These options can be used to access the back-end database management

    system underlying operating system

 

    --os-cmd=OSCMD      Execute an operating system command

    --os-shell          Prompt for an interactive operating system shell

    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC

    --os-bof            Stored procedure buffer overflow exploitation

    --priv-esc          Database process user privilege escalation

    --msf-path=MSFPATH  Local path where Metasploit Framework is installed

    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

 

  Windows registry access:

    These options can be used to access the back-end database management

    system Windows registry

 

    --reg-read          Read a Windows registry key value

    --reg-add           Write a Windows registry key value data

    --reg-del           Delete a Windows registry key value

    --reg-key=REGKEY    Windows registry key

    --reg-value=REGVAL  Windows registry key value

    --reg-data=REGDATA  Windows registry key value data

    --reg-type=REGTYPE  Windows registry key value type

 

  General:

    These options can be used to set some general working parameters

 

    -s SESSIONFILE      Load session from a stored (.sqlite) file

    -t TRAFFICFILE      Log all HTTP traffic into a textual file

    --batch             Never ask for user input, use the default behaviour

    --charset=CHARSET   Force character encoding used for data retrieval

    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL

    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")

    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")

    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)

    --eta               Display for each output the estimated time of arrival

    --flush-session     Flush session files for current target

    --forms             Parse and test forms on target URL

    --fresh-queries     Ignore query results stored in session file

    --hex               Use DBMS hex function(s) for data retrieval

    --output-dir=OUT..  Custom output directory path

    --parse-errors      Parse and display DBMS error messages from responses

    --pivot-column=P..  Pivot column name

    --save              Save options to a configuration INI file

    --scope=SCOPE       Regexp to filter targets from provided proxy log

    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)

    --update            Update sqlmap

 

  Miscellaneous:

    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")

    --alert=ALERT       Run host OS command(s) when SQL injection is found

    --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")

    --beep              Make a beep sound when SQL injection is found

    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables

    --dependencies      Check for missing (non-core) sqlmap dependencies

    --disable-coloring  Disable console output coloring

    --gpage=GOOGLEPAGE  Use Google dork results from specified page number

    --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection

    --mobile            Imitate smartphone through HTTP User-Agent header

    --page-rank         Display page rank (PR) for Google dork results

    --purge-output      Safely remove all content from output directory

    --smart             Conduct thorough tests only if positive heuristic(s)

    --sqlmap-shell      Prompt for an interactive sqlmap shell

    --wizard            Simple wizard interface for beginner users

Misaki:sqlmap Misaki$ 

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。