sqlmap Command Options in Detail



Options:
--version           show the version number and exit
-h, --help          show this help message and exit
-v VERBOSE          verbosity level: 0-6 (default 1)


Target:
At least one of these options must be set to specify the target URL.
-d DIRECT           connect directly to the database
-u URL, --url=URL   target URL
-l LIST             parse targets from Burp or WebScarab proxy logs
-r REQUESTFILE      load the HTTP request from a file
-g GOOGLEDORK       process Google dork results as target URLs
-c CONFIGFILE       load options from an INI configuration file


Request:
These options can be used to specify how to connect to the target URL.
--data=DATA         data string to be sent through POST
--cookie=COOKIE     HTTP Cookie header
--cookie-urlencode  URL-encode generated cookie injections
--drop-set-cookie   ignore the Set-Cookie header from the response
--user-agent=AGENT  HTTP User-Agent header to use
--random-agent      use a randomly selected HTTP User-Agent header
--referer=REFERER   HTTP Referer header to use
--headers=HEADERS   extra HTTP headers, newline separated
--auth-type=ATYPE   HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED   HTTP authentication credentials (username:password)
--auth-cert=ACERT   HTTP authentication certificate (key_file,cert_file)
--proxy=PROXY       use an HTTP proxy to connect to the target URL
--proxy-cred=PCRED  HTTP proxy authentication credentials (username:password)
--ignore-proxy      ignore the system default HTTP proxy
--delay=DELAY       delay between each HTTP request, in seconds
--timeout=TIMEOUT   seconds to wait before the connection times out (default 30)
--retries=RETRIES   retries when the connection times out (default 3)
--scope=SCOPE       regular expression to filter targets from the provided proxy log
--safe-url=SAFURL   URL address to visit frequently during testing
--safe-freq=SAFREQ  number of test requests between two visits to the given safe URL


Optimization:
These options can be used to optimize the performance of sqlmap.
-o                  turn on all optimization switches
--predict-output    predict the output of common queries
--keep-alive        use persistent HTTP(S) connections
--null-connection   retrieve the page length without the actual HTTP response body
--threads=THREADS   maximum number of concurrent HTTP(S) requests (default 1)


Injection:
These options can be used to specify which parameters to test, and to provide custom injection payloads and optional tampering scripts.
-p TESTPARAMETER    testable parameter(s)
--dbms=DBMS         force the back-end DBMS to this value
--os=OS             force the back-end DBMS operating system to this value
--prefix=PREFIX     injection payload prefix string
--suffix=SUFFIX     injection payload suffix string
--tamper=TAMPER     use the given script(s) to tamper with injection data


Detection:
These options can be used to specify how to parse and compare the content of HTTP response pages during blind SQL injection.
--level=LEVEL       level of tests to perform (1-5, default 1)
--risk=RISK         risk of tests to perform (0-3, default 1)
--string=STRING     string to match in the page when the query is valid
--regexp=REGEXP     regular expression to match in the page when the query is valid
--text-only         compare pages based only on their textual content


Techniques:
These options can be used to adjust the testing of specific SQL injection techniques.
--technique=TECH    SQL injection techniques to test for (default BEUST)
--time-sec=TIMESEC  seconds to delay the DBMS response (default 5)
--union-cols=UCOLS  range of columns to test for UNION query injection
--union-char=UCHAR  character to use for brute-forcing the number of columns


Fingerprint:
-f, --fingerprint   perform an extensive DBMS version fingerprint


Enumeration:
These options can be used to enumerate the back-end database management system's information, structure and the data contained in its tables. In addition, you can run your own SQL statements.
-b, --banner        retrieve the DBMS banner
--current-user      retrieve the DBMS current user
--current-db        retrieve the DBMS current database
--is-dba            detect whether the DBMS current user is a DBA
--users             enumerate DBMS users
--passwords         enumerate DBMS users' password hashes
--privileges        enumerate DBMS users' privileges
--roles             enumerate DBMS users' roles
--dbs               enumerate DBMS databases
--tables            enumerate DBMS database tables
--columns           enumerate DBMS database table columns
--dump              dump DBMS database table entries
--dump-all          dump the table entries of all DBMS databases
--search            search for column(s), table(s) and/or database name(s)
-D DB               DBMS database to enumerate
-T TBL              DBMS database table to enumerate
-C COL              DBMS database table column to enumerate
-U USER             DBMS user to enumerate
--exclude-sysdbs    exclude DBMS system databases when enumerating tables
--start=LIMITSTART  first query output entry to retrieve
--stop=LIMITSTOP    last query output entry to retrieve
--first=FIRSTCHAR   first query output word character to retrieve
--last=LASTCHAR     last query output word character to retrieve
--sql-query=QUERY   SQL statement to be executed
--sql-shell         prompt for an interactive SQL shell


Brute force:
These options can be used to run brute force checks.
--common-tables     check for the existence of common tables
--common-columns    check for the existence of common columns


User-defined function injection:
These options can be used to create user-defined functions.
--udf-inject        inject user-defined functions
--shared-lib=SHLIB  local path of the shared library


File system access:
These options can be used to access the underlying file system of the back-end database management system.
--file-read=RFILE   read a file from the back-end DBMS file system
--file-write=WFILE  write a local file to the back-end DBMS file system
--file-dest=DFILE   absolute path on the back-end DBMS file system to write the file to


Operating system access:
These options can be used to access the underlying operating system of the back-end database management system.
--os-cmd=OSCMD      execute an operating system command
--os-shell          prompt for an interactive operating system shell
--os-pwn            prompt for an OOB shell, meterpreter or VNC
--os-smbrelay       one-click prompt for an OOB shell, meterpreter or VNC
--os-bof            stored procedure buffer overflow exploitation
--priv-esc          escalate the privileges of the database process user
--msf-path=MSFPATH  local path where the Metasploit Framework is installed
--tmp-path=TMPPATH  remote absolute path of the temporary files directory


Windows registry access:
These options can be used to access the Windows registry of the back-end database management system.
--reg-read          read a Windows registry key value
--reg-add           write a Windows registry key value data
--reg-del           delete a Windows registry key value
--reg-key=REGKEY    Windows registry key
--reg-value=REGVAL  Windows registry key value
--reg-data=REGDATA  Windows registry key value data
--reg-type=REGTYPE  Windows registry key value type


General:
These options can be used to set some general working parameters.
-t TRAFFICFILE      log all HTTP traffic to a text file
-s SESSIONFILE      save all retrieved data to a session file and resume from it
--flush-session     flush the session file for the current target
--fresh-queries     ignore query results stored in the session file
--eta               display the estimated time of arrival for each output
--update            update sqlmap
--save              save options to a configuration INI file
--batch             never ask for user input; use the default behaviour


Miscellaneous:
--beep              alert when a SQL injection is found
--check-payload     IDS detection testing of injection payloads
--cleanup           clean up sqlmap-specific UDFs and tables from the DBMS
--forms             parse and test forms on the target URL
--gpage=GOOGLEPAGE  use Google dork results from the specified page number
--page-rank         display the page rank (PR) for Google dork results
--parse-errors      parse DBMS error messages from response pages
--replicate         replicate dumped data into a sqlite3 database
--tor               use the default Tor (Vidalia/Privoxy/Polipo) proxy address
--wizard            simple wizard interface for beginner users

Origin www.cnblogs.com/wjlyn/p/11032345.html