Name:sqlmap
Category:Vulnerabilities
Publisher:trickest
Created:9/7/2021
Container:quay.io/trickest/sqlmap:de66b69
Output Type:
License:Unknown

Parameters

os
string
--osForce back-end DBMS operating system to provided value
all
boolean
--allRetrieve everything
dbs
boolean
--dbsEnumerate DBMS databases
eta
boolean
--etaDisplay for each output the estimated time of arrival
hex
boolean
--hexUse hex conversion during data retrieval
hpp
boolean
--hppUse HTTP parameter pollution method
tor
boolean
--torUse Tor anonymity network
url
string
required
--urlTarget URL (e.g. http://www.site.com/vuln.php?id=1)
code
string
--codeHTTP code to match when query is evaluated to True
data
string
--dataData string to be sent through POST (e.g. id=1)
dbms
string
--dbmsForce back-end DBMS to provided value
dump
boolean
--dumpDump DBMS database table entries
eval
string
--evalEvaluate provided Python code before the request (e.g. import hashlib;id2=hashlib.md5(id).hexdigest())
host
string
--hostHTTP Host header value
last
string
--lastLast query output word character to retrieve
risk
string
--riskRisk of tests to perform (1-3, default 1)
--skipSkip testing for given parameter(s)
stop
string
--stopLast dump table entry to retrieve
user
string
-UDBMS user to enumerate
alert
string
--alertRun host OS command(s) when SQL injection is found
count
boolean
--countRetrieve number of entries for table(s)
crawl
string
--crawlCrawl the website starting from the target URL
delay
string
--delayDelay in seconds between each HTTP request
first
string
--firstFirst query output word character to retrieve
forms
boolean
--formsParse and test forms on target URL
gpage
string
--gpageUse Google dork results from specified page number
level
string
--levelLevel of tests to perform (1-5, default 1)
proxy
string
--proxyUse a proxy to connect to the target URL
purge
boolean
--purgeSafely remove all content from sqlmap data directory
roles
boolean
--rolesEnumerate DBMS users roles
scope
string
--scopeRegexp for filtering targets
smart
boolean
--smartPerform thorough tests only if positive heuristic(s)
start
string
--startFirst dump table entry to retrieve
table
string
-TDBMS database table(s) to enumerate
users
boolean
--usersEnumerate DBMS users
where
string
--whereUse WHERE condition while table dumping
--bannerRetrieve DBMS banner
base64
string
--base64Parameter(s) containing Base64 encoded data
column
string
-CDBMS database table column(s) to enumerate
cookie
string
--cookieHTTP Cookie header value (e.g. PHPSESSID=a8d127e..)
header
string
--headerExtra header (e.g. X-Forwarded-For: 127.0.0.1)
is-dba
boolean
--is-dbaDetect if the DBMS current user is DBA
method
string
--methodForce usage of given HTTP method (e.g. PUT)
mobile
boolean
--mobileImitate smartphone through HTTP User-Agent header
os-bof
boolean
--os-bofStored procedure buffer overflow exploitation
os-cmd
boolean
--os-cmdExecute an operating system command
os-pwn
boolean
--os-pwnPrompt for an OOB shell, Meterpreter or VNC
prefix
string
--prefixInjection payload prefix string
regexp
string
--regexpRegexp to match when query is evaluated to True
repair
boolean
--repairRedump entries having unknown character marker (?)
schema
boolean
--schemaEnumerate DBMS schema
search
boolean
--searchSearch column(s), table(s) and/or database name(s)
string
string
--stringString to match when query is evaluated to True
suffix
string
--suffixInjection payload suffix string
tables
boolean
--tablesEnumerate DBMS database tables
tamper
string
--tamperUse given script(s) for tampering injection data
titles
boolean
--titlesCompare pages based only on their titles
answers
string
--answersSet predefined answers (e.g. quit=N,follow=N)
charset
string
--charsetBlind SQL injection charset (e.g. 0123456789abcdef)
chunked
boolean
--chunkedUse HTTP chunked transfer encoded (POST) requests
cleanup
boolean
--cleanupClean up the DBMS from sqlmap specific UDF and tables
columns
boolean
--columnsEnumerate DBMS database table columns
csv-del
string
--csv-delDelimiting character used in CSV output (default ,)
headers
string
--headersExtra headers (e.g. Accept-Language: fr ETag: 123)
no-cast
boolean
--no-castTurn off payload casting mechanism
offline
boolean
--offlineWork in offline mode (only use session data)
referer
string
--refererHTTP Referer header value
reg-add
boolean
--reg-addWrite a Windows registry key value data
reg-del
boolean
--reg-delDelete a Windows registry key value
reg-key
string
--reg-keyWindows registry key
retries
string
--retriesRetries when the connection timeouts (default 3)
threads
string
--threadsMax number of concurrent HTTP(s) requests (default 1)
timeout
string
--timeoutSeconds to wait before timeout connection (default 30)
comments
boolean
--commentsCheck for DBMS comments during enumeration
csrf-url
string
--csrf-urlURL address to visit for extraction of anti-CSRF token
database
string
-DDBMS database to enumerate
dump-all
boolean
--dump-allDump all DBMS databases tables entries
encoding
string
--encodingCharacter encoding used for data retrieval (e.g. GBK)
hostname
boolean
--hostnameRetrieve DBMS server hostname
log-file
file
-lParse target(s) from Burp or WebScarab proxy log file
os-shell
boolean
--os-shellPrompt for an interactive operating system shell
priv-esc
boolean
--priv-escDatabase process user privilege escalation
reg-data
string
--reg-dataWindows registry key value data
reg-read
boolean
--reg-readRead a Windows registry key value
reg-type
string
--reg-typeWindows registry key value type
retry-on
string
--retry-onRetry request on regexp matching content (e.g. drop)
safe-req
file
--safe-reqLoad safe HTTP request from a file
safe-url
string
--safe-urlURL address to visit frequently during testing
skip-waf
boolean
--skip-wafSkip heuristic detection of WAF/IPS protection
sql-file
file
--sql-fileExecute SQL statements from given file(s)
time-sec
string
--time-secSeconds to delay the DBMS response (default 5)
tmp-path
string
--tmp-pathRemote absolute path of temporary files directory
tor-port
string
--tor-portSet Tor proxy port other than default
tor-type
string
--tor-typeSet Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
unstable
boolean
--unstableAdjust options for unstable connections
web-root
string
--web-rootWeb server document root directory (e.g. /var/www)
auth-cred
string
--auth-credHTTP authentication credentials (name:password)
auth-file
file
--auth-fileHTTP authentication PEM cert/private key file
auth-type
string
--auth-typeHTTP authentication type (Basic, Digest, Bearer, ...)
bulk-file
file
required
-mScan multiple targets given in a textual file
check-tor
boolean
--check-torCheck to see if Tor is used properly
csrf-data
string
--csrf-dataPOST data to send during anti-CSRF token page visit
dbms-cred
string
--dbms-credDBMS authentication credentials (user:password)
file-dest
string
--file-destBack-end DBMS absolute filepath to write to
file-read
string
--file-readRead a file from the back-end DBMS file system
force-ssl
boolean
--force-sslForce usage of SSL/HTTPS
mnemonics
string
-zUse short mnemonics (e.g. flu,bat,ban,tec=EU)
no-escape
boolean
--no-escapeTurn off string escaping mechanism
param-del
string
--param-delCharacter used for splitting parameter values (e.g. &)
passwords
boolean
--passwordsEnumerate DBMS users password hashes
randomize
string
--randomizeRandomly change value for given parameter(s)
reg-value
string
--reg-valueWindows registry key value
safe-freq
string
--safe-freqRegular requests between visits to a safe URL
safe-post
string
--safe-postPOST data to send to a safe URL
sql-query
string
--sql-querySQL statement to be executed
sql-shell
boolean
--sql-shellPrompt for an interactive SQL shell
technique
string
--techniqueSQL injection techniques to use (default BEUSTQ)
test-skip
string
--test-skipSkip tests by payloads and/or titles (e.g. BENCHMARK)
text-only
boolean
--text-onlyCompare pages based only on the textual content
verbosity
string
-vVerbosity level: 0-6 (default 1)
abort-code
string
--abort-codeAbort on (problematic) HTTP error code(s) (e.g. 401)
cookie-del
string
--cookie-delCharacter used for splitting cookie values (e.g. ;)
csrf-token
string
--csrf-tokenParameter used to hold anti-CSRF token
current-db
boolean
--current-dbRetrieve DBMS current database
dns-domain
string
--dns-domainDomain name used for DNS exfiltration attack
file-write
file
--file-writeWrite a local file on the back-end DBMS file system
keep-alive
boolean
--keep-aliveUse persistent HTTP(s) connections
not-string
string
--not-stringString to match when query is evaluated to False
preprocess
string
--preprocessUse given script(s) for preprocessing (request)
privileges
boolean
--privilegesEnumerate DBMS users privileges
proxy-cred
string
--proxy-credProxy authentication credentials (name:password)
proxy-file
file
--proxy-fileLoad proxy list from a file
proxy-freq
string
--proxy-freqRequests between change of proxy from a given list
second-req
file
--second-reqLoad second-order HTTP request from file
second-url
string
--second-urlResulting page URL searched for second-order response
shared-lib
file
--shared-libLocal path of the shared library
statements
boolean
--statementsRetrieve SQL statements being run on DBMS
time-limit
string
--time-limitRun with a time limit in seconds (e.g. 3600)
udf-inject
boolean
--udf-injectInject custom user-defined functions
union-char
string
--union-charCharacter to use for bruteforcing number of columns
union-cols
string
--union-colsRange of columns to test for UNION query SQL injection
union-from
string
--union-fromTable to use in FROM part of UNION query SQL injection
user-agent
string
--user-agentHTTP User-Agent header value
base64-safe
boolean
--base64-safeUse URL and filename safe Base64 alphabet (RFC 4648)
config-file
file
-cLoad options from a configuration INI file
csrf-method
string
--csrf-methodHTTP method to use during anti-CSRF token page visit
dump-format
string
--dump-formatFormat of dumped data (CSV (default), HTML or SQLITE)
fingerprint
boolean
--fingerprintPerform an extensive DBMS version fingerprint
google-dork
string
-gProcess Google dork results as target URLs
ignore-code
string
--ignore-codeIgnore (problematic) HTTP error code(s) (e.g. 401)
os-smbrelay
boolean
--os-smbrelayOne click prompt for an OOB shell, Meterpreter or VNC
postprocess
string
--postprocessUse given script(s) for postprocessing (response)
skip-static
boolean
--skip-staticSkip testing parameters that not appear to be dynamic
test-filter
string
--test-filterSelect tests by payloads and/or titles (e.g. ROW)
common-files
boolean
--common-filesCheck existence of common files
csrf-retries
string
--csrf-retriesRetries for anti-CSRF token retrieval (default 0)
current-user
boolean
--current-userRetrieve DBMS current user
ignore-proxy
boolean
--ignore-proxyIgnore system default proxy settings
live-cookies
string
--live-cookiesLive cookies file used for loading up-to-date values
load-cookies
string
--load-cookiesFile containing cookies in Netscape/wget format
optimization
boolean
-oTurn on all optimization switches
param-filter
string
--param-filterSelect testable parameter(s) by place (e.g. POST)
parse-errors
boolean
--parse-errorsParse and display DBMS error messages from responses
pivot-column
string
--pivot-columnPivot column name
random-agent
boolean
--random-agentUse randomly selected HTTP User-Agent header value
request-file
file
-rLoad HTTP request from a file
session-file
file
-sLoad session from a stored (.sqlite) file
table-prefix
string
--table-prefixPrefix used for temporary tables (default: sqlmap)
union-values
string
--union-valuesColumn values to use for UNION query SQL injection
binary-fields
string
--binary-fieldsResult fields having binary values (e.g. digest)
common-tables
boolean
--common-tablesCheck existence of common tables
crawl-exclude
string
--crawl-excludeRegexp to exclude pages from crawling (e.g. logout)
flush-session
boolean
--flush-sessionFlush session files for current target
fresh-queries
boolean
--fresh-queriesIgnore query results stored in session file
param-exclude
string
--param-excludeRegexp to exclude parameters from testing (e.g. ses)
abort-on-empty
boolean
--abort-on-emptyAbort data retrieval on empty results
check-internet
boolean
--check-internetCheck Internet connection before assessing the target
common-columns
boolean
--common-columnsCheck existence of common columns
exclude-sysdbs
boolean
--exclude-sysdbsExclude DBMS system databases when enumerating tables
invalid-bignum
boolean
--invalid-bignumUse big numbers for invalidating values
invalid-string
boolean
--invalid-stringUse random strings for invalidating values
predict-output
boolean
--predict-outputPredict common queries output
skip-urlencode
boolean
--skip-urlencodeSkip URL encoding of payload data
drop-set-cookie
boolean
--drop-set-cookieIgnore Set-Cookie header from response
ignore-timeouts
boolean
--ignore-timeoutsIgnore connection timeouts
invalid-logical
boolean
--invalid-logicalUse logical operations for invalidating values
null-connection
boolean
--null-connectionRetrieve page length without actual HTTP response body
skip-heuristics
boolean
--skip-heuristicsSkip heuristic detection of vulnerabilities
test-parameters
string
-pTestable parameter(s)
disable-coloring
boolean
--disable-coloringDisable console output coloring
ignore-redirects
boolean
--ignore-redirectsIgnore redirection attempts
connection-string
string
-dConnection string for direct database connection
exclude-idnetifiers
string
-XDBMS database identifier(s) to not enumerate