sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers
Details
Category: Vulnerabilities
Publisher: trickest
Created Date: 9/7/2021
Container: quay.io/trickest/sqlmap:de66b69
Source URL: https://github.com/sqlmapproject/sqlmap
Parameters
os
string
Command:
--os
- Force back-end DBMS operating system to provided value
all
boolean
Command:
--all
- Retrieve everything
dbs
boolean
Command:
--dbs
- Enumerate DBMS databases
eta
boolean
Command:
--eta
- Display for each output the estimated time of arrival
hex
boolean
Command:
--hex
- Use hex conversion during data retrieval
hpp
boolean
Command:
--hpp
- Use HTTP parameter pollution method
tor
boolean
Command:
--tor
- Use Tor anonymity network
url
string
required
Command:
--url
- Target URL (e.g. http://www.site.com/vuln.php?id=1)
code
string
Command:
--code
- HTTP code to match when query is evaluated to True
data
string
Command:
--data
- Data string to be sent through POST (e.g. id=1)
dbms
string
Command:
--dbms
- Force back-end DBMS to provided value
dump
boolean
Command:
--dump
- Dump DBMS database table entries
eval
string
Command:
--eval
- Evaluate provided Python code before the request (e.g. import hashlib;id2=hashlib.md5(id).hexdigest())
host
string
Command:
--host
- HTTP Host header value
last
string
Command:
--last
- Last query output word character to retrieve
risk
string
Command:
--risk
- Risk of tests to perform (1-3, default 1)
skip
string
Command:
--skip
- Skip testing for given parameter(s)
stop
string
Command:
--stop
- Last dump table entry to retrieve
user
string
Command:
-U
- DBMS user to enumerate
alert
string
Command:
--alert
- Run host OS command(s) when SQL injection is found
count
boolean
Command:
--count
- Retrieve number of entries for table(s)
crawl
string
Command:
--crawl
- Crawl the website starting from the target URL
delay
string
Command:
--delay
- Delay in seconds between each HTTP request
first
string
Command:
--first
- First query output word character to retrieve
forms
boolean
Command:
--forms
- Parse and test forms on target URL
gpage
string
Command:
--gpage
- Use Google dork results from specified page number
level
string
Command:
--level
- Level of tests to perform (1-5, default 1)
proxy
string
Command:
--proxy
- Use a proxy to connect to the target URL
purge
boolean
Command:
--purge
- Safely remove all content from sqlmap data directory
roles
boolean
Command:
--roles
- Enumerate DBMS users roles
scope
string
Command:
--scope
- Regexp for filtering targets
smart
boolean
Command:
--smart
- Perform thorough tests only if positive heuristic(s)
start
string
Command:
--start
- First dump table entry to retrieve
table
string
Command:
-T
- DBMS database table(s) to enumerate
users
boolean
Command:
--users
- Enumerate DBMS users
where
string
Command:
--where
- Use WHERE condition while table dumping
banner
boolean
Command:
--banner
- Retrieve DBMS banner
base64
string
Command:
--base64
- Parameter(s) containing Base64 encoded data
column
string
Command:
-C
- DBMS database table column(s) to enumerate
cookie
string
Command:
--cookie
- HTTP Cookie header value (e.g. PHPSESSID=a8d127e..)
header
string
Command:
--header
- Extra header (e.g. X-Forwarded-For: 127.0.0.1)
is-dba
boolean
Command:
--is-dba
- Detect if the DBMS current user is DBA
method
string
Command:
--method
- Force usage of given HTTP method (e.g. PUT)
mobile
boolean
Command:
--mobile
- Imitate smartphone through HTTP User-Agent header
os-bof
boolean
Command:
--os-bof
- Stored procedure buffer overflow exploitation
os-cmd
boolean
Command:
--os-cmd
- Execute an operating system command
os-pwn
boolean
Command:
--os-pwn
- Prompt for an OOB shell, Meterpreter or VNC
prefix
string
Command:
--prefix
- Injection payload prefix string
regexp
string
Command:
--regexp
- Regexp to match when query is evaluated to True
repair
boolean
Command:
--repair
- Redump entries having unknown character marker (?)
schema
boolean
Command:
--schema
- Enumerate DBMS schema
search
boolean
Command:
--search
- Search column(s), table(s) and/or database name(s)
string
string
Command:
--string
- String to match when query is evaluated to True
suffix
string
Command:
--suffix
- Injection payload suffix string
tables
boolean
Command:
--tables
- Enumerate DBMS database tables
tamper
string
Command:
--tamper
- Use given script(s) for tampering injection data
titles
boolean
Command:
--titles
- Compare pages based only on their titles
answers
string
Command:
--answers
- Set predefined answers (e.g. quit=N,follow=N)
charset
string
Command:
--charset
- Blind SQL injection charset (e.g. 0123456789abcdef)
chunked
boolean
Command:
--chunked
- Use HTTP chunked transfer encoded (POST) requests
cleanup
boolean
Command:
--cleanup
- Clean up the DBMS from sqlmap specific UDF and tables
columns
boolean
Command:
--columns
- Enumerate DBMS database table columns
csv-del
string
Command:
--csv-del
- Delimiting character used in CSV output (default ,)
headers
string
Command:
--headers
- Extra headers (e.g. Accept-Language: fr\nETag: 123)
no-cast
boolean
Command:
--no-cast
- Turn off payload casting mechanism
offline
boolean
Command:
--offline
- Work in offline mode (only use session data)
referer
string
Command:
--referer
- HTTP Referer header value
reg-add
boolean
Command:
--reg-add
- Write a Windows registry key value data
reg-del
boolean
Command:
--reg-del
- Delete a Windows registry key value
reg-key
string
Command:
--reg-key
- Windows registry key
retries
string
Command:
--retries
- Retries when the connection timeouts (default 3)
threads
string
Command:
--threads
- Max number of concurrent HTTP(s) requests (default 1)
timeout
string
Command:
--timeout
- Seconds to wait before timeout connection (default 30)
comments
boolean
Command:
--comments
- Check for DBMS comments during enumeration
csrf-url
string
Command:
--csrf-url
- URL address to visit for extraction of anti-CSRF token
database
string
Command:
-D
- DBMS database to enumerate
dump-all
boolean
Command:
--dump-all
- Dump all DBMS databases tables entries
encoding
string
Command:
--encoding
- Character encoding used for data retrieval (e.g. GBK)
hostname
boolean
Command:
--hostname
- Retrieve DBMS server hostname
log-file
file
Command:
-l
- Parse target(s) from Burp or WebScarab proxy log file
os-shell
boolean
Command:
--os-shell
- Prompt for an interactive operating system shell
priv-esc
boolean
Command:
--priv-esc
- Database process user privilege escalation
reg-data
string
Command:
--reg-data
- Windows registry key value data
reg-read
boolean
Command:
--reg-read
- Read a Windows registry key value
reg-type
string
Command:
--reg-type
- Windows registry key value type
retry-on
string
Command:
--retry-on
- Retry request on regexp matching content (e.g. drop)
safe-req
file
Command:
--safe-req
- Load safe HTTP request from a file
safe-url
string
Command:
--safe-url
- URL address to visit frequently during testing
skip-waf
boolean
Command:
--skip-waf
- Skip heuristic detection of WAF/IPS protection
sql-file
file
Command:
--sql-file
- Execute SQL statements from given file(s)
time-sec
string
Command:
--time-sec
- Seconds to delay the DBMS response (default 5)
tmp-path
string
Command:
--tmp-path
- Remote absolute path of temporary files directory
tor-port
string
Command:
--tor-port
- Set Tor proxy port other than default
tor-type
string
Command:
--tor-type
- Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
unstable
boolean
Command:
--unstable
- Adjust options for unstable connections
web-root
string
Command:
--web-root
- Web server document root directory (e.g. /var/www)
auth-cred
string
Command:
--auth-cred
- HTTP authentication credentials (name:password)
auth-file
file
Command:
--auth-file
- HTTP authentication PEM cert/private key file
auth-type
string
Command:
--auth-type
- HTTP authentication type (Basic, Digest, Bearer, ...)
bulk-file
file
required
Command:
-m
- Scan multiple targets given in a textual file
check-tor
boolean
Command:
--check-tor
- Check to see if Tor is used properly
csrf-data
string
Command:
--csrf-data
- POST data to send during anti-CSRF token page visit
dbms-cred
string
Command:
--dbms-cred
- DBMS authentication credentials (user:password)
file-dest
string
Command:
--file-dest
- Back-end DBMS absolute filepath to write to
file-read
string
Command:
--file-read
- Read a file from the back-end DBMS file system
force-ssl
boolean
Command:
--force-ssl
- Force usage of SSL/HTTPS
mnemonics
string
Command:
-z
- Use short mnemonics (e.g. flu,bat,ban,tec=EU)
no-escape
boolean
Command:
--no-escape
- Turn off string escaping mechanism
param-del
string
Command:
--param-del
- Character used for splitting parameter values (e.g. &)
passwords
boolean
Command:
--passwords
- Enumerate DBMS users password hashes
randomize
string
Command:
--randomize
- Randomly change value for given parameter(s)
reg-value
string
Command:
--reg-value
- Windows registry key value
safe-freq
string
Command:
--safe-freq
- Regular requests between visits to a safe URL
safe-post
string
Command:
--safe-post
- POST data to send to a safe URL
sql-query
string
Command:
--sql-query
- SQL statement to be executed
sql-shell
boolean
Command:
--sql-shell
- Prompt for an interactive SQL shell
technique
string
Command:
--technique
- SQL injection techniques to use (default BEUSTQ)
test-skip
string
Command:
--test-skip
- Skip tests by payloads and/or titles (e.g. BENCHMARK)
text-only
boolean
Command:
--text-only
- Compare pages based only on the textual content
verbosity
string
Command:
-v
- Verbosity level: 0-6 (default 1)
abort-code
string
Command:
--abort-code
- Abort on (problematic) HTTP error code(s) (e.g. 401)
cookie-del
string
Command:
--cookie-del
- Character used for splitting cookie values (e.g. ;)
csrf-token
string
Command:
--csrf-token
- Parameter used to hold anti-CSRF token
current-db
boolean
Command:
--current-db
- Retrieve DBMS current database
dns-domain
string
Command:
--dns-domain
- Domain name used for DNS exfiltration attack
file-write
file
Command:
--file-write
- Write a local file on the back-end DBMS file system
keep-alive
boolean
Command:
--keep-alive
- Use persistent HTTP(s) connections
not-string
string
Command:
--not-string
- String to match when query is evaluated to False
preprocess
string
Command:
--preprocess
- Use given script(s) for preprocessing (request)
privileges
boolean
Command:
--privileges
- Enumerate DBMS users privileges
proxy-cred
string
Command:
--proxy-cred
- Proxy authentication credentials (name:password)
proxy-file
file
Command:
--proxy-file
- Load proxy list from a file
proxy-freq
string
Command:
--proxy-freq
- Requests between change of proxy from a given list
second-req
file
Command:
--second-req
- Load second-order HTTP request from file
second-url
string
Command:
--second-url
- Resulting page URL searched for second-order response
shared-lib
file
Command:
--shared-lib
- Local path of the shared library
statements
boolean
Command:
--statements
- Retrieve SQL statements being run on DBMS
time-limit
string
Command:
--time-limit
- Run with a time limit in seconds (e.g. 3600)
udf-inject
boolean
Command:
--udf-inject
- Inject custom user-defined functions
union-char
string
Command:
--union-char
- Character to use for bruteforcing number of columns
union-cols
string
Command:
--union-cols
- Range of columns to test for UNION query SQL injection
union-from
string
Command:
--union-from
- Table to use in FROM part of UNION query SQL injection
user-agent
string
Command:
--user-agent
- HTTP User-Agent header value
base64-safe
boolean
Command:
--base64-safe
- Use URL and filename safe Base64 alphabet (RFC 4648)
config-file
file
Command:
-c
- Load options from a configuration INI file
csrf-method
string
Command:
--csrf-method
- HTTP method to use during anti-CSRF token page visit
dump-format
string
Command:
--dump-format
- Format of dumped data (CSV (default), HTML or SQLITE)
fingerprint
boolean
Command:
--fingerprint
- Perform an extensive DBMS version fingerprint
google-dork
string
Command:
-g
- Process Google dork results as target URLs
ignore-code
string
Command:
--ignore-code
- Ignore (problematic) HTTP error code(s) (e.g. 401)
os-smbrelay
boolean
Command:
--os-smbrelay
- One click prompt for an OOB shell, Meterpreter or VNC
postprocess
string
Command:
--postprocess
- Use given script(s) for postprocessing (response)
skip-static
boolean
Command:
--skip-static
- Skip testing parameters that not appear to be dynamic
test-filter
string
Command:
--test-filter
- Select tests by payloads and/or titles (e.g. ROW)
common-files
boolean
Command:
--common-files
- Check existence of common files
csrf-retries
string
Command:
--csrf-retries
- Retries for anti-CSRF token retrieval (default 0)
current-user
boolean
Command:
--current-user
- Retrieve DBMS current user
ignore-proxy
boolean
Command:
--ignore-proxy
- Ignore system default proxy settings
live-cookies
string
Command:
--live-cookies
- Live cookies file used for loading up-to-date values
load-cookies
string
Command:
--load-cookies
- File containing cookies in Netscape/wget format
optimization
boolean
Command:
-o
- Turn on all optimization switches
param-filter
string
Command:
--param-filter
- Select testable parameter(s) by place (e.g. POST)
parse-errors
boolean
Command:
--parse-errors
- Parse and display DBMS error messages from responses
pivot-column
string
Command:
--pivot-column
- Pivot column name
random-agent
boolean
Command:
--random-agent
- Use randomly selected HTTP User-Agent header value
request-file
file
Command:
-r
- Load HTTP request from a file
session-file
file
Command:
-s
- Load session from a stored (.sqlite) file
table-prefix
string
Command:
--table-prefix
- Prefix used for temporary tables (default: sqlmap)
union-values
string
Command:
--union-values
- Column values to use for UNION query SQL injection
binary-fields
string
Command:
--binary-fields
- Result fields having binary values (e.g. digest)
common-tables
boolean
Command:
--common-tables
- Check existence of common tables
crawl-exclude
string
Command:
--crawl-exclude
- Regexp to exclude pages from crawling (e.g. logout)
flush-session
boolean
Command:
--flush-session
- Flush session files for current target
fresh-queries
boolean
Command:
--fresh-queries
- Ignore query results stored in session file
param-exclude
string
Command:
--param-exclude
- Regexp to exclude parameters from testing (e.g. ses)
abort-on-empty
boolean
Command:
--abort-on-empty
- Abort data retrieval on empty results
check-internet
boolean
Command:
--check-internet
- Check Internet connection before assessing the target
common-columns
boolean
Command:
--common-columns
- Check existence of common columns
exclude-sysdbs
boolean
Command:
--exclude-sysdbs
- Exclude DBMS system databases when enumerating tables
invalid-bignum
boolean
Command:
--invalid-bignum
- Use big numbers for invalidating values
invalid-string
boolean
Command:
--invalid-string
- Use random strings for invalidating values
predict-output
boolean
Command:
--predict-output
- Predict common queries output
skip-urlencode
boolean
Command:
--skip-urlencode
- Skip URL encoding of payload data
drop-set-cookie
boolean
Command:
--drop-set-cookie
- Ignore Set-Cookie header from response
ignore-timeouts
boolean
Command:
--ignore-timeouts
- Ignore connection timeouts
invalid-logical
boolean
Command:
--invalid-logical
- Use logical operations for invalidating values
null-connection
boolean
Command:
--null-connection
- Retrieve page length without actual HTTP response body
skip-heuristics
boolean
Command:
--skip-heuristics
- Skip heuristic detection of vulnerabilities
test-parameters
string
Command:
-p
- Testable parameter(s)
disable-coloring
boolean
Command:
--disable-coloring
- Disable console output coloring
ignore-redirects
boolean
Command:
--ignore-redirects
- Ignore redirection attempts
connection-string
string
Command:
-d
- Connection string for direct database connection
exclude-idnetifiers
string
Command:
-X
- DBMS database identifier(s) to not enumerate