sqlmap - Trickest Platform Documentation

Name:sqlmap

Category:Vulnerabilities

Publisher:trickest

Created:9/7/2021

Container:quay.io/trickest/sqlmap:v1.9-patch-1

Output Type:

License:Unknown

Source:View Source

Parameters

string

--osForce back-end DBMS operating system to provided value

all

boolean

--allRetrieve everything

dbs

boolean

--dbsEnumerate DBMS databases

eta

boolean

--etaDisplay for each output the estimated time of arrival

hex

boolean

--hexUse hex conversion during data retrieval

hpp

boolean

--hppUse HTTP parameter pollution method

tor

boolean

--torUse Tor anonymity network

url

string

required

--urlTarget URL (e.g. http://www.site.com/vuln.php?id=1)

code

string

--codeHTTP code to match when query is evaluated to True

data

string

--dataData string to be sent through POST (e.g. id=1)

dbms

string

--dbmsForce back-end DBMS to provided value

dump

boolean

--dumpDump DBMS database table entries

eval

string

--evalEvaluate provided Python code before the request (e.g. import hashlib;id2=hashlib.md5(id).hexdigest())

host

string

--hostHTTP Host header value

last

string

--lastLast query output word character to retrieve

risk

string

--riskRisk of tests to perform (1-3, default 1)

skip

string

--skipSkip testing for given parameter(s)

stop

string

--stopLast dump table entry to retrieve

user

string

-UDBMS user to enumerate

alert

string

--alertRun host OS command(s) when SQL injection is found

count

boolean

--countRetrieve number of entries for table(s)

crawl

string

--crawlCrawl the website starting from the target URL

delay

string

--delayDelay in seconds between each HTTP request

first

string

--firstFirst query output word character to retrieve

forms

boolean

--formsParse and test forms on target URL

gpage

string

--gpageUse Google dork results from specified page number

level

string

--levelLevel of tests to perform (1-5, default 1)

proxy

string

--proxyUse a proxy to connect to the target URL

purge

boolean

--purgeSafely remove all content from sqlmap data directory

roles

boolean

--rolesEnumerate DBMS users roles

scope

string

--scopeRegexp for filtering targets

smart

boolean

--smartPerform thorough tests only if positive heuristic(s)

start

string

--startFirst dump table entry to retrieve

table

string

-TDBMS database table(s) to enumerate

users

boolean

--usersEnumerate DBMS users

where

string

--whereUse WHERE condition while table dumping

banner

boolean

--bannerRetrieve DBMS banner

base64

string

--base64Parameter(s) containing Base64 encoded data

column

string

-CDBMS database table column(s) to enumerate

--cookieHTTP Cookie header value (e.g. PHPSESSID=a8d127e..)

header

string

--headerExtra header (e.g. X-Forwarded-For: 127.0.0.1)

is-dba

boolean

--is-dbaDetect if the DBMS current user is DBA

method

string

--methodForce usage of given HTTP method (e.g. PUT)

mobile

boolean

--mobileImitate smartphone through HTTP User-Agent header

os-bof

boolean

--os-bofStored procedure buffer overflow exploitation

os-cmd

boolean

--os-cmdExecute an operating system command

os-pwn

boolean

--os-pwnPrompt for an OOB shell, Meterpreter or VNC

prefix

string

--prefixInjection payload prefix string

regexp

string

--regexpRegexp to match when query is evaluated to True

repair

boolean

--repairRedump entries having unknown character marker (?)

schema

boolean

--schemaEnumerate DBMS schema

boolean

--searchSearch column(s), table(s) and/or database name(s)

string

--stringString to match when query is evaluated to True

suffix

string

--suffixInjection payload suffix string

tables

boolean

--tablesEnumerate DBMS database tables

tamper

string

--tamperUse given script(s) for tampering injection data

titles

boolean

--titlesCompare pages based only on their titles

answers

string

--answersSet predefined answers (e.g. quit=N,follow=N)

charset

string

--charsetBlind SQL injection charset (e.g. 0123456789abcdef)

chunked

boolean

--chunkedUse HTTP chunked transfer encoded (POST) requests

cleanup

boolean

--cleanupClean up the DBMS from sqlmap specific UDF and tables

columns

boolean

--columnsEnumerate DBMS database table columns

csv-del

string

--csv-delDelimiting character used in CSV output (default ,)

headers

string

--headersExtra headers (e.g. Accept-Language: fr ETag: 123)

no-cast

boolean

--no-castTurn off payload casting mechanism

offline

boolean

--offlineWork in offline mode (only use session data)

referer

string

--refererHTTP Referer header value

reg-add

boolean

--reg-addWrite a Windows registry key value data

reg-del

boolean

--reg-delDelete a Windows registry key value

reg-key

string

--reg-keyWindows registry key

retries

string

--retriesRetries when the connection timeouts (default 3)

threads

string

--threadsMax number of concurrent HTTP(s) requests (default 1)

timeout

string

--timeoutSeconds to wait before timeout connection (default 30)

comments

boolean

--commentsCheck for DBMS comments during enumeration

csrf-url

string

--csrf-urlURL address to visit for extraction of anti-CSRF token

database

string

-DDBMS database to enumerate

dump-all

boolean

--dump-allDump all DBMS databases tables entries

encoding

string

--encodingCharacter encoding used for data retrieval (e.g. GBK)

hostname

boolean

--hostnameRetrieve DBMS server hostname

log-file

file

-lParse target(s) from Burp or WebScarab proxy log file

os-shell

boolean

--os-shellPrompt for an interactive operating system shell

priv-esc

boolean

--priv-escDatabase process user privilege escalation

reg-data

string

--reg-dataWindows registry key value data

reg-read

boolean

--reg-readRead a Windows registry key value

reg-type

string

--reg-typeWindows registry key value type

retry-on

string

--retry-onRetry request on regexp matching content (e.g. drop)

safe-req

file

--safe-reqLoad safe HTTP request from a file

safe-url

string

--safe-urlURL address to visit frequently during testing

skip-waf

boolean

--skip-wafSkip heuristic detection of WAF/IPS protection

sql-file

file

--sql-fileExecute SQL statements from given file(s)

time-sec

string

--time-secSeconds to delay the DBMS response (default 5)

tmp-path

string

--tmp-pathRemote absolute path of temporary files directory

tor-port

string

--tor-portSet Tor proxy port other than default

tor-type

string

--tor-typeSet Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))

unstable

boolean

--unstableAdjust options for unstable connections

web-root

string

--web-rootWeb server document root directory (e.g. /var/www)

auth-cred

string

--auth-credHTTP authentication credentials (name:password)

auth-file

file

--auth-fileHTTP authentication PEM cert/private key file

auth-type

string

--auth-typeHTTP authentication type (Basic, Digest, Bearer, ...)

bulk-file

file

required

-mScan multiple targets given in a textual file

check-tor

boolean

--check-torCheck to see if Tor is used properly

csrf-data

string

--csrf-dataPOST data to send during anti-CSRF token page visit

dbms-cred

string

--dbms-credDBMS authentication credentials (user:password)

file-dest

string

--file-destBack-end DBMS absolute filepath to write to

file-read

string

--file-readRead a file from the back-end DBMS file system

force-ssl

boolean

--force-sslForce usage of SSL/HTTPS

mnemonics

string

-zUse short mnemonics (e.g. flu,bat,ban,tec=EU)

no-escape

boolean

--no-escapeTurn off string escaping mechanism

param-del

string

--param-delCharacter used for splitting parameter values (e.g. &)

passwords

boolean

--passwordsEnumerate DBMS users password hashes

randomize

string

--randomizeRandomly change value for given parameter(s)

reg-value

string

--reg-valueWindows registry key value

safe-freq

string

--safe-freqRegular requests between visits to a safe URL

safe-post

string

--safe-postPOST data to send to a safe URL

sql-query

string

--sql-querySQL statement to be executed

sql-shell

boolean

--sql-shellPrompt for an interactive SQL shell

technique

string

--techniqueSQL injection techniques to use (default BEUSTQ)

test-skip

string

--test-skipSkip tests by payloads and/or titles (e.g. BENCHMARK)

text-only

boolean

--text-onlyCompare pages based only on the textual content

verbosity

string

-vVerbosity level: 0-6 (default 1)

abort-code

string

--abort-codeAbort on (problematic) HTTP error code(s) (e.g. 401)

--cookie-delCharacter used for splitting cookie values (e.g. ;)

csrf-token

string

--csrf-tokenParameter used to hold anti-CSRF token

current-db

boolean

--current-dbRetrieve DBMS current database

dns-domain

string

--dns-domainDomain name used for DNS exfiltration attack

file-write

file

--file-writeWrite a local file on the back-end DBMS file system

keep-alive

boolean

--keep-aliveUse persistent HTTP(s) connections

not-string

string

--not-stringString to match when query is evaluated to False

preprocess

string

--preprocessUse given script(s) for preprocessing (request)

privileges

boolean

--privilegesEnumerate DBMS users privileges

proxy-cred

string

--proxy-credProxy authentication credentials (name:password)

proxy-file

file

--proxy-fileLoad proxy list from a file

proxy-freq

string

--proxy-freqRequests between change of proxy from a given list

second-req

file

--second-reqLoad second-order HTTP request from file

second-url

string

--second-urlResulting page URL searched for second-order response

shared-lib

file

--shared-libLocal path of the shared library

statements

boolean

--statementsRetrieve SQL statements being run on DBMS

time-limit

string

--time-limitRun with a time limit in seconds (e.g. 3600)

udf-inject

boolean

--udf-injectInject custom user-defined functions

union-char

string

--union-charCharacter to use for bruteforcing number of columns

union-cols

string

--union-colsRange of columns to test for UNION query SQL injection

union-from

string

--union-fromTable to use in FROM part of UNION query SQL injection

user-agent

string

--user-agentHTTP User-Agent header value

base64-safe

boolean

--base64-safeUse URL and filename safe Base64 alphabet (RFC 4648)

config-file

file

-cLoad options from a configuration INI file

csrf-method

string

--csrf-methodHTTP method to use during anti-CSRF token page visit

dump-format

string

--dump-formatFormat of dumped data (CSV (default), HTML or SQLITE)

fingerprint

boolean

--fingerprintPerform an extensive DBMS version fingerprint

google-dork

string

-gProcess Google dork results as target URLs

ignore-code

string

--ignore-codeIgnore (problematic) HTTP error code(s) (e.g. 401)

os-smbrelay

boolean

--os-smbrelayOne click prompt for an OOB shell, Meterpreter or VNC

postprocess

string

--postprocessUse given script(s) for postprocessing (response)

skip-static

boolean

--skip-staticSkip testing parameters that not appear to be dynamic

test-filter

string

--test-filterSelect tests by payloads and/or titles (e.g. ROW)

common-files

boolean

--common-filesCheck existence of common files

csrf-retries

string

--csrf-retriesRetries for anti-CSRF token retrieval (default 0)

current-user

boolean

--current-userRetrieve DBMS current user

ignore-proxy

boolean

--ignore-proxyIgnore system default proxy settings

live-cookies

string

--live-cookiesLive cookies file used for loading up-to-date values

load-cookies

string

--load-cookiesFile containing cookies in Netscape/wget format

optimization

boolean

-oTurn on all optimization switches

param-filter

string

--param-filterSelect testable parameter(s) by place (e.g. POST)

parse-errors

boolean

--parse-errorsParse and display DBMS error messages from responses

pivot-column

string

--pivot-columnPivot column name

random-agent

boolean

--random-agentUse randomly selected HTTP User-Agent header value

request-file

file

-rLoad HTTP request from a file

session-file

file

-sLoad session from a stored (.sqlite) file

table-prefix

string

--table-prefixPrefix used for temporary tables (default: sqlmap)

union-values

string

--union-valuesColumn values to use for UNION query SQL injection

binary-fields

string

--binary-fieldsResult fields having binary values (e.g. digest)

common-tables

boolean

--common-tablesCheck existence of common tables

crawl-exclude

string

--crawl-excludeRegexp to exclude pages from crawling (e.g. logout)

flush-session

boolean

--flush-sessionFlush session files for current target

fresh-queries

boolean

--fresh-queriesIgnore query results stored in session file

param-exclude

string

--param-excludeRegexp to exclude parameters from testing (e.g. ses)

abort-on-empty

boolean

--abort-on-emptyAbort data retrieval on empty results

check-internet

boolean

--check-internetCheck Internet connection before assessing the target

common-columns

boolean

--common-columnsCheck existence of common columns

exclude-sysdbs

boolean

--exclude-sysdbsExclude DBMS system databases when enumerating tables

invalid-bignum

boolean

--invalid-bignumUse big numbers for invalidating values

invalid-string

boolean

--invalid-stringUse random strings for invalidating values

predict-output

boolean

--predict-outputPredict common queries output

skip-urlencode

boolean

--skip-urlencodeSkip URL encoding of payload data

--drop-set-cookieIgnore Set-Cookie header from response

ignore-timeouts

boolean

--ignore-timeoutsIgnore connection timeouts

invalid-logical

boolean

--invalid-logicalUse logical operations for invalidating values

null-connection

boolean

--null-connectionRetrieve page length without actual HTTP response body

skip-heuristics

boolean

--skip-heuristicsSkip heuristic detection of vulnerabilities

test-parameters

string

-pTestable parameter(s)

disable-coloring

boolean

--disable-coloringDisable console output coloring

ignore-redirects

boolean

--ignore-redirectsIgnore redirection attempts

connection-string

string

-dConnection string for direct database connection

exclude-idnetifiers

string

-XDBMS database identifier(s) to not enumerate

Library

Parameters