1# At least one of these options has to be specified to set the source to
2# get target URLs from.
3[Target]
4
5# Target URL.
6# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
7url =
8
9# Direct connection to the database.
10# Examples:
11#   mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
12#   oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
13direct =
14
15# Parse targets from Burp or WebScarab logs
16# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
17# or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
18# 'conversations/' folder path
19logFile =
20
21# Scan multiple targets enlisted in a given textual file
22bulkFile =
23
24# Load HTTP request from a file
25# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
26requestFile =
27
28# Rather than providing a target URL, let Google return target
29# hosts as result of your Google dork expression. For a list of Google
30# dorks see Johnny Long Google Hacking Database at
31# http://johnny.ihackstuff.com/ghdb.php.
32# Example: +ext:php +inurl:"&id=" +intext:"powered by "
33googleDork =
34
35
36# These options can be used to specify how to connect to the target URL.
37[Request]
38
39# Force usage of given HTTP method (e.g. PUT).
40method =
41
42# Data string to be sent through POST (e.g. "id=1").
43data =
44
45# Character used for splitting parameter values (e.g. &).
46paramDel =
47
48# HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..").
49cookie =
50
51# Character used for splitting cookie values (e.g. ;).
52cookieDel =
53
54# File containing cookies in Netscape/wget format.
55loadCookies =
56
57# Ignore Set-Cookie header from response.
58# Valid: True or False
59dropSetCookie = False
60
61# HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value
62# at each HTTP request.
63# sqlmap will also test for SQL injection on the HTTP User-Agent value.
64agent =
65
66# Imitate smartphone through HTTP User-Agent header.
67# Valid: True or False
68mobile = False
69
70# Use randomly selected HTTP User-Agent header value.
71# Valid: True or False
72randomAgent = False
73
74# HTTP Host header value.
75host =
76
77# HTTP Referer header. Useful to fake the HTTP Referer header value at
78# each HTTP request.
79referer =
80
81# Extra HTTP headers
82headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
83 Accept-Language: en-us,en;q=0.5
84 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
85
86# HTTP Authentication type. Useful only if the target URL requires
87# HTTP Basic, Digest or NTLM authentication and you have such data.
88# Valid: Basic, Digest, NTLM or PKI
89authType =
90
91# HTTP authentication credentials. Useful only if the target URL requires
92# HTTP Basic, Digest or NTLM authentication and you have such data.
93# Syntax: username:password
94authCred =
95
96# HTTP Authentication PEM private/cert key file. Useful only if the target URL requires
97# PKI authentication and you have such data.
98# Syntax: key_file
99authFile =
100
101# Ignore (problematic) HTTP error code (e.g. 401).
102# Valid: integer
103ignoreCode =
104
105# Ignore system default proxy settings.
106# Valid: True or False
107ignoreProxy = False
108
109# Ignore redirection attempts.
110# Valid: True or False
111ignoreRedirects = False
112
113# Ignore connection timeouts.
114# Valid: True or False
115ignoreTimeouts = False
116
117# Use a proxy to connect to the target URL.
118# Syntax: (http|https|socks4|socks5)://address:port
119proxy =
120
121# Proxy authentication credentials. Useful only if the proxy requires
122# Basic or Digest authentication and you have such data.
123# Syntax: username:password
124proxyCred =
125
126# Load proxy list from a file
127proxyFile =
128
129# Use Tor anonymity network.
130# Valid: True or False
131tor = False
132
133# Set Tor proxy port other than default.
134# Valid: integer
135# torPort =
136
137# Set Tor proxy type.
138# Valid: HTTP, SOCKS4, SOCKS5
139torType = SOCKS5
140
141# Check to see if Tor is used properly.
142# Valid: True or False
143checkTor = False
144
145# Delay in seconds between each HTTP request.
146# Valid: float
147# Default: 0
148delay = 0
149
150# Seconds to wait before timeout connection.
151# Valid: float
152# Default: 30
153timeout = 30
154
155# Maximum number of retries when the HTTP connection timeouts.
156# Valid: integer
157# Default: 3
158retries = 3
159
160# Randomly change value for the given parameter.
161rParam =
162
163# URL address to visit frequently during testing.
164# Example: http://192.168.1.121/index.html
165safeUrl =
166
167# POST data to send to a safe URL.
168# Example: username=admin&password=passw0rd!
169safePost =
170
171# Load safe HTTP request from a file.
172safeReqFile =
173
174# Test requests between two visits to a given safe URL (default 0).
175# Valid: integer
176# Default: 0
177safeFreq = 0
178
179# Skip URL encoding of payload data.
180# Valid: True or False
181skipUrlEncode = False
182
183# Parameter used to hold anti-CSRF token.
184csrfToken =
185
186# URL address to visit to extract anti-CSRF token
187csrfUrl =
188
189# HTTP method to use during anti-CSRF token page visit.
190csrfMethod =
191
192# Force usage of SSL/HTTPS
193# Valid: True or False
194forceSSL = False
195
196# Use HTTP chunked transfer encoded requests.
197# Valid: True or False
198chunked = False
199
200# Use HTTP parameter pollution.
201# Valid: True or False
202hpp = False
203
204# Evaluate provided Python code before the request.
205# Example: import hashlib;id2=hashlib.md5(id).hexdigest()
206evalCode =
207
208# These options can be used to optimize the performance of sqlmap.
209[Optimization]
210
211# Use all optimization options.
212# Valid: True or False
213optimize = False
214
215# Predict common queries output.
216# Valid: True or False
217predictOutput = False
218
219# Use persistent HTTP(s) connections.
220keepAlive = False
221
222# Retrieve page length without actual HTTP response body.
223# Valid: True or False
224nullConnection = False
225
226# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
227# to be used in the inference SQL injection attack.
228# Valid: integer
229# Default: 1
230threads = 1
231
232
233# These options can be used to specify which parameters to test for,
234# provide custom injection payloads and optional tampering scripts.
235[Injection]
236
237# Testable parameter(s) comma separated. By default all GET/POST/Cookie
238# parameters and HTTP User-Agent are tested by sqlmap.
239testParameter =
240
241# Skip testing for given parameter(s).
242skip =
243
244# Skip testing parameters that not appear to be dynamic.
245# Valid: True or False
246skipStatic = False
247
248# Regexp to exclude parameters from testing (e.g. "ses").
249paramExclude =
250
251# Select testable parameter(s) by place (e.g. "POST").
252paramFilter =
253
254# Force back-end DBMS to provided value. If this option is set, the back-end
255# DBMS identification process will be minimized as needed.
256# If not set, sqlmap will detect back-end DBMS automatically by default.
257# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
258# access, firebird, maxdb, sybase
259dbms =
260
261# DBMS authentication credentials (user:password). Useful if you want to
262# run SQL statements as another user, the back-end database management
263# system is PostgreSQL or Microsoft SQL Server and the parameter is
264# vulnerable by stacked queries SQL injection or you are connecting directly
265# to the DBMS (-d switch).
266# Syntax: username:password
267dbmsCred =
268
269# Force back-end DBMS operating system to provided value. If this option is
270# set, the back-end DBMS identification process will be minimized as
271# needed.
272# If not set, sqlmap will detect back-end DBMS operating system
273# automatically by default.
274# Valid: linux, windows
275os =
276
277# Use big numbers for invalidating values.
278# Valid: True or False
279invalidBignum = False
280
281# Use logical operations for invalidating values.
282# Valid: True or False
283invalidLogical = False
284
285# Use random strings for invalidating values.
286# Valid: True or False
287invalidString = False
288
289# Turn off payload casting mechanism
290# Valid: True or False
291noCast = False
292
293# Turn off string escaping mechanism
294# Valid: True or False
295noEscape = False
296
297# Injection payload prefix string.
298prefix =
299
300# Injection payload suffix string.
301suffix =
302
303# Use given script(s) for tampering injection data.
304tamper =
305
306
307# These options can be used to specify how to parse and compare page
308# content from HTTP responses when using blind SQL injection technique.
309[Detection]
310
311# Level of tests to perform.
312# The higher the value is, the higher the number of HTTP(s) requests are
313# as well as the better chances to detect a tricky SQL injection.
314# Valid: Integer between 1 and 5
315# Default: 1
316level = 1
317
318# Risk of tests to perform.
319# Note: boolean-based blind SQL injection tests with AND are considered
320# risk 1, with OR are considered risk 3.
321# Valid: Integer between 1 and 3
322# Default: 1
323risk = 1
324
325# String to match within the raw response when the query is evaluated to
326# True, only needed if the page content dynamically changes at each refresh.
327# Refer to the user's manual for further details.
328string =
329
330# String to match within the raw response when the query is evaluated to
331# False, only needed if the page content dynamically changes at each refresh.
332# Refer to the user's manual for further details.
333notString =
334
335# Regular expression to match within the raw response when the query is
336# evaluated to True, only needed if the needed if the page content
337# dynamically changes at each refresh.
338# Refer to the user's manual for further details.
339# Valid: regular expression with Python syntax
340# (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
341regexp =
342
343# HTTP response code to match when the query is True.
344# Valid: Integer
345# Example: 200 (assuming any False statement returns a different response
346# code)
347# code =
348
349# Conduct thorough tests only if positive heuristic(s).
350# Valid: True or False
351smart = False
352
353# Compare pages based only on the textual content.
354# Valid: True or False
355textOnly = False
356
357# Compare pages based only on their titles.
358# Valid: True or False
359titles = False
360
361
362# These options can be used to tweak testing of specific SQL injection
363# techniques.
364[Techniques]
365
366# SQL injection techniques to use.
367# Valid: a string composed by B, E, U, S, T and Q where:
368# B: Boolean-based blind SQL injection
369# E: Error-based SQL injection
370# U: UNION query SQL injection
371# S: Stacked queries SQL injection
372# T: Time-based blind SQL injection
373# Q: Inline SQL injection
374# Example: ES (means test for error-based and stacked queries SQL
375# injection types only)
376# Default: BEUSTQ (means test for all SQL injection types - recommended)
377technique = BEUSTQ
378
379# Seconds to delay the response from the DBMS.
380# Valid: integer
381# Default: 5
382timeSec = 5
383
384# Range of columns to test for.
385# Valid: range of integers
386# Example: 1-10
387uCols =
388
389# Character to use for bruteforcing number of columns.
390# Valid: string
391# Example: NULL
392uChar =
393
394# Table to use in FROM part of UNION query SQL injection.
395# Valid: string
396# Example: INFORMATION_SCHEMA.COLLATIONS
397uFrom =
398
399# Domain name used for DNS exfiltration attack.
400# Valid: string
401dnsDomain =
402
403# Resulting page URL searched for second-order response.
404# Valid: string
405secondUrl =
406
407# Load second-order HTTP request from file.
408# Valid: string
409secondReq =
410
411
412[Fingerprint]
413
414# Perform an extensive back-end database management system fingerprint
415# based on various techniques.
416# Valid: True or False
417extensiveFp = False
418
419
420# These options can be used to enumerate the back-end database
421# management system information, structure and data contained in the
422# tables. Moreover you can run your own SQL statements.
423[Enumeration]
424
425# Retrieve everything
426# Valid: True or False
427getAll = False
428
429# Retrieve back-end database management system banner.
430# Valid: True or False
431getBanner = False
432
433# Retrieve back-end database management system current user.
434# Valid: True or False
435getCurrentUser = False
436
437# Retrieve back-end database management system current database.
438# Valid: True or False
439getCurrentDb = False
440
441# Retrieve back-end database management system server hostname.
442# Valid: True or False
443getHostname = False
444
445# Detect if the DBMS current user is DBA.
446# Valid: True or False
447isDba = False
448
449# Enumerate back-end database management system users.
450# Valid: True or False
451getUsers = False
452
453# Enumerate back-end database management system users password hashes.
454# Valid: True or False
455getPasswordHashes = False
456
457# Enumerate back-end database management system users privileges.
458# Valid: True or False
459getPrivileges = False
460
461# Enumerate back-end database management system users roles.
462# Valid: True or False
463getRoles = False
464
465# Enumerate back-end database management system databases.
466# Valid: True or False
467getDbs = False
468
469# Enumerate back-end database management system database tables.
470# Optional: db
471# Valid: True or False
472getTables = False
473
474# Enumerate back-end database management system database table columns.
475# Optional: db, tbl, col
476# Valid: True or False
477getColumns = False
478
479# Enumerate back-end database management system schema.
480# Valid: True or False
481getSchema = False
482
483# Retrieve number of entries for table(s).
484# Valid: True or False
485getCount = False
486
487# Dump back-end database management system database table entries.
488# Requires: tbl and/or col
489# Optional: db
490# Valid: True or False
491dumpTable = False
492
493# Dump all back-end database management system databases tables entries.
494# Valid: True or False
495dumpAll = False
496
497# Search column(s), table(s) and/or database name(s).
498# Requires: db, tbl or col
499# Valid: True or False
500search = False
501
502# Check for database management system database comments during enumeration.
503# Valid: True or False
504getComments = False
505
506# Retrieve SQL statements being run on database management system.
507# Valid: True or False
508getStatements = False
509
510# Back-end database management system database to enumerate.
511db =
512
513# Back-end database management system database table(s) to enumerate.
514tbl =
515
516# Back-end database management system database table column(s) to enumerate.
517col =
518
519# Back-end database management system identifiers (database(s), table(s) and column(s)) to not enumerate.
520exclude =
521
522# Pivot column name.
523pivotColumn =
524
525# Use WHERE condition while table dumping (e.g. "id=1").
526dumpWhere =
527
528# Back-end database management system database user to enumerate.
529user =
530
531# Exclude DBMS system databases when enumerating tables.
532# Valid: True or False
533excludeSysDbs = False
534
535# First query output entry to retrieve
536# Valid: integer
537# Default: 0 (sqlmap will start to retrieve the table dump entries from
538# first one)
539limitStart = 0
540
541# Last query output entry to retrieve
542# Valid: integer
543# Default: 0 (sqlmap will detect the number of table dump entries and
544# retrieve them until the last)
545limitStop = 0
546
547# First query output word character to retrieve
548# Valid: integer
549# Default: 0 (sqlmap will enumerate the query output from the first
550# character)
551firstChar = 0
552
553# Last query output word character to retrieve
554# Valid: integer
555# Default: 0 (sqlmap will enumerate the query output until the last
556# character)
557lastChar = 0
558
559# SQL statement to be executed.
560# Example: SELECT 'foo', 'bar'
561sqlQuery =
562
563# Prompt for an interactive SQL shell.
564# Valid: True or False
565sqlShell = False
566
567# Execute SQL statements from given file(s).
568sqlFile =
569
570
571# These options can be used to run brute force checks.
572[Brute force]
573
574# Check existence of common tables.
575# Valid: True or False
576commonTables = False
577
578# Check existence of common columns.
579# Valid: True or False
580commonColumns = False
581
582# Check existence of common files.
583# Valid: True or False
584commonFiles = False
585
586
587# These options can be used to create custom user-defined functions.
588[User-defined function]
589
590# Inject custom user-defined functions
591# Valid: True or False
592udfInject = False
593
594# Local path of the shared library
595shLib =
596
597
598# These options can be used to access the back-end database management
599# system underlying file system.
600[File system]
601
602# Read a specific file from the back-end DBMS underlying file system.
603# Examples: /etc/passwd or C:\boot.ini
604fileRead =
605
606# Write a local file to a specific path on the back-end DBMS underlying
607# file system.
608# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
609fileWrite =
610
611# Back-end DBMS absolute filepath to write the file to.
612fileDest =
613
614
615# These options can be used to access the back-end database management
616# system underlying operating system.
617[Takeover]
618
619# Execute an operating system command.
620# Valid: operating system command
621osCmd =
622
623# Prompt for an interactive operating system shell.
624# Valid: True or False
625osShell = False
626
627# Prompt for an out-of-band shell, Meterpreter or VNC.
628# Valid: True or False
629osPwn = False
630
631# One click prompt for an out-of-band shell, Meterpreter or VNC.
632# Valid: True or False
633osSmb = False
634
635# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
636# procedure heap-based buffer overflow (MS09-004) exploitation.
637# Valid: True or False
638osBof = False
639
640# Database process' user privilege escalation.
641# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
642# payload to be Meterpreter.
643privEsc = False
644
645# Local path where Metasploit Framework is installed.
646# Valid: file system path
647msfPath =
648
649# Remote absolute path of temporary files directory.
650# Valid: absolute file system path
651tmpPath =
652
653
654# These options can be used to access the back-end database management
655# system Windows registry.
656[Windows]
657
658# Read a Windows registry key value.
659# Valid: True or False
660regRead = False
661
662# Write a Windows registry key value data.
663# Valid: True or False
664regAdd = False
665
666# Delete a Windows registry key value.
667# Valid: True or False
668regDel = False
669
670# Windows registry key.
671regKey =
672
673# Windows registry key value.
674regVal =
675
676# Windows registry key value data.
677regData =
678
679# Windows registry key value type.
680regType =
681
682
683# These options can be used to set some general working parameters.
684[General]
685
686# Load session from a stored (.sqlite) file
687# Example: output/www.target.com/session.sqlite
688sessionFile =
689
690# Log all HTTP traffic into a textual file.
691trafficFile =
692
693# Set predefined answers (e.g. "quit=N,follow=N").
694answers =
695
696# Never ask for user input, use the default behaviour.
697# Valid: True or False
698batch = False
699
700# Result fields having binary values (e.g. "digest").
701binaryFields =
702
703# Check Internet connection before assessing the target.
704checkInternet = False
705
706# Clean up the DBMS from sqlmap specific UDF and tables.
707# Valid: True or False
708cleanup = False
709
710# Crawl the website starting from the target URL.
711# Valid: integer
712# Default: 0
713crawlDepth = 0
714
715# Regexp to exclude pages from crawling (e.g. "logout").
716crawlExclude =
717
718# Delimiting character used in CSV output.
719# Default: ,
720csvDel = ,
721
722# Format of dumped data
723# Valid: CSV, HTML or SQLITE
724dumpFormat = CSV
725
726# Force character encoding used for data retrieval.
727encoding =
728
729# Retrieve each query output length and calculate the estimated time of
730# arrival in real time.
731# Valid: True or False
732eta = False
733
734# Flush session files for current target.
735# Valid: True or False
736flushSession = False
737
738# Parse and test forms on target URL.
739# Valid: True or False
740forms = False
741
742# Ignore query results stored in session file.
743# Valid: True or False
744freshQueries = False
745
746# Use Google dork results from specified page number.
747# Valid: integer
748# Default: 1
749googlePage = 1
750
751# Use hex conversion during data retrieval.
752# Valid: True or False
753hexConvert = False
754
755# Custom output directory path.
756outputDir =
757
758# Parse and display DBMS error messages from responses.
759# Valid: True or False
760parseErrors = False
761
762# Use given script(s) for preprocessing of response data.
763preprocess =
764
765# Redump entries having unknown character marker (?).
766# Valid: True or False
767repair = False
768
769# Regular expression for filtering targets from provided Burp.
770# or WebScarab proxy log.
771# Example: (google|yahoo)
772scope =
773
774# Skip heuristic detection of WAF/IPS protection.
775# Valid: True or False
776skipWaf = False
777
778# Prefix used for temporary tables.
779# Default: sqlmap
780tablePrefix = sqlmap
781
782# Select tests by payloads and/or titles (e.g. ROW)
783testFilter =
784
785# Skip tests by payloads and/or titles (e.g. BENCHMARK)
786testSkip =
787
788# Web server document root directory (e.g. "/var/www").
789webRoot =
790
791
792[Miscellaneous]
793
794# Run host OS command(s) when SQL injection is found.
795alert =
796
797# Beep on question and/or when SQL injection is found.
798# Valid: True or False
799beep = False
800
801# Offline WAF/IPS payload detection testing.
802# Valid: True or False
803checkPayload = False
804
805# Check for missing (optional) sqlmap dependencies.
806# Valid: True or False
807dependencies = False
808
809# Disable console output coloring.
810# Valid: True or False
811disableColoring = False
812
813# Display list of available tamper scripts
814# Valid: True or False
815listTampers = False
816
817# Work in offline mode (only use session data)
818# Valid: True or False
819offline = False
820
821# Location of CSV results file in multiple targets mode.
822resultsFile =
823
824# Local directory for storing temporary files.
825tmpDir =
826
827# Adjust options for unstable connections.
828# Valid: True or False
829unstable = False
830
831# Update sqlmap.
832# Valid: True or False
833updateAll = False
834
835# Simple wizard interface for beginner users.
836# Valid: True or False
837wizard = False
838
839# Verbosity level.
840# Valid: integer between 0 and 6
841# 0: Show only error and critical messages
842# 1: Show also warning and info messages
843# 2: Show also debug messages
844# 3: Show also payloads injected
845# 4: Show also HTTP requests
846# 5: Show also HTTP responses' headers
847# 6: Show also HTTP responses' page content
848# Default: 1
849verbose = 1
850