# Option file for sqlmap. Each key below sets one sqlmap option.
# NOTE: when filled in, direct, cookie, authCred, proxyCred and dbmsCred
# hold credentials or session tokens in clear text. Keep a filled-in copy
# readable only by its owner and out of version control.

# At least one of these options has to be specified to set the source to
# get target URLs from.
[Target]

# Target URL.
# Example: http://192.168.1.121/sqlmap/mysql/get_int.php?id=1&cat=2
url =

# Direct connection to the database.
# Examples:
#   mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME
#   oracle://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_SID
# NOTE: the connection string carries the database password in clear text.
direct =

# Parse targets from Burp or WebScarab logs.
# Valid: Burp proxy (http://portswigger.net/suite/) requests log file path
#        or WebScarab proxy (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
#        'conversations/' folder path
logFile =

# Scan multiple targets listed in a given text file.
bulkFile =

# Load HTTP request from a file.
# Example (file content): POST /login.jsp HTTP/1.1\nHost: example.com\nUser-Agent: Mozilla/4.0\n\nuserid=joe&password=guessme
requestFile =

# Rather than providing a target URL, let Google return target
# hosts as result of your Google dork expression. For a list of Google
# dorks see Johnny Long Google Hacking Database at
# http://johnny.ihackstuff.com/ghdb.php.
# Example: +ext:php +inurl:"&id=" +intext:"powered by "
googleDork =


# These options can be used to specify how to connect to the target URL.
[Request]

# Force usage of given HTTP method (e.g. PUT).
method =

# Data string to be sent through POST (e.g. "id=1").
data =

# Character used for splitting parameter values (e.g. &).
paramDel =

# HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..").
# NOTE: a session cookie stored here is a live credential in clear text.
cookie =

# Character used for splitting cookie values (e.g. ;).
cookieDel =

# File containing cookies in Netscape/wget format.
loadCookies =

# Ignore Set-Cookie header from response.
# Valid: True or False
dropSetCookie = False

# HTTP User-Agent header value. Useful to fake the HTTP User-Agent header value
# at each HTTP request.
# sqlmap will also test for SQL injection on the HTTP User-Agent value.
agent =

# Imitate smartphone through HTTP User-Agent header.
# Valid: True or False
mobile = False

# Use randomly selected HTTP User-Agent header value.
# Valid: True or False
randomAgent = False

# HTTP Host header value.
host =

# HTTP Referer header. Useful to fake the HTTP Referer header value at
# each HTTP request.
referer =

# Extra HTTP headers, one per line.
# The second and later headers sit on continuation lines that start with a
# space; presumably the parser needs that indentation to keep them part of
# this value, so do not move them to column 0.
headers = Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
 Accept-Language: en-us,en;q=0.5
 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

# HTTP Authentication type. Useful only if the target URL requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Valid: Basic, Digest, NTLM or PKI
authType =

# HTTP authentication credentials. Useful only if the target URL requires
# HTTP Basic, Digest or NTLM authentication and you have such data.
# Syntax: username:password
# NOTE: the password is stored in clear text in this file.
authCred =

# HTTP Authentication PEM private/cert key file. Useful only if the target URL requires
# PKI authentication and you have such data.
# Syntax: key_file
# NOTE: the referenced file holds a private key; restrict its permissions
# in the same way as this file.
authFile =

# Ignore (problematic) HTTP error code (e.g. 401).
# Valid: integer
ignoreCode =

# Ignore system default proxy settings.
# Valid: True or False
ignoreProxy = False

# Ignore redirection attempts.
# Valid: True or False
ignoreRedirects = False

# Ignore connection timeouts.
# Valid: True or False
ignoreTimeouts = False

# Use a proxy to connect to the target URL.
# Syntax: (http|https|socks4|socks5)://address:port
proxy =

# Proxy authentication credentials. Useful only if the proxy requires
# Basic or Digest authentication and you have such data.
# Syntax: username:password
# NOTE: the password is stored in clear text in this file.
proxyCred =

# Load proxy list from a file.
proxyFile =

# Use Tor anonymity network.
# Valid: True or False
tor = False

# Set Tor proxy port other than default.
# Valid: integer
# Left commented out, so the default port applies; remove the leading "# "
# to set a port.
# torPort =

# Set Tor proxy type.
# Valid: HTTP, SOCKS4, SOCKS5
torType = SOCKS5

# Check to see if Tor is used properly.
# Valid: True or False
checkTor = False

# Delay in seconds between each HTTP request.
# Valid: float
# Default: 0
delay = 0

# Seconds to wait before the connection times out.
# Valid: float
# Default: 30
timeout = 30

# Maximum number of retries when the HTTP connection times out.
# Valid: integer
# Default: 3
retries = 3

# Randomly change value for the given parameter.
rParam =

# URL address to visit frequently during testing.
# Example: http://192.168.1.121/index.html
safeUrl =

# POST data to send to a safe URL.
# Example: username=admin&password=passw0rd!
# NOTE: login data placed here is stored in clear text in this file.
safePost =

# Load safe HTTP request from a file.
safeReqFile =

# Test requests between two visits to a given safe URL (default 0).
# Valid: integer
# Default: 0
safeFreq = 0

# Skip URL encoding of payload data.
# Valid: True or False
skipUrlEncode = False

# Parameter used to hold anti-CSRF token.
csrfToken =

# URL address to visit to extract anti-CSRF token.
csrfUrl =

# HTTP method to use during anti-CSRF token page visit.
csrfMethod =

# Force usage of SSL/HTTPS.
# Valid: True or False
forceSSL = False

# Use HTTP chunked transfer encoded requests.
# Valid: True or False
chunked = False

# Use HTTP parameter pollution.
# Valid: True or False
hpp = False

# Evaluate provided Python code before the request.
# Example: import hashlib;id2=hashlib.md5(id).hexdigest()
# NOTE: the value is run as Python code on the machine running sqlmap, so a
# configuration file obtained from someone else should be read before use.
evalCode =

# These options can be used to optimize the performance of sqlmap.
[Optimization]

# Use all optimization options.
# Valid: True or False
optimize = False

# Predict common queries output.
# Valid: True or False
predictOutput = False

# Use persistent HTTP(s) connections.
# Valid: True or False
keepAlive = False

# Retrieve page length without actual HTTP response body.
# Valid: True or False
nullConnection = False

# Maximum number of concurrent HTTP(s) requests (handled with Python threads)
# to be used in the inference SQL injection attack.
# Valid: integer
# Default: 1
threads = 1


# These options can be used to specify which parameters to test for,
# provide custom injection payloads and optional tampering scripts.
[Injection]

# Testable parameter(s) comma separated. By default all GET/POST/Cookie
# parameters and HTTP User-Agent are tested by sqlmap.
testParameter =

# Skip testing for given parameter(s).
skip =

# Skip testing parameters that do not appear to be dynamic.
# Valid: True or False
skipStatic = False

# Regexp to exclude parameters from testing (e.g. "ses").
paramExclude =

# Select testable parameter(s) by place (e.g. "POST").
paramFilter =

# Force back-end DBMS to provided value. If this option is set, the back-end
# DBMS identification process will be minimized as needed.
# If not set, sqlmap will detect back-end DBMS automatically by default.
# Valid: mssql, mysql, mysql 4, mysql 5, oracle, pgsql, sqlite, sqlite3,
#        access, firebird, maxdb, sybase
dbms =

# DBMS authentication credentials (user:password). Useful if you want to
# run SQL statements as another user, the back-end database management
# system is PostgreSQL or Microsoft SQL Server and the parameter is
# vulnerable by stacked queries SQL injection or you are connecting directly
# to the DBMS (-d switch).
# Syntax: username:password
# NOTE: the password is stored in clear text in this file.
dbmsCred =

# Force back-end DBMS operating system to provided value. If this option is
# set, the back-end DBMS identification process will be minimized as
# needed.
# If not set, sqlmap will detect back-end DBMS operating system
# automatically by default.
# Valid: linux, windows
os =

# Use big numbers for invalidating values.
# Valid: True or False
invalidBignum = False

# Use logical operations for invalidating values.
# Valid: True or False
invalidLogical = False

# Use random strings for invalidating values.
# Valid: True or False
invalidString = False

# Turn off payload casting mechanism.
# Valid: True or False
noCast = False

# Turn off string escaping mechanism.
# Valid: True or False
noEscape = False

# Injection payload prefix string.
prefix =

# Injection payload suffix string.
suffix =

# Use given script(s) for tampering injection data.
# NOTE(review): the scripts are presumably loaded and run locally by sqlmap;
# use only scripts whose source has been read.
tamper =


# These options can be used to specify how to parse and compare page
# content from HTTP responses when using blind SQL injection technique.
[Detection]

# Level of tests to perform.
# The higher the value is, the higher the number of HTTP(s) requests are
# as well as the better chances to detect a tricky SQL injection.
# Valid: Integer between 1 and 5
# Default: 1
level = 1

# Risk of tests to perform.
# Note: boolean-based blind SQL injection tests with AND are considered
# risk 1, with OR are considered risk 3.
# NOTE: per the sqlmap user's manual, an OR-based payload landing in a
# data-modifying statement can affect every row of the table; keep the
# default unless the agreed test scope covers that.
# Valid: Integer between 1 and 3
# Default: 1
risk = 1

# String to match within the raw response when the query is evaluated to
# True, only needed if the page content dynamically changes at each refresh.
# Refer to the user's manual for further details.
string =

# String to match within the raw response when the query is evaluated to
# False, only needed if the page content dynamically changes at each refresh.
# Refer to the user's manual for further details.
notString =

# Regular expression to match within the raw response when the query is
# evaluated to True, only needed if the page content dynamically changes
# at each refresh.
# Refer to the user's manual for further details.
# Valid: regular expression with Python syntax
#        (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
regexp =

# HTTP response code to match when the query is True.
# Valid: Integer
# Example: 200 (assuming any False statement returns a different response
#          code)
# Left commented out; remove the leading "# " to set a code.
# code =

# Conduct thorough tests only if positive heuristic(s).
# Valid: True or False
smart = False

# Compare pages based only on the textual content.
# Valid: True or False
textOnly = False

# Compare pages based only on their titles.
# Valid: True or False
titles = False


# These options can be used to tweak testing of specific SQL injection
# techniques.
[Techniques]

# SQL injection techniques to use.
# Valid: a string composed by B, E, U, S, T and Q where:
#        B: Boolean-based blind SQL injection
#        E: Error-based SQL injection
#        U: UNION query SQL injection
#        S: Stacked queries SQL injection
#        T: Time-based blind SQL injection
#        Q: Inline SQL injection
# Example: ES (means test for error-based and stacked queries SQL
#          injection types only)
# Default: BEUSTQ (means test for all SQL injection types - recommended)
technique = BEUSTQ

# Seconds to delay the response from the DBMS.
# Valid: integer
# Default: 5
timeSec = 5

# Range of columns to test for.
# Valid: range of integers
# Example: 1-10
uCols =

# Character to use for bruteforcing number of columns.
# Valid: string
# Example: NULL
uChar =

# Table to use in FROM part of UNION query SQL injection.
# Valid: string
# Example: INFORMATION_SCHEMA.COLLATIONS
uFrom =

# Domain name used for DNS exfiltration attack.
# Valid: string
dnsDomain =

# Resulting page URL searched for second-order response.
# Valid: string
secondUrl =

# Load second-order HTTP request from file.
# Valid: string
secondReq =


# This option controls how thoroughly the back-end database management
# system is fingerprinted.
[Fingerprint]

# Perform an extensive back-end database management system fingerprint
# based on various techniques.
# Valid: True or False
extensiveFp = False


# These options can be used to enumerate the back-end database
# management system information, structure and data contained in the
# tables. Moreover you can run your own SQL statements.
[Enumeration]

# Retrieve everything.
# Valid: True or False
getAll = False

# Retrieve back-end database management system banner.
# Valid: True or False
getBanner = False

# Retrieve back-end database management system current user.
# Valid: True or False
getCurrentUser = False

# Retrieve back-end database management system current database.
# Valid: True or False
getCurrentDb = False

# Retrieve back-end database management system server hostname.
# Valid: True or False
getHostname = False

# Detect if the DBMS current user is DBA.
# Valid: True or False
isDba = False

# Enumerate back-end database management system users.
# Valid: True or False
getUsers = False

# Enumerate back-end database management system users password hashes.
# Valid: True or False
getPasswordHashes = False

# Enumerate back-end database management system users privileges.
# Valid: True or False
getPrivileges = False

# Enumerate back-end database management system users roles.
# Valid: True or False
getRoles = False

# Enumerate back-end database management system databases.
# Valid: True or False
getDbs = False

# Enumerate back-end database management system database tables.
# Optional: db
# Valid: True or False
getTables = False

# Enumerate back-end database management system database table columns.
# Optional: db, tbl, col
# Valid: True or False
getColumns = False

# Enumerate back-end database management system schema.
# Valid: True or False
getSchema = False

# Retrieve number of entries for table(s).
# Valid: True or False
getCount = False

# Dump back-end database management system database table entries.
# Requires: tbl and/or col
# Optional: db
# Valid: True or False
dumpTable = False

# Dump all back-end database management system databases tables entries.
# Valid: True or False
dumpAll = False

# Search column(s), table(s) and/or database name(s).
# Requires: db, tbl or col
# Valid: True or False
search = False

# Check for database management system database comments during enumeration.
# Valid: True or False
getComments = False

# Retrieve SQL statements being run on database management system.
# Valid: True or False
getStatements = False

# The db, tbl and col keys below are the ones named in the "Requires" and
# "Optional" notes of the enumeration switches above.

# Back-end database management system database to enumerate.
db =

# Back-end database management system database table(s) to enumerate.
tbl =

# Back-end database management system database table column(s) to enumerate.
col =

# Back-end database management system identifiers (database(s), table(s)
# and column(s)) to not enumerate.
exclude =

# Pivot column name.
pivotColumn =

# Use WHERE condition while table dumping (e.g. "id=1").
dumpWhere =

# Back-end database management system database user to enumerate.
user =

# Exclude DBMS system databases when enumerating tables.
# Valid: True or False
excludeSysDbs = False

# First query output entry to retrieve.
# Valid: integer
# Default: 0 (sqlmap will start to retrieve the table dump entries from
#          first one)
limitStart = 0

# Last query output entry to retrieve.
# Valid: integer
# Default: 0 (sqlmap will detect the number of table dump entries and
#          retrieve them until the last)
limitStop = 0

# First query output word character to retrieve.
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output from the first
#          character)
firstChar = 0

# Last query output word character to retrieve.
# Valid: integer
# Default: 0 (sqlmap will enumerate the query output until the last
#          character)
lastChar = 0

# SQL statement to be executed.
# Example: SELECT 'foo', 'bar'
sqlQuery =

# Prompt for an interactive SQL shell.
# Valid: True or False
sqlShell = False

# Execute SQL statements from given file(s).
sqlFile =


# These options can be used to run brute force checks.
[Brute force]

# Check existence of common tables.
# Valid: True or False
commonTables = False

# Check existence of common columns.
# Valid: True or False
commonColumns = False

# Check existence of common files.
# Valid: True or False
commonFiles = False


# These options can be used to create custom user-defined functions.
[User-defined function]

# Inject custom user-defined functions.
# Valid: True or False
udfInject = False

# Local path of the shared library.
shLib =


# These options can be used to access the back-end database management
# system underlying file system.
[File system]

# Read a specific file from the back-end DBMS underlying file system.
# Examples: /etc/passwd or C:\boot.ini
fileRead =

# Write a local file to a specific path on the back-end DBMS underlying
# file system.
# Example: /tmp/sqlmap.txt or C:\WINNT\Temp\sqlmap.txt
fileWrite =

# Back-end DBMS absolute filepath to write the file to.
fileDest =


# These options can be used to access the back-end database management
# system underlying operating system.
[Takeover]

# Execute an operating system command.
# Valid: operating system command
osCmd =

# Prompt for an interactive operating system shell.
# Valid: True or False
osShell = False

# Prompt for an out-of-band shell, Meterpreter or VNC.
# Valid: True or False
osPwn = False

# One click prompt for an out-of-band shell, Meterpreter or VNC.
# Valid: True or False
osSmb = False

# Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored
# procedure heap-based buffer overflow (MS09-004) exploitation.
# Valid: True or False
osBof = False

# Database process' user privilege escalation.
# Note: Use in conjunction with osPwn, osSmb or osBof. It will force the
#       payload to be Meterpreter.
# Valid: True or False
privEsc = False

# Local path where Metasploit Framework is installed.
# Valid: file system path
msfPath =

# Remote absolute path of temporary files directory.
# Valid: absolute file system path
tmpPath =


# These options can be used to access the back-end database management
# system Windows registry.
[Windows]

# Read a Windows registry key value.
# Valid: True or False
regRead = False

# Write a Windows registry key value data.
# Valid: True or False
regAdd = False

# Delete a Windows registry key value.
# Valid: True or False
regDel = False

# Windows registry key.
regKey =

# Windows registry key value.
regVal =

# Windows registry key value data.
regData =

# Windows registry key value type.
regType =


# These options can be used to set some general working parameters.
[General]

# Load session from a stored (.sqlite) file.
# Example: output/www.target.com/session.sqlite
sessionFile =

# Log all HTTP traffic into a textual file.
# NOTE: the log records full requests, so any cookie or authentication
# header configured in [Request] ends up in it; protect it like this file.
trafficFile =

# Set predefined answers (e.g. "quit=N,follow=N").
answers =

# Never ask for user input, use the default behaviour.
# Valid: True or False
batch = False

# Result fields having binary values (e.g. "digest").
binaryFields =

# Check Internet connection before assessing the target.
# Valid: True or False
checkInternet = False

# Clean up the DBMS from sqlmap specific UDF and tables.
# Valid: True or False
cleanup = False

# Crawl the website starting from the target URL.
# Valid: integer
# Default: 0
crawlDepth = 0

# Regexp to exclude pages from crawling (e.g. "logout").
crawlExclude =

# Delimiting character used in CSV output.
# Default: ,
csvDel = ,

# Format of dumped data.
# Valid: CSV, HTML or SQLITE
dumpFormat = CSV

# Force character encoding used for data retrieval.
encoding =

# Retrieve each query output length and calculate the estimated time of
# arrival in real time.
# Valid: True or False
eta = False

# Flush session files for current target.
# Valid: True or False
flushSession = False

# Parse and test forms on target URL.
# Valid: True or False
forms = False

# Ignore query results stored in session file.
# Valid: True or False
freshQueries = False

# Use Google dork results from specified page number.
# Valid: integer
# Default: 1
googlePage = 1

# Use hex conversion during data retrieval.
# Valid: True or False
hexConvert = False

# Custom output directory path.
# NOTE(review): presumably session files and dumped table data are written
# under this directory; treat it as holding the retrieved data.
outputDir =

# Parse and display DBMS error messages from responses.
# Valid: True or False
parseErrors = False

# Use given script(s) for preprocessing of response data.
preprocess =

# Redump entries having unknown character marker (?).
# Valid: True or False
repair = False

# Regular expression for filtering targets from provided Burp
# or WebScarab proxy log.
# Example: (google|yahoo)
scope =

# Skip heuristic detection of WAF/IPS protection.
# Valid: True or False
skipWaf = False

# Prefix used for temporary tables.
# Default: sqlmap
tablePrefix = sqlmap

# Select tests by payloads and/or titles (e.g. ROW).
testFilter =

# Skip tests by payloads and/or titles (e.g. BENCHMARK).
testSkip =

# Web server document root directory (e.g. "/var/www").
webRoot =


# Options that do not belong to any of the sections above.
[Miscellaneous]

# Run host OS command(s) when SQL injection is found.
# NOTE: the value is executed as a command on the machine running sqlmap,
# so a configuration file obtained from someone else should be read before
# use.
alert =

# Beep on question and/or when SQL injection is found.
# Valid: True or False
beep = False

# Offline WAF/IPS payload detection testing.
# Valid: True or False
checkPayload = False

# Check for missing (optional) sqlmap dependencies.
# Valid: True or False
dependencies = False

# Disable console output coloring.
# Valid: True or False
disableColoring = False

# Display list of available tamper scripts.
# Valid: True or False
listTampers = False

# Work in offline mode (only use session data).
# Valid: True or False
offline = False

# Location of CSV results file in multiple targets mode.
resultsFile =

# Local directory for storing temporary files.
tmpDir =

# Adjust options for unstable connections.
# Valid: True or False
unstable = False

# Update sqlmap.
# Valid: True or False
updateAll = False

# Simple wizard interface for beginner users.
# Valid: True or False
wizard = False

# Verbosity level.
# Valid: integer between 0 and 6
#        0: Show only error and critical messages
#        1: Show also warning and info messages
#        2: Show also debug messages
#        3: Show also payloads injected
#        4: Show also HTTP requests
#        5: Show also HTTP responses' headers
#        6: Show also HTTP responses' page content
# NOTE: from level 4 up the output includes full HTTP requests, and with
# them any cookie or authentication header in use; handle saved console
# output accordingly.
# Default: 1
verbose = 1