LinuxCommandLibrary

sqlmap

automatic SQL injection tool

TLDR

Run sqlmap against a single target URL

$ python sqlmap.py -u "[http://www.target.com/vuln.php?id=1]"
copy


Send data in a POST request (--data implies POST request)
$ python sqlmap.py -u "[http://www.target.com/vuln.php]" --data="[id=1]"
copy


Change the parameter delimiter (& is the default)
$ python sqlmap.py -u "[http://www.target.com/vuln.php]" --data="[query=foobar;id=1]" --param-del="[;]"
copy


Select a random User-Agent from ./txt/user-agents.txt and use it
$ python sqlmap.py -u "[http://www.target.com/vuln.php]" --random-agent
copy


Provide user credentials for HTTP protocol authentication
$ python sqlmap.py -u "[http://www.target.com/vuln.php]" --auth-type [Basic] --auth-cred "[testuser:testpass]"
copy

SYNOPSIS

python3 sqlmap [options]

DESCRIPTION

___

__H__

___ ___[)]_____ ___ ___

{1.4.8#stable}

|_ -| . ["] | .'| . | |___|_ [(]_|_|_|__,| _|

|_|V...

|_| http://sqlmap.org

OPTIONS

-h, --help

Show basic help message and exit

-hh

Show advanced help message and exit

--version

Show program's version number and exit

-v VERBOSE

Verbosity level: 0-6 (default 1)

Target:

At least one of these options has to be provided to define the target(s)

-u URL, --url=URL

Target URL (e.g. "http://www.site.com/vuln.php?id=1")

-g GOOGLEDORK

Process Google dork results as target URLs

Request:

These options can be used to specify how to connect to the target URL

--data=DATA

Data string to be sent through POST (e.g. "id=1")

--cookie=COOKIE

HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")

--random-agent

Use randomly selected HTTP User-Agent header value

--proxy=PROXY

Use a proxy to connect to the target URL

--tor

Use Tor anonymity network

--check-tor

Check to see if Tor is used properly

Injection:

These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts

-p TESTPARAMETER

Testable parameter(s)

--dbms=DBMS

Force back-end DBMS to provided value

Detection:

These options can be used to customize the detection phase

--level=LEVEL

Level of tests to perform (1-5, default 1)

--risk=RISK

Risk of tests to perform (1-3, default 1)

Techniques:

These options can be used to tweak testing of specific SQL injection techniques

--technique=TECH..

SQL injection techniques to use (default "BEUSTQ")

Enumeration:

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables

-a, --all

Retrieve everything

-b, --banner

Retrieve DBMS banner

--current-user

Retrieve DBMS current user

--current-db

Retrieve DBMS current database

--passwords

Enumerate DBMS users password hashes

--tables

Enumerate DBMS database tables

--columns

Enumerate DBMS database table columns

--schema

Enumerate DBMS schema

--dump

Dump DBMS database table entries

--dump-all

Dump all DBMS databases tables entries

-D DB

DBMS database to enumerate

-T TBL

DBMS database table(s) to enumerate

-C COL

DBMS database table column(s) to enumerate

Operating system access:

These options can be used to access the back-end database management system underlying operating system

--os-shell

Prompt for an interactive operating system shell

--os-pwn

Prompt for an OOB shell, Meterpreter or VNC

General:

These options can be used to set some general working parameters

--batch

Never ask for user input, use the default behavior

--flush-session

Flush session files for current target

Miscellaneous:

These options do not fit into any other category

--sqlmap-shell

Prompt for an interactive sqlmap shell

--wizard

Simple wizard interface for beginner users

Copied to clipboard