diff --git a/doc/README.html b/doc/README.html index 0c2b0824d..9cdee4ea2 100644 --- a/doc/README.html +++ b/doc/README.html @@ -9,7 +9,7 @@
If you are willing to connect directly to a database server (-d switch), without passing
-via a web application, you need to install Python bindings for the database
-management system that you are going to attack:
If you are willing to connect directly to a database server (-d switch),
+without passing via a web application, you need to install Python bindings
+for the database management system that you are going to attack:
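Review bot: the rewrap is fine, but "If you are willing to connect directly to a database server (-d switch)" should become "If you want to connect directly to a database server (-d switch)"; the sentence is about intent, not willingness, and touching the paragraph anyway is the moment to fix it. The context line "If you are willing to connect directly to a database server (-d switch), without passing" also appears twice in the hunk (once unprefixed, once as the new first line), so check that the old single line is actually marked as removed before this is merged.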
Switches: --proxy, --proxy-cred and --ignore-proxy
Switches: --proxy, --proxy-cred,
+--ignore-proxy and --tor
It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S)
requests to the target URL. The syntax of HTTP(S) proxy value is
@@ -1334,7 +1338,8 @@ single predefined HTTP(S) proxy server, you can configure a
Privoxy (or similar) on
your machine as explained on the Tor client guide and use the Privoxy
daemon, by default listening on 127.0.0.1:8118, as the sqlmap
-proxy.
--tor
+switch instead of --proxy.
The switch --ignore-proxy should be used when you want
to run sqlmap against a target part of a local area network by ignoring
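Review bot: "+switch instead of --proxy." introduces --tor without saying what it assumes, so a reader cannot tell whether the Privoxy address 127.0.0.1:8118 mentioned just above is the built-in default of --tor or still has to be configured by hand. State the address and port --tor uses, whether it can be overridden, and whether it can be combined with --proxy-cred. The heading already lists --tor, so the body should carry at least one full sentence on it.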
@@ -1427,8 +1432,7 @@ it.
--keep-alive--null-connection--threads 4--group-concat--threads 3 if not set to a higher value.Switch: --keep-alive
TODO
+This switch instructs sqlmap to use persistent HTTP(s) connections.
+Note that this switch is incompatible with --proxy switch.
Switch: --null-connection
TODO
+TODO
+Note that this switch is incompatible with --text-only
+switch.
Switch: --group-concat
TODO
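Review bot: "+Note that this switch is incompatible with --proxy switch." (under --keep-alive) does not say what happens when both are given: abort, warning, or one switch silently ignored. State the outcome, and do the same for the --null-connection/--text-only note. Since the alias list just above (--keep-alive, --null-connection, --threads 3, ...) includes --keep-alive, the alias inherits the --proxy conflict and that should be mentioned where the alias is described. The --null-connection entry also keeps its TODO body while gaining a compatibility note; describe what the switch does before saying what it conflicts with. Minor: "HTTP(s)" should be "HTTP(S)" as elsewhere in the file.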
- -These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts.
-Switch: -p
JOIN queries for instance.
Switch: --tamper
TODO
+sqlmap itself does no obfuscation of the payload sent, except for strings
+between single quotes replaced by their CHAR()-alike
+representation.
This switch can be very useful and powerful in situations where there is +a weak input validation mechanism between you and the back-end database +management system. This mechanism usually is a self-developed input +validation routine called by the application source code, an expensive +enterprise-grade IPS appliance or a web application firewall (WAF). All +buzzwords to define the same concept, implemented in a different way and +costing lots of money, usually.
+ +To take advantage of this switch, provide sqlmap with a comma-separated
+list of tamper scripts and this will process the payload and return it
+transformed. You can define your own tamper scripts, use sqlmap ones from
+the tamper/ folder or edit them as long as you concatenate them
+comma-separated as the argument of --tamper switch.
The format of a valid tamper script is as follows:
++
+
+# Needed imports
+from lib.core.enums import PRIORITY
+
+# Define which is the order of application of tamper scripts against the payload
+__priority__ = PRIORITY.HIGHEST
+
+def tamper(payload):
+ '''
+ Description of your tamper script
+ '''
+
+ retVal = payload
+
+ # your code to tamper the original payload (retVal)
+
+ return retVal
+
+
+
+
+You can check valid and usable tamper scripts in the tamper/
+directory.
Example against a MySQL target assuming > character, spaces and
+SELECT string are banned:
+
+
+$ python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --tamper \
+tamper/between.py,tamper/randomcase.py,tamper/space2comment.py -v 3
+
+[hh:mm:03] [DEBUG] cleaning up configuration parameters
+[hh:mm:03] [INFO] loading tamper script 'between'
+[hh:mm:03] [INFO] loading tamper script 'randomcase'
+[hh:mm:03] [INFO] loading tamper script 'space2comment'
+[...]
+[hh:mm:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
+[hh:mm:04] [PAYLOAD] 1)/**/And/**/1369=7706/**/And/**/(4092=4092
+[hh:mm:04] [PAYLOAD] 1)/**/AND/**/9267=9267/**/AND/**/(4057=4057
+[hh:mm:04] [PAYLOAD] 1/**/AnD/**/950=7041
+[...]
+[hh:mm:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
+[hh:mm:04] [PAYLOAD] 1/**/anD/**/(SELeCt/**/9921/**/fROm(SELeCt/**/counT(*),CONCAT(cHar(
+58,117,113,107,58),(SELeCt/**/(case/**/whEN/**/(9921=9921)/**/THeN/**/1/**/elsE/**/0/**/
+ENd)),cHar(58,106,104,104,58),FLOOR(RanD(0)*2))x/**/fROm/**/information_schema.tables/**/
+group/**/bY/**/x)a)
+[hh:mm:04] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING
+clause' injectable
+[...]
+
+
+
+
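Review bot: the example command passes paths ("--tamper tamper/between.py,tamper/randomcase.py,tamper/space2comment.py") while the log prints "loading tamper script 'between'" and the prose says "a comma-separated list of tamper scripts"; state whether bare script names, paths, or both are accepted. The example's premise "SELECT string are banned" only holds if the filter is case-sensitive, since randomcase emits "SELeCt"; say so, otherwise the example is misleading. The template hardcodes "__priority__ = PRIORITY.HIGHEST", so every script copied from it will claim highest priority and the ordering the comment describes is lost; list the available priority values and pick a neutral default. Finally, "costing lots of money, usually" and the buzzword remark are editorial and should be dropped from reference documentation.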
These options can be used to specify how to parse and compare page content -from HTTP responses when using blind SQL injection technique.
- +These options can be used to specify how to parse and compare page +content from HTTP responses when using blind SQL injection technique.
Switch: --level
TODO
+This switch requires an argument which specifies the level of tests to
+perform. There are five levels. The default value is 1
+where limited number of tests (requests) are performed. Vice versa, level
+5 will test verbosely for a much larger number of payloads and
+boundaries (as in pair of SQL payload prefix and suffix).
+The payloads used by sqlmap are specified in the textual file
+xml/payloads.xml. Following the instructions on top of the file,
+if sqlmap misses an injection, you should be able to add your own
+payload(s) to test for too!
Not only this switch affects which payload sqlmap tries, but also which +injection points are taken in exam: GET and POST parameters are +always tested, HTTP Cookie header values are tested from level +2 and HTTP User-Agent/Referer headers' value is tested from level +3.
+ +All in all, the harder it is to detect a SQL injection, the higher the
+--level must be set.
It is strongly recommended to higher this value before reporting to the +mailing list that sqlmap is not able to detect a certain injection point.
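Review bot: "There are five levels" but the text only explains level 1 (limited tests), level 2 (Cookie header), level 3 (User-Agent/Referer) and level 5 (everything); level 4 is never described, so add what it enables. "higher this value" should read "raise this value", and "taken in exam" should be "examined". The pointer to xml/payloads.xml is good; it would help to say that --level also applies to payloads a user adds there.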
Switch: --risk
TODO
+This switch requires an argument which specifies the risk of tests to
+perform. There are four risk values. The default value is
+1 which is innocuous for the majority of SQL injection points.
+Risk value 2 adds to the default level the tests for heavy query
+time-based SQL injections and value 3 adds also OR-based SQL
+injection tests.
In some instances, like a SQL injection in an UPDATE statement,
+injecting an OR-based payload can lead to an update of all the
+entries of the table, which is certainly not what the attacker wants. For
+this reason and others this switch has been introduced: the user has
+control over which payloads get tested, the user can arbitrarily choose
+to use also potentially dangerous ones.
+As per the previous switch, the payloads used by sqlmap are specified in
+the textual file xml/payloads.xml and you are free to edit and
+add your owns.
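Review bot: "There are four risk values" but only 1, 2 and 3 are described; either a fourth value needs a line or the count is wrong. The UPDATE example is the right caveat for OR-based tests; add the equivalent caveat for risk 2, namely that heavy time-based queries load the target DBMS, since that is why they are off by default. "add your owns" should be "add your own".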
Switches: --string and --regexp
Switches: --string, --regexp and
+--text-only
By default the distinction of a True query by a False one (basic concept -for Inferential blind SQL injection attacks) is done comparing injected -requests page content MD5 hash with the original not injected page content -MD5 hash. +
By default the distinction of a True query by a False
+one (rough concept behind boolean-based blind SQL injection vulnerabilities)
+is done by comparing the injected requests page content with the original
+not injected page content.
Not always this concept works because sometimes the page content changes at
each refresh even not injecting anything, for instance when the page has a
-counter, a dynamic advertisment banner or any other part of the HTML which
-is render dynamically and might change in time not only consequently to
+counter, a dynamic advertisement banner or any other part of the HTML which
+is rendered dynamically and might change in time not only consequently to
user's input.
-To bypass this limit, sqlmap makes it possible to manually provide a
-string which is always present on the not injected page
-and on all True injected query pages, but that it is not
-on the False ones. This can also be achieved by providing a regular
-expression.
-Such information is easy for an user to retrieve, simply try to inject on
-the affected URL parameter an invalid value and compare original (not
-injected) page content with the injected wrong page content to identify
-which string or regular expression match is on not injected and True page
-only.
+To bypass this limit, sqlmap tries hard to identify these snippets of the
+response bodies and deal accordingly. Sometimes it may fail, that is why
+the user can provide a string (--string switch) which is
+always present on the not injected page and on all True
+injected query pages, but that it is not on the False ones. As
+an alternative to a static string, the user can provide a regular
+expression (--regexp switch).
Such data is easy for an user to retrieve, simply try to inject on the +affected parameter an invalid value and compare manually the original (not +injected) page content with the injected wrong page content. This way the distinction will be based upon string presence or regular -expression match and not page MD5 hash comparison.
+expression match. -As you can see, the string after Dynamic content changes its
-value every second. In the example it is just a call to PHP
-time() function, but on the real world it is usually much more
-than that.
Looking at the HTTP responses page content you can see that the first five
-lines of code do not change at all.
-So choosing for instance the word luther as an output that is
-on the not injected page content and it is not on the False page content
-(because the query condition returns no output so luther is not
-displayed on the page content) and passing it to sqlmap, you are able to
-inject anyway.
You can also specify a regular expression to match rather than a string if -you prefer.
- -As you can see, when one of these options is specified, sqlmap skips the -URL stability test.
- -Consider one of these options a MUST when dealing with a page -with content that changes itself at each refresh without modifying the -user's input.
+TODO: --text-only
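Review bot: --text-only is added to the heading but its body is only "+TODO: --text-only"; a heading should not ship with a bare TODO. The removed lines "As you can see, when one of these options is specified, sqlmap skips the URL stability test." stated a behaviour; if --string/--regexp still skip that test, keep the sentence. Likewise the removed "Consider one of these options a MUST when dealing with a page with content that changes itself at each refresh" is still sound advice now that the new text admits automatic detection "may fail", so keep it in some form. "an user" should be "a user".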
These options can be used to tweak how specific SQL injection techniques -are tested.
+These options can be used to tweak testing of specific SQL injection +techniques.
+--time-sec option followed by an integer.
By default delay is set to 5 seconds.
-Switch: --union-cols
TODO
-Switch: --union-char
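Review bot: the hunk removes the "Switch: --union-cols" and "Switch: --union-char" headings but leaves their TODO bodies; if the switches still exist, restore the headings (ideally with a description), and if the switches were dropped from sqlmap, remove the TODO lines with them. In the --time-sec sentence, put the unit in the description itself ("an integer number of seconds") rather than only in "By default delay is set to 5 seconds".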
Switches: -f or --fingerprint
By default the web application's back-end database management system -fingerprint is performed requesting a database specific function which -returns a known static value. By comparing these value with the returned -value it is possible to identify if the back-end database is effectively -the one that sqlmap expected. Depending on the DBMS being tested, a -SQL dialect syntax which is syntatically correct depending upon the -back-end DBMS is also tested.
-After identifying an injectable vector, sqlmap fingerprints the back-end -database management system and go ahead with the injection with its -specific syntax within the limits of the database architecture.
+fingerprint is handled automatically by sqlmap. +Just after the detection phase finishes and the user is eventually +prompted with a choice of which vulnerable parameter to use further on, +sqlmap fingerprints the back-end database management system and carries +on the injection by knowing which SQL syntax, dialect and queries to use +to proceed with the attack within the limits of the database architecture. -As you can see, sqlmap automatically fingerprints the web server operating -system and the web application technology by parsing some HTTP response headers.
+If for any instance you want to perform an extensive database management
+system fingerprint based on various techniques like specific SQL dialects
+and inband error messages, you can provide the
+--fingerprint switch. sqlmap will perform a lot more
+requests and fingerprint the exact DBMS version and, where possible,
+operating system, architecture and patch level.
If you want to perform an extensive database management system fingerprint
-based on various techniques like specific SQL dialects and inband error
-messages, you can provide the --fingerprint option.
As you can see from the last example, sqlmap first tested for MySQL,
-then for Oracle, then for PostgreSQL since the user did not forced the
-back-end database management system name with option --dbms.
If you want an even more accurate result, based also on banner parsing,
-you can also provide the -b or --banner option.
As you can see, sqlmap was also able to fingerprint the back-end DBMS -operating system by parsing the DBMS banner value.
- -As you can see, from the Microsoft SQL Server banner, sqlmap was able to -correctly identify the database management system patch level. -The Microsoft SQL Server XML versions file is the result of a sqlmap -parsing library that fetches data from Chip Andrews' -SQLSecurity.com site and outputs it to the XML versions file.
+If you want the fingerprint to be even more accurate result, you can also
+provide the -b or --banner switch.
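Review bot: the rewrite loses how the default fingerprint works: the removed lines explained that sqlmap requests a DBMS-specific function that returns a known static value and compares it, whereas "+fingerprint is handled automatically by sqlmap." says nothing about the mechanism; keep one sentence on it. The new -f text also claims the switch yields "operating system, architecture and patch level", while the removed text attributed patch level to banner parsing (-b) and the Microsoft SQL Server XML versions file; say which switch produces which piece of information so the -f and -b paragraphs do not contradict each other. Grammar: "If you want the fingerprint to be even more accurate result" should read "If you want an even more accurate fingerprint".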
Switches: --search, -C, -T, -D
TODO
+This switch allows you to search for specific database names, specific +tables across all databases or specific columns across all databases' +tables.
+ +This is useful, for instance, to identify tables containing custom +application credentials where relevant columns' names contain string like +name and pass.
+ +The switch --search needs to be used in conjunction with
+one of the following support switches:
+
-C following a list of comma-separated column names to look
+for across the whole database management system.-T following a list of comma-separated table names to look
+for across the whole database management system.-D following a list of comma-separated database names to
+look for across the database management system.Switch: -t
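Review bot: the --search text should say whether -C, -T and -D match names exactly or as substrings: the paragraph says "search for specific database names", but the stated use case ("columns' names contain string like name and pass") only works with substring matching. The -D bullet says "across the database management system" while -C and -T say "across the whole database management system"; make the three bullets parallel.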
TODO
+This switch requires an argument that specified the textual file to write +all HTTP(s) traffic generated by sqlmap - HTTP(s) requests and HTTP(s) +responses.
+ +This is useful primarily for debug purposes.
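Review bot: "+This switch requires an argument that specified the textual file" should read "specifies", and "HTTP(s)" should be "HTTP(S)". More importantly, the traffic file records everything sqlmap sent and received, including session cookies, any credentials passed on the command line and any data dumped from the target; add a sentence telling the user to protect or delete that file once debugging is done.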
Switch: --fresh-queries
As you are already familiar with the concept of a session file from the
+description above, it is good to know that you can ignore the content of
+that file using option --fresh-queries.
+This way you can keep the session file untouched and for a selected run,
+avoid the resuming/restoring of queries output.
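Review bot: "using option --fresh-queries" while the heading calls it "Switch:"; use one term. It would also help to say whether the session file is still written to during a --fresh-queries run ("keep the session file untouched" suggests it is read-only for that run, but that is not quite the same as not updated).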
Switch: --eta
Switch: --beep
TODO
+When this switch is provided, sqlmap will beep at every new SQL injection +that it finds. It can be useful when you are processing in batch mode a +Google dork output or a proxy log file so that you do not need to monitor +the terminal constantly.
-Switch: --check-payload
TODO
+Curious to see if a +decent intrusion detection system (IDS) picks up sqlmap payloads? +Use this switch!
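Review bot: "Curious to see if a decent intrusion detection system (IDS) picks up sqlmap payloads? Use this switch!" documents nothing: say what the check does (which IDS or ruleset the payloads are tested against, whether it happens offline or by sending requests) and what sqlmap reports, in place of the rhetorical question. The hunk also shows "-Switch: --check-payload" removed while a description is added; the heading should stay.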
--cleanup will attempt to clean up the DBMS and
the file system wherever possible.
-Switch: --forms
TODO
+Say that you want to test against SQL injections a huge search form
+or you want to test a login bypass (typically only two input fields named
+like username and password), you can either pass to sqlmap
+the request in a request file (-r), set the POSTed data
+accordingly (--data) or let sqlmap do it for you!
Both of the above mentioned instances, and many others, appear as
+<form> and <input> tags in HTML response
+bodies and this is where this switch comes into play.
Provide sqlmap with --forms as well as the page where
+the form can be found as the target url (-u) and sqlmap will
+request the target url for you, parse the forms it has and guide you
+through to test for SQL injection on those form input fields (parameters)
+rather than the target url provided.
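Review bot: "test against SQL injections a huge search form" should read "test a huge search form for SQL injection". The description says sqlmap will "parse the forms it has and guide you through" but not what the guidance is (a prompt per form?) nor what happens to the form's action URL and method; since the last line says the form fields are tested "rather than the target url provided", state explicitly that the form's action URL and method replace the -u/--data values.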
--gpage, some page other than the first o
to retrieve target URLs from.
-Switch: --page-rank
Performs further requests to Google when -g is provided and
+display page rank (PR) for Google dork results.
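Review bot: the heading "Switch: --page-rank" is a removed line while its description is kept; restore the heading. "display page rank (PR)" should be "displays the page rank (PR)", and the sentence should say the extra requests go to Google for each dork result, since that affects rate limiting.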
Switch: --parse-errors
TODO
+If the web application is configured in debug mode so that it displays +in the HTTP responses the back-end database management system error +messages, sqlmap can parse and display them for you.
+This is useful for debugging purposes like understanding why a certain
+enumeration or takeover switch does not work - it might be a matter of
+session user's privileges and in this case you would see a DBMS error
+message along the lines of Access denied for user <SESSION
+USER>.
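Review bot: "configured in debug mode" is too narrow; DBMS error messages appear whenever the application echoes exceptions into the response, not only under a debug setting. Suggest "If the web application returns the back-end database management system error messages in its HTTP responses". The "Access denied for user <SESSION USER>" example is helpful; label it as a MySQL-style message since other DBMSes word it differently.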
Switch: --replicate
TODO
+If you want to store in a local SQLite 3 database file each dumped table
+(--dump or --dump-all), you can
+provide sqlmap with the --replicate switch at dump
+phase. This will create a <TABLE_NAME>.sqlite3 rather than
+a <DB_NAME>/<TABLE_NAME>.csv file into
+output/TARGET_URL/dump/ directory.
You can then use sqlmap itself to read and query the locally created
+SQLite 3 file. For instance, python sqlmap.py -d
+sqlite:///tmp/sqlmap/output/debiandev/dump/testdb.sqlite3 --table.
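Review bot: the naming "<TABLE_NAME>.sqlite3" conflicts with the example path ".../dump/testdb.sqlite3", where testdb reads as a database name rather than a table name; clarify whether one SQLite file is created per dumped table or one per database holding every dumped table. In the example, is "--table" the full name of the switch or a truncation of a longer one? Spell it out as it is named elsewhere in the document.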
Switch: --wizard
Do you really want to know?
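Review bot: "Do you really want to know?" is not a description; give one sentence on what --wizard does and whom it is for (an interactive, prompt-driven run for users who do not want to pick switches by hand?) so the entry is usable without trying it.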
-Switches: --proxy, --proxy-cred and --ignore-proxy +Switches: --proxy, --proxy-cred, +--ignore-proxy and --tor
It is possible to provide an HTTP(S) proxy address to pass by the HTTP(S)
@@ -1281,7 +1282,8 @@ url="http://www.torproject.org/" name="Tor client"> together with
The switch --ignore-proxy should be used when you want
@@ -1386,8 +1388,7 @@ This switch is an alias that implicitly sets the following switches:
@@ -1409,7 +1410,8 @@ TODO
Switch: --keep-alive
-TODO
+This switch instructs sqlmap to use persistent HTTP(s) connections.
+Note that this switch is incompatible with --proxy switch.
TODO
+Note that this switch is incompatible with --text-only
+switch.
-Switch: --group-concat
-
-
-TODO
-
-
These options can be used to specify which parameters to test for, provide
custom injection payloads and optional tampering scripts.
-
@@ -1609,15 +1603,87 @@ within nested JOIN queries for instance.
Switch: --tamper
-TODO
+sqlmap itself does no obfuscation of the payload sent, except for strings
+between single quotes replaced by their CHAR()-alike
+representation.
+
+
+This switch can be very useful and powerful in situations where there is
+a weak input validation mechanism between you and the back-end database
+management system. This mechanism usually is a self-developed input
+validation routine called by the application source code, an expensive
+enterprise-grade IPS appliance or a web application firewall (WAF). All
+buzzwords to define the same concept, implemented in a different way and
+costing lots of money, usually.
+
+
+To take advantage of this switch, provide sqlmap with a comma-separated
+list of tamper scripts and this will process the payload and return it
+transformed. You can define your own tamper scripts, use sqlmap ones from
+the tamper/ folder or edit them as long as you concatenate them
+comma-separated as the argument of --tamper switch.
+
+
+The format of a valid tamper script is as follows:
+
+
+You can check valid and usable tamper scripts in the tamper/
+directory.
+
+
+Example against a MySQL target assuming > character, spaces and
+SELECT string are banned:
+
+
-These options can be used to specify how to parse and compare page content
-from HTTP responses when using blind SQL injection technique.
-
+These options can be used to specify how to parse and compare page
+content from HTTP responses when using blind SQL injection technique.
-TODO
+This switch requires an argument which specifies the level of tests to
+perform. There are
+Not only this switch affects which payload sqlmap tries, but also which
+injection points are taken in exam: GET and POST parameters are
+
+All in all, the harder it is to detect a SQL injection, the higher the
+--level must be set.
+
+
+It is strongly recommended to higher this value before reporting to the
+mailing list that sqlmap is not able to detect a certain injection point.
-TODO
-
-
-
-Switches: --string and --regexp
+In some instances, like a SQL injection in an UPDATE statement,
+injecting an OR-based payload can lead to an update of all the
+entries of the table, which is certainly not what the attacker wants. For
+this reason and others this switch has been introduced: the user has
+control over which payloads get tested, the user can arbitrarily choose
+to use also potentially dangerous ones.
+As per the previous switch, the payloads used by sqlmap are specified in
+the textual file xml/payloads.xml and you are free to edit and
+add your owns.
+
+
+
-By default the distinction of a True query by a False one (basic concept
-for Inferential blind SQL injection attacks) is done comparing injected
-requests page content MD5 hash with the original not injected page content
-MD5 hash.
+Switches: --string, --regexp and
+--text-only
+
+
+By default the distinction of a True query by a False
+one (rough concept behind boolean-based blind SQL injection vulnerabilities)
+is done by comparing the injected requests page content with the original
+not injected page content.
Not always this concept works because sometimes the page content changes at
each refresh even not injecting anything, for instance when the page has a
-counter, a dynamic advertisment banner or any other part of the HTML which
-is render dynamically and might change in time not only consequently to
+counter, a dynamic advertisement banner or any other part of the HTML which
+is rendered dynamically and might change in time not only consequently to
user's input.
-To bypass this limit, sqlmap makes it possible to manually provide a
-string which is
+Such data is easy for an user to retrieve, simply try to inject on the
+affected parameter an invalid value and compare manually the original (not
+injected) page content with the injected wrong page content.
This way the distinction will be based upon string presence or regular
-expression match and not page MD5 hash comparison.
+expression match.
-As you can see, the string after Dynamic content changes its
-value every second. In the example it is just a call to PHP
-time() function, but on the real world it is usually much more
-than that.
-
-
-Looking at the HTTP responses page content you can see that the first five
-lines of code do not change at all.
-So choosing for instance the word luther as an output that is
-on the not injected page content and it is not on the False page content
-(because the query condition returns no output so luther is not
-displayed on the page content) and passing it to sqlmap, you are able to
-inject anyway.
-
-
-You can also specify a regular expression to match rather than a string if
-you prefer.
-
-
-As you can see, when one of these options is specified, sqlmap skips the
-URL stability test.
-
-
-
-These options can be used to tweak how specific SQL injection techniques
-are tested.
+These options can be used to tweak testing of specific SQL injection
+techniques.
+
Switch: --union-cols
@@ -1719,7 +1804,8 @@ Switch: --union-cols
TODO
-
Switch: --union-char
@@ -1730,53 +1816,31 @@ TODO
Switches: -f or --fingerprint
By default the web application's back-end database management system
-fingerprint is performed requesting a database specific function which
-returns a known static value. By comparing these value with the returned
-value it is possible to identify if the back-end database is effectively
-the one that sqlmap expected. Depending on the DBMS being tested, a
-SQL dialect syntax which is syntatically correct depending upon the
-back-end DBMS is also tested.
-
-After identifying an injectable vector, sqlmap fingerprints the back-end
-database management system and go ahead with the injection with its
-specific syntax within the limits of the database architecture.
+fingerprint is handled automatically by sqlmap.
+Just after the detection phase finishes and the user is eventually
+prompted with a choice of which vulnerable parameter to use further on,
+sqlmap fingerprints the back-end database management system and carries
+on the injection by knowing which SQL syntax, dialect and queries to use
+to proceed with the attack within the limits of the database architecture.
-As you can see, sqlmap automatically fingerprints the web server operating
-system and the web application technology by parsing some HTTP response headers.
+If for any instance you want to perform an extensive database management
+system fingerprint based on various techniques like specific SQL dialects
+and inband error messages, you can provide the
+--fingerprint switch. sqlmap will perform a lot more
+requests and fingerprint the exact DBMS version and, where possible,
+operating system, architecture and patch level.
-If you want to perform an extensive database management system fingerprint
-based on various techniques like specific SQL dialects and inband error
-messages, you can provide the --fingerprint option.
-
-
-As you can see from the last example, sqlmap first tested for MySQL,
-then for Oracle, then for PostgreSQL since the user did not forced the
-back-end database management system name with option --dbms.
-
-
-If you want an even more accurate result, based also on banner parsing,
-you can also provide the -b or --banner option.
-
-
-As you can see, sqlmap was also able to fingerprint the back-end DBMS
-operating system by parsing the DBMS banner value.
-
-
-As you can see, from the Microsoft SQL Server banner, sqlmap was able to
-correctly identify the database management system patch level.
-The Microsoft SQL Server XML versions file is the result of a sqlmap
-parsing library that fetches data from Chip Andrews'
-
-TODO
+This switch allows you to
+This is useful, for instance, to identify tables containing custom
+application credentials where relevant columns' names contain string like
+name and pass.
+
+
+The switch --search needs to be used in conjunction with
+one of the following support switches:
+
+
Switch: -t
-TODO
+This switch requires an argument that specified the textual file to write
+all HTTP(s) traffic generated by sqlmap - HTTP(s) requests and HTTP(s)
+responses.
+
+
+This is useful primarily for debug purposes.
+Switch: --fresh-queries
+
+
+As you are already familiar with the concept of a session file from the
+description above, it is good to know that you can ignore the content of
+that file using option --fresh-queries.
+This way you can keep the session file untouched and for a selected run,
+avoid the resuming/restoring of queries output.
+
+
@@ -2740,22 +2842,27 @@ default behaviour whenever user's input would be required.
Switch: --beep
-TODO
+When this switch is provided, sqlmap will beep at every new SQL injection
+that it finds. It can be useful when you are processing in batch mode a
+Google dork output or a proxy log file so that you do not need to monitor
+the terminal constantly.
-
Switch: --check-payload
-TODO
+Curious to see if a
Switch: --forms
-TODO
+Say that you want to test against SQL injections a huge search form
+or you want to test a login bypass (typically only two input fields named
+like username and password), you can either pass to sqlmap
+the request in a request file (-r), set the POSTed data
+accordingly (--data) or let sqlmap do it for you!
+
+
+Both of the above mentioned instances, and many others, appear as
+<form> and <input> tags in HTML response
+bodies and this is where this switch comes into play.
+
+
+Provide sqlmap with --forms as well as the page where
+the form can be found as the target url (-u) and sqlmap will
+request the target url for you, parse the forms it has and guide you
+through to test for SQL injection on those form input fields (parameters)
+rather than the target url provided.
+Switch: --page-rank
+
+
+Performs further requests to Google when -g is provided and
+display page rank (PR) for Google dork results.
+
+
+
Switch: --parse-errors
-TODO
+If the web application is configured in debug mode so that it displays
+in the HTTP responses the back-end database management system error
+messages, sqlmap can parse and display them for you.
+
+This is useful for debugging purposes like understanding why a certain
+enumeration or takeover switch does not work - it might be a matter of
+session user's privileges and in this case you would see a DBMS error
+message along the lines of Access denied for user <SESSION
+USER>.
-
Switch: --replicate
-TODO
+If you want to store in a local SQLite 3 database file each dumped table
+(--dump or --dump-all), you can
+provide sqlmap with the --replicate switch at dump
+phase. This will create a <TABLE_NAME>.sqlite3 rather than
+a <DB_NAME>/<TABLE_NAME>.csv file into
+output/TARGET_URL/dump/ directory.
+
+
+You can then use sqlmap itself to read and query the locally created
+SQLite 3 file. For instance, python sqlmap.py -d
+sqlite:///tmp/sqlmap/output/debiandev/dump/testdb.sqlite3 --table.
+
+
+
+Switch: --wizard
+
+
+Do you really want to know?