SQLmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches including database fingerprinting, over data fetching from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
___
__H__
___ ___[,]_____ ___ ___ {1.9.4#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
Usage
Usage: sqlmap [options]
Target
At least one of these options has to be provided to define the target(s)
| Option | Description |
|---|---|
-u URL, --url=URL | Target URL (e.g. "http://www.site.com/vuln.php?id=1") |
-g GOOGLEDORK | Process Google dork results as target URLs |
Request
These options can be used to specify how to connect to the target URL
| Option | Description |
|---|---|
--data=DATA | Data string to be sent through POST (e.g. "id=1") |
--cookie=COOKIE | HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..") |
--random-agent | Use randomly selected HTTP User-Agent header value |
--proxy=PROXY | Use a proxy to connect to the target URL |
--tor | Use Tor anonymity network |
--check-tor | Check to see if Tor is used properly |
Injection
These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts
| Option | Description |
|---|---|
-p TESTPARAMETER | Testable parameter(s) |
--dbms=DBMS | Force back-end DBMS to provided value |
Detection:
These options can be used to customize the detection phase
| Option | Description |
|---|---|
--level=LEVEL | Level of tests to perform (1–5, default 1) |
--risk=RISK | Risk of tests to perform (1–3, default 1) |
Techniques
These options can be used to tweak testing of specific SQL injection techniques
| Option | Description |
|---|---|
--technique=TECH... | SQL injection techniques to use (default "BEUSTQ") |
Enumeration
These options can be used to enumerate the back-end database management system information, structure and data contained in the tables
| Option | Description |
|---|---|
-a, --all | Retrieve everything |
-b, --banner | Retrieve DBMS banner |
--current-user | Retrieve DBMS current user |
--current-db | Retrieve DBMS current database |
--passwords | Enumerate DBMS users password hashes |
--dbs | Enumerate DBMS databases |
--tables | Enumerate DBMS database tables |
--columns | Enumerate DBMS database table columns |
--schema | Enumerate DBMS schema |
--dump | Dump DBMS database table entries |
--dump-all | Dump all DBMS databases tables entries |
-D DB | DBMS database to enumerate |
-T TBL | DBMS database table(s) to enumerate |
-C COL | DBMS database table column(s) to enumerate |
Operating system access
These options can be used to access the back-end database management system underlying operating system
| Option | Description |
|---|---|
--os-shell | Prompt for an interactive operating system shell |
--os-pwn | Prompt for an OOB shell, Meterpreter or VNC |
General
These options can be used to set some general working parameters
| Option | Description |
|---|---|
--batch | Never ask for user input, use the default behavior |
--flush-session | Flush session files for current target |
Miscellaneous
These options do not fit into any other category
| Option | Description |
|---|---|
--wizard | Simple wizard interface for beginner users |