Under construction...

https://github.com/sqlmapproject/sqlmap/wiki/Usage

Usage: python sqlmap.py [options]

Options:

 -h, --help    Show basic help message and exit
 -hh           Show advanced help message and exit
 --version     Show program's version number and exit
 -v VERBOSE    Verbosity level: 0-6 (default 1)

Target:

At least one of these options has to be provided to define the target(s)

 -d DIRECT           Connection string for direct database connection (e.g. sqlmap -d mysql://root:123456@127.0.0.1:3306/database)
 -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
 -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
 -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file
 -m BULKFILE         Scan multiple targets given in a textual file
 -r REQUESTFILE      Load HTTP request from a file
 -g GOOGLEDORK       Process Google dork results as target URLs (e.g. sqlmap -g "google dork" --dump-all)
 -c CONFIGFILE       Load options from a configuration INI file

Request:

These options can be used to specify how to connect to the target URL

 --method=METHOD       Force usage of given HTTP method (e.g. PUT)
 --data=DATA           Data string to be sent through POST
 --param-del=PARA..    Character used for splitting parameter values
 --cookie=COOKIE       HTTP Cookie header value
 --cookie-del=COO..    Character used for splitting cookie values
 --load-cookies=L..    File containing cookies in Netscape/wget format
 --drop-set-cookie     Ignore Set-Cookie header from response
 --user-agent=AGENT    HTTP User-Agent header value
 --random-agent        Use randomly selected HTTP User-Agent header value
 --host=HOST           HTTP Host header value
 --referer=REFERER     HTTP Referer header value
 -H HEADER, --hea..    Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
 --headers=HEADERS     Extra headers (e.g. "Accept-Language: fr\nETag: 123")
 --auth-type=AUTH..    HTTP authentication type (Basic, Digest, NTLM or PKI)
 --auth-cred=AUTH..    HTTP authentication credentials (name:password)
 --auth-file=AUTH..    HTTP authentication PEM cert/private key file
 --ignore-401          Ignore HTTP Error 401 (Unauthorized)
 --proxy=PROXY         Use a proxy to connect to the target URL
 --proxy-cred=PRO..    Proxy authentication credentials (name:password)
 --proxy-file=PRO..    Load proxy list from a file
 --ignore-proxy        Ignore system default proxy settings
 --tor                 Use Tor anonymity network
 --tor-port=TORPORT    Set Tor proxy port other than default
 --tor-type=TORTYPE    Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
 --check-tor           Check to see if Tor is used properly
 --delay=DELAY         Delay in seconds between each HTTP request
 --timeout=TIMEOUT     Seconds to wait before timeout connection (default 30)
 --retries=RETRIES     Retries when the connection timeouts (default 3)
 --randomize=RPARAM    Randomly change value for given parameter(s)
 --safe-url=SAFEURL    URL address to visit frequently during testing
 --safe-post=SAFE..    POST data to send to a safe URL
 --safe-req=SAFER..    Load safe HTTP request from a file
 --safe-freq=SAFE..    Test requests between two visits to a given safe URL
 --skip-urlencode      Skip URL encoding of payload data
 --csrf-token=CSR..    Parameter used to hold anti-CSRF token
 --csrf-url=CSRFURL    URL address to visit to extract anti-CSRF token
 --force-ssl           Force usage of SSL/HTTPS
 --hpp                 Use HTTP parameter pollution method
 --eval=EVALCODE       Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

Optimization:

These options can be used to optimize the performance of sqlmap

 -o                   Turn on all optimization switches
 --predict-output     Predict common queries output
 --keep-alive         Use persistent (keep-alive) HTTP(S) connections
 --null-connection    Retrieve page length without actual HTTP response body
 --threads=THREADS    Max number of concurrent HTTP(s) requests (default 1)

Injection:

These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts

 -p TESTPARAMETER    Testable parameter(s)
 --skip=SKIP         Skip testing for given parameter(s)
 --skip-static       Skip testing parameters that not appear to be dynamic
 --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
 --dbms=DBMS         Force back-end DBMS to this value
 --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
 --os=OS             Force back-end DBMS operating system to this value
 --invalid-bignum    Use big numbers for invalidating values
 --invalid-logical   Use logical operations for invalidating values
 --invalid-string    Use random strings for invalidating values
 --no-cast           Turn off payload casting mechanism
 --no-escape         Turn off string escaping mechanism
 --prefix=PREFIX     Injection payload prefix string
 --suffix=SUFFIX     Injection payload suffix string
 --tamper=TAMPER     Use given script(s) for tampering injection data

Detection:

These options can be used to customize the detection phase

 --level=LEVEL       Level of tests to perform (1-5, default 1)
 --risk=RISK         Risk of tests to perform (1-3, default 1)
 --string=STRING     String to match when query is evaluated to True
 --not-string=NOT..  String to match when query is evaluated to False
 --regexp=REGEXP     Regexp to match when query is evaluated to True
 --code=CODE         HTTP code to match when query is evaluated to True
 --text-only         Compare pages based only on the textual content
 --titles            Compare pages based only on their titles

Techniques:

These options can be used to tweak testing of specific SQL injection techniques

 --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
 --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
 --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
 --union-char=UCHAR  Character to use for bruteforcing number of columns
 --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
 --dns-domain=DNS..  Domain name used for DNS exfiltration attack
 --second-order=S..  Resulting page URL searched for second-order response

Fingerprint:

 -f, --fingerprint   Perform an extensive DBMS version fingerprint

Enumeration:

These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements

 -a, --all             Retrieve everything
 -b, --banner          Retrieve DBMS banner (e.g. version)
 --current-user        Retrieve DBMS current user
 --current-db          Retrieve DBMS current database
 --hostname            Retrieve DBMS server hostname
 --is-dba              Detect if the DBMS current user is DBA (e.g. sa privileges)
 --users               Enumerate DBMS users
 --passwords           Enumerate DBMS users password hashes
 --privileges          Enumerate DBMS users privileges
 --roles               Enumerate DBMS users roles
 --dbs                 Enumerate DBMS databases
 --tables              Enumerate DBMS database tables
 --columns             Enumerate DBMS database table columns
 --schema              Enumerate DBMS schema
 --count               Retrieve number of entries for table(s)
 --dump                Dump DBMS database table entries
 --dump-all            Dump all DBMS databases tables entries
 --search              Search column(s), table(s) and/or database name(s)
 --comments            Retrieve DBMS comments
 -D DB                 DBMS database to enumerate
 -T TBL                DBMS database table(s) to enumerate
 -C COL                DBMS database table column(s) to enumerate
 -X EXCLUDECOL         DBMS database table column(s) to not enumerate
 -U USER               DBMS user to enumerate
 --exclude-sysdbs      Exclude DBMS system databases when enumerating tables
 --pivot-column=P..    Pivot column name
 --where=DUMPWHERE     Use WHERE condition while table dumping
 --start=LIMITSTART    First query output entry to retrieve
 --stop=LIMITSTOP      Last query output entry to retrieve
 --first=FIRSTCHAR     First query output word character to retrieve
 --last=LASTCHAR       Last query output word character to retrieve
 --sql-query=QUERY     SQL statement to be executed
 --sql-shell           Prompt for an interactive SQL shell
 --sql-file=SQLFILE    Execute SQL statements from given file(s)

Brute force:

These options can be used to run brute force checks

 --common-tables     Check existence of common tables
 --common-columns    Check existence of common columns

User-defined function injection:

These options can be used to create custom user-defined functions

 --udf-inject        Inject custom user-defined functions
 --shared-lib=SHLIB  Local path of the shared library

File system access:

These options can be used to access the back-end database management
system underlying file system

 --file-read=RFILE   Read a file from the back-end DBMS file system
 --file-write=WFILE  Write a local file on the back-end DBMS file system
 --file-dest=DFILE   Back-end DBMS absolute filepath to write to

Operating system access:

These options can be used to access the back-end database management
system underlying operating system

 --os-cmd=OSCMD      Execute an operating system command
 --os-shell          Prompt for an interactive operating system shell
 --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
 --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
 --os-bof            Stored procedure buffer overflow exploitation
 --priv-esc          Database process user privilege escalation
 --msf-path=MSFPATH  Local path where Metasploit Framework is installed
 --tmp-path=TMPPATH  Remote absolute path of temporary files directory

Windows registry access:

These options can be used to access the back-end database management
system Windows registry

 --reg-read          Read a Windows registry key value
 --reg-add           Write a Windows registry key value data
 --reg-del           Delete a Windows registry key value
 --reg-key=REGKEY    Windows registry key
 --reg-value=REGVAL  Windows registry key value
 --reg-data=REGDATA  Windows registry key value data
 --reg-type=REGTYPE  Windows registry key value type

General:

These options can be used to set some general working parameters

 -s SESSIONFILE      Load session from a stored (.sqlite) file
 -t TRAFFICFILE      Log all HTTP traffic into a textual file
 --batch             Never ask for user input, use the default behaviour
 --binary-fields=..  Result fields having binary values (e.g. "digest")
 --charset=CHARSET   Force character encoding used for data retrieval
 --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
 --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
 --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
 --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
 --eta               Display for each output the estimated time of arrival
 --flush-session     Flush session files for current target
 --forms             Parse and test forms on target URL
 --fresh-queries     Ignore query results stored in session file
 --hex               Use DBMS hex function(s) for data retrieval
 --output-dir=OUT..  Custom output directory path
 --parse-errors      Parse and display DBMS error messages from responses
 --save=SAVECONFIG   Save options to a configuration INI file
 --scope=SCOPE       Regexp to filter targets from provided proxy log
 --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
 --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
 --update            Update sqlmap

Miscellaneous:

 -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
 --alert=ALERT       Run host OS command(s) when SQL injection is found
 --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")
 --beep              Beep on question and/or when SQL injection is found
 --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
 --dependencies      Check for missing (non-core) sqlmap dependencies
 --disable-coloring  Disable console output coloring
 --gpage=GOOGLEPAGE  Use Google dork results from specified page number
 --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection
 --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection
 --mobile            Imitate smartphone through HTTP User-Agent header
 --offline           Work in offline mode (only use session data)
 --purge-output      Safely remove all content from output directory
 --smart             Conduct thorough tests only if positive heuristic(s)
 --sqlmap-shell      Prompt for an interactive sqlmap shell
 --wizard            Simple wizard interface for beginner users