Provided by: sqlmap_1.3.4-1_all bug

NAME

       sqlmap - automatic SQL injection tool

SYNOPSIS

       python sqlmap [options]

OPTIONS

       -h, --help
              Show basic help message and exit

       -hh    Show advanced help message and exit

       --version
              Show program's version number and exit

       -v VERBOSE
              Verbosity level: 0-6 (default 1)

              Target:

              At least one of these options has to be provided to define the target(s)

       -d DIRECT
              Connection string for direct database connection

       -u URL, --url=URL
              Target URL (e.g. "http://www.site.com/vuln.php?id=1")

       -l LOGFILE
              Parse target(s) from Burp or WebScarab proxy log file

       -x SITEMAPURL
              Parse target(s) from remote sitemap(.xml) file

       -m BULKFILE
              Scan multiple targets given in a textual file

       -r REQUESTFILE
              Load HTTP request from a file

       -g GOOGLEDORK
              Process Google dork results as target URLs

       -c CONFIGFILE
              Load options from a configuration INI file

              Request:

              These options can be used to specify how to connect to the target URL

       --method=METHOD
              Force usage of given HTTP method (e.g. PUT)

       --data=DATA
              Data string to be sent through POST

       --param-del=PARA..
              Character used for splitting parameter values

       --cookie=COOKIE
              HTTP Cookie header value

       --cookie-del=COO..
              Character used for splitting cookie values

       --load-cookies=L..
              File containing cookies in Netscape/wget format

       --drop-set-cookie
              Ignore Set-Cookie header from response

       --user-agent=AGENT
              HTTP User-Agent header value

       --random-agent
              Use randomly selected HTTP User-Agent header value

       --host=HOST
              HTTP Host header value

       --referer=REFERER
              HTTP Referer header value

       -H HEADER, --hea..
              Extra header (e.g. "X-Forwarded-For: 127.0.0.1")

       --headers=HEADERS
              Extra headers (e.g. "Accept-Language: fr\nETag: 123")

       --auth-type=AUTH..
              HTTP authentication type (Basic, Digest, NTLM or PKI)

       --auth-cred=AUTH..
              HTTP authentication credentials (name:password)

       --auth-file=AUTH..
              HTTP authentication PEM cert/private key file

       --ignore-401
              Ignore HTTP Error 401 (Unauthorized)

       --proxy=PROXY
              Use a proxy to connect to the target URL

       --proxy-cred=PRO..
              Proxy authentication credentials (name:password)

       --proxy-file=PRO..
              Load proxy list from a file

       --ignore-proxy
              Ignore system default proxy settings

       --tor  Use Tor anonymity network

       --tor-port=TORPORT
              Set Tor proxy port other than default

       --tor-type=TORTYPE
              Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)

       --check-tor
              Check to see if Tor is used properly

       --delay=DELAY
              Delay in seconds between each HTTP request

       --timeout=TIMEOUT
              Seconds to wait before timeout connection (default 30)

       --retries=RETRIES
              Retries when the connection timeouts (default 3)

       --randomize=RPARAM
              Randomly change value for given parameter(s)

       --safe-url=SAFEURL
              URL address to visit frequently during testing

       --safe-post=SAFE..
              POST data to send to a safe URL

       --safe-req=SAFER..
              Load safe HTTP request from a file

       --safe-freq=SAFE..
              Test requests between two visits to a given safe URL

       --skip-urlencode
              Skip URL encoding of payload data

       --csrf-token=CSR..
              Parameter used to hold anti-CSRF token

       --csrf-url=CSRFURL
              URL address to visit to extract anti-CSRF token

       --force-ssl
              Force usage of SSL/HTTPS

       --hpp  Use HTTP parameter pollution method

       --eval=EVALCODE
              Evaluate    provided    Python    code    before   the   request   (e.g.    "import
              hashlib;id2=hashlib.md5(id).hexdigest()")

              Optimization:

              These options can be used to optimize the performance of sqlmap

       -o     Turn on all optimization switches

       --predict-output
              Predict common queries output

       --keep-alive
              Use persistent HTTP(s) connections

       --null-connection
              Retrieve page length without actual HTTP response body

       --threads=THREADS
              Max number of concurrent HTTP(s) requests (default 1)

              Injection:

              These options can be used to specify which parameters to test for,  provide  custom
              injection payloads and optional tampering scripts

       -p TESTPARAMETER
              Testable parameter(s)

       --skip=SKIP
              Skip testing for given parameter(s)

       --skip-static
              Skip testing parameters that not appear dynamic

       --dbms=DBMS
              Force back-end DBMS to this value

       --dbms-cred=DBMS..
              DBMS authentication credentials (user:password)

       --os=OS
              Force back-end DBMS operating system to this value

       --invalid-bignum
              Use big numbers for invalidating values

       --invalid-logical
              Use logical operations for invalidating values

       --invalid-string
              Use random strings for invalidating values

       --no-cast
              Turn off payload casting mechanism

       --no-escape
              Turn off string escaping mechanism

       --prefix=PREFIX
              Injection payload prefix string

       --suffix=SUFFIX
              Injection payload suffix string

       --tamper=TAMPER
              Use given script(s) for tampering injection data

              Detection:

              These options can be used to customize the detection phase

       --level=LEVEL
              Level of tests to perform (1-5, default 1)

       --risk=RISK
              Risk of tests to perform (1-3, default 1)

       --string=STRING
              String to match when query is evaluated to True

       --not-string=NOT..
              String to match when query is evaluated to False

       --regexp=REGEXP
              Regexp to match when query is evaluated to True

       --code=CODE
              HTTP code to match when query is evaluated to True

       --text-only
              Compare pages based only on the textual content

       --titles
              Compare pages based only on their titles

              Techniques:

              These options can be used to tweak testing of specific SQL injection techniques

       --technique=TECH
              SQL injection techniques to use (default "BEUSTQ")

       --time-sec=TIMESEC
              Seconds to delay the DBMS response (default 5)

       --union-cols=UCOLS
              Range of columns to test for UNION query SQL injection

       --union-char=UCHAR
              Character to use for bruteforcing number of columns

       --union-from=UFROM
              Table to use in FROM part of UNION query SQL injection

       --dns-domain=DNS..
              Domain name used for DNS exfiltration attack

       --second-order=S..
              Resulting page URL searched for second-order response

              Fingerprint:

       -f, --fingerprint
              Perform an extensive DBMS version fingerprint

              Enumeration:

              These  options  can  be  used  to enumerate the back-end database management system
              information, structure and data contained in the tables. Moreover you can run  your
              own SQL statements

       -a, --all
              Retrieve everything

       -b, --banner
              Retrieve DBMS banner

       --current-user
              Retrieve DBMS current user

       --current-db
              Retrieve DBMS current database

       --hostname
              Retrieve DBMS server hostname

       --is-dba
              Detect if the DBMS current user is DBA

       --users
              Enumerate DBMS users

       --passwords
              Enumerate DBMS users password hashes

       --privileges
              Enumerate DBMS users privileges

       --roles
              Enumerate DBMS users roles

       --dbs  Enumerate DBMS databases

       --tables
              Enumerate DBMS database tables

       --columns
              Enumerate DBMS database table columns

       --schema
              Enumerate DBMS schema

       --count
              Retrieve number of entries for table(s)

       --dump Dump DBMS database table entries

       --dump-all
              Dump all DBMS databases tables entries

       --search
              Search column(s), table(s) and/or database name(s)

       --comments
              Retrieve DBMS comments

       -D DB  DBMS database to enumerate

       -T TBL DBMS database table(s) to enumerate

       -C COL DBMS database table column(s) to enumerate

       -X EXCLUDECOL
              DBMS database table column(s) to not enumerate

       -U USER
              DBMS user to enumerate

       --exclude-sysdbs
              Exclude DBMS system databases when enumerating tables

       --where=DUMPWHERE
              Use WHERE condition while table dumping

       --start=LIMITSTART
              First query output entry to retrieve

       --stop=LIMITSTOP
              Last query output entry to retrieve

       --first=FIRSTCHAR
              First query output word character to retrieve

       --last=LASTCHAR
              Last query output word character to retrieve

       --sql-query=QUERY
              SQL statement to be executed

       --sql-shell
              Prompt for an interactive SQL shell

       --sql-file=SQLFILE
              Execute SQL statements from given file(s)

              Brute force:

              These options can be used to run brute force checks

       --common-tables
              Check existence of common tables

       --common-columns
              Check existence of common columns

              User-defined function injection:

              These options can be used to create custom user-defined functions

       --udf-inject
              Inject custom user-defined functions

       --shared-lib=SHLIB
              Local path of the shared library

              File system access:

              These  options  can  be  used  to  access  the  back-end database management system
              underlying file system

       --file-read=RFILE
              Read a file from the back-end DBMS file system

       --file-write=WFILE
              Write a local file on the back-end DBMS file system

       --file-dest=DFILE
              Back-end DBMS absolute filepath to write to

              Operating system access:

              These options can be  used  to  access  the  back-end  database  management  system
              underlying operating system

       --os-cmd=OSCMD
              Execute an operating system command

       --os-shell
              Prompt for an interactive operating system shell

       --os-pwn
              Prompt for an OOB shell, Meterpreter or VNC

       --os-smbrelay
              One click prompt for an OOB shell, Meterpreter or VNC

       --os-bof
              Stored procedure buffer overflow exploitation

       --priv-esc
              Database process user privilege escalation

       --msf-path=MSFPATH
              Local path where Metasploit Framework is installed

       --tmp-path=TMPPATH
              Remote absolute path of temporary files directory

              Windows registry access:

              These options can be used to access the back-end database management system Windows
              registry

       --reg-read
              Read a Windows registry key value

       --reg-add
              Write a Windows registry key value data

       --reg-del
              Delete a Windows registry key value

       --reg-key=REGKEY
              Windows registry key

       --reg-value=REGVAL
              Windows registry key value

       --reg-data=REGDATA
              Windows registry key value data

       --reg-type=REGTYPE
              Windows registry key value type

              General:

              These options can be used to set some general working parameters

       -s SESSIONFILE
              Load session from a stored (.sqlite) file

       -t TRAFFICFILE
              Log all HTTP traffic into a textual file

       --batch
              Never ask for user input, use the default behaviour

       --charset=CHARSET
              Force character encoding used for data retrieval

       --crawl=CRAWLDEPTH
              Crawl the website starting from the target URL

       --crawl-exclude=..
              Regexp to exclude pages from crawling (e.g. "logout")

       --csv-del=CSVDEL
              Delimiting character used in CSV output (default ",")

       --dump-format=DU..
              Format of dumped data (CSV (default), HTML or SQLITE)

       --eta  Display for each output the estimated time of arrival

       --flush-session
              Flush session files for current target

       --forms
              Parse and test forms on target URL

       --fresh-queries
              Ignore query results stored in session file

       --hex  Use DBMS hex function(s) for data retrieval

       --output-dir=OUT..
              Custom output directory path

       --parse-errors
              Parse and display DBMS error messages from responses

       --pivot-column=P..
              Pivot column name

       --save=SAVECONFIG
              Save options to a configuration INI file

       --scope=SCOPE
              Regexp to filter targets from provided proxy log

       --test-filter=TE..
              Select tests by payloads and/or titles (e.g. ROW)

       --test-skip=TEST..
              Skip tests by payloads and/or titles (e.g. BENCHMARK)

       --update
              Update sqlmap

              Miscellaneous:

       -z MNEMONICS
              Use short mnemonics (e.g. "flu,bat,ban,tec=EU")

       --alert=ALERT
              Run host OS command(s) when SQL injection is found

       --answers=ANSWERS
              Set question answers (e.g. "quit=N,follow=N")

       --beep Beep on question and/or when SQL injection is found

       --cleanup
              Clean up the DBMS from sqlmap specific UDF and tables

       --dependencies
              Check for missing (non-core) sqlmap dependencies

       --disable-coloring
              Disable console output coloring

       --gpage=GOOGLEPAGE
              Use Google dork results from specified page number

       --identify-waf
              Make a thorough testing for a WAF/IPS/IDS protection

       --skip-waf
              Skip heuristic detection of WAF/IPS/IDS protection

       --mobile
              Imitate smartphone through HTTP User-Agent header

       --offline
              Work in offline mode (only use session data)

       --page-rank
              Display page rank (PR) for Google dork results

       --purge-output
              Safely remove all content from output directory

       --smart
              Conduct thorough tests only if positive heuristic(s)

       --sqlmap-shell
              Prompt for an interactive sqlmap shell

       --wizard
              Simple wizard interface for beginner users