施工中...

https://github.com/sqlmapproject/sqlmap/wiki/Usage

用法: python sqlmap.py [选项]

选项:

 -h, --help    显示基本的帮助信息
 -hh           显示更为详细、高级的帮助信息
 --version     显示版本信息
 -v VERBOSE    显示打印详细信息，级别: 0-6 (默认为 1)

目标:

  必须提供至少一个选项来定义目标(S)
 -d DIRECT           直接连接数据库(e.g. sqlmap -d mysql://root:123456@127.0.0.1:3306/数据库)
 -u URL, --url=URL   目标url (e.g. "http://www.site.com/vuln.php?id=1")
 -l LOGFILE          从Burp或WebScarab代理日志文件解析目标(s)
 -x SITEMAPURL       从从站点sitemap(.xml)文件解析目标(s)
 -m BULKFILE         扫描文本文件中给出的多个目标
 -r REQUESTFILE      从文件中读取HTTP协议请求
 -g GOOGLEDORK       将Google搜索的结果作为目标(e.g. sqlmap -g "google 语法" --dump-all)
 -c CONFIGFILE       从INI配置文件中加载选项

请求:

下列选项可用于指定如何连接到目标URL

 --method=METHOD       使用给定的方式连接目标 (e.g. PUT)
 --data=DATA           通过Post提交数据
 --param-del=PARA..    用于拆分参数值
 --cookie=COOKIE       HTTP Cookie header
 --cookie-del=COO..    用于分割Cookie值的选项
 --load-cookies=L..    File containing cookies in Netscape/wget format
 --drop-set-cookie     Ignore Set-Cookie header from response
 --user-agent=AGENT    HTTP User-Agent header value
 --random-agent        Use randomly selected HTTP User-Agent header value
 --host=HOST           HTTP Host header value
 --referer=REFERER     HTTP Referer header value
 -H HEADER, --hea..    Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
 --headers=HEADERS     Extra headers (e.g. "Accept-Language: fr\nETag: 123")
 --auth-type=AUTH..    HTTP authentication type (Basic, Digest, NTLM or PKI)
 --auth-cred=AUTH..    HTTP authentication credentials (name:password)
 --auth-file=AUTH..    HTTP authentication PEM cert/private key file
 --ignore-401          Ignore HTTP Error 401 (Unauthorized)
 --proxy=PROXY         Use a proxy to connect to the target URL
 --proxy-cred=PRO..    Proxy authentication credentials (name:password)
 --proxy-file=PRO..    Load proxy list from a file
 --ignore-proxy        Ignore system default proxy settings
 --tor                 Use Tor anonymity network
 --tor-port=TORPORT    Set Tor proxy port other than default
 --tor-type=TORTYPE    Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
 --check-tor           Check to see if Tor is used properly
 --delay=DELAY         Delay in seconds between each HTTP request
 --timeout=TIMEOUT     Seconds to wait before timeout connection (default 30)
 --retries=RETRIES     Retries when the connection timeouts (default 3)
 --randomize=RPARAM    Randomly change value for given parameter(s)
 --safe-url=SAFEURL    URL address to visit frequently during testing
 --safe-post=SAFE..    POST data to send to a safe URL
 --safe-req=SAFER..    Load safe HTTP request from a file
 --safe-freq=SAFE..    Test requests between two visits to a given safe URL
 --skip-urlencode      Skip URL encoding of payload data
 --csrf-token=CSR..    Parameter used to hold anti-CSRF token
 --csrf-url=CSRFURL    URL address to visit to extract anti-CSRF token
 --force-ssl           Force usage of SSL/HTTPS
 --hpp                 Use HTTP parameter pollution method
 --eval=EVALCODE       Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

优化:

这些选项可用于优化SqlMap的性能

 -o                   使用所有最佳化开关
 --predict-output     预测常见查询输出
 --keep-alive         最稳定的HTTP(S)连接
 --null-connection    Retrieve page length without actual HTTP response body
 --threads=THREADS    Max number of concurrent HTTP(s) requests (default 1)

Injection:

These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts

 -p TESTPARAMETER    Testable parameter(s)
 --skip=SKIP         Skip testing for given parameter(s)
 --skip-static       Skip testing parameters that not appear to be dynamic
 --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
 --dbms=DBMS         Force back-end DBMS to this value
 --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
 --os=OS             Force back-end DBMS operating system to this value
 --invalid-bignum    Use big numbers for invalidating values
 --invalid-logical   Use logical operations for invalidating values
 --invalid-string    Use random strings for invalidating values
 --no-cast           Turn off payload casting mechanism
 --no-escape         Turn off string escaping mechanism
 --prefix=PREFIX     Injection payload prefix string
 --suffix=SUFFIX     Injection payload suffix string
 --tamper=TAMPER     Use given script(s) for tampering injection data

Detection:

These options can be used to customize the detection phase
 --level=LEVEL       Level of tests to perform (1-5, default 1)
 --risk=RISK         Risk of tests to perform (1-3, default 1)
 --string=STRING     String to match when query is evaluated to True
 --not-string=NOT..  String to match when query is evaluated to False
 --regexp=REGEXP     Regexp to match when query is evaluated to True
 --code=CODE         HTTP code to match when query is evaluated to True
 --text-only         Compare pages based only on the textual content
 --titles            Compare pages based only on their titles

Techniques:

These options can be used to tweak testing of specific SQL injection techniques
 --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
 --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
 --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
 --union-char=UCHAR  Character to use for bruteforcing number of columns
 --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
 --dns-domain=DNS..  Domain name used for DNS exfiltration attack
 --second-order=S..  Resulting page URL searched for second-order response

Fingerprint:

 -f, --fingerprint   Perform an extensive DBMS version fingerprint

列举:

These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables. Moreover you can run your own SQL statements
 -a, --all             检索所有
 -b, --banner          检索 数据库管理系统 标识信息(如：版本号)
 --current-user        检索 数据库管理系统 当前用户
 --current-db          检索 数据库管理系统 当前数据库
 --hostname            检索 数据库管理系统 服务器的主机名称
 --is-dba              检测当前用户是否是DBA(sa权限)
 --users               列举数据库管理系统用户
 --passwords           列举数据库管理系统用户密码的哈希值
 --privileges          列举当前系统用户的权限
 --roles               列举当前数据库系统用户的角色
 --dbs                 列举数据库
 --tables              列举数据库的表名
 --columns             列举数据库的表与列值
 --schema              Enumerate DBMS schema
 --count               检索有多少表
 --dump                转储当前所在数据库中的表项
 --dump-all            转储所有数据库表目
 --search              搜索列(s), 表(s) and/or 数据库名称(s)
 --comments            Retrieve DBMS comments
 -D DB                 指定要枚举的数据库名
 -T TBL                指定要枚举的数据库表
 -C COL                指定要枚举的数据库列
 -X EXCLUDECOL         指定不列举的表
 -U USER               指定需要枚举的用户
 --exclude-sysdbs      Exclude DBMS system databases when enumerating tables
 --pivot-column=P..    Pivot column name
 --where=DUMPWHERE     Use WHERE condition while table dumping
 --start=LIMITSTART    First query output entry to retrieve
 --stop=LIMITSTOP      Last query output entry to retrieve
 --first=FIRSTCHAR     First query output word character to retrieve
 --last=LASTCHAR       Last query output word character to retrieve
 --sql-query=QUERY     SQL statement to be executed
 --sql-shell           执行shell
 --sql-file=SQLFILE    从给定的文件中执行SQL语句

暴力:

下列选项用于暴力检查

 --common-tables     检查常见的tables
 --common-columns    检查常见的列

User-defined function injection:

These options can be used to create custom user-defined functions
 --udf-inject        Inject custom user-defined functions
 --shared-lib=SHLIB  Local path of the shared library

File system access:

These options can be used to access the back-end database management
    system underlying file system
 --file-read=RFILE   Read a file from the back-end DBMS file system
 --file-write=WFILE  Write a local file on the back-end DBMS file system
 --file-dest=DFILE   Back-end DBMS absolute filepath to write to

Operating system access:

These options can be used to access the back-end database management
    system underlying operating system
 --os-cmd=OSCMD      Execute an operating system command
 --os-shell          Prompt for an interactive operating system shell
 --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
 --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
 --os-bof            Stored procedure buffer overflow exploitation
 --priv-esc          Database process user privilege escalation
 --msf-path=MSFPATH  Local path where Metasploit Framework is installed
 --tmp-path=TMPPATH  Remote absolute path of temporary files directory

Windows registry access:

These options can be used to access the back-end database management
    system Windows registry
 --reg-read          Read a Windows registry key value
 --reg-add           Write a Windows registry key value data
 --reg-del           Delete a Windows registry key value
 --reg-key=REGKEY    Windows registry key
 --reg-value=REGVAL  Windows registry key value
 --reg-data=REGDATA  Windows registry key value data
 --reg-type=REGTYPE  Windows registry key value type

General:

These options can be used to set some general working parameters
 -s SESSIONFILE      Load session from a stored (.sqlite) file
 -t TRAFFICFILE      Log all HTTP traffic into a textual file
 --batch             Never ask for user input, use the default behaviour
 --binary-fields=..  Result fields having binary values (e.g. "digest")
 --charset=CHARSET   Force character encoding used for data retrieval
 --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
 --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
 --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
 --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
 --eta               Display for each output the estimated time of arrival
 --flush-session     Flush session files for current target
 --forms             Parse and test forms on target URL
 --fresh-queries     Ignore query results stored in session file
 --hex               Use DBMS hex function(s) for data retrieval
 --output-dir=OUT..  Custom output directory path
 --parse-errors      Parse and display DBMS error messages from responses
 --save=SAVECONFIG   Save options to a configuration INI file
 --scope=SCOPE       Regexp to filter targets from provided proxy log
 --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
 --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
 --update            Update sqlmap

Miscellaneous:

 -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
 --alert=ALERT       Run host OS command(s) when SQL injection is found
 --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")
 --beep              Beep on question and/or when SQL injection is found
 --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
 --dependencies      Check for missing (non-core) sqlmap dependencies
 --disable-coloring  Disable console output coloring
 --gpage=GOOGLEPAGE  Use Google dork results from specified page number
 --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection
 --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection
 --mobile            Imitate smartphone through HTTP User-Agent header
 --offline           Work in offline mode (only use session data)
 --purge-output      Safely remove all content from output directory
 --smart             Conduct thorough tests only if positive heuristic(s)
 --sqlmap-shell      Prompt for an interactive sqlmap shell
 --wizard            Simple wizard interface for beginner users