sqlmap usage

Usage: python3 sqlmap [options]

Options:

  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

Target:
At least one of these options has to be provided to define the
target(s)

-u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
-d DIRECT           Connection string for direct database connection
-l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
-m BULKFILE         Scan multiple targets given in a textual file
-r REQUESTFILE      Load HTTP request from a file
-g GOOGLEDORK       Process Google dork results as target URLs
-c CONFIGFILE       Load options from a configuration INI file

Request:
These options can be used to specify how to connect to the target URL

-A AGENT, --user..  HTTP User-Agent header value
-H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
--method=METHOD     Force usage of given HTTP method (e.g. PUT)
--data=DATA         Data string to be sent through POST (e.g. "id=1")
--param-del=PARA..  Character used for splitting parameter values (e.g. &)
--cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
--cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
--live-cookies=L..  Live cookies file used for loading up-to-date values
--load-cookies=L..  File containing cookies in Netscape/wget format
--drop-set-cookie   Ignore Set-Cookie header from response
--mobile            Imitate smartphone through HTTP User-Agent header
--random-agent      Use randomly selected HTTP User-Agent header value
--host=HOST         HTTP Host header value
--referer=REFERER   HTTP Referer header value
--headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
--auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred=AUTH..  HTTP authentication credentials (name:password)
--auth-file=AUTH..  HTTP authentication PEM cert/private key file
--ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
--ignore-proxy      Ignore system default proxy settings
--ignore-redirects  Ignore redirection attempts
--ignore-timeouts   Ignore connection timeouts
--proxy=PROXY       Use a proxy to connect to the target URL
--proxy-cred=PRO..  Proxy authentication credentials (name:password)
--proxy-file=PRO..  Load proxy list from a file
--proxy-freq=PRO..  Requests between change of proxy from a given list
--tor               Use Tor anonymity network
--tor-port=TORPORT  Set Tor proxy port other than default
--tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
--check-tor         Check to see if Tor is used properly
--delay=DELAY       Delay in seconds between each HTTP request
--timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
--retries=RETRIES   Retries when the connection timeouts (default 3)
--randomize=RPARAM  Randomly change value for given parameter(s)
--safe-url=SAFEURL  URL address to visit frequently during testing
--safe-post=SAFE..  POST data to send to a safe URL
--safe-req=SAFER..  Load safe HTTP request from a file
--safe-freq=SAFE..  Regular requests between visits to a safe URL
--skip-urlencode    Skip URL encoding of payload data
--csrf-token=CSR..  Parameter used to hold anti-CSRF token
--csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
--csrf-method=CS..  HTTP method to use during anti-CSRF token page visit
--csrf-retries=C..  Retries for anti-CSRF token retrieval (default 0)
--force-ssl         Force usage of SSL/HTTPS
--chunked           Use HTTP chunked transfer encoded (POST) requests
--hpp               Use HTTP parameter pollution method
--eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                    "import hashlib;id2=hashlib.md5(id).hexdigest()")

Optimization:
These options can be used to optimize the performance of sqlmap

-o                  Turn on all optimization switches
--predict-output    Predict common queries output
--keep-alive        Use persistent HTTP(s) connections
--null-connection   Retrieve page length without actual HTTP response body
--threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

Injection:
These options can be used to specify which parameters to test for,
provide custom injection payloads and optional tampering scripts

-p TESTPARAMETER    Testable parameter(s)
--skip=SKIP         Skip testing for given parameter(s)
--skip-static       Skip testing parameters that not appear to be dynamic
--param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
--param-filter=P..  Select testable parameter(s) by place (e.g. "POST")
--dbms=DBMS         Force back-end DBMS to provided value
--dbms-cred=DBMS..  DBMS authentication credentials (user:password)
--os=OS             Force back-end DBMS operating system to provided value
--invalid-bignum    Use big numbers for invalidating values
--invalid-logical   Use logical operations for invalidating values
--invalid-string    Use random strings for invalidating values
--no-cast           Turn off payload casting mechanism
--no-escape         Turn off string escaping mechanism
--prefix=PREFIX     Injection payload prefix string
--suffix=SUFFIX     Injection payload suffix string
--tamper=TAMPER     Use given script(s) for tampering injection data

Detection:
These options can be used to customize the detection phase

--level=LEVEL       Level of tests to perform (1-5, default 1)
--risk=RISK         Risk of tests to perform (1-3, default 1)
--string=STRING     String to match when query is evaluated to True
--not-string=NOT..  String to match when query is evaluated to False
--regexp=REGEXP     Regexp to match when query is evaluated to True
--code=CODE         HTTP code to match when query is evaluated to True
--smart             Perform thorough tests only if positive heuristic(s)
--text-only         Compare pages based only on the textual content
--titles            Compare pages based only on their titles

Techniques:
These options can be used to tweak testing of specific SQL injection
techniques

--technique=TECH..  SQL injection techniques to use (default "BEUSTQ")
--time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
--union-cols=UCOLS  Range of columns to test for UNION query SQL injection
--union-char=UCHAR  Character to use for bruteforcing number of columns
--union-from=UFROM  Table to use in FROM part of UNION query SQL injection
--dns-domain=DNS..  Domain name used for DNS exfiltration attack
--second-url=SEC..  Resulting page URL searched for second-order response
--second-req=SEC..  Load second-order HTTP request from file

Fingerprint:
-f, --fingerprint   Perform an extensive DBMS version fingerprint

Enumeration:
These options can be used to enumerate the back-end database
management system information, structure and data contained in the
tables

-a, --all           Retrieve everything
-b, --banner        Retrieve DBMS banner
--current-user      Retrieve DBMS current user
--current-db        Retrieve DBMS current database
--hostname          Retrieve DBMS server hostname
--is-dba            Detect if the DBMS current user is DBA
--users             Enumerate DBMS users
--passwords         Enumerate DBMS users password hashes
--privileges        Enumerate DBMS users privileges
--roles             Enumerate DBMS users roles
--dbs               Enumerate DBMS databases
--tables            Enumerate DBMS database tables
--columns           Enumerate DBMS database table columns
--schema            Enumerate DBMS schema
--count             Retrieve number of entries for table(s)
--dump              Dump DBMS database table entries
--dump-all          Dump all DBMS databases tables entries
--search            Search column(s), table(s) and/or database name(s)
--comments          Check for DBMS comments during enumeration
--statements        Retrieve SQL statements being run on DBMS
-D DB               DBMS database to enumerate
-T TBL              DBMS database table(s) to enumerate
-C COL              DBMS database table column(s) to enumerate
-X EXCLUDE          DBMS database identifier(s) to not enumerate
-U USER             DBMS user to enumerate
--exclude-sysdbs    Exclude DBMS system databases when enumerating tables
--pivot-column=P..  Pivot column name
--where=DUMPWHERE   Use WHERE condition while table dumping
--start=LIMITSTART  First dump table entry to retrieve
--stop=LIMITSTOP    Last dump table entry to retrieve
--first=FIRSTCHAR   First query output word character to retrieve
--last=LASTCHAR     Last query output word character to retrieve
--sql-query=SQLQ..  SQL statement to be executed
--sql-shell         Prompt for an interactive SQL shell
--sql-file=SQLFILE  Execute SQL statements from given file(s)

Brute force:
These options can be used to run brute force checks

--common-tables     Check existence of common tables
--common-columns    Check existence of common columns
--common-files      Check existence of common files

User-defined function injection:
These options can be used to create custom user-defined functions

--udf-inject        Inject custom user-defined functions
--shared-lib=SHLIB  Local path of the shared library

File system access:
These options can be used to access the back-end database management
system underlying file system

--file-read=FILE..  Read a file from the back-end DBMS file system
--file-write=FIL..  Write a local file on the back-end DBMS file system
--file-dest=FILE..  Back-end DBMS absolute filepath to write to

Operating system access:
These options can be used to access the back-end database management
system underlying operating system

--os-cmd=OSCMD      Execute an operating system command
--os-shell          Prompt for an interactive operating system shell
--os-pwn            Prompt for an OOB shell, Meterpreter or VNC
--os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
--os-bof            Stored procedure buffer overflow exploitation
--priv-esc          Database process user privilege escalation
--msf-path=MSFPATH  Local path where Metasploit Framework is installed
--tmp-path=TMPPATH  Remote absolute path of temporary files directory

Windows registry access:
These options can be used to access the back-end database management
system Windows registry

--reg-read          Read a Windows registry key value
--reg-add           Write a Windows registry key value data
--reg-del           Delete a Windows registry key value
--reg-key=REGKEY    Windows registry key
--reg-value=REGVAL  Windows registry key value
--reg-data=REGDATA  Windows registry key value data
--reg-type=REGTYPE  Windows registry key value type

General:
These options can be used to set some general working parameters

-s SESSIONFILE      Load session from a stored (.sqlite) file
-t TRAFFICFILE      Log all HTTP traffic into a textual file
--answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
--base64=BASE64P..  Parameter(s) containing Base64 encoded data
--base64-safe       Use URL and filename safe Base64 alphabet (RFC 4648)
--batch             Never ask for user input, use the default behavior
--binary-fields=..  Result fields having binary values (e.g. "digest")
--check-internet    Check Internet connection before assessing the target
--cleanup           Clean up the DBMS from sqlmap specific UDF and tables
--crawl=CRAWLDEPTH  Crawl the website starting from the target URL
--crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
--csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
--charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
--dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
--encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
--eta               Display for each output the estimated time of arrival
--flush-session     Flush session files for current target
--forms             Parse and test forms on target URL
--fresh-queries     Ignore query results stored in session file
--gpage=GOOGLEPAGE  Use Google dork results from specified page number
--har=HARFILE       Log all HTTP traffic into a HAR file
--hex               Use hex conversion during data retrieval
--output-dir=OUT..  Custom output directory path
--parse-errors      Parse and display DBMS error messages from responses
--preprocess=PRE..  Use given script(s) for preprocessing (request)
--postprocess=PO..  Use given script(s) for postprocessing (response)
--repair            Redump entries having unknown character marker (?)
--save=SAVECONFIG   Save options to a configuration INI file
--scope=SCOPE       Regexp for filtering targets
--skip-heuristics   Skip heuristic detection of SQLi/XSS vulnerabilities
--skip-waf          Skip heuristic detection of WAF/IPS protection
--table-prefix=T..  Prefix used for temporary tables (default: "sqlmap")
--test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
--test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
--web-root=WEBROOT  Web server document root directory (e.g. "/var/www")

Miscellaneous:
These options do not fit into any other category

-z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
--alert=ALERT       Run host OS command(s) when SQL injection is found
--beep              Beep on question and/or when SQLi/XSS/FI is found
--dependencies      Check for missing (optional) sqlmap dependencies
--disable-coloring  Disable console output coloring
--list-tampers      Display list of available tamper scripts
--offline           Work in offline mode (only use session data)
--purge             Safely remove all content from sqlmap data directory
--results-file=R..  Location of CSV results file in multiple targets mode
--sqlmap-shell      Prompt for an interactive sqlmap shell
--tmp-dir=TMPDIR    Local directory for storing temporary files
--unstable          Adjust options for unstable connections
--update            Update sqlmap
--wizard            Simple wizard interface for beginner users

Common commands

sqlmap -u url --dbs                                         // enumerate databases
sqlmap -u url --current-db                                  // show the current database
sqlmap -u url --privileges                                  // enumerate user privileges
sqlmap -u url --tables -D <database>                        // enumerate tables
sqlmap -u url --columns -T <table> -D <database>            // enumerate columns
sqlmap -u url --dump -C <column> -T <table> -D <database>   // dump the selected entries
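As an added, defender-side example (not from the page or the sqlmap project): a Python script that scans web access log lines for two signals the Request and Detection options above control: the default `sqlmap/<version>` User-Agent, which `-A`, `--random-agent` or `--mobile` replace, and the burst of distinct values for one parameter that the detection phase produces regardless of the User-Agent. The combined log format, the exact User-Agent string and the sample lines are assumptions constructed here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample log (not real traffic). 10.0.0.5 keeps the default
# User-Agent; 10.0.0.7 hides it but still probes one parameter repeatedly.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.8 (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.php?id=1%27 HTTP/1.1" 500 201 "-" "sqlmap/1.8 (https://sqlmap.org)"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /vuln.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:10:01:01 +0000] "GET /vuln.php?id=1%27 HTTP/1.1" 500 201 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:10:01:02 +0000] "GET /vuln.php?id=1%22 HTTP/1.1" 500 201 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:10:01:03 +0000] "GET /vuln.php?id=1%29 HTTP/1.1" 500 201 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.7 - - [01/Jan/2024:10:01:04 +0000] "GET /vuln.php?id=1%20AND%207%3D7 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /vuln.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_sqlmap_activity(log_text, min_variants=4):
    """Return {client_ip: set(reasons)} for clients that look like sqlmap."""
    findings = defaultdict(set)
    variants = defaultdict(set)  # (ip, path, param) -> distinct decoded values
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip = rec["ip"]
        # Signal 1: the default User-Agent (assumed form "sqlmap/<version> (...)").
        if rec["ua"].lower().startswith("sqlmap/"):
            findings[ip].add("default sqlmap User-Agent")
        # Signal 2: collect every value seen per parameter on each path.
        url = urlsplit(rec["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            variants[(ip, url.path, name)].add(value)
    # Many distinct values of one parameter from one client is the detection
    # phase at work; --random-agent does not change this pattern.
    for (ip, path, name), vals in variants.items():
        if len(vals) >= min_variants:
            findings[ip].add(f"{len(vals)} variants of {name} on {path}")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in sorted(find_sqlmap_activity(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(sorted(reasons)))
```

Tune `min_variants` to the site: a search box legitimately sees many values from one client, while an `id`-style parameter normally does not.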