def version(token=None):
"""
Fetch server version
"""
logger.debug("Fetched version (%s)" % ("admin" if is_admin(token) else request.remote_addr))
return jsonize({"success": True, "version": VERSION_STRING.split('/')[-1]})
def unhandledExceptionMessage():
"""
Returns detailed message about occurred unhandled exception
"""
errMsg = "unhandled exception occurred in %s. It is recommended to retry your " % VERSION_STRING
errMsg += "run with the latest development version from official Gitlab "
errMsg += "repository at '%s'. If the exception persists, please open a new issue " % GIT_PAGE
errMsg += "at '%s' " % ISSUES_PAGE
errMsg += "with the following text and any other information required to "
errMsg += "reproduce the bug. The "
errMsg += "developers will try to reproduce the bug, fix it accordingly "
errMsg += "and get back to you\n"
errMsg += "zeroscan version: %s\n" % VERSION_STRING[VERSION_STRING.find('/') + 1:]
errMsg += "Python version: %s\n" % PYVERSION
errMsg += "Operating system: %s\n" % PLATFORM
return errMsg
def cmdLineParser():
"""
This function parses the command line parameters and arguments
"""
checkSystemEncoding()
_ = os.path.normpath(sys.argv[0])
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh", dest="advancedHelp",
action="store_true",
help="Show advanced help message and exit")
parser.add_option("--version", dest="showVersion",
action="store_true",
help="Show program's version number and exit")
parser.add_option("-v", dest="verbose", type="int",
help="Verbosity level: 0-6 (default %d)" % defaults.verbose)
# Target options
target = OptionGroup(parser, "Target", "At least one of these "
"options has to be provided to define the target(s)")
target.add_option("-d", dest="direct", help="Connection string "
"for direct database connection")
target.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_option("-l", dest="logFile", help="Parse target(s) from Burp "
"or WebScarab proxy log file")
target.add_option("-x", dest="sitemapUrl", help="Parse target(s) from remote sitemap(.xml) file")
target.add_option("-m", dest="bulkFile", help="Scan multiple targets given "
"in a textual file ")
target.add_option("-r", dest="requestFile",
help="Load HTTP request from a file")
target.add_option("-g", dest="googleDork",
help="Process Google dork results as target URLs")
target.add_option("-c", dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(parser, "Request", "These options can be used "
"to specify how to connect to the target URL")
request.add_option("--data", dest="data",
help="Data string to be sent through POST")
request.add_option("--param-del", dest="paramDel",
help="Character used for splitting parameter values")
request.add_option("--cookie", dest="cookie",
help="HTTP Cookie header value")
request.add_option("--cookie-del", dest="cookieDel",
help="Character used for splitting cookie values")
request.add_option("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie", dest="dropSetCookie",
action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent", dest="agent",
help="HTTP User-Agent header value")
request.add_option("--random-agent", dest="randomAgent",
action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host", dest="host",
help="HTTP Host header value")
request.add_option("--referer", dest="referer",
help="HTTP Referer header value")
request.add_option("--headers", dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type", dest="authType",
help="HTTP authentication type "
"(Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred", dest="authCred",
help="HTTP authentication credentials "
"(name:password)")
request.add_option("--auth-private", dest="authPrivate",
help="HTTP authentication PEM private key file")
request.add_option("--ignore-401", dest="ignore401", action="store_true",
help="Ignore HTTP Error 401 (Unauthorized)")
request.add_option("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials "
"(name:password)")
request.add_option("--proxy-file", dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings")
request.add_option("--tor", dest="tor",
action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port", dest="torPort",
help="Set Tor proxy port other than default")
request.add_option("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)")
request.add_option("--check-tor", dest="checkTor",
action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay", dest="delay", type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout", dest="timeout", type="float",
help="Seconds to wait before timeout connection "
"(default %d)" % defaults.timeout)
request.add_option("--retries", dest="retries", type="int",
help="Retries when the connection timeouts "
"(default %d)" % defaults.retries)
request.add_option("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_option("--safe-url", dest="safUrl",
help="URL address to visit frequently during testing")
request.add_option("--safe-freq", dest="saFreq", type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode", dest="skipUrlEncode",
action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--force-ssl", dest="forceSSL",
action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp", dest="hpp",
action="store_true",
help="Use HTTP parameter pollution method")
request.add_option("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options
optimization = OptionGroup(parser, "Optimization", "These "
"options can be used to optimize the "
"performance of sqlmap")
optimization.add_option("-o", dest="optimize",
action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output")
optimization.add_option("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_option("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads", dest="threads", type="int",
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(parser, "Injection", "These options can be "
"used to specify which parameters to test "
"for, provide custom injection payloads and "
"optional tampering scripts")
injection.add_option("-p", dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--skip", dest="skip",
help="Skip testing for given parameter(s)")
injection.add_option("--dbms", dest="dbms",
help="Force back-end DBMS to this value")
injection.add_option("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_option("--os", dest="os",
help="Force back-end DBMS operating system "
"to this value")
injection.add_option("--invalid-bignum", dest="invalidBignum",
action="store_true",
help="Use big numbers for invalidating values")
injection.add_option("--invalid-logical", dest="invalidLogical",
action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string", dest="invalidString",
action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast", dest="noCast",
action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape", dest="noEscape",
action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix", dest="prefix",
help="Injection payload prefix string")
injection.add_option("--suffix", dest="suffix",
help="Injection payload suffix string")
injection.add_option("--tamper", dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(parser, "Detection", "These options can be "
"used to customize the detection phase")
detection.add_option("--level", dest="level", type="int",
help="Level of tests to perform (1-5, "
"default %d)" % defaults.level)
detection.add_option("--risk", dest="risk", type="int",
help="Risk of tests to perform (0-3, "
"default %d)" % defaults.level)
detection.add_option("--string", dest="string",
help="String to match when "
"query is evaluated to True")
detection.add_option("--not-string", dest="notString",
help="String to match when "
"query is evaluated to False")
detection.add_option("--regexp", dest="regexp",
help="Regexp to match when "
"query is evaluated to True")
detection.add_option("--code", dest="code", type="int",
help="HTTP code to match when "
"query is evaluated to True")
detection.add_option("--text-only", dest="textOnly",
action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles", dest="titles",
action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(parser, "Techniques", "These options can be "
"used to tweak testing of specific SQL "
"injection techniques")
techniques.add_option("--technique", dest="tech",
help="SQL injection techniques to use "
"(default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec", dest="timeSec",
type="int",
help="Seconds to delay the DBMS response "
"(default %d)" % defaults.timeSec)
techniques.add_option("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_option("--union-char", dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_option("--union-from", dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_option("--dns-domain", dest="dnsName",
help="Domain name used for DNS exfiltration attack")
techniques.add_option("--second-order", dest="secondOrder",
help="Resulting page URL searched for second-order "
"response")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp",
action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(parser, "Enumeration", "These options can "
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
"you can run your own SQL statements")
enumeration.add_option("-a", "--all", dest="getAll",
action="store_true", help="Retrieve everything")
enumeration.add_option("-b", "--banner", dest="getBanner",
action="store_true", help="Retrieve DBMS banner")
enumeration.add_option("--current-user", dest="getCurrentUser",
action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db", dest="getCurrentDb",
action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname", dest="getHostname",
action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba", dest="isDba",
action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords", dest="getPasswordHashes",
action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges", dest="getPrivileges",
action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles", dest="getRoles",
action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs", dest="getDbs", action="store_true",
help="Enumerate DBMS databases")
enumeration.add_option("--tables", dest="getTables", action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_option("--columns", dest="getColumns", action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_option("--schema", dest="getSchema", action="store_true",
help="Enumerate DBMS schema")
enumeration.add_option("--count", dest="getCount", action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_option("--dump", dest="dumpTable", action="store_true",
help="Dump DBMS database table entries")
enumeration.add_option("--dump-all", dest="dumpAll", action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_option("--search", dest="search", action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_option("--comments", dest="getComments", action="store_true",
help="Retrieve DBMS comments")
enumeration.add_option("-D", dest="db",
help="DBMS database to enumerate")
enumeration.add_option("-T", dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_option("-C", dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_option("-X", dest="excludeCol",
help="DBMS database table column(s) to not enumerate")
enumeration.add_option("-U", dest="user",
help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs",
action="store_true",
help="Exclude DBMS system databases when "
"enumerating tables")
enumeration.add_option("--where", dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start", dest="limitStart", type="int",
help="First query output entry to retrieve")
enumeration.add_option("--stop", dest="limitStop", type="int",
help="Last query output entry to retrieve")
enumeration.add_option("--first", dest="firstChar", type="int",
help="First query output word character to retrieve")
enumeration.add_option("--last", dest="lastChar", type="int",
help="Last query output word character to retrieve")
enumeration.add_option("--sql-query", dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell", dest="sqlShell",
action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)")
# User-defined function options
brute = OptionGroup(parser, "Brute force", "These "
"options can be used to run brute force "
"checks")
brute.add_option("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables")
brute.add_option("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(parser, "User-defined function injection", "These "
"options can be used to create custom user-defined "
"functions")
udf.add_option("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions")
udf.add_option("--shared-lib", dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(parser, "File system access", "These options "
"can be used to access the back-end database "
"management system underlying file system")
filesystem.add_option("--file-read", dest="rFile",
help="Read a file from the back-end DBMS "
"file system")
filesystem.add_option("--file-write", dest="wFile",
help="Write a local file on the back-end "
"DBMS file system")
filesystem.add_option("--file-dest", dest="dFile",
help="Back-end DBMS absolute filepath to "
"write to")
# Takeover options
takeover = OptionGroup(parser, "Operating system access", "These "
"options can be used to access the back-end "
"database management system underlying "
"operating system")
takeover.add_option("--os-cmd", dest="osCmd",
help="Execute an operating system command")
takeover.add_option("--os-shell", dest="osShell",
action="store_true",
help="Prompt for an interactive operating "
"system shell")
takeover.add_option("--os-pwn", dest="osPwn",
action="store_true",
help="Prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-smbrelay", dest="osSmb",
action="store_true",
help="One click prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-bof", dest="osBof",
action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc", dest="privEsc",
action="store_true",
help="Database process user privilege escalation")
takeover.add_option("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework "
"is installed")
takeover.add_option("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files "
"directory")
# Windows registry options
windows = OptionGroup(parser, "Windows registry access", "These "
"options can be used to access the back-end "
"database management system Windows "
"registry")
windows.add_option("--reg-read", dest="regRead",
action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add", dest="regAdd",
action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del", dest="regDel",
action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key", dest="regKey",
help="Windows registry key")
windows.add_option("--reg-value", dest="regVal",
help="Windows registry key value")
windows.add_option("--reg-data", dest="regData",
help="Windows registry key value data")
windows.add_option("--reg-type", dest="regType",
help="Windows registry key value type")
# General options
general = OptionGroup(parser, "General", "These options can be used "
"to set some general working parameters")
#general.add_option("-x", dest="xmlFile",
# help="Dump the data into an XML file")
general.add_option("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_option("-t", dest="trafficFile",
help="Log all HTTP traffic into a "
"textual file")
general.add_option("--batch", dest="batch",
action="store_true",
help="Never ask for user input, use the default behaviour")
general.add_option("--charset", dest="charset",
help="Force character encoding used for data retrieval")
general.add_option("--crawl", dest="crawlDepth", type="int",
help="Crawl the website starting from the target URL")
general.add_option("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output "
"(default \"%s\")" % defaults.csvDel)
general.add_option("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option("--eta", dest="eta",
action="store_true",
help="Display for each output the "
"estimated time of arrival")
general.add_option("--flush-session", dest="flushSession",
action="store_true",
help="Flush session files for current target")
general.add_option("--forms", dest="forms",
action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries", dest="freshQueries",
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--hex", dest="hexConvert",
action="store_true",
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--output-dir", dest="outputDir",
action="store",
help="Custom output directory path")
general.add_option("--parse-errors", dest="parseErrors",
action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--pivot-column", dest="pivotColumn",
help="Pivot column name")
general.add_option("--save", dest="saveCmdline",
action="store_true",
help="Save options to a configuration INI file")
general.add_option("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_option("--test-filter", dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_option("--update", dest="updateAll",
action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option("--answers", dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option("--beep", dest="beep", action="store_true",
help="Make a beep sound when SQL injection is found")
miscellaneous.add_option("--check-waf", dest="checkWaf",
action="store_true",
help="Heuristically check for WAF/IPS/IDS protection")
miscellaneous.add_option("--cleanup", dest="cleanup",
action="store_true",
help="Clean up the DBMS from sqlmap specific "
"UDF and tables")
miscellaneous.add_option("--dependencies", dest="dependencies",
action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring", dest="disableColoring",
action="store_true",
help="Disable console output coloring")
miscellaneous.add_option("--gpage", dest="googlePage", type="int",
help="Use Google dork results from specified page number")
miscellaneous.add_option("--identify-waf", dest="identifyWaf",
action="store_true",
help="Make a through testing for a WAF/IPS/IDS protection")
miscellaneous.add_option("--mobile", dest="mobile",
action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option("--page-rank", dest="pageRank",
action="store_true",
help="Display page rank (PR) for Google dork results")
miscellaneous.add_option("--purge-output", dest="purgeOutput",
action="store_true",
help="Safely remove all content from output directory")
miscellaneous.add_option("--smart", dest="smart",
action="store_true",
help="Conduct through tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option("--wizard", dest="wizard",
action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy", dest="dummy", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--pickled-options", dest="pickledOptions",
help=SUPPRESS_HELP)
parser.add_option("--profile", dest="profile", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--binary-fields", dest="binaryFields",
help=SUPPRESS_HELP)
parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int",
help=SUPPRESS_HELP)
parser.add_option("--force-dns", dest="forceDns", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test", dest="smokeTest", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test", dest="liveTest", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail", dest="stopFail", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack to display longer options without breaking into two lines
def _(self, *args):
_ = parser.formatter._format_option_strings(*args)
if len(_) > MAX_HELP_OPTION_LENGTH:
_ = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % _
return _
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option -hh
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch -h
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help", "basic help")
argv = []
prompt = False
advancedHelp = True
for arg in sys.argv:
argv.append(getUnicode(arg, system=True))
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
print "[i] history cleared"
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
print "[!] invalid option(s) provided"
print "[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'"
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
for arg in shlex.split(command):
argv.append(getUnicode(arg, system=True))
# Hide non-basic options in basic help case
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] == "-h":
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
try:
(args, _) = parser.parse_args(argv)
except SystemExit:
if "-h" in argv and not advancedHelp:
print "\n[!] to see full list of options run with '-hh'"
raise
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
for i in xrange(len(argv) - 1):
if argv[i] == "-z":
expandMnemonics(argv[i + 1], parser, args)
if args.dummy:
args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.purgeOutput, args.pickledOptions, args.sitemapUrl)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help"
parser.error(errMsg)
return args
except (OptionError, TypeError), e:
parser.error(e)
def cmdLineParser(argv=None):
"""
This function parses the command line parameters and arguments
"""
if not argv:
argv = sys.argv
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("%s " % os.path.basename(sys.executable) if not IS_WIN else "", "\"%s\"" % _ if " " in _ else _)
parser = ArgumentParser(usage=usage)
try:
parser.add_argument("--hh", dest="advancedHelp", action="store_true",
help="Show advanced help message and exit")
parser.add_argument("--version", dest="showVersion", action="store_true",
help="Show program's version number and exit")
parser.add_argument("-v", dest="verbose", type=int,
help="Verbosity level: 0-6 (default %d)" % defaults.verbose)
# Target options
target = parser.add_argument_group("Target", "At least one of these options has to be provided to define the target(s)")
target.add_argument("-d", dest="direct",
help="Connection string for direct database connection")
target.add_argument("-u", "--url", dest="url",
help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_argument("-l", dest="logFile",
help="Parse target(s) from Burp or WebScarab proxy log file")
target.add_argument("-m", dest="bulkFile",
help="Scan multiple targets given in a textual file ")
target.add_argument("-r", dest="requestFile",
help="Load HTTP request from a file")
target.add_argument("-g", dest="googleDork",
help="Process Google dork results as target URLs")
target.add_argument("-c", dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = parser.add_argument_group("Request", "These options can be used to specify how to connect to the target URL")
request.add_argument("-A", "--user-agent", dest="agent",
help="HTTP User-Agent header value")
request.add_argument("-H", "--header", dest="header",
help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
request.add_argument("--method", dest="method",
help="Force usage of given HTTP method (e.g. PUT)")
request.add_argument("--data", dest="data",
help="Data string to be sent through POST (e.g. \"id=1\")")
request.add_argument("--param-del", dest="paramDel",
help="Character used for splitting parameter values (e.g. &)")
request.add_argument("--cookie", dest="cookie",
help="HTTP Cookie header value (e.g. \"PHPSESSID=a8d127e..\")")
request.add_argument("--cookie-del", dest="cookieDel",
help="Character used for splitting cookie values (e.g. ;)")
request.add_argument("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_argument("--drop-set-cookie", dest="dropSetCookie", action="store_true",
help="Ignore Set-Cookie header from response")
request.add_argument("--mobile", dest="mobile", action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
request.add_argument("--random-agent", dest="randomAgent", action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_argument("--host", dest="host",
help="HTTP Host header value")
request.add_argument("--referer", dest="referer",
help="HTTP Referer header value")
request.add_argument("--headers", dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_argument("--auth-type", dest="authType",
help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
request.add_argument("--auth-cred", dest="authCred",
help="HTTP authentication credentials (name:password)")
request.add_argument("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_argument("--ignore-code", dest="ignoreCode",
help="Ignore (problematic) HTTP error code (e.g. 401)")
request.add_argument("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings")
request.add_argument("--ignore-redirects", dest="ignoreRedirects", action="store_true",
help="Ignore redirection attempts")
request.add_argument("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
help="Ignore connection timeouts")
request.add_argument("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_argument("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials (name:password)")
request.add_argument("--proxy-file", dest="proxyFile",
help="Load proxy list from a file")
request.add_argument("--tor", dest="tor", action="store_true",
help="Use Tor anonymity network")
request.add_argument("--tor-port", dest="torPort",
help="Set Tor proxy port other than default")
request.add_argument("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_argument("--check-tor", dest="checkTor", action="store_true",
help="Check to see if Tor is used properly")
request.add_argument("--delay", dest="delay", type=float,
help="Delay in seconds between each HTTP request")
request.add_argument("--timeout", dest="timeout", type=float,
help="Seconds to wait before timeout connection (default %d)" % defaults.timeout)
request.add_argument("--retries", dest="retries", type=int,
help="Retries when the connection timeouts (default %d)" % defaults.retries)
request.add_argument("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_argument("--safe-url", dest="safeUrl",
help="URL address to visit frequently during testing")
request.add_argument("--safe-post", dest="safePost",
help="POST data to send to a safe URL")
request.add_argument("--safe-req", dest="safeReqFile",
help="Load safe HTTP request from a file")
request.add_argument("--safe-freq", dest="safeFreq", type=int,
help="Test requests between two visits to a given safe URL")
request.add_argument("--skip-urlencode", dest="skipUrlEncode", action="store_true",
help="Skip URL encoding of payload data")
request.add_argument("--csrf-token", dest="csrfToken",
help="Parameter used to hold anti-CSRF token")
request.add_argument("--csrf-url", dest="csrfUrl",
help="URL address to visit for extraction of anti-CSRF token")
request.add_argument("--csrf-method", dest="csrfMethod",
help="HTTP method to use during anti-CSRF token page visit")
request.add_argument("--force-ssl", dest="forceSSL", action="store_true",
help="Force usage of SSL/HTTPS")
request.add_argument("--chunked", dest="chunked", action="store_true",
help="Use HTTP chunked transfer encoded (POST) requests")
request.add_argument("--hpp", dest="hpp", action="store_true",
help="Use HTTP parameter pollution method")
request.add_argument("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options
optimization = parser.add_argument_group("Optimization", "These options can be used to optimize the performance of sqlmap")
optimization.add_argument("-o", dest="optimize", action="store_true",
help="Turn on all optimization switches")
optimization.add_argument("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output")
optimization.add_argument("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_argument("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_argument("--threads", dest="threads", type=int,
help="Max number of concurrent HTTP(s) requests (default %d)" % defaults.threads)
# Injection options
injection = parser.add_argument_group("Injection", "These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts")
injection.add_argument("-p", dest="testParameter",
help="Testable parameter(s)")
injection.add_argument("--skip", dest="skip",
help="Skip testing for given parameter(s)")
injection.add_argument("--skip-static", dest="skipStatic", action="store_true",
help="Skip testing parameters that not appear to be dynamic")
injection.add_argument("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_argument("--param-filter", dest="paramFilter",
help="Select testable parameter(s) by place (e.g. \"POST\")")
injection.add_argument("--dbms", dest="dbms",
help="Force back-end DBMS to provided value")
injection.add_argument("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_argument("--os", dest="os",
help="Force back-end DBMS operating system to provided value")
injection.add_argument("--invalid-bignum", dest="invalidBignum", action="store_true",
help="Use big numbers for invalidating values")
injection.add_argument("--invalid-logical", dest="invalidLogical", action="store_true",
help="Use logical operations for invalidating values")
injection.add_argument("--invalid-string", dest="invalidString", action="store_true",
help="Use random strings for invalidating values")
injection.add_argument("--no-cast", dest="noCast", action="store_true",
help="Turn off payload casting mechanism")
injection.add_argument("--no-escape", dest="noEscape", action="store_true",
help="Turn off string escaping mechanism")
injection.add_argument("--prefix", dest="prefix",
help="Injection payload prefix string")
injection.add_argument("--suffix", dest="suffix",
help="Injection payload suffix string")
injection.add_argument("--tamper", dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = parser.add_argument_group("Detection", "These options can be used to customize the detection phase")
detection.add_argument("--level", dest="level", type=int,
help="Level of tests to perform (1-5, default %d)" % defaults.level)
detection.add_argument("--risk", dest="risk", type=int,
help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
detection.add_argument("--string", dest="string",
help="String to match when query is evaluated to True")
detection.add_argument("--not-string", dest="notString",
help="String to match when query is evaluated to False")
detection.add_argument("--regexp", dest="regexp",
help="Regexp to match when query is evaluated to True")
detection.add_argument("--code", dest="code", type=int,
help="HTTP code to match when query is evaluated to True")
detection.add_argument("--smart", dest="smart", action="store_true",
help="Perform thorough tests only if positive heuristic(s)")
detection.add_argument("--text-only", dest="textOnly", action="store_true",
help="Compare pages based only on the textual content")
detection.add_argument("--titles", dest="titles", action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = parser.add_argument_group("Techniques", "These options can be used to tweak testing of specific SQL injection techniques")
techniques.add_argument("--technique", dest="technique",
help="SQL injection techniques to use (default \"%s\")" % defaults.technique)
techniques.add_argument("--time-sec", dest="timeSec", type=int,
help="Seconds to delay the DBMS response (default %d)" % defaults.timeSec)
techniques.add_argument("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_argument("--union-char", dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_argument("--union-from", dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_argument("--dns-domain", dest="dnsDomain",
help="Domain name used for DNS exfiltration attack")
techniques.add_argument("--second-url", dest="secondUrl",
help="Resulting page URL searched for second-order response")
techniques.add_argument("--second-req", dest="secondReq",
help="Load second-order HTTP request from file")
# Fingerprint options
fingerprint = parser.add_argument_group("Fingerprint")
fingerprint.add_argument("-f", "--fingerprint", dest="extensiveFp", action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = parser.add_argument_group("Enumeration", "These options can be used to enumerate the back-end database management system information, structure and data contained in the tables")
enumeration.add_argument("-a", "--all", dest="getAll", action="store_true",
help="Retrieve everything")
enumeration.add_argument("-b", "--banner", dest="getBanner", action="store_true",
help="Retrieve DBMS banner")
enumeration.add_argument("--current-user", dest="getCurrentUser", action="store_true",
help="Retrieve DBMS current user")
enumeration.add_argument("--current-db", dest="getCurrentDb", action="store_true",
help="Retrieve DBMS current database")
enumeration.add_argument("--hostname", dest="getHostname", action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_argument("--is-dba", dest="isDba", action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_argument("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users")
enumeration.add_argument("--passwords", dest="getPasswordHashes", action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_argument("--privileges", dest="getPrivileges", action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_argument("--roles", dest="getRoles", action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_argument("--dbs", dest="getDbs", action="store_true",
help="Enumerate DBMS databases")
enumeration.add_argument("--tables", dest="getTables", action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_argument("--columns", dest="getColumns", action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_argument("--schema", dest="getSchema", action="store_true",
help="Enumerate DBMS schema")
enumeration.add_argument("--count", dest="getCount", action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_argument("--dump", dest="dumpTable", action="store_true",
help="Dump DBMS database table entries")
enumeration.add_argument("--dump-all", dest="dumpAll", action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_argument("--search", dest="search", action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_argument("--comments", dest="getComments", action="store_true",
help="Check for DBMS comments during enumeration")
enumeration.add_argument("--statements", dest="getStatements", action="store_true",
help="Retrieve SQL statements being run on DBMS")
enumeration.add_argument("-D", dest="db",
help="DBMS database to enumerate")
enumeration.add_argument("-T", dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_argument("-C", dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_argument("-X", dest="exclude",
help="DBMS database identifier(s) to not enumerate")
enumeration.add_argument("-U", dest="user",
help="DBMS user to enumerate")
enumeration.add_argument("--exclude-sysdbs", dest="excludeSysDbs", action="store_true",
help="Exclude DBMS system databases when enumerating tables")
enumeration.add_argument("--pivot-column", dest="pivotColumn",
help="Pivot column name")
enumeration.add_argument("--where", dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_argument("--start", dest="limitStart", type=int,
help="First dump table entry to retrieve")
enumeration.add_argument("--stop", dest="limitStop", type=int,
help="Last dump table entry to retrieve")
enumeration.add_argument("--first", dest="firstChar", type=int,
help="First query output word character to retrieve")
enumeration.add_argument("--last", dest="lastChar", type=int,
help="Last query output word character to retrieve")
enumeration.add_argument("--sql-query", dest="sqlQuery",
help="SQL statement to be executed")
enumeration.add_argument("--sql-shell", dest="sqlShell", action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_argument("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = parser.add_argument_group("Brute force", "These options can be used to run brute force checks")
brute.add_argument("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables")
brute.add_argument("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns")
brute.add_argument("--common-files", dest="commonFiles", action="store_true",
help="Check existence of common files")
# User-defined function options
udf = parser.add_argument_group("User-defined function injection", "These options can be used to create custom user-defined functions")
udf.add_argument("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions")
udf.add_argument("--shared-lib", dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = parser.add_argument_group("File system access", "These options can be used to access the back-end database management system underlying file system")
filesystem.add_argument("--file-read", dest="fileRead",
help="Read a file from the back-end DBMS file system")
filesystem.add_argument("--file-write", dest="fileWrite",
help="Write a local file on the back-end DBMS file system")
filesystem.add_argument("--file-dest", dest="fileDest",
help="Back-end DBMS absolute filepath to write to")
# Takeover options
takeover = parser.add_argument_group("Operating system access", "These options can be used to access the back-end database management system underlying operating system")
takeover.add_argument("--os-cmd", dest="osCmd",
help="Execute an operating system command")
takeover.add_argument("--os-shell", dest="osShell", action="store_true",
help="Prompt for an interactive operating system shell")
takeover.add_argument("--os-pwn", dest="osPwn", action="store_true",
help="Prompt for an OOB shell, Meterpreter or VNC")
takeover.add_argument("--os-smbrelay", dest="osSmb", action="store_true",
help="One click prompt for an OOB shell, Meterpreter or VNC")
takeover.add_argument("--os-bof", dest="osBof", action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_argument("--priv-esc", dest="privEsc", action="store_true",
help="Database process user privilege escalation")
takeover.add_argument("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework is installed")
takeover.add_argument("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files directory")
# Windows registry options
windows = parser.add_argument_group("Windows registry access", "These options can be used to access the back-end database management system Windows registry")
windows.add_argument("--reg-read", dest="regRead", action="store_true",
help="Read a Windows registry key value")
windows.add_argument("--reg-add", dest="regAdd", action="store_true",
help="Write a Windows registry key value data")
windows.add_argument("--reg-del", dest="regDel", action="store_true",
help="Delete a Windows registry key value")
windows.add_argument("--reg-key", dest="regKey",
help="Windows registry key")
windows.add_argument("--reg-value", dest="regVal",
help="Windows registry key value")
windows.add_argument("--reg-data", dest="regData",
help="Windows registry key value data")
windows.add_argument("--reg-type", dest="regType",
help="Windows registry key value type")
# General options
general = parser.add_argument_group("General", "These options can be used to set some general working parameters")
general.add_argument("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_argument("-t", dest="trafficFile",
help="Log all HTTP traffic into a textual file")
general.add_argument("--answers", dest="answers",
help="Set predefined answers (e.g. \"quit=N,follow=N\")")
general.add_argument("--batch", dest="batch", action="store_true",
help="Never ask for user input, use the default behavior")
general.add_argument("--binary-fields", dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
general.add_argument("--check-internet", dest="checkInternet", action="store_true",
help="Check Internet connection before assessing the target")
general.add_argument("--cleanup", dest="cleanup", action="store_true",
help="Clean up the DBMS from sqlmap specific UDF and tables")
general.add_argument("--crawl", dest="crawlDepth", type=int,
help="Crawl the website starting from the target URL")
general.add_argument("--crawl-exclude", dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_argument("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output (default \"%s\")" % defaults.csvDel)
general.add_argument("--charset", dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_argument("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_argument("--encoding", dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)")
general.add_argument("--eta", dest="eta", action="store_true",
help="Display for each output the estimated time of arrival")
general.add_argument("--flush-session", dest="flushSession", action="store_true",
help="Flush session files for current target")
general.add_argument("--forms", dest="forms", action="store_true",
help="Parse and test forms on target URL")
general.add_argument("--fresh-queries", dest="freshQueries", action="store_true",
help="Ignore query results stored in session file")
general.add_argument("--gpage", dest="googlePage", type=int,
help="Use Google dork results from specified page number")
general.add_argument("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_argument("--hex", dest="hexConvert", action="store_true",
help="Use hex conversion during data retrieval")
general.add_argument("--output-dir", dest="outputDir", action="store",
help="Custom output directory path")
general.add_argument("--parse-errors", dest="parseErrors", action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_argument("--preprocess", dest="preprocess",
help="Use given script(s) for preprocessing of response data")
general.add_argument("--repair", dest="repair", action="store_true",
help="Redump entries having unknown character marker (%s)" % INFERENCE_UNKNOWN_CHAR)
general.add_argument("--save", dest="saveConfig",
help="Save options to a configuration INI file")
general.add_argument("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_argument("--skip-waf", dest="skipWaf", action="store_true",
help="Skip heuristic detection of WAF/IPS protection")
general.add_argument("--table-prefix", dest="tablePrefix",
help="Prefix used for temporary tables (default: \"%s\")" % defaults.tablePrefix)
general.add_argument("--test-filter", dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_argument("--test-skip", dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_argument("--web-root", dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
# Miscellaneous options
miscellaneous = parser.add_argument_group("Miscellaneous", "These options do not fit into any other category")
miscellaneous.add_argument("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_argument("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_argument("--beep", dest="beep", action="store_true",
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_argument("--dependencies", dest="dependencies", action="store_true",
help="Check for missing (optional) sqlmap dependencies")
miscellaneous.add_argument("--disable-coloring", dest="disableColoring", action="store_true",
help="Disable console output coloring")
miscellaneous.add_argument("--list-tampers", dest="listTampers", action="store_true",
help="Display list of available tamper scripts")
miscellaneous.add_argument("--offline", dest="offline", action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_argument("--purge", dest="purge", action="store_true",
help="Safely remove all content from sqlmap data directory")
miscellaneous.add_argument("--results-file", dest="resultsFile",
help="Location of CSV results file in multiple targets mode")
miscellaneous.add_argument("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_argument("--tmp-dir", dest="tmpDir",
help="Local directory for storing temporary files")
miscellaneous.add_argument("--unstable", dest="unstable", action="store_true",
help="Adjust options for unstable connections")
miscellaneous.add_argument("--update", dest="updateAll", action="store_true",
help="Update sqlmap")
miscellaneous.add_argument("--wizard", dest="wizard", action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_argument("--base64", dest="base64Parameter",
help=SUPPRESS) # "Parameter(s) containing Base64 encoded values"
parser.add_argument("--crack", dest="hashFile",
help=SUPPRESS) # "Load and crack hashes from a file (standalone)"
parser.add_argument("--dummy", dest="dummy", action="store_true",
help=SUPPRESS)
parser.add_argument("--murphy-rate", dest="murphyRate", type=int,
help=SUPPRESS)
parser.add_argument("--debug", dest="debug", action="store_true",
help=SUPPRESS)
parser.add_argument("--disable-precon", dest="disablePrecon", action="store_true",
help=SUPPRESS)
parser.add_argument("--disable-stats", dest="disableStats", action="store_true",
help=SUPPRESS)
parser.add_argument("--profile", dest="profile", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-dbms", dest="forceDbms",
help=SUPPRESS)
parser.add_argument("--force-dns", dest="forceDns", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-partial", dest="forcePartial", action="store_true",
help=SUPPRESS)
parser.add_argument("--force-pivoting", dest="forcePivoting", action="store_true",
help=SUPPRESS)
parser.add_argument("--gui", dest="gui", action="store_true",
help=SUPPRESS)
parser.add_argument("--smoke-test", dest="smokeTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--live-test", dest="liveTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--vuln-test", dest="vulnTest", action="store_true",
help=SUPPRESS)
parser.add_argument("--stop-fail", dest="stopFail", action="store_true",
help=SUPPRESS)
parser.add_argument("--run-case", dest="runCase",
help=SUPPRESS)
# API options
parser.add_argument("--api", dest="api", action="store_true",
help=SUPPRESS)
parser.add_argument("--taskid", dest="taskid",
help=SUPPRESS)
parser.add_argument("--database", dest="database",
help=SUPPRESS)
# Dirty hack to display longer options without breaking into two lines
if hasattr(parser, "formatter"):
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser)
else:
def _format_action_invocation(self, action):
retVal = self.__format_action_invocation(action)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - self._indent_increment)) % retVal
return retVal
parser.formatter_class.__format_action_invocation = parser.formatter_class._format_action_invocation
parser.formatter_class._format_action_invocation = _format_action_invocation
# Dirty hack for making a short option '-hh'
if hasattr(parser, "get_option"):
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
else:
for action in get_actions(parser):
if action.option_strings == ["--hh"]:
action.option_strings = ["-hh"]
break
# Dirty hack for inherent help message of switch '-h'
if hasattr(parser, "get_option"):
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help", "basic help")
else:
for action in get_actions(parser):
if action.option_strings == ["-h", "--help"]:
action.help = action.help.capitalize().replace("this help", "basic help")
break
_ = []
advancedHelp = True
extraHeaders = []
tamperIndex = None
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkOldOptions(argv)
if "--gui" in argv:
runGui(parser)
elif "--sqlmap-shell" in argv:
_createHomeDirectories()
parser.usage = ""
cmdLineOptions.sqlmapShell = True
commands = set(("x", "q", "exit", "quit", "clear"))
commands.update(get_all_options(parser))
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=commands)
while True:
command = None
try:
# Note: in Python2 command should not be converted to Unicode before passing to shlex (Reference: https://bugs.python.org/issue1170)
command = _input("sqlmap-shell> ").strip()
except (KeyboardInterrupt, EOFError):
print()
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout("[i] history cleared\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout("[!] invalid option(s) provided\n")
dataToStdout("[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'\n")
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError as ex:
raise SqlmapSyntaxException("something went wrong during command line parsing ('%s')" % getSafeExString(ex))
for i in xrange(len(argv)):
longOptions = set(re.findall(r"\-\-([^= ]+?)=", parser.format_help()))
if argv[i] == "-hh":
argv[i] = "-h"
elif i == 1 and re.search(r"\A(http|www\.|\w[\w.-]+\.\w{2,})", argv[i]) is not None:
argv[i] = "--url=%s" % argv[i]
elif len(argv[i]) > 1 and all(ord(_) in xrange(0x2018, 0x2020) for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0], argv[i][-1])):
dataToStdout("[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout("[!] copy-pasting illegal (non-console) comma characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout("[!] potentially miswritten (illegal '=') short option detected ('%s')\n" % argv[i])
raise SystemExit
elif argv[i] in DEPRECATED_OPTIONS:
argv[i] = ""
elif argv[i].startswith("--tamper"):
if tamperIndex is None:
tamperIndex = i if '=' in argv[i] else (i + 1 if i + 1 < len(argv) and not argv[i + 1].startswith('-') else None)
else:
argv[tamperIndex] = "%s,%s" % (argv[tamperIndex], argv[i].split('=')[1] if '=' in argv[i] else (argv[i + 1] if i + 1 < len(argv) and not argv[i + 1].startswith('-') else ""))
argv[i] = ""
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif argv[i] == "-r":
for j in xrange(i + 2, len(argv)):
value = argv[j]
if os.path.isfile(value):
argv[i + 1] += ",%s" % value
argv[j] = ''
else:
break
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(0, i - 1)] == "--threads" or re.match(r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print(VERSION_STRING.split('/')[-1])
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in get_groups(parser)[:]:
found = False
for option in get_actions(group):
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS
else:
found = True
if not found:
get_groups(parser).remove(group)
elif '=' in argv[i] and not argv[i].startswith('-') and argv[i].split('=')[0] in longOptions and re.search(r"\A-\w\Z", argv[i - 1]) is None:
dataToStdout("[!] detected usage of long-option without a starting hyphen ('%s')\n" % argv[i])
raise SystemExit
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_known_args(argv) if hasattr(parser, "parse_known_args") else parser.parse_args(argv)
except UnicodeEncodeError as ex:
dataToStdout("\n[!] %s\n" % getUnicode(ex.object.encode("unicode-escape")))
raise SystemExit
except SystemExit:
if "-h" in argv and not advancedHelp:
dataToStdout("\n[!] to see full list of options run with '-hh'\n")
raise
if extraHeaders:
if not args.headers:
args.headers = ""
delimiter = "\\n" if "\\n" in args.headers else "\n"
args.headers += delimiter + delimiter.join(extraHeaders)
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
for i in xrange(len(argv) - 1):
if argv[i] == "-z":
expandMnemonics(argv[i + 1], parser, args)
if args.dummy:
args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, args.requestFile, args.updateAll, args.smokeTest, args.vulnTest, args.liveTest, args.wizard, args.dependencies, args.purge, args.listTampers, args.hashFile)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, --list-tampers, --wizard, --update, --purge or --dependencies). "
errMsg += "Use -h for basic and -hh for advanced help\n"
parser.error(errMsg)
return args
except (ArgumentError, TypeError) as ex:
parser.error(ex)
except SystemExit:
# Protection against Windows dummy double clicking
if IS_WIN:
dataToStdout("\nPress Enter to continue...")
_input()
raise
debugMsg = "parsing command line"
logger.debug(debugMsg)
def cmdLineParser(argv=None):
"""
This function parses the command line parameters and arguments
"""
if not argv:
argv = sys.argv
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh",
dest="advancedHelp",
action="store_true",
help="Show advanced help message and exit")
parser.add_option("--version",
dest="showVersion",
action="store_true",
help="Show program's version number and exit")
parser.add_option("-v",
dest="verbose",
type="int",
help="Verbosity level: 0-6 (default %d)" %
defaults.verbose)
# Target options
target = OptionGroup(
parser, "Target", "At least one of these "
"options has to be provided to define the target(s)")
target.add_option("-d",
dest="direct",
help="Connection string "
"for direct database connection")
target.add_option(
"-u",
"--url",
dest="url",
help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_option("-l",
dest="logFile",
help="Parse target(s) from Burp "
"or WebScarab proxy log file")
target.add_option(
"-x",
dest="sitemapUrl",
help="Parse target(s) from remote sitemap(.xml) file")
target.add_option("-m",
dest="bulkFile",
help="Scan multiple targets given "
"in a textual file ")
target.add_option("-r",
dest="requestFile",
help="Load HTTP request from a file")
target.add_option("-g",
dest="googleDork",
help="Process Google dork results as target URLs")
target.add_option("-c",
dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(
parser, "Request", "These options can be used "
"to specify how to connect to the target URL")
request.add_option("--method",
dest="method",
help="Force usage of given HTTP method (e.g. PUT)")
request.add_option("--data",
dest="data",
help="Data string to be sent through POST")
request.add_option(
"--param-del",
dest="paramDel",
help="Character used for splitting parameter values")
request.add_option("--cookie",
dest="cookie",
help="HTTP Cookie header value")
request.add_option("--cookie-del",
dest="cookieDel",
help="Character used for splitting cookie values")
request.add_option(
"--load-cookies",
dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie",
dest="dropSetCookie",
action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent",
dest="agent",
help="HTTP User-Agent header value")
request.add_option(
"--random-agent",
dest="randomAgent",
action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host",
dest="host",
help="HTTP Host header value")
request.add_option("--referer",
dest="referer",
help="HTTP Referer header value")
request.add_option(
"-H",
"--header",
dest="header",
help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
request.add_option(
"--headers",
dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type",
dest="authType",
help="HTTP authentication type "
"(Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred",
dest="authCred",
help="HTTP authentication credentials "
"(name:password)")
request.add_option(
"--auth-file",
dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-400",
dest="ignore400",
action="store_true",
help="Suppress HTTP Error 400 (Bad Request)")
request.add_option("--ignore-401",
dest="ignore401",
action="store_true",
help="Ignore HTTP Error 401 (Unauthorized)")
request.add_option("--ignore-proxy",
dest="ignoreProxy",
action="store_true",
help="Ignore system default proxy settings")
request.add_option("--ignore-redirects",
dest="ignoreRedirects",
action="store_true",
help="Ignore redirection attempts")
request.add_option("--ignore-timeouts",
dest="ignoreTimeouts",
action="store_true",
help="Ignore connection timeouts")
request.add_option("--proxy",
dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred",
dest="proxyCred",
help="Proxy authentication credentials "
"(name:password)")
request.add_option("--proxy-file",
dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--tor",
dest="tor",
action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port",
dest="torPort",
help="Set Tor proxy port other than default")
request.add_option(
"--tor-type",
dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor",
dest="checkTor",
action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay",
dest="delay",
type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout",
dest="timeout",
type="float",
help="Seconds to wait before timeout connection "
"(default %d)" % defaults.timeout)
request.add_option("--retries",
dest="retries",
type="int",
help="Retries when the connection timeouts "
"(default %d)" % defaults.retries)
request.add_option("--randomize",
dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_option(
"--safe-url",
dest="safeUrl",
help="URL address to visit frequently during testing")
request.add_option("--safe-post",
dest="safePost",
help="POST data to send to a safe URL")
request.add_option("--safe-req",
dest="safeReqFile",
help="Load safe HTTP request from a file")
request.add_option(
"--safe-freq",
dest="safeFreq",
type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode",
dest="skipUrlEncode",
action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--csrf-token",
dest="csrfToken",
help="Parameter used to hold anti-CSRF token")
request.add_option(
"--csrf-url",
dest="csrfUrl",
help="URL address to visit to extract anti-CSRF token")
request.add_option("--force-ssl",
dest="forceSSL",
action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp",
dest="hpp",
action="store_true",
help="Use HTTP parameter pollution method")
request.add_option(
"--eval",
dest="evalCode",
help=
"Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")"
)
# Optimization options
optimization = OptionGroup(
parser, "Optimization", "These "
"options can be used to optimize the "
"performance of sqlmap")
optimization.add_option("-o",
dest="optimize",
action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output",
dest="predictOutput",
action="store_true",
help="Predict common queries output")
optimization.add_option("--keep-alive",
dest="keepAlive",
action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_option(
"--null-connection",
dest="nullConnection",
action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads",
dest="threads",
type="int",
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(
parser, "Injection", "These options can be "
"used to specify which parameters to test "
"for, provide custom injection payloads and "
"optional tampering scripts")
injection.add_option("-p",
dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--skip",
dest="skip",
help="Skip testing for given parameter(s)")
injection.add_option(
"--skip-static",
dest="skipStatic",
action="store_true",
help="Skip testing parameters that not appear to be dynamic")
injection.add_option(
"--param-exclude",
dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--dbms",
dest="dbms",
help="Force back-end DBMS to this value")
injection.add_option(
"--dbms-cred",
dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_option("--os",
dest="os",
help="Force back-end DBMS operating system "
"to this value")
injection.add_option("--invalid-bignum",
dest="invalidBignum",
action="store_true",
help="Use big numbers for invalidating values")
injection.add_option(
"--invalid-logical",
dest="invalidLogical",
action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string",
dest="invalidString",
action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast",
dest="noCast",
action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape",
dest="noEscape",
action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix",
dest="prefix",
help="Injection payload prefix string")
injection.add_option("--suffix",
dest="suffix",
help="Injection payload suffix string")
injection.add_option(
"--tamper",
dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(
parser, "Detection", "These options can be "
"used to customize the detection phase")
detection.add_option("--level",
dest="level",
type="int",
help="Level of tests to perform (1-5, "
"default %d)" % defaults.level)
detection.add_option("--risk",
dest="risk",
type="int",
help="Risk of tests to perform (1-3, "
"default %d)" % defaults.level)
detection.add_option("--string",
dest="string",
help="String to match when "
"query is evaluated to True")
detection.add_option("--not-string",
dest="notString",
help="String to match when "
"query is evaluated to False")
detection.add_option("--regexp",
dest="regexp",
help="Regexp to match when "
"query is evaluated to True")
detection.add_option("--code",
dest="code",
type="int",
help="HTTP code to match when "
"query is evaluated to True")
detection.add_option(
"--text-only",
dest="textOnly",
action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles",
dest="titles",
action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(
parser, "Techniques", "These options can be "
"used to tweak testing of specific SQL "
"injection techniques")
techniques.add_option("--technique",
dest="tech",
help="SQL injection techniques to use "
"(default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec",
dest="timeSec",
type="int",
help="Seconds to delay the DBMS response "
"(default %d)" % defaults.timeSec)
techniques.add_option(
"--union-cols",
dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_option(
"--union-char",
dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_option(
"--union-from",
dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_option(
"--dns-domain",
dest="dnsDomain",
help="Domain name used for DNS exfiltration attack")
techniques.add_option(
"--second-order",
dest="secondOrder",
help="Resulting page URL searched for second-order "
"response")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option(
"-f",
"--fingerprint",
dest="extensiveFp",
action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(
parser, "Enumeration", "These options can "
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
"you can run your own SQL statements")
enumeration.add_option("-a",
"--all",
dest="getAll",
action="store_true",
help="Retrieve everything")
enumeration.add_option("-b",
"--banner",
dest="getBanner",
action="store_true",
help="Retrieve DBMS banner")
enumeration.add_option("--current-user",
dest="getCurrentUser",
action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db",
dest="getCurrentDb",
action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname",
dest="getHostname",
action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba",
dest="isDba",
action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users",
dest="getUsers",
action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords",
dest="getPasswordHashes",
action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges",
dest="getPrivileges",
action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles",
dest="getRoles",
action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs",
dest="getDbs",
action="store_true",
help="Enumerate DBMS databases")
enumeration.add_option("--tables",
dest="getTables",
action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_option("--columns",
dest="getColumns",
action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_option("--schema",
dest="getSchema",
action="store_true",
help="Enumerate DBMS schema")
enumeration.add_option("--count",
dest="getCount",
action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_option("--dump",
dest="dumpTable",
action="store_true",
help="Dump DBMS database table entries")
enumeration.add_option("--dump-all",
dest="dumpAll",
action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_option(
"--search",
dest="search",
action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_option("--comments",
dest="getComments",
action="store_true",
help="Retrieve DBMS comments")
enumeration.add_option("-D",
dest="db",
help="DBMS database to enumerate")
enumeration.add_option("-T",
dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_option(
"-C",
dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_option(
"-X",
dest="excludeCol",
help="DBMS database table column(s) to not enumerate")
enumeration.add_option("-U",
dest="user",
help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs",
dest="excludeSysDbs",
action="store_true",
help="Exclude DBMS system databases when "
"enumerating tables")
enumeration.add_option("--pivot-column",
dest="pivotColumn",
help="Pivot column name")
enumeration.add_option("--where",
dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start",
dest="limitStart",
type="int",
help="First dump table entry to retrieve")
enumeration.add_option("--stop",
dest="limitStop",
type="int",
help="Last dump table entry to retrieve")
enumeration.add_option(
"--first",
dest="firstChar",
type="int",
help="First query output word character to retrieve")
enumeration.add_option(
"--last",
dest="lastChar",
type="int",
help="Last query output word character to retrieve")
enumeration.add_option("--sql-query",
dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell",
dest="sqlShell",
action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option(
"--sql-file",
dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = OptionGroup(
parser, "Brute force", "These "
"options can be used to run brute force "
"checks")
brute.add_option("--common-tables",
dest="commonTables",
action="store_true",
help="Check existence of common tables")
brute.add_option("--common-columns",
dest="commonColumns",
action="store_true",
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(
parser, "User-defined function injection", "These "
"options can be used to create custom user-defined "
"functions")
udf.add_option("--udf-inject",
dest="udfInject",
action="store_true",
help="Inject custom user-defined functions")
udf.add_option("--shared-lib",
dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(
parser, "File system access", "These options "
"can be used to access the back-end database "
"management system underlying file system")
filesystem.add_option("--file-read",
dest="rFile",
help="Read a file from the back-end DBMS "
"file system")
filesystem.add_option("--file-write",
dest="wFile",
help="Write a local file on the back-end "
"DBMS file system")
filesystem.add_option("--file-dest",
dest="dFile",
help="Back-end DBMS absolute filepath to "
"write to")
# Takeover options
takeover = OptionGroup(
parser, "Operating system access", "These "
"options can be used to access the back-end "
"database management system underlying "
"operating system")
takeover.add_option("--os-cmd",
dest="osCmd",
help="Execute an operating system command")
takeover.add_option("--os-shell",
dest="osShell",
action="store_true",
help="Prompt for an interactive operating "
"system shell")
takeover.add_option("--os-pwn",
dest="osPwn",
action="store_true",
help="Prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-smbrelay",
dest="osSmb",
action="store_true",
help="One click prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-bof",
dest="osBof",
action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc",
dest="privEsc",
action="store_true",
help="Database process user privilege escalation")
takeover.add_option("--msf-path",
dest="msfPath",
help="Local path where Metasploit Framework "
"is installed")
takeover.add_option("--tmp-path",
dest="tmpPath",
help="Remote absolute path of temporary files "
"directory")
# Windows registry options
windows = OptionGroup(
parser, "Windows registry access", "These "
"options can be used to access the back-end "
"database management system Windows "
"registry")
windows.add_option("--reg-read",
dest="regRead",
action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add",
dest="regAdd",
action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del",
dest="regDel",
action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key",
dest="regKey",
help="Windows registry key")
windows.add_option("--reg-value",
dest="regVal",
help="Windows registry key value")
windows.add_option("--reg-data",
dest="regData",
help="Windows registry key value data")
windows.add_option("--reg-type",
dest="regType",
help="Windows registry key value type")
# General options
general = OptionGroup(
parser, "General", "These options can be used "
"to set some general working parameters")
general.add_option("-s",
dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_option("-t",
dest="trafficFile",
help="Log all HTTP traffic into a "
"textual file")
general.add_option(
"--batch",
dest="batch",
action="store_true",
help="Never ask for user input, use the default behaviour")
general.add_option(
"--binary-fields",
dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
general.add_option(
"--charset",
dest="charset",
help="Force character encoding used for data retrieval")
general.add_option(
"--check-internet",
dest="checkInternet",
action="store_true",
help="Check Internet connection before assessing the target")
general.add_option(
"--crawl",
dest="crawlDepth",
type="int",
help="Crawl the website starting from the target URL")
general.add_option(
"--crawl-exclude",
dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_option("--csv-del",
dest="csvDel",
help="Delimiting character used in CSV output "
"(default \"%s\")" % defaults.csvDel)
general.add_option(
"--dump-format",
dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option(
"--eta",
dest="eta",
action="store_true",
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session",
dest="flushSession",
action="store_true",
help="Flush session files for current target")
general.add_option("--forms",
dest="forms",
action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries",
dest="freshQueries",
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--har",
dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_option("--hex",
dest="hexConvert",
action="store_true",
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--output-dir",
dest="outputDir",
action="store",
help="Custom output directory path")
general.add_option(
"--parse-errors",
dest="parseErrors",
action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--save",
dest="saveConfig",
help="Save options to a configuration INI file")
general.add_option(
"--scope",
dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_option(
"--test-filter",
dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_option(
"--test-skip",
dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_option("--update",
dest="updateAll",
action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option(
"-z",
dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option(
"--alert",
dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option(
"--answers",
dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option(
"--beep",
dest="beep",
action="store_true",
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_option("--cleanup",
dest="cleanup",
action="store_true",
help="Clean up the DBMS from sqlmap specific "
"UDF and tables")
miscellaneous.add_option(
"--dependencies",
dest="dependencies",
action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring",
dest="disableColoring",
action="store_true",
help="Disable console output coloring")
miscellaneous.add_option(
"--gpage",
dest="googlePage",
type="int",
help="Use Google dork results from specified page number")
miscellaneous.add_option(
"--identify-waf",
dest="identifyWaf",
action="store_true",
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option(
"--mobile",
dest="mobile",
action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option(
"--offline",
dest="offline",
action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_option(
"--purge-output",
dest="purgeOutput",
action="store_true",
help="Safely remove all content from output directory")
miscellaneous.add_option(
"--skip-waf",
dest="skipWaf",
action="store_true",
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option(
"--smart",
dest="smart",
action="store_true",
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell",
dest="sqlmapShell",
action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option(
"--tmp-dir",
dest="tmpDir",
help="Local directory for storing temporary files")
miscellaneous.add_option(
"--web-root",
dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
miscellaneous.add_option(
"--wizard",
dest="wizard",
action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy",
dest="dummy",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--murphy-rate",
dest="murphyRate",
type="int",
help=SUPPRESS_HELP)
parser.add_option("--disable-precon",
dest="disablePrecon",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--disable-stats",
dest="disableStats",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--profile",
dest="profile",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-dns",
dest="forceDns",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-threads",
dest="forceThreads",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test",
dest="smokeTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test",
dest="liveTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail",
dest="stopFail",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
# API options
parser.add_option("--api",
dest="api",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--taskid", dest="taskid", help=SUPPRESS_HELP)
parser.add_option("--database", dest="database", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack to display longer options without breaking into two lines
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." %
(MAX_HELP_OPTION_LENGTH -
parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(
parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option '-hh'
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch '-h'
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help",
"basic help")
_ = []
prompt = False
advancedHelp = True
extraHeaders = []
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
command = getUnicode(command, encoding=sys.stdin.encoding)
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout("[i] history cleared\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout("[!] invalid option(s) provided\n")
dataToStdout(
"[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'\n"
)
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError, ex:
raise SqlmapSyntaxException, "something went wrong during command line parsing ('%s')" % ex.message
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif len(argv[i]) > 1 and all(
ord(_) in xrange(0x2018, 0x2020)
for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0],
argv[i][-1])):
dataToStdout(
"[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n"
% argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout(
"[!] copy-pasting illegal (non-console) comma characters from Internet is, well, illegal (%s)\n"
% argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout(
"[!] potentially miswritten (illegal '=') short option detected ('%s')\n"
% argv[i])
raise SystemExit
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(
0, i - 1)] == "--threads" or re.match(
r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[
argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_args(argv)
except UnicodeEncodeError, ex:
dataToStdout("\n[!] %s\n" % ex.object.encode("unicode-escape"))
raise SystemExit
def cmdLineParser(argv=None):
"""
This function parses the command line parameters and arguments
"""
if not argv:
argv = sys.argv
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", "\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh", dest="advancedHelp",
action="store_true",
help="Show advanced help message and exit")
parser.add_option("--version", dest="showVersion",
action="store_true",
help="Show program's version number and exit")
parser.add_option("-v", dest="verbose", type="int",
help="Verbosity level: 0-6 (default %d)" % defaults.verbose)
# Target options
target = OptionGroup(parser, "Target", "At least one of these "
"options has to be provided to define the target(s)")
target.add_option("-d", dest="direct", help="Connection string "
"for direct database connection")
target.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_option("-l", dest="logFile", help="Parse target(s) from Burp "
"or WebScarab proxy log file")
target.add_option("-x", dest="sitemapUrl", help="Parse target(s) from remote sitemap(.xml) file")
target.add_option("-m", dest="bulkFile", help="Scan multiple targets given "
"in a textual file ")
target.add_option("-r", dest="requestFile",
help="Load HTTP request from a file")
target.add_option("-g", dest="googleDork",
help="Process Google dork results as target URLs")
target.add_option("-c", dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(parser, "Request", "These options can be used "
"to specify how to connect to the target URL")
request.add_option("--method", dest="method",
help="Force usage of given HTTP method (e.g. PUT)")
request.add_option("--data", dest="data",
help="Data string to be sent through POST")
request.add_option("--param-del", dest="paramDel",
help="Character used for splitting parameter values")
request.add_option("--cookie", dest="cookie",
help="HTTP Cookie header value")
request.add_option("--cookie-del", dest="cookieDel",
help="Character used for splitting cookie values")
request.add_option("--load-cookies", dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie", dest="dropSetCookie", action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent", dest="agent",
help="HTTP User-Agent header value")
request.add_option("--random-agent", dest="randomAgent", action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host", dest="host",
help="HTTP Host header value")
request.add_option("--referer", dest="referer",
help="HTTP Referer header value")
request.add_option("-H", "--header", dest="header",
help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")
request.add_option("--headers", dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type", dest="authType",
help="HTTP authentication type (Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred", dest="authCred",
help="HTTP authentication credentials (name:password)")
request.add_option("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-code", dest="ignoreCode", type="int",
help="Ignore HTTP error code (e.g. 401)")
request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
help="Ignore system default proxy settings")
request.add_option("--ignore-redirects", dest="ignoreRedirects", action="store_true",
help="Ignore redirection attempts")
request.add_option("--ignore-timeouts", dest="ignoreTimeouts", action="store_true",
help="Ignore connection timeouts")
request.add_option("--proxy", dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred", dest="proxyCred",
help="Proxy authentication credentials (name:password)")
request.add_option("--proxy-file", dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--tor", dest="tor", action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port", dest="torPort",
help="Set Tor proxy port other than default")
request.add_option("--tor-type", dest="torType",
help="Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor", dest="checkTor", action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay", dest="delay", type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout", dest="timeout", type="float",
help="Seconds to wait before timeout connection (default %d)" % defaults.timeout)
request.add_option("--retries", dest="retries", type="int",
help="Retries when the connection timeouts (default %d)" % defaults.retries)
request.add_option("--randomize", dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_option("--safe-url", dest="safeUrl",
help="URL address to visit frequently during testing")
request.add_option("--safe-post", dest="safePost",
help="POST data to send to a safe URL")
request.add_option("--safe-req", dest="safeReqFile",
help="Load safe HTTP request from a file")
request.add_option("--safe-freq", dest="safeFreq", type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode", dest="skipUrlEncode", action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--csrf-token", dest="csrfToken",
help="Parameter used to hold anti-CSRF token")
request.add_option("--csrf-url", dest="csrfUrl",
help="URL address to visit to extract anti-CSRF token")
request.add_option("--force-ssl", dest="forceSSL", action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp", dest="hpp", action="store_true",
help="Use HTTP parameter pollution method")
request.add_option("--eval", dest="evalCode",
help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")
# Optimization options
optimization = OptionGroup(parser, "Optimization", "These options can be used to optimize the performance of sqlmap")
optimization.add_option("-o", dest="optimize", action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output", dest="predictOutput", action="store_true",
help="Predict common queries output")
optimization.add_option("--keep-alive", dest="keepAlive", action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_option("--null-connection", dest="nullConnection", action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads", dest="threads", type="int",
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(parser, "Injection", "These options can be used to specify which parameters to test for, provide custom injection payloads and optional tampering scripts")
injection.add_option("-p", dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--skip", dest="skip",
help="Skip testing for given parameter(s)")
injection.add_option("--skip-static", dest="skipStatic", action="store_true",
help="Skip testing parameters that not appear to be dynamic")
injection.add_option("--param-exclude", dest="paramExclude",
help="Regexp to exclude parameters from testing (e.g. \"ses\")")
injection.add_option("--dbms", dest="dbms",
help="Force back-end DBMS to provided value")
injection.add_option("--dbms-cred", dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_option("--os", dest="os",
help="Force back-end DBMS operating system to provided value")
injection.add_option("--invalid-bignum", dest="invalidBignum", action="store_true",
help="Use big numbers for invalidating values")
injection.add_option("--invalid-logical", dest="invalidLogical", action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string", dest="invalidString", action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast", dest="noCast", action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape", dest="noEscape", action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix", dest="prefix",
help="Injection payload prefix string")
injection.add_option("--suffix", dest="suffix",
help="Injection payload suffix string")
injection.add_option("--tamper", dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(parser, "Detection", "These options can be used to customize the detection phase")
detection.add_option("--level", dest="level", type="int",
help="Level of tests to perform (1-5, default %d)" % defaults.level)
detection.add_option("--risk", dest="risk", type="int",
help="Risk of tests to perform (1-3, default %d)" % defaults.risk)
detection.add_option("--string", dest="string",
help="String to match when query is evaluated to True")
detection.add_option("--not-string", dest="notString",
help="String to match when query is evaluated to False")
detection.add_option("--regexp", dest="regexp",
help="Regexp to match when query is evaluated to True")
detection.add_option("--code", dest="code", type="int",
help="HTTP code to match when query is evaluated to True")
detection.add_option("--text-only", dest="textOnly", action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles", dest="titles", action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(parser, "Techniques", "These options can be used to tweak testing of specific SQL injection techniques")
techniques.add_option("--technique", dest="tech",
help="SQL injection techniques to use (default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec", dest="timeSec", type="int",
help="Seconds to delay the DBMS response (default %d)" % defaults.timeSec)
techniques.add_option("--union-cols", dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_option("--union-char", dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_option("--union-from", dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_option("--dns-domain", dest="dnsDomain",
help="Domain name used for DNS exfiltration attack")
techniques.add_option("--second-url", dest="secondUrl",
help="Resulting page URL searched for second-order response")
techniques.add_option("--second-req", dest="secondReq",
help="Load second-order HTTP request from file")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp", action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(parser, "Enumeration", "These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements")
enumeration.add_option("-a", "--all", dest="getAll", action="store_true",
help="Retrieve everything")
enumeration.add_option("-b", "--banner", dest="getBanner", action="store_true",
help="Retrieve DBMS banner")
enumeration.add_option("--current-user", dest="getCurrentUser", action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db", dest="getCurrentDb", action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname", dest="getHostname", action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba", dest="isDba", action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users", dest="getUsers", action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords", dest="getPasswordHashes", action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges", dest="getPrivileges", action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles", dest="getRoles", action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs", dest="getDbs", action="store_true",
help="Enumerate DBMS databases")
enumeration.add_option("--tables", dest="getTables", action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_option("--columns", dest="getColumns", action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_option("--schema", dest="getSchema", action="store_true",
help="Enumerate DBMS schema")
enumeration.add_option("--count", dest="getCount", action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_option("--dump", dest="dumpTable", action="store_true",
help="Dump DBMS database table entries")
enumeration.add_option("--dump-all", dest="dumpAll", action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_option("--search", dest="search", action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_option("--comments", dest="getComments", action="store_true",
help="Check for DBMS comments during enumeration")
enumeration.add_option("-D", dest="db",
help="DBMS database to enumerate")
enumeration.add_option("-T", dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_option("-C", dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_option("-X", dest="exclude",
help="DBMS database identifier(s) to not enumerate")
enumeration.add_option("-U", dest="user",
help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs", action="store_true",
help="Exclude DBMS system databases when enumerating tables")
enumeration.add_option("--pivot-column", dest="pivotColumn",
help="Pivot column name")
enumeration.add_option("--where", dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start", dest="limitStart", type="int",
help="First dump table entry to retrieve")
enumeration.add_option("--stop", dest="limitStop", type="int",
help="Last dump table entry to retrieve")
enumeration.add_option("--first", dest="firstChar", type="int",
help="First query output word character to retrieve")
enumeration.add_option("--last", dest="lastChar", type="int",
help="Last query output word character to retrieve")
enumeration.add_option("--sql-query", dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell", dest="sqlShell", action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option("--sql-file", dest="sqlFile",
help="Execute SQL statements from given file(s)")
# Brute force options
brute = OptionGroup(parser, "Brute force", "These options can be used to run brute force checks")
brute.add_option("--common-tables", dest="commonTables", action="store_true",
help="Check existence of common tables")
brute.add_option("--common-columns", dest="commonColumns", action="store_true",
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(parser, "User-defined function injection", "These options can be used to create custom user-defined functions")
udf.add_option("--udf-inject", dest="udfInject", action="store_true",
help="Inject custom user-defined functions")
udf.add_option("--shared-lib", dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(parser, "File system access", "These options can be used to access the back-end database management system underlying file system")
filesystem.add_option("--file-read", dest="rFile",
help="Read a file from the back-end DBMS file system")
filesystem.add_option("--file-write", dest="wFile",
help="Write a local file on the back-end DBMS file system")
filesystem.add_option("--file-dest", dest="dFile",
help="Back-end DBMS absolute filepath to write to")
# Takeover options
takeover = OptionGroup(parser, "Operating system access", "These options can be used to access the back-end database management system underlying operating system")
takeover.add_option("--os-cmd", dest="osCmd",
help="Execute an operating system command")
takeover.add_option("--os-shell", dest="osShell", action="store_true",
help="Prompt for an interactive operating system shell")
takeover.add_option("--os-pwn", dest="osPwn", action="store_true",
help="Prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option("--os-smbrelay", dest="osSmb", action="store_true",
help="One click prompt for an OOB shell, Meterpreter or VNC")
takeover.add_option("--os-bof", dest="osBof", action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc", dest="privEsc", action="store_true",
help="Database process user privilege escalation")
takeover.add_option("--msf-path", dest="msfPath",
help="Local path where Metasploit Framework is installed")
takeover.add_option("--tmp-path", dest="tmpPath",
help="Remote absolute path of temporary files directory")
# Windows registry options
windows = OptionGroup(parser, "Windows registry access", "These options can be used to access the back-end database management system Windows registry")
windows.add_option("--reg-read", dest="regRead", action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add", dest="regAdd", action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del", dest="regDel", action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key", dest="regKey",
help="Windows registry key")
windows.add_option("--reg-value", dest="regVal",
help="Windows registry key value")
windows.add_option("--reg-data", dest="regData",
help="Windows registry key value data")
windows.add_option("--reg-type", dest="regType",
help="Windows registry key value type")
# General options
general = OptionGroup(parser, "General", "These options can be used to set some general working parameters")
general.add_option("-s", dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_option("-t", dest="trafficFile",
help="Log all HTTP traffic into a textual file")
general.add_option("--batch", dest="batch", action="store_true",
help="Never ask for user input, use the default behavior")
general.add_option("--binary-fields", dest="binaryFields",
help="Result fields having binary values (e.g. \"digest\")")
general.add_option("--check-internet", dest="checkInternet", action="store_true",
help="Check Internet connection before assessing the target")
general.add_option("--crawl", dest="crawlDepth", type="int",
help="Crawl the website starting from the target URL")
general.add_option("--crawl-exclude", dest="crawlExclude",
help="Regexp to exclude pages from crawling (e.g. \"logout\")")
general.add_option("--csv-del", dest="csvDel",
help="Delimiting character used in CSV output (default \"%s\")" % defaults.csvDel)
general.add_option("--charset", dest="charset",
help="Blind SQL injection charset (e.g. \"0123456789abcdef\")")
general.add_option("--dump-format", dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option("--encoding", dest="encoding",
help="Character encoding used for data retrieval (e.g. GBK)")
general.add_option("--eta", dest="eta", action="store_true",
help="Display for each output the estimated time of arrival")
general.add_option("--flush-session", dest="flushSession", action="store_true",
help="Flush session files for current target")
general.add_option("--forms", dest="forms", action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries", dest="freshQueries", action="store_true",
help="Ignore query results stored in session file")
general.add_option("--har", dest="harFile",
help="Log all HTTP traffic into a HAR file")
general.add_option("--hex", dest="hexConvert", action="store_true",
help="Use hex conversion during data retrieval")
general.add_option("--output-dir", dest="outputDir", action="store",
help="Custom output directory path")
general.add_option("--parse-errors", dest="parseErrors", action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--save", dest="saveConfig",
help="Save options to a configuration INI file")
general.add_option("--scope", dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_option("--test-filter", dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_option("--test-skip", dest="testSkip",
help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")
general.add_option("--update", dest="updateAll", action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option("-z", dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option("--alert", dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option("--answers", dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option("--beep", dest="beep", action="store_true",
help="Beep on question and/or when SQL injection is found")
miscellaneous.add_option("--cleanup", dest="cleanup", action="store_true",
help="Clean up the DBMS from sqlmap specific UDF and tables")
miscellaneous.add_option("--dependencies", dest="dependencies", action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring", dest="disableColoring", action="store_true",
help="Disable console output coloring")
miscellaneous.add_option("--gpage", dest="googlePage", type="int",
help="Use Google dork results from specified page number")
miscellaneous.add_option("--identify-waf", dest="identifyWaf", action="store_true",
help="Make a thorough testing for a WAF/IPS/IDS protection")
miscellaneous.add_option("--list-tampers", dest="listTampers", action="store_true",
help="Display list of available tamper scripts")
miscellaneous.add_option("--mobile", dest="mobile", action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option("--offline", dest="offline", action="store_true",
help="Work in offline mode (only use session data)")
miscellaneous.add_option("--purge", dest="purge", action="store_true",
help="Safely remove all content from sqlmap data directory")
miscellaneous.add_option("--skip-waf", dest="skipWaf", action="store_true",
help="Skip heuristic detection of WAF/IPS/IDS protection")
miscellaneous.add_option("--smart", dest="smart", action="store_true",
help="Conduct thorough tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option("--tmp-dir", dest="tmpDir",
help="Local directory for storing temporary files")
miscellaneous.add_option("--web-root", dest="webRoot",
help="Web server document root directory (e.g. \"/var/www\")")
miscellaneous.add_option("--wizard", dest="wizard", action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy", dest="dummy", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--murphy-rate", dest="murphyRate", type="int",
help=SUPPRESS_HELP)
parser.add_option("--disable-precon", dest="disablePrecon", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--disable-stats", dest="disableStats", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--profile", dest="profile", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-dbms", dest="forceDbms",
help=SUPPRESS_HELP)
parser.add_option("--force-dns", dest="forceDns", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-pivoting", dest="forcePivoting", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-threads", dest="forceThreads", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test", dest="smokeTest", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test", dest="liveTest", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail", dest="stopFail", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
# API options
parser.add_option("--api", dest="api", action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--taskid", dest="taskid", help=SUPPRESS_HELP)
parser.add_option("--database", dest="database", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack to display longer options without breaking into two lines
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH - parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option '-hh'
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch '-h'
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help", "basic help")
_ = []
prompt = False
advancedHelp = True
extraHeaders = []
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
command = getUnicode(command, encoding=sys.stdin.encoding)
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout("[i] history cleared\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout("[!] invalid option(s) provided\n")
dataToStdout("[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'\n")
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError, ex:
raise SqlmapSyntaxException("something went wrong during command line parsing ('%s')" % ex.message)
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif len(argv[i]) > 1 and all(ord(_) in xrange(0x2018, 0x2020) for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0], argv[i][-1])):
dataToStdout("[!] copy-pasting illegal (non-console) quote characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout("[!] copy-pasting illegal (non-console) comma characters from Internet is, well, illegal (%s)\n" % argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout("[!] potentially miswritten (illegal '=') short option detected ('%s')\n" % argv[i])
raise SystemExit
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(0, i - 1)] == "--threads" or re.match(r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_args(argv)
except UnicodeEncodeError, ex:
dataToStdout("\n[!] %s\n" % ex.object.encode("unicode-escape"))
raise SystemExit
def cmdLineParser(argv=None):
"""
此函数解析命令行参数和参数
"""
if not argv:
argv = sys.argv
checkSystemEncoding()
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
_ = getUnicode(os.path.basename(argv[0]), encoding=sys.stdin.encoding)
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh",
dest=u"advancedHelp",
action="store_true",
help=u"显示高级帮助消息并退出")
# dest : 用于保存临时变量,其值可以作为options的属性进行访问。存储的内容就是如-f,-n 等紧挨着的那个参数内容。
parser.add_option("--version",
dest=u"showVersion",
action="store_true",
help=u"显示程序版本号并退出")
# type 参数类型
parser.add_option("-v",
dest="verbose",
type="int",
help=u"详细程度: 0-6 (默认 %d)" % defaults.verbose)
# 目标选项
target = OptionGroup(parser, u"目标", u"至少提供下列一个选项作为注入目标")
#例如:mysql://数据库用户名:数据库密码@数据库ip地址:数据库端口号/数据库名)
target.add_option(
"-d",
dest="direct",
help=
u"直接连接数据库\r\n(例如:mysql://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME)"
)
target.add_option("-u",
"--url",
dest="url",
help=u"目标网址(例如:http://www.site.com/vuln.php?id=1)")
target.add_option("-l",
dest="logFile",
help=u"从Burp或WebScarab代理日志文件解析目标")
target.add_option("-x", dest="sitemapUrl", help=u"从远程站点地图(.xml)文件解析目标")
target.add_option("-m", dest="bulkFile", help=u"扫描文本文件中给出的多个目标")
target.add_option("-r", dest="requestFile", help=u"从文件加载HTTP请求")
target.add_option(
"-g",
dest="googleDork",
help=u"将Google dork搜索结果作为目标,这个选项使得sqlmap可以通过和搜索引擎通信,"
u"通过google dork搜索可能存在sql注入的网站 ,然后sqlmap会提取前100个结果 ,"
u"并询问用户是否针对这些目标进行检测 "
u"\r\n(例如:python sqlmap.py -g \"inurl:\".php?id=1\"\")")
target.add_option("-c",
dest="configFile",
help=u"加载sqlmap.conf文件里面的相关配置")
# 请求选项
request = OptionGroup(parser, u"请求", u"该选项指定以何种方式连接到目标URL")
request.add_option("--method",
dest="method",
help=u"强制使用指定的HTTP请求方法(例如:GET PUT)")
request.add_option("--data", dest="data", help=u"以POST方式提交数据")
request.add_option("--param-del", dest="paramDel", help=u"用于分割参数值的字符")
request.add_option("--cookie",
dest="cookie",
help=u"HTTP Cookie header value")
request.add_option("--cookie-del",
dest="cookieDel",
help=u"用于分割cookie值的字符")
request.add_option("--load-cookies",
dest="loadCookies",
help=u"包含Netscape/wget格式的Cookie的文件")
request.add_option("--drop-set-cookie",
dest="dropSetCookie",
action="store_true",
help=u"从响应response中忽略Set-Cookie header")
request.add_option(
"--user-agent",
dest="agent",
help=u"自定义修改HTTP请求头中User-Agent值,只有--level等级为3以上设置才会生效")
request.add_option("--random-agent",
dest="randomAgent",
action="store_true",
help=u"使用随机选择的HTTP User-Agent header值")
request.add_option("--host",
dest="host",
help=u"自定义修改HTTP请求头中的Host值,只有在--level值为5的时候设置才会生效")
request.add_option("--referer",
dest="referer",
help=u"sqlmap可以在请求中伪造HTTP中的referer,"
u"当--level参数设定为3或者3以上的时候会尝试对referer注入。")
request.add_option(
"-H",
"--header",
dest="header",
help=u"Extra header (例如: \"X-Forwarded-For: 127.0.0.1\")")
request.add_option(
"--headers",
dest="headers",
help=u"Extra headers (例如: \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type",
dest="authType",
help=u"HTTP认证类型(Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred",
dest="authCred",
help=u"HTTP身份验证凭证(用户名:密码)")
request.add_option("--auth-file",
dest="authFile",
help=u"HTTP认证PEM认证/私钥文件")
request.add_option("--ignore-401",
dest="ignore401",
action="store_true",
help=u"忽略HTTP错误401(未经授权)")
request.add_option("--ignore-proxy",
dest="ignoreProxy",
action="store_true",
help=u"忽略系统默认代理设置")
request.add_option("--ignore-redirects",
dest="ignoreRedirects",
action="store_true",
help=u"忽略重定向尝试")
request.add_option("--ignore-timeouts",
dest="ignoreTimeouts",
action="store_true",
help=u"忽略连接超时")
request.add_option("--proxy", dest="proxy", help=u"使用代理连接到目标URL")
request.add_option("--proxy-cred",
dest="proxyCred",
help=u"代理认证凭证(用户名:密码)")
request.add_option("--proxy-file", dest="proxyFile", help=u"从文件加载代理列表")
request.add_option("--tor",
dest="tor",
action="store_true",
help=u"使用Tor匿名网络")
request.add_option("--tor-port",
dest="torPort",
help=u"设置tor的端口,如果不是默认端口的话")
request.add_option("--tor-type",
dest="torType",
help=u"设置Tor代理类型(HTTP, SOCKS4 or SOCKS5 (default))")
request.add_option("--check-tor",
dest="checkTor",
action="store_true",
help=u"检查Tor是否可用")
request.add_option("--delay",
dest="delay",
type="float",
help=u"每个HTTP请求之间的延迟秒数")
request.add_option("--timeout",
dest="timeout",
type="float",
help=u"设置超时时间,默认%d秒" % defaults.timeout)
request.add_option("--retries",
dest="retries",
type="int",
help=u"设置连接超时时重试次数,默认%d次" % defaults.retries)
request.add_option("--randomize", dest="rParam", help=u"随机更改给定参数的值")
request.add_option("--safe-url",
dest="safeUrl",
help=u"有的web程序会在多次错误访问后屏蔽所有请求,这样就导致之后所有的测试无法进行,"
u"绕过这个策略可以使用--safe-url,每隔一段时间去访问一个正常的页面。")
request.add_option("--safe-post",
dest="safePost",
help=u"发送POST数据到一个安全的URL")
request.add_option("--safe-req",
dest="safeReqFile",
help=u"从文件加载安全的HTTP请求")
request.add_option("--safe-freq",
dest="safeFreq",
type="int",
help=u"提供一个安全无错误的连接,在测试URL和安全链接之间交叉访问")
request.add_option(
"--skip-urlencode",
dest="skipUrlEncode",
action="store_true",
help=u"根据参数位置,他的值默认将会被URL编码,但是有些时候后端的web服务器不遵守RFC标准,"
u"只接受不经过URL编码的值,这时候就需要用--skip-urlencode参数,跳过Payload数据的URL编码")
request.add_option("--csrf-token",
dest="csrfToken",
help=u"设置CSRF的token")
request.add_option("--csrf-url",
dest="csrfUrl",
help=u"访问URL地址提取anti-CSRF token")
request.add_option("--force-ssl",
dest="forceSSL",
action="store_true",
help=u"强制使用SSL/HTTPS")
request.add_option(
"--hpp",
dest="hpp",
action="store_true",
help=
u"使用HTTP参数污染方法绕过WAF的检测机制,HTTP参数污染是一种可以绕过WAF/IPS/IDS的方法,这在面对ASP/IIS 或者是ASP.NET/IIS 组合的时候非常有用,如果你怀疑目标使用了某种保护(WAF/IDS/IPS) 那么你可以试试这个选项"
)
request.add_option(
"--eval",
dest="evalCode",
help=u"发送请求之前,先运行这段python代码,比如下面的hash参数就是id的md5值 "
u"(python sqlmap.py -u \"http://www.target.com/vuln.php?id=1&hash=c4ca4238a0b923820dcc509a6f75849b\" "
u"--eval = \"import hashlib;hash=hashlib.md5(id).hexdigest()\")")
# 优化选项
optimization = OptionGroup(parser, u"优化", u"这些选项可用于优化sqlmap的性能")
optimization.add_option("-o",
dest="optimize",
action="store_true",
help=u"开启所有优化选项")
optimization.add_option("--predict-output",
dest="predictOutput",
action="store_true",
help=u"预测常见查询输出")
optimization.add_option("--keep-alive",
dest="keepAlive",
action="store_true",
help=u"使用持久的HTTP(s)连接")
optimization.add_option("--null-connection",
dest="nullConnection",
action="store_true",
help=u"检索页面长度,排除实际的 HTTP 响应内容")
optimization.add_option("--threads",
dest="threads",
type="int",
help=u"最大并发HTTP(s)请求数(默认为%d)" %
defaults.threads)
# 注入选项
injection = OptionGroup(parser, u"注入",
u"这些选项可用于指定要测试的参数,提供自定义注入Payload和篡改脚本")
injection.add_option(
"-p",
dest="testParameter",
help=u"手动指定要测试的参数,默认情况下sqlmap会测试所有的GET和POST参数(例如: -p \"id\")")
injection.add_option("--skip", dest="skip", help=u"跳过你不想进行注入测试的参数")
injection.add_option("--skip-static",
dest="skipStatic",
action="store_true",
help=u"跳过那些不是动态的测试参数,对静态参数进行注入测试是徒劳的")
injection.add_option("--param-exclude",
dest="paramExclude",
help=u"使用正则表达式来排除不需要测试的参数 (例如:\"ses\")")
injection.add_option("--dbms",
dest="dbms",
help=u"指定后端的数据库类型(如mysql,oracle等)")
injection.add_option("--dbms-cred",
dest="dbmsCred",
help=u"数据库认证凭证(user:password)")
injection.add_option("--os",
dest="os",
help=u"手动指定后端DBMS操作系统(Windows,linux)")
injection.add_option(
"--invalid-bignum",
dest="invalidBignum",
action="store_true",
help=u"指定无效的大数字id=13,sqlmap会变成id=-13来报错,你也可以指定比如id=9999999来报错")
injection.add_option(
"--invalid-logical",
dest="invalidLogical",
action="store_true",
help=u"指定无效的逻辑,可以指定id=13把原来的id=-13的报错改成id=13 AND 18=19")
injection.add_option("--invalid-string",
dest="invalidString",
action="store_true",
help=u"使用随机字符串无效值来给参数赋值")
injection.add_option("--no-cast",
dest="noCast",
action="store_true",
help=u"关闭payload构造机制")
injection.add_option("--no-escape",
dest="noEscape",
action="store_true",
help=u"关闭字符串转义机制")
injection.add_option("--prefix",
dest="prefix",
help=u"设置注入的前缀,比如单引号注入点,就设置前缀为单引号")
"""
注入payload
参数:--prefix, --suffix
在有些环境中,需要在注入的payload的前面或者后面加一些字符,来保证payload的正常执行。
例如,代码中是这样调用数据库的:
$query = "SELECT * FROM users WHERE id=(’". $_GET[’id’]."’) LIMIT 0, 1";
这时你就需要--prefix和--suffix参数了:
python sqlmap.py -u "http://xxx.com/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "’)" --suffix "AND (’abc’=’abc"
这样执行的SQL语句变成:
$query = "SELECT * FROM users WHERE id=('1') <PAYLOAD> AND ('abc'='abc') LIMIT 0, 1";
"""
injection.add_option("--suffix", dest="suffix", help=u"设置注入payload的后缀")
injection.add_option("--tamper",
dest="tamper",
help=u"使用tamper脚本修改请求从而逃避WAF的规则检测")
# 探测选项
detection = OptionGroup(parser, u"探测", u"这些选项可用于指定检测目标的等级")
detection.add_option("--level",
dest="level",
type="int",
help=u"探测等级(1-5,默认%d级)" % defaults.level)
detection.add_option("--risk",
dest="risk",
type="int",
help=u"风险等级(1-3, 默认%d级)" % defaults.risk)
detection.add_option(
"--string",
dest="string",
help=
u"设置原始页面与条件为真情况下页面中都存在的字符串,而错误页面中不存在,如果页面返回这个字符串,说明我们的注入判断语句是正确的")
detection.add_option("--not-string",
dest="notString",
help=u"设置一段在原始页面与真条件页面中都不存在的字符串,而错误页面中存在的字符串")
detection.add_option("--regexp",
dest="regexp",
help=u"利用正则匹配页面返回内容,如果存在匹配字符串,则可能存在注入点")
detection.add_option("--code",
dest="code",
type="int",
help=u"用HTTP响应码来判断注入语句是否正确,"
u"例如,响应200的时候为真,响应401的时候为假,可以添加参数--code=200")
detection.add_option(
"--text-only",
dest="textOnly",
action="store_true",
help=
u"基于文本内容比较页面,如果在HTTP响应中存在大量脚本、或者是各种内嵌的东西 ,可以通过使用--text-only来进行筛选只显示文本内容"
)
detection.add_option(
"--titles",
dest="titles",
action="store_true",
help=
u"基于标题比较页面,如果使用者知道正常、错误响应之间的HTML标题的区别 (例如Welcom为正常,Forbidden为错误)那么他可以通过使用--titles来比较HTML标题的不同来提示sqlmap是否能够注入"
)
# 注入技术
techniques = OptionGroup(parser, u"注入技术", u"这些选项可用于指定具体的SQL注入技术的测试")
techniques.add_option("--technique",
dest="tech",
help=u"要使用的SQL注入技术(默认 \"%s\")" % defaults.tech)
techniques.add_option("--time-sec",
dest="timeSec",
type="int",
help=u"设定延迟注入的时间,"
u"当使用基于时间的盲注时,时刻使用--time-sec参数设定延时时间,默认是%d秒" %
defaults.timeSec)
techniques.add_option(
"--union-cols",
dest="uCols",
help=u"设定SQL注入时UNION查询字段数范围,如:12-16,是测试12-16个字段数")
techniques.add_option(
"--union-char",
dest="uChar",
help=
u"设定UNION查询使用的字符,用于爆破字段数目的字符,默认使用NULL字符,但是有些情况下会造成页面返回失败,而一个随机整数是成功的,这时你可以用--union-char指定UNION查询的字符"
)
techniques.add_option(
"--union-from",
dest="uFrom",
help=
u"在某些UNION查询SQL注入情况下,需要在FROM子句中强制使用有效且可访问的表名。 例如,Microsoft Access需要使用这样的表。 如果不提供一个UNION查询,SQL注入将无法正确执行(例如 --union-from = users)"
)
techniques.add_option("--dns-domain",
dest="dnsDomain",
help=u"用于DNS渗透攻击的域名")
techniques.add_option(
"--second-order",
dest="secondOrder",
help=
u"二阶注入是攻击者首先提交恶意的请求,在数据库保存成功后 再提交另外一个用于检索之前的恶意请求的请求,如果攻击成功,那么响应会在第二次响应中返回结果,使用这个选项的时候后面跟着的是显示结果页面的URL。有些时候注入点输入的数据返回结果的时候并不是当前的页面,而是另外的一个页面,这时候就需要你指定到哪个页面来获取响应结果判断真假。--second-order后面跟一个判断页面的URL地址。"
)
# 指纹识别选项
fingerprint = OptionGroup(parser, u"指纹识别")
fingerprint.add_option("-f",
"--fingerprint",
dest="extensiveFp",
action="store_true",
help=u"利用数据库特有的指纹信息识别其数据库类型和版本号")
# 枚举选项
enumeration = OptionGroup(
parser, u"检索数据", u"这些选项可用于枚举表中包含的DBMS信息结构和数据。此外,您可以运行自己的SQL语句")
enumeration.add_option("-a",
"--all",
dest="getAll",
action="store_true",
help=u"检索所有内容")
enumeration.add_option("-b",
"--banner",
dest="getBanner",
action="store_true",
help=u"检索数据库管理系统的标识(如mysql,oracle)")
enumeration.add_option("--current-user",
dest="getCurrentUser",
action="store_true",
help=u"检索当前连接数据库的用户CURRENT_USER()")
enumeration.add_option("--current-db",
dest="getCurrentDb",
action="store_true",
help=u"检索当前连接的数据库DATABASE()")
enumeration.add_option("--hostname",
dest="getHostname",
action="store_true",
help=u"检索服务器的主机名@@HOSTNAME")
enumeration.add_option("--is-dba",
dest="isDba",
action="store_true",
help=u"判断当前用户是否为管理,是的话会返回True")
enumeration.add_option("--users",
dest="getUsers",
action="store_true",
help=u"枚举数据库用户,"
u"当前用户有权限读取包含所有用户的表的权限时,就可以列出所有管理用户")
enumeration.add_option("--passwords",
dest="getPasswordHashes",
action="store_true",
help=u"枚举数据库用户密码的哈希值并尝试破解")
enumeration.add_option("--privileges",
dest="getPrivileges",
action="store_true",
help=u"枚举数据库用户的权限")
enumeration.add_option("--roles",
dest="getRoles",
action="store_true",
help=u"枚举数据库用户的角色")
enumeration.add_option("--dbs",
dest="getDbs",
action="store_true",
help=u"列出所有的数据库")
enumeration.add_option("--tables",
dest="getTables",
action="store_true",
help=u"列举数据库中的所有表")
enumeration.add_option("--columns",
dest="getColumns",
action="store_true",
help=u"列举数据库表中的字段,同时也会列出字段的数据类型")
enumeration.add_option("--schema",
dest="getSchema",
action="store_true",
help=u"列举数据库系统的架构,包含所有的数据库,表和字段,以及各自的类型")
enumeration.add_option("--count",
dest="getCount",
action="store_true",
help=u"检索表的条目数")
enumeration.add_option("--dump",
dest="dumpTable",
action="store_true",
help=u"获取整个表的数据")
enumeration.add_option("--dump-all",
dest="dumpAll",
action="store_true",
help=u"获取所有数据库表中的内容")
enumeration.add_option("--search",
dest="search",
action="store_true",
help=u"搜索字段,表,数据库,配合下面的-D,-C,-T")
enumeration.add_option("--comments",
dest="getComments",
action="store_true",
help=u"枚举数据库的注释")
enumeration.add_option("-D", dest="db", help=u"要进行枚举的数据库名")
enumeration.add_option("-T", dest="tbl", help=u"要进行枚举的数据库表")
enumeration.add_option("-C", dest="col", help=u"要进行枚举的数据库字段")
enumeration.add_option("-X", dest="excludeCol", help=u"指定不枚举那个字段")
enumeration.add_option("-U", dest="user", help=u"枚举数据库用户")
enumeration.add_option("--exclude-sysdbs",
dest="excludeSysDbs",
action="store_true",
help=u"枚举表时排除系统数据库")
enumeration.add_option("--pivot-column",
dest="pivotColumn",
help=u"行转列名称")
enumeration.add_option("--where",
dest="dumpWhere",
help=u"使用WHERE条件查询/获取指定表中的内容")
enumeration.add_option("--start",
dest="limitStart",
type="int",
help=u"指定开始从第几行开始输出,如--start=3,前两行就不输出了")
enumeration.add_option("--stop",
dest="limitStop",
type="int",
help=u"指定从第几行开始停止输出")
enumeration.add_option("--first",
dest="firstChar",
type="int",
help=u"指定从第几个字符之后开始输出")
enumeration.add_option("--last",
dest="lastChar",
type="int",
help=u"指定输出到第几个字符后停止输出,盲注才有效,亲测,跟上面的配合指定范围,"
u"如 :--first 3 --last 5 只输出3到5位置的字符")
enumeration.add_option("--sql-query",
dest="query",
help=u"指定执行我们的sql语句")
enumeration.add_option("--sql-shell",
dest="sqlShell",
action="store_true",
help=u"返回一个sql的shell")
enumeration.add_option("--sql-file",
dest="sqlFile",
help=u"从文件中读取执行sql语句")
# 爆破选项
brute = OptionGroup(parser, u"爆破", u"这些选项可用于执行爆破检查")
brute.add_option("--common-tables",
dest="commonTables",
action="store_true",
help=u"检测常见的表名,暴力破解表名")
brute.add_option("--common-columns",
dest="commonColumns",
action="store_true",
help=u"检测常见的字段名,暴力破解列名")
# 用户自定义的功能选项
udf = OptionGroup(parser, u"使用用户自定义的功能进行注入")
udf.add_option("--udf-inject",
dest="udfInject",
action="store_true",
help=u"注入用户自定义的功能")
udf.add_option("--shared-lib", dest="shLib", help=u"共享库的本地路径")
# 文件系统访问"", "这些选项可用于访问基础文件系统的后端数据库管理系统"
filesystem = OptionGroup(parser, u"文件系统访问", u"这些选项可用于访问基础文件系统的后端DBMS")
filesystem.add_option("--file-read",
dest="rFile",
help=u"从数据库服务器中读取文件")
filesystem.add_option("--file-write",
dest="wFile",
help=u"把文件写入/上传到数据库服务器中")
filesystem.add_option("--file-dest",
dest="dFile",
help=u"写入数据库服务器的绝对路径")
# Takeover options
takeover = OptionGroup(parser, u"操作系统访问", u"这些选项可用于访问基础操作系统的后端DBMS")
takeover.add_option("--os-cmd", dest="osCmd", help=u"执行操作系统命令")
takeover.add_option("--os-shell",
dest="osShell",
action="store_true",
help=u"返回一个shell")
takeover.add_option("--os-pwn",
dest="osPwn",
action="store_true",
help=u"调出一个带外shell/meterpreter/VNC")
takeover.add_option("--os-smbrelay",
dest="osSmb",
action="store_true",
help=u"一键调出OOB shell/meterpreter/VNC")
takeover.add_option("--os-bof",
dest="osBof",
action="store_true",
help=u"存储过程缓冲区溢出利用")
takeover.add_option("--priv-esc",
dest="privEsc",
action="store_true",
help=u"对当前连接数据库进程的用户进行权限提升")
takeover.add_option("--msf-path",
dest="msfPath",
help=u"安装Metasploit Framework的本地路径")
takeover.add_option("--tmp-path",
dest="tmpPath",
help=u"临时文件目录的远程绝对路径")
# Windows registry options
windows = OptionGroup(parser, u"Windows注册表访问",
u"这些选项可用于访问后端数据库管理系统Windows注册表")
windows.add_option("--reg-read",
dest="regRead",
action="store_true",
help=u"读取Windows注册表项值")
windows.add_option("--reg-add",
dest="regAdd",
action="store_true",
help=u"写入注册表值")
windows.add_option("--reg-del",
dest="regDel",
action="store_true",
help=u"删除注册表值")
windows.add_option("--reg-key", dest="regKey",
help=u"指定键,配合之前三个参数使用,"
u"例如:python sqlmap.py -u http://192.168.136.129/sqlmap/pgsql/get_int.aspx?id=1"
u" --reg-add --reg-key=\"HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap\" --reg-value=Test" \
u" --reg-type=REG_SZ --reg-data=1")
windows.add_option("--reg-value", dest="regVal", help=u"指定键值")
windows.add_option("--reg-data", dest="regData", help=u"指定键值的数据")
windows.add_option("--reg-type", dest="regType", help=u"指定键值的类型")
# 常用选项
general = OptionGroup(parser, u"通用", u"一些常用选项")
general.add_option("-s",
dest="sessionFile",
help=u"从(.sqlite)文件中读取session会话")
general.add_option(
"-t",
dest="trafficFile",
help=u"保存HTTP(S)日志,这个参数需要跟一个文本文件,sqlmap会把HTTP(S)请求与响应的日志保存到那里")
general.add_option("--batch",
dest="batch",
action="store_true",
help=u"非交互模式,用此参数,不需要用户输入,将会使用sqlmap提示的默认值一直运行下去")
general.add_option(
"--binary-fields",
dest="binaryFields",
help=u"Result fields having binary values (例如: \"digest\")")
general.add_option("--charset",
dest="charset",
help=u"强制指定字符编码(如:--charset=GBK)")
general.add_option("--check-internet",
dest="checkInternet",
action="store_true",
help=u"访问\"http://ipinfo.io/\"确认是否连接到互联网")
general.add_option(
"--crawl",
dest="crawlDepth",
type="int",
help=u"爬行网站URL,sqlmap可以收集潜在的可能存在漏洞的连接,后面跟的参数是爬行的深度--batch --crawl=3"
)
general.add_option(
"--crawl-exclude",
dest="crawlExclude",
help=
u"使用正则表达式排除网页中我们不想抓取的内容 (例如我们不想爬行url中包含logout的页面,可以这样写--crawl-exclude=logout)"
)
general.add_option(
"--csv-del",
dest="csvDel",
help=u"当保存为CSV格式时(--dump-format=CSV),需要一个分隔符(默认是逗号: \"%s\"),"
u"用户也可以改为别的,如分号:--csv-del=\";\" " % defaults.csvDel)
general.add_option("--dump-format",
dest="dumpFormat",
help=u"输出数据的格式(CSV,HTML或SQLITE)默认输出CSV格式")
general.add_option(
"--eta",
dest="eta",
action="store_true",
help=u"计算注入数据的剩余时间,sqlmap先输出长度,预计完成时间,显示百分比,输出字符"
u"17% [========> ] 11/64 ETA 00:19")
general.add_option(
"--flush-session",
dest="flushSession",
action="store_true",
help=u"刷新session文件,如果不想用之前缓存这个目标的session文件,可以使用这个参数。 "
u"会清空之前的session,重新测试该目标。")
general.add_option(
"--forms",
dest="forms",
action="store_true",
help=
u"在目标网址上解析和测试表单,如果你想通过form表单来测试SQL注入或者是弱密码(名字加密码) ,你可以通过使用-r把请求保存在文件中进行测试 或者--data发送POST数据 或者让sqlmap自动选择个选项对HTML响应中的<;form>;或者是<;input>;这样的标签进行测试,通过给sqlmap提供目标地址参数-u以及使用--form参数,它会自动请求对应的目标地址并且对form表单的输入进行测试"
)
general.add_option("--fresh-queries",
dest="freshQueries",
action="store_true",
help=u"忽略存储在会话文件中的查询结果")
general.add_option("--har", dest="harFile", help=u"将所有HTTP流量记录到HAR文件中")
general.add_option(
"--hex",
dest="hexConvert",
action="store_true",
help=
u"使用DBMS十六进制功能进行数据检索,很多情况下你检索的数据可能是非ASCII码的, 解决这个问题的一个办法是使用DBMS十六进制功能。 在这个开关打开的情况下,数据在被检索之前被编码为十六进制形式,然后被编码为原始形式。"
)
general.add_option("--output-dir",
dest="outputDir",
action="store",
help=u"自定义输出目录路径")
general.add_option("--parse-errors",
dest="parseErrors",
action="store_true",
help=u"从响应中解析并显示DBMS错误消息")
general.add_option("--save", dest="saveConfig", help=u"将选项保存到配置文件中INI")
general.add_option("--scope",
dest="scope",
help=u"利用正则表达式从提供的代理日志中过滤目标")
general.add_option("--test-filter",
dest="testFilter",
help=u"通过Payload和/或标题选择测试 (例如:ROW)")
general.add_option("--test-skip",
dest="testSkip",
help=u"跳过Payload和/或标题测试 (例如:BENCHMARK)")
general.add_option("--update",
dest="updateAll",
action="store_true",
help=u"更新sqlmap")
# 杂项
miscellaneous = OptionGroup(parser, u"解忧杂货铺")
miscellaneous.add_option("-z",
dest="mnemonics",
help=u"使用简短的助记符 (例如: \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option("--alert",
dest="alert",
help=u"发现SQL注入时运行主机操作系统命令")
miscellaneous.add_option(
"--answers",
dest="answers",
help=
u"设置问题的答案,在使用--batch的时候可以通过使用--answers来指定某个回答所需要的答案,如果是多个的话 可以通过使用,来进行分隔 (例如: \"quit=N,follow=N\")"
)
miscellaneous.add_option("--beep",
dest="beep",
action="store_true",
help=u"检测到注入点时发出蜂鸣声提示")
miscellaneous.add_option("--cleanup",
dest="cleanup",
action="store_true",
help=u"清除sqlmap注入时产生的udf与表")
miscellaneous.add_option(
"--dependencies",
dest="dependencies",
action="store_true",
help=
u"检查sqlmap是否缺少第三方库,sqlmap在某些特定的情况下需要用到第三方的库 (例如 -d --os-pwn用到的icmpsh 通道 --auth-type 用到的NTLM HTTP认证类型) 在这些情况下都会有警告,建议使用--dependencies来进行检查"
)
miscellaneous.add_option("--disable-coloring",
dest="disableColoring",
action="store_true",
help=u"禁用控制台输出着色")
miscellaneous.add_option(
"--gpage",
dest="googlePage",
type="int",
help=u"默认sqlmap使用前100个URL地址作为注入测试,结合此选项,可以对指定页码的URL测试")
miscellaneous.add_option("--identify-waf",
dest="identifyWaf",
action="store_true",
help=u"对WAF/IPS/IDS保护进行全面测试")
miscellaneous.add_option(
"--mobile",
dest="mobile",
action="store_true",
help=u"通过HTTP User-Agent header模拟智能手机,"
u"有时服务端只接收移动端的访问,此时可以设定一个手机的User-Agent来模仿手机登陆")
miscellaneous.add_option("--offline",
dest="offline",
action="store_true",
help=u"离线模式工作(仅使用会话数据)")
miscellaneous.add_option(
"--purge-output",
dest="purgeOutput",
action="store_true",
help=u"从输出目录中安全删除所有内容,有时需要删除结果文件,而不被恢复,原有文件将会被随机的一些文件覆盖")
miscellaneous.add_option("--skip-waf",
dest="skipWaf",
action="store_true",
help=u"跳过启发式检测WAF/IPS/IDS保护")
miscellaneous.add_option(
"--smart",
dest="smart",
action="store_true",
help=u"启发式判断注入,有时对目标非常多的URL进行测试,为节省时间,只对能够快速判断为注入的报错点进行注入")
miscellaneous.add_option("--sqlmap-shell",
dest="sqlmapShell",
action="store_true",
help=u"交互式sqlmap shell")
miscellaneous.add_option("--tmp-dir",
dest="tmpDir",
help=u"用于存储临时文件的本地目录")
miscellaneous.add_option("--web-root",
dest="webRoot",
help=u"Web服务器文件根目录(例如 \"/var/www\")")
miscellaneous.add_option("--wizard",
dest="wizard",
action="store_true",
help=u"简单的向导界面,用于初级用户")
# Hidden and/or experimental options
parser.add_option("--dummy",
dest="dummy",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--murphy-rate",
dest="murphyRate",
type="int",
help=SUPPRESS_HELP)
parser.add_option("--disable-precon",
dest="disablePrecon",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--disable-stats",
dest="disableStats",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--profile",
dest="profile",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-dns",
dest="forceDns",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--force-threads",
dest="forceThreads",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test",
dest="smokeTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test",
dest="liveTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail",
dest="stopFail",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
# API选项
parser.add_option("--api",
dest="api",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--taskid", dest="taskid", help=SUPPRESS_HELP)
parser.add_option("--database", dest="database", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack可以显示更长的选项,而不会分成两行
def _(self, *args):
retVal = parser.formatter._format_option_strings(*args)
# sqlmap参数的最大长度
# MAX_HELP_OPTION_LENGTH = 18
if len(retVal) > MAX_HELP_OPTION_LENGTH:
retVal = ("%%.%ds.." %
(MAX_HELP_OPTION_LENGTH -
parser.formatter.indent_increment)) % retVal
return retVal
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(
parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option '-hh'简短选项
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch '-h'固有的帮助信息
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("此帮助", "基本的帮助")
_ = []
prompt = False
advancedHelp = True
extraHeaders = []
# Reference: https://stackoverflow.com/a/4012683 (Note: previously used "...sys.getfilesystemencoding() or UNICODE_ENCODING")
for arg in argv:
_.append(getUnicode(arg, encoding=sys.stdin.encoding))
argv = _
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
command = getUnicode(command, encoding=sys.stdin.encoding)
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
dataToStdout(u"[i] 清除历史记录\n")
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
dataToStdout(u"[!] 提供无效选项\n")
dataToStdout(
u"[i] 正确的例子: '-u http://www.site.com/vuln.php?id=1 --banner'\n"
)
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
try:
for arg in shlex.split(command):
argv.append(getUnicode(arg, encoding=sys.stdin.encoding))
except ValueError, ex:
raise SqlmapSyntaxException, u"命令行解析时出错 ('%s')" % ex.message
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif len(argv[i]) > 1 and all(
ord(_) in xrange(0x2018, 0x2020)
for _ in ((argv[i].split('=', 1)[-1].strip() or ' ')[0],
argv[i][-1])):
dataToStdout("[!] 从互联网上复制粘贴非法(非控制台)引号字符是非法的(%s)\n" % argv[i])
raise SystemExit
elif len(argv[i]) > 1 and u"\uff0c" in argv[i].split('=', 1)[-1]:
dataToStdout("[!] 从互联网复制粘贴非法(非控制台)逗号字符是非法的(%s)\n" % argv[i])
raise SystemExit
elif re.search(r"\A-\w=.+", argv[i]):
dataToStdout("[!] 检测到潜在的错误(非法的 '=') 短选项 ('%s')\n" % argv[i])
raise SystemExit
elif argv[i] == "-H":
if i + 1 < len(argv):
extraHeaders.append(argv[i + 1])
elif re.match(r"\A\d+!\Z", argv[i]) and argv[max(
0, i - 1)] == "--threads" or re.match(
r"\A--threads.+\d+!\Z", argv[i]):
argv[i] = argv[i][:-1]
conf.skipThreadCheck = True
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] in ("-h", "--help"):
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
for verbosity in (_ for _ in argv if re.search(r"\A\-v+\Z", _)):
try:
if argv.index(verbosity) == len(argv) - 1 or not argv[
argv.index(verbosity) + 1].isdigit():
conf.verbose = verbosity.count('v') + 1
del argv[argv.index(verbosity)]
except (IndexError, ValueError):
pass
try:
(args, _) = parser.parse_args(argv)
except UnicodeEncodeError, ex:
dataToStdout("\n[!] %s\n" % ex.object.encode("unicode-escape"))
raise SystemExit
def cmdLineParser():
"""
This function parses the command line parameters and arguments
"""
checkSystemEncoding()
_ = os.path.normpath(sys.argv[0])
usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
"\"%s\"" % _ if " " in _ else _)
parser = OptionParser(usage=usage)
try:
parser.add_option("--hh",
dest="advancedHelp",
action="store_true",
help="Show advanced help message and exit")
parser.add_option("--version",
dest="showVersion",
action="store_true",
help="Show program's version number and exit")
parser.add_option("-v",
dest="verbose",
type="int",
help="Verbosity level: 0-6 (default %d)" %
defaults.verbose)
# Target options
target = OptionGroup(
parser, "Target", "At least one of these "
"options has to be provided to define the target(s)")
target.add_option("-d",
dest="direct",
help="Connection string "
"for direct database connection")
target.add_option(
"-u",
"--url",
dest="url",
help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")
target.add_option("-l",
dest="logFile",
help="Parse target(s) from Burp "
"or WebScarab proxy log file")
target.add_option(
"-x",
dest="sitemapUrl",
help="Parse target(s) from remote sitemap(.xml) file")
target.add_option("-m",
dest="bulkFile",
help="Scan multiple targets given "
"in a textual file ")
target.add_option("-r",
dest="requestFile",
help="Load HTTP request from a file")
target.add_option("-g",
dest="googleDork",
help="Process Google dork results as target URLs")
target.add_option("-c",
dest="configFile",
help="Load options from a configuration INI file")
# Request options
request = OptionGroup(
parser, "Request", "These options can be used "
"to specify how to connect to the target URL")
request.add_option("--data",
dest="data",
help="Data string to be sent through POST")
request.add_option(
"--param-del",
dest="paramDel",
help="Character used for splitting parameter values")
request.add_option("--cookie",
dest="cookie",
help="HTTP Cookie header value")
request.add_option("--cookie-del",
dest="cookieDel",
help="Character used for splitting cookie values")
request.add_option(
"--load-cookies",
dest="loadCookies",
help="File containing cookies in Netscape/wget format")
request.add_option("--drop-set-cookie",
dest="dropSetCookie",
action="store_true",
help="Ignore Set-Cookie header from response")
request.add_option("--user-agent",
dest="agent",
help="HTTP User-Agent header value")
request.add_option(
"--random-agent",
dest="randomAgent",
action="store_true",
help="Use randomly selected HTTP User-Agent header value")
request.add_option("--host",
dest="host",
help="HTTP Host header value")
request.add_option("--referer",
dest="referer",
help="HTTP Referer header value")
request.add_option(
"--headers",
dest="headers",
help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")
request.add_option("--auth-type",
dest="authType",
help="HTTP authentication type "
"(Basic, Digest, NTLM or PKI)")
request.add_option("--auth-cred",
dest="authCred",
help="HTTP authentication credentials "
"(name:password)")
request.add_option("--auth-private",
dest="authPrivate",
help="HTTP authentication PEM private key file")
request.add_option("--ignore-401",
dest="ignore401",
action="store_true",
help="Ignore HTTP Error 401 (Unauthorized)")
request.add_option("--proxy",
dest="proxy",
help="Use a proxy to connect to the target URL")
request.add_option("--proxy-cred",
dest="proxyCred",
help="Proxy authentication credentials "
"(name:password)")
request.add_option("--proxy-file",
dest="proxyFile",
help="Load proxy list from a file")
request.add_option("--ignore-proxy",
dest="ignoreProxy",
action="store_true",
help="Ignore system default proxy settings")
request.add_option("--tor",
dest="tor",
action="store_true",
help="Use Tor anonymity network")
request.add_option("--tor-port",
dest="torPort",
help="Set Tor proxy port other than default")
request.add_option(
"--tor-type",
dest="torType",
help="Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)")
request.add_option("--check-tor",
dest="checkTor",
action="store_true",
help="Check to see if Tor is used properly")
request.add_option("--delay",
dest="delay",
type="float",
help="Delay in seconds between each HTTP request")
request.add_option("--timeout",
dest="timeout",
type="float",
help="Seconds to wait before timeout connection "
"(default %d)" % defaults.timeout)
request.add_option("--retries",
dest="retries",
type="int",
help="Retries when the connection timeouts "
"(default %d)" % defaults.retries)
request.add_option("--randomize",
dest="rParam",
help="Randomly change value for given parameter(s)")
request.add_option(
"--safe-url",
dest="safUrl",
help="URL address to visit frequently during testing")
request.add_option(
"--safe-freq",
dest="saFreq",
type="int",
help="Test requests between two visits to a given safe URL")
request.add_option("--skip-urlencode",
dest="skipUrlEncode",
action="store_true",
help="Skip URL encoding of payload data")
request.add_option("--csrf-token",
dest="csrfToken",
help="Parameter used to hold CSRF protection token")
request.add_option(
"--csrf-url",
dest="csrfUrl",
help="URL address to visit to extract CSRF protection token")
request.add_option("--force-ssl",
dest="forceSSL",
action="store_true",
help="Force usage of SSL/HTTPS")
request.add_option("--hpp",
dest="hpp",
action="store_true",
help="Use HTTP parameter pollution method")
request.add_option(
"--eval",
dest="evalCode",
help=
"Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")"
)
# Optimization options
optimization = OptionGroup(
parser, "Optimization", "These "
"options can be used to optimize the "
"performance of sqlmap")
optimization.add_option("-o",
dest="optimize",
action="store_true",
help="Turn on all optimization switches")
optimization.add_option("--predict-output",
dest="predictOutput",
action="store_true",
help="Predict common queries output")
optimization.add_option("--keep-alive",
dest="keepAlive",
action="store_true",
help="Use persistent HTTP(s) connections")
optimization.add_option(
"--null-connection",
dest="nullConnection",
action="store_true",
help="Retrieve page length without actual HTTP response body")
optimization.add_option("--threads",
dest="threads",
type="int",
help="Max number of concurrent HTTP(s) "
"requests (default %d)" % defaults.threads)
# Injection options
injection = OptionGroup(
parser, "Injection", "These options can be "
"used to specify which parameters to test "
"for, provide custom injection payloads and "
"optional tampering scripts")
injection.add_option("-p",
dest="testParameter",
help="Testable parameter(s)")
injection.add_option("--skip",
dest="skip",
help="Skip testing for given parameter(s)")
injection.add_option("--dbms",
dest="dbms",
help="Force back-end DBMS to this value")
injection.add_option(
"--dbms-cred",
dest="dbmsCred",
help="DBMS authentication credentials (user:password)")
injection.add_option("--os",
dest="os",
help="Force back-end DBMS operating system "
"to this value")
injection.add_option("--invalid-bignum",
dest="invalidBignum",
action="store_true",
help="Use big numbers for invalidating values")
injection.add_option(
"--invalid-logical",
dest="invalidLogical",
action="store_true",
help="Use logical operations for invalidating values")
injection.add_option("--invalid-string",
dest="invalidString",
action="store_true",
help="Use random strings for invalidating values")
injection.add_option("--no-cast",
dest="noCast",
action="store_true",
help="Turn off payload casting mechanism")
injection.add_option("--no-escape",
dest="noEscape",
action="store_true",
help="Turn off string escaping mechanism")
injection.add_option("--prefix",
dest="prefix",
help="Injection payload prefix string")
injection.add_option("--suffix",
dest="suffix",
help="Injection payload suffix string")
injection.add_option(
"--tamper",
dest="tamper",
help="Use given script(s) for tampering injection data")
# Detection options
detection = OptionGroup(
parser, "Detection", "These options can be "
"used to customize the detection phase")
detection.add_option("--level",
dest="level",
type="int",
help="Level of tests to perform (1-5, "
"default %d)" % defaults.level)
detection.add_option("--risk",
dest="risk",
type="int",
help="Risk of tests to perform (0-3, "
"default %d)" % defaults.level)
detection.add_option("--string",
dest="string",
help="String to match when "
"query is evaluated to True")
detection.add_option("--not-string",
dest="notString",
help="String to match when "
"query is evaluated to False")
detection.add_option("--regexp",
dest="regexp",
help="Regexp to match when "
"query is evaluated to True")
detection.add_option("--code",
dest="code",
type="int",
help="HTTP code to match when "
"query is evaluated to True")
detection.add_option(
"--text-only",
dest="textOnly",
action="store_true",
help="Compare pages based only on the textual content")
detection.add_option("--titles",
dest="titles",
action="store_true",
help="Compare pages based only on their titles")
# Techniques options
techniques = OptionGroup(
parser, "Techniques", "These options can be "
"used to tweak testing of specific SQL "
"injection techniques")
techniques.add_option("--technique",
dest="tech",
help="SQL injection techniques to use "
"(default \"%s\")" % defaults.tech)
techniques.add_option("--time-sec",
dest="timeSec",
type="int",
help="Seconds to delay the DBMS response "
"(default %d)" % defaults.timeSec)
techniques.add_option(
"--union-cols",
dest="uCols",
help="Range of columns to test for UNION query SQL injection")
techniques.add_option(
"--union-char",
dest="uChar",
help="Character to use for bruteforcing number of columns")
techniques.add_option(
"--union-from",
dest="uFrom",
help="Table to use in FROM part of UNION query SQL injection")
techniques.add_option(
"--dns-domain",
dest="dnsName",
help="Domain name used for DNS exfiltration attack")
techniques.add_option(
"--second-order",
dest="secondOrder",
help="Resulting page URL searched for second-order "
"response")
# Fingerprint options
fingerprint = OptionGroup(parser, "Fingerprint")
fingerprint.add_option(
"-f",
"--fingerprint",
dest="extensiveFp",
action="store_true",
help="Perform an extensive DBMS version fingerprint")
# Enumeration options
enumeration = OptionGroup(
parser, "Enumeration", "These options can "
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
"you can run your own SQL statements")
enumeration.add_option("-a",
"--all",
dest="getAll",
action="store_true",
help="Retrieve everything")
enumeration.add_option("-b",
"--banner",
dest="getBanner",
action="store_true",
help="Retrieve DBMS banner")
enumeration.add_option("--current-user",
dest="getCurrentUser",
action="store_true",
help="Retrieve DBMS current user")
enumeration.add_option("--current-db",
dest="getCurrentDb",
action="store_true",
help="Retrieve DBMS current database")
enumeration.add_option("--hostname",
dest="getHostname",
action="store_true",
help="Retrieve DBMS server hostname")
enumeration.add_option("--is-dba",
dest="isDba",
action="store_true",
help="Detect if the DBMS current user is DBA")
enumeration.add_option("--users",
dest="getUsers",
action="store_true",
help="Enumerate DBMS users")
enumeration.add_option("--passwords",
dest="getPasswordHashes",
action="store_true",
help="Enumerate DBMS users password hashes")
enumeration.add_option("--privileges",
dest="getPrivileges",
action="store_true",
help="Enumerate DBMS users privileges")
enumeration.add_option("--roles",
dest="getRoles",
action="store_true",
help="Enumerate DBMS users roles")
enumeration.add_option("--dbs",
dest="getDbs",
action="store_true",
help="Enumerate DBMS databases")
enumeration.add_option("--tables",
dest="getTables",
action="store_true",
help="Enumerate DBMS database tables")
enumeration.add_option("--columns",
dest="getColumns",
action="store_true",
help="Enumerate DBMS database table columns")
enumeration.add_option("--schema",
dest="getSchema",
action="store_true",
help="Enumerate DBMS schema")
enumeration.add_option("--count",
dest="getCount",
action="store_true",
help="Retrieve number of entries for table(s)")
enumeration.add_option("--dump",
dest="dumpTable",
action="store_true",
help="Dump DBMS database table entries")
enumeration.add_option("--dump-all",
dest="dumpAll",
action="store_true",
help="Dump all DBMS databases tables entries")
enumeration.add_option(
"--search",
dest="search",
action="store_true",
help="Search column(s), table(s) and/or database name(s)")
enumeration.add_option("--comments",
dest="getComments",
action="store_true",
help="Retrieve DBMS comments")
enumeration.add_option("-D",
dest="db",
help="DBMS database to enumerate")
enumeration.add_option("-T",
dest="tbl",
help="DBMS database table(s) to enumerate")
enumeration.add_option(
"-C",
dest="col",
help="DBMS database table column(s) to enumerate")
enumeration.add_option(
"-X",
dest="excludeCol",
help="DBMS database table column(s) to not enumerate")
enumeration.add_option("-U",
dest="user",
help="DBMS user to enumerate")
enumeration.add_option("--exclude-sysdbs",
dest="excludeSysDbs",
action="store_true",
help="Exclude DBMS system databases when "
"enumerating tables")
enumeration.add_option("--where",
dest="dumpWhere",
help="Use WHERE condition while table dumping")
enumeration.add_option("--start",
dest="limitStart",
type="int",
help="First query output entry to retrieve")
enumeration.add_option("--stop",
dest="limitStop",
type="int",
help="Last query output entry to retrieve")
enumeration.add_option(
"--first",
dest="firstChar",
type="int",
help="First query output word character to retrieve")
enumeration.add_option(
"--last",
dest="lastChar",
type="int",
help="Last query output word character to retrieve")
enumeration.add_option("--sql-query",
dest="query",
help="SQL statement to be executed")
enumeration.add_option("--sql-shell",
dest="sqlShell",
action="store_true",
help="Prompt for an interactive SQL shell")
enumeration.add_option(
"--sql-file",
dest="sqlFile",
help="Execute SQL statements from given file(s)")
# User-defined function options
brute = OptionGroup(
parser, "Brute force", "These "
"options can be used to run brute force "
"checks")
brute.add_option("--common-tables",
dest="commonTables",
action="store_true",
help="Check existence of common tables")
brute.add_option("--common-columns",
dest="commonColumns",
action="store_true",
help="Check existence of common columns")
# User-defined function options
udf = OptionGroup(
parser, "User-defined function injection", "These "
"options can be used to create custom user-defined "
"functions")
udf.add_option("--udf-inject",
dest="udfInject",
action="store_true",
help="Inject custom user-defined functions")
udf.add_option("--shared-lib",
dest="shLib",
help="Local path of the shared library")
# File system options
filesystem = OptionGroup(
parser, "File system access", "These options "
"can be used to access the back-end database "
"management system underlying file system")
filesystem.add_option("--file-read",
dest="rFile",
help="Read a file from the back-end DBMS "
"file system")
filesystem.add_option("--file-write",
dest="wFile",
help="Write a local file on the back-end "
"DBMS file system")
filesystem.add_option("--file-dest",
dest="dFile",
help="Back-end DBMS absolute filepath to "
"write to")
# Takeover options
takeover = OptionGroup(
parser, "Operating system access", "These "
"options can be used to access the back-end "
"database management system underlying "
"operating system")
takeover.add_option("--os-cmd",
dest="osCmd",
help="Execute an operating system command")
takeover.add_option("--os-shell",
dest="osShell",
action="store_true",
help="Prompt for an interactive operating "
"system shell")
takeover.add_option("--os-pwn",
dest="osPwn",
action="store_true",
help="Prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-smbrelay",
dest="osSmb",
action="store_true",
help="One click prompt for an OOB shell, "
"Meterpreter or VNC")
takeover.add_option("--os-bof",
dest="osBof",
action="store_true",
help="Stored procedure buffer overflow "
"exploitation")
takeover.add_option("--priv-esc",
dest="privEsc",
action="store_true",
help="Database process user privilege escalation")
takeover.add_option("--msf-path",
dest="msfPath",
help="Local path where Metasploit Framework "
"is installed")
takeover.add_option("--tmp-path",
dest="tmpPath",
help="Remote absolute path of temporary files "
"directory")
# Windows registry options
windows = OptionGroup(
parser, "Windows registry access", "These "
"options can be used to access the back-end "
"database management system Windows "
"registry")
windows.add_option("--reg-read",
dest="regRead",
action="store_true",
help="Read a Windows registry key value")
windows.add_option("--reg-add",
dest="regAdd",
action="store_true",
help="Write a Windows registry key value data")
windows.add_option("--reg-del",
dest="regDel",
action="store_true",
help="Delete a Windows registry key value")
windows.add_option("--reg-key",
dest="regKey",
help="Windows registry key")
windows.add_option("--reg-value",
dest="regVal",
help="Windows registry key value")
windows.add_option("--reg-data",
dest="regData",
help="Windows registry key value data")
windows.add_option("--reg-type",
dest="regType",
help="Windows registry key value type")
# General options
general = OptionGroup(
parser, "General", "These options can be used "
"to set some general working parameters")
#general.add_option("-x", dest="xmlFile",
# help="Dump the data into an XML file")
general.add_option("-s",
dest="sessionFile",
help="Load session from a stored (.sqlite) file")
general.add_option("-t",
dest="trafficFile",
help="Log all HTTP traffic into a "
"textual file")
general.add_option(
"--batch",
dest="batch",
action="store_true",
help="Never ask for user input, use the default behaviour")
general.add_option(
"--charset",
dest="charset",
help="Force character encoding used for data retrieval")
general.add_option(
"--crawl",
dest="crawlDepth",
type="int",
help="Crawl the website starting from the target URL")
general.add_option("--csv-del",
dest="csvDel",
help="Delimiting character used in CSV output "
"(default \"%s\")" % defaults.csvDel)
general.add_option(
"--dump-format",
dest="dumpFormat",
help="Format of dumped data (CSV (default), HTML or SQLITE)")
general.add_option("--eta",
dest="eta",
action="store_true",
help="Display for each output the "
"estimated time of arrival")
general.add_option("--flush-session",
dest="flushSession",
action="store_true",
help="Flush session files for current target")
general.add_option("--forms",
dest="forms",
action="store_true",
help="Parse and test forms on target URL")
general.add_option("--fresh-queries",
dest="freshQueries",
action="store_true",
help="Ignore query results stored in session file")
general.add_option("--hex",
dest="hexConvert",
action="store_true",
help="Use DBMS hex function(s) for data retrieval")
general.add_option("--output-dir",
dest="outputDir",
action="store",
help="Custom output directory path")
general.add_option(
"--parse-errors",
dest="parseErrors",
action="store_true",
help="Parse and display DBMS error messages from responses")
general.add_option("--pivot-column",
dest="pivotColumn",
help="Pivot column name")
general.add_option("--save",
dest="saveCmdline",
action="store_true",
help="Save options to a configuration INI file")
general.add_option(
"--scope",
dest="scope",
help="Regexp to filter targets from provided proxy log")
general.add_option(
"--test-filter",
dest="testFilter",
help="Select tests by payloads and/or titles (e.g. ROW)")
general.add_option("--update",
dest="updateAll",
action="store_true",
help="Update sqlmap")
# Miscellaneous options
miscellaneous = OptionGroup(parser, "Miscellaneous")
miscellaneous.add_option(
"-z",
dest="mnemonics",
help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")
miscellaneous.add_option(
"--alert",
dest="alert",
help="Run host OS command(s) when SQL injection is found")
miscellaneous.add_option(
"--answers",
dest="answers",
help="Set question answers (e.g. \"quit=N,follow=N\")")
miscellaneous.add_option(
"--beep",
dest="beep",
action="store_true",
help="Make a beep sound when SQL injection is found")
miscellaneous.add_option(
"--check-waf",
dest="checkWaf",
action="store_true",
help="Heuristically check for WAF/IPS/IDS protection")
miscellaneous.add_option("--cleanup",
dest="cleanup",
action="store_true",
help="Clean up the DBMS from sqlmap specific "
"UDF and tables")
miscellaneous.add_option(
"--dependencies",
dest="dependencies",
action="store_true",
help="Check for missing (non-core) sqlmap dependencies")
miscellaneous.add_option("--disable-coloring",
dest="disableColoring",
action="store_true",
help="Disable console output coloring")
miscellaneous.add_option(
"--gpage",
dest="googlePage",
type="int",
help="Use Google dork results from specified page number")
miscellaneous.add_option(
"--identify-waf",
dest="identifyWaf",
action="store_true",
help="Make a through testing for a WAF/IPS/IDS protection")
miscellaneous.add_option(
"--mobile",
dest="mobile",
action="store_true",
help="Imitate smartphone through HTTP User-Agent header")
miscellaneous.add_option(
"--page-rank",
dest="pageRank",
action="store_true",
help="Display page rank (PR) for Google dork results")
miscellaneous.add_option(
"--purge-output",
dest="purgeOutput",
action="store_true",
help="Safely remove all content from output directory")
miscellaneous.add_option(
"--smart",
dest="smart",
action="store_true",
help="Conduct through tests only if positive heuristic(s)")
miscellaneous.add_option("--sqlmap-shell",
dest="sqlmapShell",
action="store_true",
help="Prompt for an interactive sqlmap shell")
miscellaneous.add_option(
"--wizard",
dest="wizard",
action="store_true",
help="Simple wizard interface for beginner users")
# Hidden and/or experimental options
parser.add_option("--dummy",
dest="dummy",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--pickled-options",
dest="pickledOptions",
help=SUPPRESS_HELP)
parser.add_option("--profile",
dest="profile",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--binary-fields",
dest="binaryFields",
help=SUPPRESS_HELP)
parser.add_option("--cpu-throttle",
dest="cpuThrottle",
type="int",
help=SUPPRESS_HELP)
parser.add_option("--force-dns",
dest="forceDns",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--smoke-test",
dest="smokeTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--live-test",
dest="liveTest",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--stop-fail",
dest="stopFail",
action="store_true",
help=SUPPRESS_HELP)
parser.add_option("--run-case", dest="runCase", help=SUPPRESS_HELP)
parser.add_option_group(target)
parser.add_option_group(request)
parser.add_option_group(optimization)
parser.add_option_group(injection)
parser.add_option_group(detection)
parser.add_option_group(techniques)
parser.add_option_group(fingerprint)
parser.add_option_group(enumeration)
parser.add_option_group(brute)
parser.add_option_group(udf)
parser.add_option_group(filesystem)
parser.add_option_group(takeover)
parser.add_option_group(windows)
parser.add_option_group(general)
parser.add_option_group(miscellaneous)
# Dirty hack to display longer options without breaking into two lines
def _(self, *args):
_ = parser.formatter._format_option_strings(*args)
if len(_) > MAX_HELP_OPTION_LENGTH:
_ = ("%%.%ds.." % (MAX_HELP_OPTION_LENGTH -
parser.formatter.indent_increment)) % _
return _
parser.formatter._format_option_strings = parser.formatter.format_option_strings
parser.formatter.format_option_strings = type(
parser.formatter.format_option_strings)(_, parser, type(parser))
# Dirty hack for making a short option -hh
option = parser.get_option("--hh")
option._short_opts = ["-hh"]
option._long_opts = []
# Dirty hack for inherent help message of switch -h
option = parser.get_option("-h")
option.help = option.help.capitalize().replace("this help",
"basic help")
argv = []
prompt = False
advancedHelp = True
for arg in sys.argv:
argv.append(getUnicode(arg, system=True))
checkDeprecatedOptions(argv)
prompt = "--sqlmap-shell" in argv
if prompt:
parser.usage = ""
cmdLineOptions.sqlmapShell = True
_ = ["x", "q", "exit", "quit", "clear"]
for option in parser.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
for group in parser.option_groups:
for option in group.option_list:
_.extend(option._long_opts)
_.extend(option._short_opts)
autoCompletion(AUTOCOMPLETE_TYPE.SQLMAP, commands=_)
while True:
command = None
try:
command = raw_input("sqlmap-shell> ").strip()
except (KeyboardInterrupt, EOFError):
print
raise SqlmapShellQuitException
if not command:
continue
elif command.lower() == "clear":
clearHistory()
print "[i] history cleared"
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
elif command.lower() in ("x", "q", "exit", "quit"):
raise SqlmapShellQuitException
elif command[0] != '-':
print "[!] invalid option(s) provided"
print "[i] proper example: '-u http://www.site.com/vuln.php?id=1 --banner'"
else:
saveHistory(AUTOCOMPLETE_TYPE.SQLMAP)
loadHistory(AUTOCOMPLETE_TYPE.SQLMAP)
break
for arg in shlex.split(command):
argv.append(getUnicode(arg, system=True))
# Hide non-basic options in basic help case
for i in xrange(len(argv)):
if argv[i] == "-hh":
argv[i] = "-h"
elif argv[i] == "--version":
print VERSION_STRING.split('/')[-1]
raise SystemExit
elif argv[i] == "-h":
advancedHelp = False
for group in parser.option_groups[:]:
found = False
for option in group.option_list:
if option.dest not in BASIC_HELP_ITEMS:
option.help = SUPPRESS_HELP
else:
found = True
if not found:
parser.option_groups.remove(group)
try:
(args, _) = parser.parse_args(argv)
except SystemExit:
if "-h" in argv and not advancedHelp:
print "\n[!] to see full list of options run with '-hh'"
raise
# Expand given mnemonic options (e.g. -z "ign,flu,bat")
for i in xrange(len(argv) - 1):
if argv[i] == "-z":
expandMnemonics(argv[i + 1], parser, args)
if args.dummy:
args.url = args.url or DUMMY_URL
if not any((args.direct, args.url, args.logFile, args.bulkFile, args.googleDork, args.configFile, \
args.requestFile, args.updateAll, args.smokeTest, args.liveTest, args.wizard, args.dependencies, \
args.purgeOutput, args.pickledOptions, args.sitemapUrl)):
errMsg = "missing a mandatory option (-d, -u, -l, -m, -r, -g, -c, -x, --wizard, --update, --purge-output or --dependencies), "
errMsg += "use -h for basic or -hh for advanced help"
parser.error(errMsg)
return args
except (OptionError, TypeError), e:
parser.error(e)