SQLMAP | Reading Notes 1 {from sqlmap.py to argument parsing}

sqlmap is arguably the most widely used and most feature-rich injection tool around. As an open-source tool, its developers deliberately leave it to us to read and extend it; for a web-security person, reading the sqlmap source is worthwhile in its own right, and from a software-engineering standpoint the way the code base is laid out is well worth studying too.

From sqlmap.py all the way to jail

The very beginning

from lib.utils import versioncheck

Before sqlmap can run at all, it checks the Python version.

/lib/utils/versioncheck.py

import sys

PYVERSION = sys.version.split()[0]

if PYVERSION >= "3" or PYVERSION < "2.6":
    exit("[CRITICAL] incompatible Python version detected ('%s'). For successfully running sqlmap you'll have to use version 2.6 or 2.7 (visit 'http://www.python.org/download/')" % PYVERSION)

extensions = ("gzip", "ssl", "sqlite3", "zlib")
try:
    for _ in extensions:
        __import__(_)
except ImportError:
    errMsg = "missing one or more core extensions (%s) " % (", ".join("'%s'" % _ for _ in extensions))
    errMsg += "most probably because current version of Python has been "
    errMsg += "built without appropriate dev packages (e.g. 'libsqlite3-dev')"
    exit(errMsg)

这里利用__import__()抛出的异常来检查必要库的存在。
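The two checks above, written as reusable functions so they can be exercised with arbitrary inputs. This is an added example, not code from sqlmap; the names parse_version, python_version_ok, missing_extensions and runtime_report are this example's own. It also shows the one caveat worth knowing about versioncheck.py: comparing version strings lexically ("2.10" sorts before "2.6" as text) happens to work for the 2.6/2.7 window but breaks on any two-digit component, so the example compares tuples instead.

```python
# Added example (not sqlmap code): the same two runtime checks that
# lib/utils/versioncheck.py performs, made callable with arbitrary input.
import sys


def parse_version(text):
    """Turn '2.7.12' into (2, 7, 12) so versions compare numerically.

    versioncheck.py compares the version *string*; "2.10" < "2.6" is True
    as text, which is harmless for 2.6/2.7 but wrong in general.
    """
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:          # stop at the first non-digit ("4+" -> 4)
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def python_version_ok(version_string, low=(2, 6), high=(3, 0)):
    """True when low <= version < high (sqlmap's window here was 2.6 <= v < 3)."""
    return low <= parse_version(version_string) < high


def missing_extensions(names=("gzip", "ssl", "sqlite3", "zlib")):
    """Return the subset of `names` that cannot be imported.

    Same trick as versioncheck.py: __import__ raises ImportError when the
    interpreter was built without the underlying C library.  Unlike the
    original, every name is tried so the report lists all missing ones.
    """
    absent = []
    for name in names:
        try:
            __import__(name)
        except ImportError:
            absent.append(name)
    return absent


def runtime_report():
    """Combine both checks the way sqlmap.py does at import time."""
    version = sys.version.split()[0]
    return {
        "python": version,
        "version_ok": python_version_ok(version),
        "missing": missing_extensions(),
    }


if __name__ == "__main__":
    # On a modern Python 3 this reports the version as incompatible, exactly
    # as the old sqlmap did; the window is a parameter, so adjust it as needed.
    report = runtime_report()
    if not report["version_ok"]:
        sys.exit("[CRITICAL] incompatible Python version detected (%r)" % report["python"])
    if report["missing"]:
        sys.exit("missing core extensions: %s" % ", ".join(report["missing"]))
    print("runtime OK: Python %s" % report["python"])
```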

from lib.core.data import logger

Set up the logger.

def main()

        checkEnvironment()
        setPaths()
        banner()

First the environment is checked (paths, version).

def checkEnvironment():
    paths.SQLMAP_ROOT_PATH = modulePath()

    try:
        os.path.isdir(paths.SQLMAP_ROOT_PATH)
    except UnicodeEncodeError:
        errMsg = "your system does not properly handle non-ASCII paths. "
        errMsg += "Please move the sqlmap's directory to the other location"
        logger.critical(errMsg)
        raise SystemExit

    if distutils.version.LooseVersion(VERSION) < distutils.version.LooseVersion("1.0"):
        errMsg = "your runtime environment (e.g. PYTHONPATH) is "
        errMsg += "broken. Please make sure that you are not running "
        errMsg += "newer versions of sqlmap with runtime scripts for older "
        errMsg += "versions"
        logger.critical(errMsg)
        raise SystemExit

def modulePath():
    """
    This will get us the program's directory, even if we are frozen
    using py2exe
    """

    try:
        _ = sys.executable if weAreFrozen() else __file__
    except NameError:
        _ = inspect.getsourcefile(modulePath)

    return getUnicode(os.path.dirname(os.path.realpath(_)), encoding=sys.getfilesystemencoding())

weAreFrozen() here works around py2exe, under which __file__ cannot be used to find the module's path.

See the official example at http://www.py2exe.org/index.cgi/WhereAmI

Finally modulePath() returns the absolute path of the module, encoded with the system's filesystem encoding, which is stored in

paths.SQLMAP_ROOT_PATH

setPaths()

    """
    Sets absolute paths for project directories and files
    """

Sets the paths of the project directories and of the dictionaries, XML maps and similar files.

banner()

Configures the banner and the text colours.

Next comes parsing of the command-line arguments.

        # Store original command line options for possible later restoration
        cmdLineOptions.update(cmdLineParser().__dict__)
        initOptions(cmdLineOptions)

Follow cmdLineParser() into lib/parse/cmdline.py

def cmdLineParser(argv=None):
    """
    This function parses the command line parameters and arguments
    """

    if not argv:
        argv = sys.argv

    checkSystemEncoding()

    _ = getUnicode(os.path.basename(argv[0]), encoding=sys.getfilesystemencoding())

    usage = "%s%s [options]" % ("python " if not IS_WIN else "", \
            "\"%s\"" % _ if " " in _ else _)

    parser = OptionParser(usage=usage)

The parser is built on Python's optparse module. Before any option is defined, the part of the command line in front of the first argument (e.g. python sqlmap.py) is extracted and handed to OptionParser as the usage string.

After that come the options themselves, starting with the help, version and log-level ones.
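To make the OptionParser/OptionGroup layout concrete, here is a scaled-down parser built the same way, which returns the parsed options as a plain dict in the way sqlmap does with cmdLineParser().__dict__, and then validates the result. This is an added example and not sqlmap's cmdline.py: the functions build_parser, parse_args and validate, the default values and the validation rules are this example's own, and only a handful of the options are reproduced.

```python
# Added example (not sqlmap's cmdline.py): the same optparse structure,
# reduced to a few options, plus a validation pass over the resulting dict.
from optparse import OptionGroup, OptionParser


def build_parser():
    parser = OptionParser(usage="python sqlmap.py [options]")

    # Top-level options, like sqlmap's --hh / --version / -v
    parser.add_option("-v", dest="verbose", type="int", default=1,
                      help="Verbosity level: 0-6 (default 1)")

    # Option groups: OptionGroup(parser, title, description)
    target = OptionGroup(parser, "Target", "At least one of these options "
                         "has to be provided to define the target(s)")
    target.add_option("-u", "--url", dest="url", help="Target URL")
    target.add_option("-r", dest="requestFile",
                      help="Load HTTP request from a file")
    target.add_option("-m", dest="bulkFile",
                      help="Scan multiple targets given in a textual file")

    detection = OptionGroup(parser, "Detection", "These options can be used "
                            "to customize the detection phase")
    detection.add_option("--level", dest="level", type="int", default=1,
                         help="Level of tests to perform (1-5, default 1)")
    detection.add_option("--risk", dest="risk", type="int", default=1,
                         help="Risk of tests to perform (1-3, default 1)")

    # Groups only show up in --help and in parsing once they are attached
    parser.add_option_group(target)
    parser.add_option_group(detection)
    return parser


def parse_args(argv):
    """Parse argv (without the program name) into a dict of option values.

    optparse stores every dest as an attribute of the Values object, so
    options.__dict__ is exactly the dict sqlmap feeds into cmdLineOptions.
    """
    parser = build_parser()
    options, leftovers = parser.parse_args(argv)
    if leftovers:
        parser.error("unrecognised arguments: %s" % " ".join(leftovers))
    return dict(options.__dict__)


def validate(options):
    """Return a list of problems; an empty list means the options are usable."""
    problems = []
    if not any(options.get(k) for k in ("url", "requestFile", "bulkFile")):
        problems.append("no target given (-u, -r or -m required)")
    if not 0 <= options["verbose"] <= 6:
        problems.append("-v must be 0-6")
    if not 1 <= options["level"] <= 5:
        problems.append("--level must be 1-5")
    if not 1 <= options["risk"] <= 3:
        problems.append("--risk must be 1-3")
    return problems


if __name__ == "__main__":
    import sys
    parsed = parse_args(sys.argv[1:])
    for problem in validate(parsed):
        print("[ERROR] %s" % problem)
    print(parsed)
```

optparse is still shipped with Python 3 (argparse superseded it), so the block runs unchanged on a current interpreter; parse_args takes sys.argv[1:] rather than the full argv because optparse does not expect the program name.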

    try:
        parser.add_option("--hh", dest="advancedHelp",
                          action="store_true",
                          help="Show advanced help message and exit")

        parser.add_option("--version", dest="showVersion",
                          action="store_true",
                          help="Show program's version number and exit")

        parser.add_option("-v", dest="verbose", type="int",
                          help="Verbosity level: 0-6 (default %d)" % defaults.verbose)

--hh is the familiar (advanced) help switch

--version prints the version

-v [0-6] sets the log verbosity (low to high)

-v3 is the usual choice (it is just enough to show the injection payloads for debugging).

Next come the basic options.

        # Target options
        target = OptionGroup(parser, "Target", "At least one of these "
                             "options has to be provided to define the "
                             "target(s)")

        target.add_option("-d", dest="direct", help="Connection string "
                          "for direct database connection")

        target.add_option("-u", "--url", dest="url", help="Target URL (e.g. \"http://www.site.com/vuln.php?id=1\")")

        target.add_option("-l", dest="logFile", help="Parse target(s) from Burp "
                          "or WebScarab proxy log file")

        target.add_option("-x", dest="sitemapUrl", help="Parse target(s) from remote sitemap(.xml) file")

        target.add_option("-m", dest="bulkFile", help="Scan multiple targets given "
                          "in a textual file ")

        target.add_option("-r", dest="requestFile",
                          help="Load HTTP request from a file")

        target.add_option("-g", dest="googleDork",
                          help="Process Google dork results as target URLs")

        target.add_option("-c", dest="configFile",
                          help="Load options from a configuration INI file")

Target:
    At least one of these options has to be provided to define the
    target(s)

    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -x SITEMAPURL       Parse target(s) from remote sitemap(.xml) file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file

-d: direct database connection

-u: pass the injection point as a URL

-l: take the targets from a Burp or WebScarab proxy log

Example: in the Burp proxy, open the History tab, select the requests, right-click --> Save items, and save them as a.txt

then: -l a.txt

-x: pass the injection points via an XML sitemap

-m: bulk testing from a file of URLs

Example: in the Burp proxy, open the History tab, select the requests, right-click --> Copy URLs, and save them as b.txt

then: -m b.txt

-r: read the complete HTTP request from a file (commonly used)

-g: use the results of a Google dork as target URLs

-c: read the options from a configuration file

Request options

        # Request options
        request = OptionGroup(parser, "Request", "These options can be used "
                              "to specify how to connect to the target URL")

        request.add_option("--method", dest="method",
                           help="Force usage of given HTTP method (e.g. PUT)")

        request.add_option("--data", dest="data",
                           help="Data string to be sent through POST")

        request.add_option("--param-del", dest="paramDel",
                           help="Character used for splitting parameter values")

        request.add_option("--cookie", dest="cookie",
                           help="HTTP Cookie header value")

        request.add_option("--cookie-del", dest="cookieDel",
                           help="Character used for splitting cookie values")

        request.add_option("--load-cookies", dest="loadCookies",
                           help="File containing cookies in Netscape/wget format")

        request.add_option("--drop-set-cookie", dest="dropSetCookie",
                           action="store_true",
                           help="Ignore Set-Cookie header from response")

        request.add_option("--user-agent", dest="agent",
                           help="HTTP User-Agent header value")

        request.add_option("--random-agent", dest="randomAgent",
                           action="store_true",
                           help="Use randomly selected HTTP User-Agent header value")

        request.add_option("--host", dest="host",
                           help="HTTP Host header value")

        request.add_option("--referer", dest="referer",
                           help="HTTP Referer header value")

        request.add_option("-H", "--header", dest="header",
                           help="Extra header (e.g. \"X-Forwarded-For: 127.0.0.1\")")

        request.add_option("--headers", dest="headers",
                           help="Extra headers (e.g. \"Accept-Language: fr\\nETag: 123\")")

        request.add_option("--auth-type", dest="authType",
                           help="HTTP authentication type "
                                "(Basic, Digest, NTLM or PKI)")

        request.add_option("--auth-cred", dest="authCred",
                           help="HTTP authentication credentials "
                                "(name:password)")

        request.add_option("--auth-file", dest="authFile",
                           help="HTTP authentication PEM cert/private key file")

        request.add_option("--ignore-401", dest="ignore401", action="store_true",
                          help="Ignore HTTP Error 401 (Unauthorized)")

        request.add_option("--proxy", dest="proxy",
                           help="Use a proxy to connect to the target URL")

        request.add_option("--proxy-cred", dest="proxyCred",
                           help="Proxy authentication credentials "
                                "(name:password)")

        request.add_option("--proxy-file", dest="proxyFile",
                           help="Load proxy list from a file")

        request.add_option("--ignore-proxy", dest="ignoreProxy", action="store_true",
                           help="Ignore system default proxy settings")

        request.add_option("--tor", dest="tor",
                                  action="store_true",
                                  help="Use Tor anonymity network")

        request.add_option("--tor-port", dest="torPort",
                                  help="Set Tor proxy port other than default")

        request.add_option("--tor-type", dest="torType",
                                  help="Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)")

        request.add_option("--check-tor", dest="checkTor",
                                  action="store_true",
                                  help="Check to see if Tor is used properly")

        request.add_option("--delay", dest="delay", type="float",
                           help="Delay in seconds between each HTTP request")

        request.add_option("--timeout", dest="timeout", type="float",
                           help="Seconds to wait before timeout connection "
                                "(default %d)" % defaults.timeout)

        request.add_option("--retries", dest="retries", type="int",
                           help="Retries when the connection timeouts "
                                "(default %d)" % defaults.retries)

        request.add_option("--randomize", dest="rParam",
                           help="Randomly change value for given parameter(s)")

        request.add_option("--safe-url", dest="safeUrl",
                           help="URL address to visit frequently during testing")

        request.add_option("--safe-post", dest="safePost",
                           help="POST data to send to a safe URL")

        request.add_option("--safe-req", dest="safeReqFile",
                           help="Load safe HTTP request from a file")

        request.add_option("--safe-freq", dest="safeFreq", type="int",
                           help="Test requests between two visits to a given safe URL")

        request.add_option("--skip-urlencode", dest="skipUrlEncode",
                           action="store_true",
                           help="Skip URL encoding of payload data")

        request.add_option("--csrf-token", dest="csrfToken",
                           help="Parameter used to hold anti-CSRF token")

        request.add_option("--csrf-url", dest="csrfUrl",
                           help="URL address to visit to extract anti-CSRF token")

        request.add_option("--force-ssl", dest="forceSSL",
                           action="store_true",
                           help="Force usage of SSL/HTTPS")

        request.add_option("--hpp", dest="hpp",
                                  action="store_true",
                                  help="Use HTTP parameter pollution method")

        request.add_option("--eval", dest="evalCode",
                           help="Evaluate provided Python code before the request (e.g. \"import hashlib;id2=hashlib.md5(id).hexdigest()\")")

Request:
    These options can be used to specify how to connect to the target URL

    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST
    --param-del=PARA..  Character used for splitting parameter values
    --cookie=COOKIE     HTTP Cookie header value
    --cookie-del=COO..  Character used for splitting cookie values
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-401        Ignore HTTP Error 401 (Unauthorized)
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --ignore-proxy      Ignore system default proxy settings
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5)
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit to extract anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")

--method=METHOD: access the target URL with the given HTTP method

--data=DATA: data sent in the POST body

--param-del=PARA..: delimiter used to split parameter values

--cookie=COOKIE: set the cookie

--cookie-del=COO..: delimiter used to split cookie values

--load-cookies=L..: read cookies from a file saved in Netscape/wget format

--drop-set-cookie: ignore the Set-Cookie header in responses

--user-agent=AGENT: set the User-Agent

--random-agent: use a randomly chosen User-Agent

--host=HOST: set the Host header

--referer=REFERER: set the Referer header

-H HEADER, --hea..: add one extra header, e.g. X-Forwarded-For

--headers=HEADERS: add several extra headers, separated by \n

--auth-type=AUTH..

--auth-cred=AUTH..

--auth-file=AUTH..

These set the HTTP authentication type, the credentials and the certificate/key file respectively

--ignore-401: ignore HTTP 401 errors

--proxy=PROXY

--proxy-cred=PRO..

--proxy-file=PRO..

These set the proxy, the proxy credentials and the proxy list file respectively

--ignore-proxy: ignore the system's default proxy settings

--tor: anonymous access through Tor

--tor-port=TORPORT: use a Tor proxy port other than the default

--tor-type=TORTYPE: set the Tor proxy type

--check-tor: check that Tor is really being used

--delay=DELAY: interval in seconds between requests

--timeout=TIMEOUT: seconds to wait before a connection counts as timed out, default 30s

--retries=RETRIES: number of retries after a connection timeout, default 3

--randomize=RPARAM: randomly change the value of the given parameter(s)

--safe-url=SAFEURL: a URL to visit repeatedly during testing

--safe-post=SAFE..: POST data to send to the safe URL

--safe-req=SAFER..: load the request for the safe URL from a file

--safe-freq=SAFE..: number of test requests between two visits to the safe URL

--skip-urlencode: skip URL-encoding of the payload

--csrf-token=CSR..: the parameter that carries the anti-CSRF token

--csrf-url=CSRFURL: the URL from which the anti-CSRF token is extracted

--force-ssl: use SSL/HTTPS

--hpp: test HTTP parameter pollution

--eval=EVALCODE: run the given Python code before each request, e.g. "import hashlib;id2=hashlib.md5(id).hexdigest()"

Optimization options

        # Optimization options
        optimization = OptionGroup(parser, "Optimization", "These "
                               "options can be used to optimize the "
                               "performance of sqlmap")

        optimization.add_option("-o", dest="optimize",
                                 action="store_true",
                                 help="Turn on all optimization switches")

        optimization.add_option("--predict-output", dest="predictOutput", action="store_true",
                          help="Predict common queries output")

        optimization.add_option("--keep-alive", dest="keepAlive", action="store_true",
                           help="Use persistent HTTP(s) connections")

        optimization.add_option("--null-connection", dest="nullConnection", action="store_true",
                          help="Retrieve page length without actual HTTP response body")

        optimization.add_option("--threads", dest="threads", type="int",
                           help="Max number of concurrent HTTP(s) "
                                "requests (default %d)" % defaults.threads)

Optimization:
    These options can be used to optimize the performance of sqlmap

    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)

-o: turn on all optimization switches

--predict-output: predict the output of common queries

--keep-alive: use persistent connections

--null-connection: retrieve only the page length, without the actual response body

--threads=THREADS: maximum number of concurrent HTTP connections, default 1

Injection options

        # Injection options
        injection = OptionGroup(parser, "Injection", "These options can be "
                                "used to specify which parameters to test "
                                "for, provide custom injection payloads and "
                                "optional tampering scripts")

        injection.add_option("-p", dest="testParameter",
                             help="Testable parameter(s)")

        injection.add_option("--skip", dest="skip",
                             help="Skip testing for given parameter(s)")

        injection.add_option("--skip-static", dest="skipStatic", action="store_true",
                             help="Skip testing parameters that not appear dynamic")

        injection.add_option("--dbms", dest="dbms",
                             help="Force back-end DBMS to this value")

        injection.add_option("--dbms-cred", dest="dbmsCred",
                            help="DBMS authentication credentials (user:password)")

        injection.add_option("--os", dest="os",
                             help="Force back-end DBMS operating system "
                                  "to this value")

        injection.add_option("--invalid-bignum", dest="invalidBignum",
                             action="store_true",
                             help="Use big numbers for invalidating values")

        injection.add_option("--invalid-logical", dest="invalidLogical",
                             action="store_true",
                             help="Use logical operations for invalidating values")

        injection.add_option("--invalid-string", dest="invalidString",
                             action="store_true",
                             help="Use random strings for invalidating values")

        injection.add_option("--no-cast", dest="noCast",
                             action="store_true",
                             help="Turn off payload casting mechanism")

        injection.add_option("--no-escape", dest="noEscape",
                             action="store_true",
                             help="Turn off string escaping mechanism")

        injection.add_option("--prefix", dest="prefix",
                             help="Injection payload prefix string")

        injection.add_option("--suffix", dest="suffix",
                             help="Injection payload suffix string")

        injection.add_option("--tamper", dest="tamper",
                             help="Use given script(s) for tampering injection data")

Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear dynamic
    --dbms=DBMS         Force back-end DBMS to this value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to this value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data

-p TESTPARAMETER: the parameter(s) to test

--skip=SKIP: skip testing the given parameter(s)

--skip-static: skip parameters that do not appear dynamic (i.e. parameters that carry no meaning for the test)

--dbms=DBMS: specify the database

--dbms-cred=DBMS..: DBMS authentication credentials (user:password)

--os=OS: specify the operating system of the database server

--invalid-bignum: use a big number as the invalid value

Use this when you want to control the value sqlmap uses to produce an error. By default, for id=13, sqlmap turns it into id=-13 to get the error; with this switch it uses something like id=9999999 instead.

--invalid-logical: use a logical operation as the invalid value

With id=13 this turns the original id=-13 into id=13 AND 18=19.

--invalid-string: invalid string (a random string stands in for the invalid value)

--no-cast: turn off the payload casting mechanism

--no-escape: turn off the string escaping mechanism

--prefix=PREFIX: string prepended to the injected payload

--suffix=SUFFIX: string appended to the injected payload

--tamper=TAMPER: script(s) used to modify the injection data

Detection options (customizing the tests, used for blind injection)

        # Detection options
        detection = OptionGroup(parser, "Detection", "These options can be "
                                "used to customize the detection phase")

        detection.add_option("--level", dest="level", type="int",
                             help="Level of tests to perform (1-5, "
                                  "default %d)" % defaults.level)

        detection.add_option("--risk", dest="risk", type="int",
                             help="Risk of tests to perform (1-3, "
                                  "default %d)" % defaults.level)

        detection.add_option("--string", dest="string",
                             help="String to match when "
                                  "query is evaluated to True")

        detection.add_option("--not-string", dest="notString",
                             help="String to match when "
                                  "query is evaluated to False")

        detection.add_option("--regexp", dest="regexp",
                             help="Regexp to match when "
                                  "query is evaluated to True")

        detection.add_option("--code", dest="code", type="int",
                             help="HTTP code to match when "
                                  "query is evaluated to True")

        detection.add_option("--text-only", dest="textOnly",
                             action="store_true",
                             help="Compare pages based only on the textual content")

        detection.add_option("--titles", dest="titles",
                             action="store_true",
                             help="Compare pages based only on their titles")

Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles

--level=LEVEL: level of the tests to perform [1-5]

--risk=RISK: risk level of the tests to perform [1-3]

--string=STRING: in boolean-based injection, the string that matches when the query evaluates to true

--not-string=NOT..: the string that matches when the query evaluates to false

--regexp=REGEXP: the regular expression that matches when true

--code=CODE: the HTTP status code returned when true

--text-only: compare pages by their textual content only

--titles: compare pages by their titles only

Techniques options

        # Techniques options
        techniques = OptionGroup(parser, "Techniques", "These options can be "
                                 "used to tweak testing of specific SQL "
                                 "injection techniques")

        techniques.add_option("--technique", dest="tech",
                              help="SQL injection techniques to use "
                                   "(default \"%s\")" % defaults.tech)

        techniques.add_option("--time-sec", dest="timeSec",
                              type="int",
                              help="Seconds to delay the DBMS response "
                                   "(default %d)" % defaults.timeSec)

        techniques.add_option("--union-cols", dest="uCols",
                              help="Range of columns to test for UNION query SQL injection")

        techniques.add_option("--union-char", dest="uChar",
                              help="Character to use for bruteforcing number of columns")

        techniques.add_option("--union-from", dest="uFrom",
                              help="Table to use in FROM part of UNION query SQL injection")

        techniques.add_option("--dns-domain", dest="dnsName",
                              help="Domain name used for DNS exfiltration attack")

        techniques.add_option("--second-order", dest="secondOrder",
                             help="Resulting page URL searched for second-order "
                                  "response")

Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-order=S..  Resulting page URL searched for second-order response

--technique=TECH: SQL injection techniques to use, default BEUSTQ

--time-sec=TIMESEC: delay of the DBMS response, default 5

--union-cols=UCOLS: range of column counts to try for UNION query injection

--union-char=UCHAR: character used to brute-force the number of columns

--union-from=UFROM: table used in the FROM part of the UNION query

--dns-domain=DNS..: domain name used for DNS exfiltration

--second-order=S..: URL of the resulting page that is searched for the second-order response

Fingerprint options

        # Fingerprint options
        fingerprint = OptionGroup(parser, "Fingerprint")

        fingerprint.add_option("-f", "--fingerprint", dest="extensiveFp",
                               action="store_true",
                               help="Perform an extensive DBMS version fingerprint")

Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint

-f, --fingerprint: perform an extensive fingerprint of the DBMS version

Enumeration options

        # Enumeration options
        enumeration = OptionGroup(parser, "Enumeration", "These options can "
                                  "be used to enumerate the back-end database "
                                  "management system information, structure "
                                  "and data contained in the tables. Moreover "
                                  "you can run your own SQL statements")

        enumeration.add_option("-a", "--all", dest="getAll",
                               action="store_true", help="Retrieve everything")

        enumeration.add_option("-b", "--banner", dest="getBanner",
                               action="store_true", help="Retrieve DBMS banner")

        enumeration.add_option("--current-user", dest="getCurrentUser",
                               action="store_true",
                               help="Retrieve DBMS current user")

        enumeration.add_option("--current-db", dest="getCurrentDb",
                               action="store_true",
                               help="Retrieve DBMS current database")

        enumeration.add_option("--hostname", dest="getHostname",
                               action="store_true",
                               help="Retrieve DBMS server hostname")

        enumeration.add_option("--is-dba", dest="isDba",
                               action="store_true",
                               help="Detect if the DBMS current user is DBA")

        enumeration.add_option("--users", dest="getUsers", action="store_true",
                               help="Enumerate DBMS users")

        enumeration.add_option("--passwords", dest="getPasswordHashes",
                               action="store_true",
                               help="Enumerate DBMS users password hashes")

        enumeration.add_option("--privileges", dest="getPrivileges",
                               action="store_true",
                               help="Enumerate DBMS users privileges")

        enumeration.add_option("--roles", dest="getRoles",
                               action="store_true",
                               help="Enumerate DBMS users roles")

        enumeration.add_option("--dbs", dest="getDbs", action="store_true",
                               help="Enumerate DBMS databases")

        enumeration.add_option("--tables", dest="getTables", action="store_true",
                               help="Enumerate DBMS database tables")

        enumeration.add_option("--columns", dest="getColumns", action="store_true",
                               help="Enumerate DBMS database table columns")

        enumeration.add_option("--schema", dest="getSchema", action="store_true",
                               help="Enumerate DBMS schema")

        enumeration.add_option("--count", dest="getCount", action="store_true",
                               help="Retrieve number of entries for table(s)")

        enumeration.add_option("--dump", dest="dumpTable", action="store_true",
                               help="Dump DBMS database table entries")

        enumeration.add_option("--dump-all", dest="dumpAll", action="store_true",
                               help="Dump all DBMS databases tables entries")

        enumeration.add_option("--search", dest="search", action="store_true",
                               help="Search column(s), table(s) and/or database name(s)")

        enumeration.add_option("--comments", dest="getComments", action="store_true",
                               help="Retrieve DBMS comments")

        enumeration.add_option("-D", dest="db",
                               help="DBMS database to enumerate")

        enumeration.add_option("-T", dest="tbl",
                               help="DBMS database table(s) to enumerate")

        enumeration.add_option("-C", dest="col",
                               help="DBMS database table column(s) to enumerate")

        enumeration.add_option("-X", dest="excludeCol",
                               help="DBMS database table column(s) to not enumerate")

        enumeration.add_option("-U", dest="user",
                               help="DBMS user to enumerate")

        enumeration.add_option("--exclude-sysdbs", dest="excludeSysDbs",
                               action="store_true",
                               help="Exclude DBMS system databases when "
                                    "enumerating tables")

        enumeration.add_option("--pivot-column", dest="pivotColumn",
                               help="Pivot column name")

        enumeration.add_option("--where", dest="dumpWhere",
                               help="Use WHERE condition while table dumping")

        enumeration.add_option("--start", dest="limitStart", type="int",
                               help="First query output entry to retrieve")

        enumeration.add_option("--stop", dest="limitStop", type="int",
                               help="Last query output entry to retrieve")

        enumeration.add_option("--first", dest="firstChar", type="int",
                               help="First query output word character to retrieve")

        enumeration.add_option("--last", dest="lastChar", type="int",
                               help="Last query output word character to retrieve")

        enumeration.add_option("--sql-query", dest="query",
                               help="SQL statement to be executed")

        enumeration.add_option("--sql-shell", dest="sqlShell",
                               action="store_true",
                               help="Prompt for an interactive SQL shell")

        enumeration.add_option("--sql-file", dest="sqlFile",
                               help="Execute SQL statements from given file(s)")

 Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Retrieve DBMS comments
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDECOL       DBMS database table column(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First query output entry to retrieve
    --stop=LIMITSTOP    Last query output entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)

  -a, --all           retrieve everything (runs all of the enumeration switches below)
  -b, --banner        retrieve the DBMS banner, i.e. the version string; useful because many payloads and the file/OS takeover features are version-specific
  --current-user      current DBMS user
  --current-db        current database
  --hostname          DBMS server hostname
  --is-dba            check whether the current DBMS user has DBA privileges (it does not start anything; it only reports yes/no)
  --users             enumerate DBMS users
  --passwords         enumerate the users' password hashes
  --privileges        enumerate the users' privileges
  --roles             enumerate the users' roles
  --dbs               enumerate databases
  --tables            enumerate tables
  --columns           enumerate columns
  --schema            enumerate the whole schema (databases, tables and columns in one go)
  --count             retrieve the number of rows in the table(s)
  --dump              dump the rows of the selected database/table/columns
  --dump-all          dump the rows of every table in every database
  --search            search for database, table or column names
  --comments          retrieve DBMS comments
  -D DB               database to enumerate
  -T TBL              table(s) to enumerate
  -C COL              column(s) to enumerate
  -X EXCLUDECOL       column(s) not to enumerate
  -U USER             user to enumerate
  --exclude-sysdbs    exclude the system databases (not just system tables) when enumerating tables
  --pivot-column=P..  name of the column to pivot on when dumping a table row by row
  --where=DUMPWHERE   WHERE condition applied while dumping a table, to limit the rows retrieved
  --start=LIMITSTART  first row of the query output to retrieve
  --stop=LIMITSTOP    last row of the query output to retrieve
  --first=FIRSTCHAR   first character of each output value to retrieve
  --last=LASTCHAR     last character of each output value to retrieve
  --sql-query=QUERY   execute one SQL statement
  --sql-shell         prompt for an interactive SQL shell (not "execute a given SQL command")
  --sql-file=SQLFILE  execute the SQL statements in the given file(s)

Brute force options

        # Brute force options
        brute = OptionGroup(parser, "Brute force", "These "
                          "options can be used to run brute force "
                          "checks")

        brute.add_option("--common-tables", dest="commonTables", action="store_true",
                               help="Check existence of common tables")

        brute.add_option("--common-columns", dest="commonColumns", action="store_true",
                               help="Check existence of common columns")

  Brute force:
    These options can be used to run brute force checks

    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns

  --common-tables     brute-force table names from sqlmap's built-in wordlist of common names
  --common-columns    brute-force column names the same way

Both are fallbacks for when the DBMS offers no metadata to enumerate, e.g. MySQL older than 5.0 (no information_schema) or Microsoft Access.

User-defined function options

        udf = OptionGroup(parser, "User-defined function injection", "These "
                          "options can be used to create custom user-defined "
                          "functions")

        udf.add_option("--udf-inject", dest="udfInject", action="store_true",
                       help="Inject custom user-defined functions")

        udf.add_option("--shared-lib", dest="shLib",
                       help="Local path of the shared library")

  User-defined function injection:
    These options can be used to create custom user-defined functions

    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library

  --udf-inject        inject custom user-defined functions: sqlmap writes a shared library onto the DBMS host and registers functions from it (this is how --os-cmd works on MySQL and PostgreSQL), not "inject default already-defined functions"
  --shared-lib=SHLIB  local path of the shared library (.so/.dll) to upload instead of sqlmap's bundled one

File system options

        filesystem = OptionGroup(parser, "File system access", "These options "
                                 "can be used to access the back-end database "
                                 "management system underlying file system")

        filesystem.add_option("--file-read", dest="rFile",
                              help="Read a file from the back-end DBMS "
                                   "file system")

        filesystem.add_option("--file-write", dest="wFile",
                              help="Write a local file on the back-end "
                                   "DBMS file system")

        filesystem.add_option("--file-dest", dest="dFile",
                              help="Back-end DBMS absolute filepath to "
                                   "write to")

  File system access:
    These options can be used to access the back-end database management
    system underlying file system

    --file-read=RFILE   Read a file from the back-end DBMS file system
    --file-write=WFILE  Write a local file on the back-end DBMS file system
    --file-dest=DFILE   Back-end DBMS absolute filepath to write to

  --file-read=RFILE   read a file from the file system of the DBMS host
  --file-write=WFILE  local file to write to the DBMS host's file system
  --file-dest=DFILE   absolute path on the DBMS host to write it to (used together with --file-write)

Operating system options

        # Takeover options
        takeover = OptionGroup(parser, "Operating system access", "These "
                               "options can be used to access the back-end "
                               "database management system underlying "
                               "operating system")

        takeover.add_option("--os-cmd", dest="osCmd",
                            help="Execute an operating system command")

        takeover.add_option("--os-shell", dest="osShell",
                            action="store_true",
                            help="Prompt for an interactive operating "
                                 "system shell")

        takeover.add_option("--os-pwn", dest="osPwn",
                            action="store_true",
                            help="Prompt for an OOB shell, "
                                 "Meterpreter or VNC")

        takeover.add_option("--os-smbrelay", dest="osSmb",
                            action="store_true",
                            help="One click prompt for an OOB shell, "
                                 "Meterpreter or VNC")

        takeover.add_option("--os-bof", dest="osBof",
                            action="store_true",
                            help="Stored procedure buffer overflow "
                                 "exploitation")

        takeover.add_option("--priv-esc", dest="privEsc",
                            action="store_true",
                            help="Database process user privilege escalation")

        takeover.add_option("--msf-path", dest="msfPath",
                            help="Local path where Metasploit Framework "
                                 "is installed")

        takeover.add_option("--tmp-path", dest="tmpPath",
                            help="Remote absolute path of temporary files "
                                 "directory")

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory

  --os-cmd=OSCMD      execute one operating system command on the DBMS host (any OS, not only Windows cmd)
  --os-shell          prompt for an interactive operating system shell
  --os-pwn            prompt for an out-of-band shell, Meterpreter or VNC session (via Metasploit)
  --os-smbrelay       one-click version of the above using an SMB relay attack
  --os-bof            exploit a stored procedure buffer overflow
  --priv-esc          escalate the privileges of the database process user
  --msf-path=MSFPATH  local path where Metasploit Framework is installed
  --tmp-path=TMPPATH  absolute path of the temporary files directory on the remote host

Windows registry options

        # Windows registry options
        windows = OptionGroup(parser, "Windows registry access", "These "
                               "options can be used to access the back-end "
                               "database management system Windows "
                               "registry")

        windows.add_option("--reg-read", dest="regRead",
                            action="store_true",
                            help="Read a Windows registry key value")

        windows.add_option("--reg-add", dest="regAdd",
                            action="store_true",
                            help="Write a Windows registry key value data")

        windows.add_option("--reg-del", dest="regDel",
                            action="store_true",
                            help="Delete a Windows registry key value")

        windows.add_option("--reg-key", dest="regKey",
                            help="Windows registry key")

        windows.add_option("--reg-value", dest="regVal",
                            help="Windows registry key value")

        windows.add_option("--reg-data", dest="regData",
                            help="Windows registry key value data")

        windows.add_option("--reg-type", dest="regType",
                            help="Windows registry key value type")

  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry

    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type

  --reg-read          read a registry key value
  --reg-add           write a registry key value
  --reg-del           delete a registry key value
  --reg-key=REGKEY    the registry key
  --reg-value=REGVAL  the value name under that key
  --reg-data=REGDATA  the data to store in that value
  --reg-type=REGTYPE  the type of that value (e.g. REG_SZ)

General options

        # General options
        general = OptionGroup(parser, "General", "These options can be used "
                             "to set some general working parameters")

        #general.add_option("-x", dest="xmlFile",
        #                    help="Dump the data into an XML file")

        general.add_option("-s", dest="sessionFile",
                            help="Load session from a stored (.sqlite) file")

        general.add_option("-t", dest="trafficFile",
                            help="Log all HTTP traffic into a "
                            "textual file")

        general.add_option("--batch", dest="batch",
                            action="store_true",
                            help="Never ask for user input, use the default behaviour")

        general.add_option("--binary-fields", dest="binaryFields",
                          help="Result fields having binary values (e.g. \"digest\")")

        general.add_option("--charset", dest="charset",
                            help="Force character encoding used for data retrieval")

        general.add_option("--crawl", dest="crawlDepth", type="int",
                            help="Crawl the website starting from the target URL")

        general.add_option("--crawl-exclude", dest="crawlExclude",
                           help="Regexp to exclude pages from crawling (e.g. \"logout\")")

        general.add_option("--csv-del", dest="csvDel",
                                  help="Delimiting character used in CSV output "
                                  "(default \"%s\")" % defaults.csvDel)

        general.add_option("--dump-format", dest="dumpFormat",
                                  help="Format of dumped data (CSV (default), HTML or SQLITE)")

        general.add_option("--eta", dest="eta",
                            action="store_true",
                            help="Display for each output the "
                                 "estimated time of arrival")

        general.add_option("--flush-session", dest="flushSession",
                            action="store_true",
                            help="Flush session files for current target")

        general.add_option("--forms", dest="forms",
                                  action="store_true",
                                  help="Parse and test forms on target URL")

        general.add_option("--fresh-queries", dest="freshQueries",
                            action="store_true",
                            help="Ignore query results stored in session file")

        general.add_option("--hex", dest="hexConvert",
                            action="store_true",
                            help="Use DBMS hex function(s) for data retrieval")

        general.add_option("--output-dir", dest="outputDir",
                            action="store",
                            help="Custom output directory path")

        general.add_option("--parse-errors", dest="parseErrors",
                                  action="store_true",
                                  help="Parse and display DBMS error messages from responses")

        general.add_option("--save", dest="saveConfig",
                            help="Save options to a configuration INI file")

        general.add_option("--scope", dest="scope",
                           help="Regexp to filter targets from provided proxy log")

        general.add_option("--test-filter", dest="testFilter",
                           help="Select tests by payloads and/or titles (e.g. ROW)")

        general.add_option("--test-skip", dest="testSkip",
                           help="Skip tests by payloads and/or titles (e.g. BENCHMARK)")

        general.add_option("--update", dest="updateAll",
                            action="store_true",
                            help="Update sqlmap")

  General:
    These options can be used to set some general working parameters

    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behaviour
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --charset=CHARSET   Force character encoding used for data retrieval
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --hex               Use DBMS hex function(s) for data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap

  -s SESSIONFILE      load a session from a stored .sqlite file
  -t TRAFFICFILE      log all HTTP traffic to a text file
  --batch             never ask for user input, always take the default answer
  --binary-fields=..  result fields that hold binary values (e.g. "digest")
  --charset=CHARSET   force the character encoding used for data retrieval
  --crawl=CRAWLDEPTH  crawl the website starting from the target URL, to the given depth
  --crawl-exclude=..  regular expression for pages to exclude from crawling (e.g. "logout"), not pages to include
  --csv-del=CSVDEL    delimiter character for CSV output (default ",")
  --dump-format=DU..  format of dumped data: CSV (default), HTML or SQLITE
  --eta               show an estimated time of arrival for each output
  --flush-session     flush the session files for the current target (target, not "tab")
  --forms             parse and test the forms found on the target URL
  --fresh-queries     ignore query results stored in the session file
  --hex               use the DBMS hex function(s) for data retrieval, which avoids corruption of non-printable or non-ASCII data
  --output-dir=OUT..  custom output directory path
  --parse-errors      parse and display the DBMS error messages found in responses
  --save=SAVECONFIG   save the current options to an INI configuration file
  --scope=SCOPE       regular expression used to filter targets out of a supplied proxy log
  --test-filter=TE..  run only the tests whose payload or title matches (e.g. ROW)
  --test-skip=TEST..  skip the tests whose payload or title matches (e.g. BENCHMARK)
  --update            update sqlmap

Miscellaneous options

        # Miscellaneous options
        miscellaneous = OptionGroup(parser, "Miscellaneous")

        miscellaneous.add_option("-z", dest="mnemonics",
                               help="Use short mnemonics (e.g. \"flu,bat,ban,tec=EU\")")

        miscellaneous.add_option("--alert", dest="alert",
                                  help="Run host OS command(s) when SQL injection is found")

        miscellaneous.add_option("--answers", dest="answers",
                                  help="Set question answers (e.g. \"quit=N,follow=N\")")

        miscellaneous.add_option("--beep", dest="beep", action="store_true",
                                  help="Beep on question and/or when SQL injection is found")

        miscellaneous.add_option("--cleanup", dest="cleanup",
                                  action="store_true",
                                  help="Clean up the DBMS from sqlmap specific "
                                  "UDF and tables")

        miscellaneous.add_option("--dependencies", dest="dependencies",
                                  action="store_true",
                                  help="Check for missing (non-core) sqlmap dependencies")

        miscellaneous.add_option("--disable-coloring", dest="disableColoring",
                                  action="store_true",
                                  help="Disable console output coloring")

        miscellaneous.add_option("--gpage", dest="googlePage", type="int",
                                  help="Use Google dork results from specified page number")

        miscellaneous.add_option("--identify-waf", dest="identifyWaf",
                                  action="store_true",
                                  help="Make a thorough testing for a WAF/IPS/IDS protection")

        miscellaneous.add_option("--skip-waf", dest="skipWaf",
                                  action="store_true",
                                  help="Skip heuristic detection of WAF/IPS/IDS protection")

        miscellaneous.add_option("--mobile", dest="mobile",
                                  action="store_true",
                                  help="Imitate smartphone through HTTP User-Agent header")

        miscellaneous.add_option("--offline", dest="offline",
                                  action="store_true",
                                  help="Work in offline mode (only use session data)")

        miscellaneous.add_option("--page-rank", dest="pageRank",
                                  action="store_true",
                                  help="Display page rank (PR) for Google dork results")

        miscellaneous.add_option("--purge-output", dest="purgeOutput",
                                  action="store_true",
                                  help="Safely remove all content from output directory")

        miscellaneous.add_option("--smart", dest="smart",
                                  action="store_true",
                                  help="Conduct thorough tests only if positive heuristic(s)")

        miscellaneous.add_option("--sqlmap-shell", dest="sqlmapShell", action="store_true",
                            help="Prompt for an interactive sqlmap shell")

        miscellaneous.add_option("--wizard", dest="wizard",
                                  action="store_true",
                                  help="Simple wizard interface for beginner users")

  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set question answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (non-core) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS/IDS protection
    --skip-waf          Skip heuristic detection of WAF/IPS/IDS protection
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --page-rank         Display page rank (PR) for Google dork results
    --purge-output      Safely remove all content from output directory
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

  -z MNEMONICS        use short mnemonics, i.e. unambiguous prefixes of the long option names (e.g. "flu,bat,ban,tec=EU" stands for --flush-session --batch --banner --technique=EU)
  --alert=ALERT       run host OS command(s) on the tester's machine when an injection is found
  --answers=ANSWERS   pre-set the answers to sqlmap's questions (e.g. "quit=N,follow=N")
  --beep              sound the terminal bell on questions and/or when an injection is found (a beep, not a pop-up)
  --cleanup           clean sqlmap-specific UDFs and tables out of the DBMS
  --dependencies      check for missing (non-core) sqlmap dependencies
  --disable-coloring  disable coloured console output
  --gpage=GOOGLEPAGE  use the Google dork results from the given page number
  --identify-waf      run thorough tests to identify a WAF/IPS/IDS in front of the target (detection only; this is not a bypass test)
  --skip-waf          skip the heuristic WAF/IPS/IDS detection
  --mobile            imitate a smartphone through the HTTP User-Agent header
  --offline           work offline, using only session data
  --page-rank         display the page rank (PR) of Google dork results
  --purge-output      safely remove everything from the output directory
  --smart             run thorough tests only where the heuristic check is positive
  --sqlmap-shell      prompt for an interactive sqlmap shell
  --wizard            simple wizard interface for beginners
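Two of the options above are worth seeing in action: --technique, whose letters sqlmap checks against "BEUSTQ" before anything runs, and -z, which is expanded into full option names by prefix matching before the arguments are parsed again. The following is an added example, not sqlmap's own code: it rebuilds a handful of the option groups from this page with optparse (the parser sqlmap itself uses), then shows both the validation and the mnemonic expansion. The group subset, the exact-match-wins tie-break, the rejection of ambiguous prefixes, and appending the expansion after the original argv are assumptions made for the example rather than a claim about sqlmap's precise rules.

```python
"""Added example (not sqlmap's code): a miniature of lib/parse/cmdline.py
showing --technique validation and -z mnemonic expansion with optparse."""
from optparse import OptionGroup, OptionParser

# Letters accepted by --technique (default "BEUSTQ") and the techniques they select.
TECHNIQUE_NAMES = {
    "B": "boolean-based blind",
    "E": "error-based",
    "U": "UNION query",
    "S": "stacked queries",
    "T": "time-based blind",
    "Q": "inline queries",
}


def build_parser():
    """A small subset of the option groups shown above (assumed subset, same dest names)."""
    parser = OptionParser(usage="%prog [options]", add_help_option=False)

    techniques = OptionGroup(parser, "Techniques")
    techniques.add_option("--technique", dest="tech", default="BEUSTQ")
    techniques.add_option("--time-sec", dest="timeSec", type="int", default=5)
    parser.add_option_group(techniques)

    enumeration = OptionGroup(parser, "Enumeration")
    enumeration.add_option("-b", "--banner", dest="getBanner", action="store_true")
    enumeration.add_option("--current-user", dest="getCurrentUser", action="store_true")
    enumeration.add_option("--current-db", dest="getCurrentDb", action="store_true")
    enumeration.add_option("--dbs", dest="getDbs", action="store_true")
    parser.add_option_group(enumeration)

    general = OptionGroup(parser, "General")
    general.add_option("--batch", dest="batch", action="store_true")
    general.add_option("--flush-session", dest="flushSession", action="store_true")
    general.add_option("--fresh-queries", dest="freshQueries", action="store_true")
    parser.add_option_group(general)

    miscellaneous = OptionGroup(parser, "Miscellaneous")
    miscellaneous.add_option("-z", dest="mnemonics")
    parser.add_option_group(miscellaneous)
    return parser


def long_option_names(parser):
    """Every '--long' option string registered on the parser and its groups."""
    names = []
    for container in [parser] + parser.option_groups:
        for opt in container.option_list:
            opt_string = opt.get_opt_string()   # long form if there is one, else short
            if opt_string.startswith("--"):
                names.append(opt_string)
    return names


def expand_mnemonics(parser, mnemonics):
    """Expand "flu,bat,ban,tec=EU" into full options by prefix match on the long names.

    Assumed rules: an exact name wins over longer names sharing the prefix, and a
    prefix that still matches several options is rejected instead of guessed."""
    names = long_option_names(parser)
    expanded = []
    for item in mnemonics.split(","):
        item = item.strip()
        if not item:
            continue
        prefix, _, value = item.partition("=")
        matches = [n for n in names if n[2:].startswith(prefix)]
        exact = [n for n in matches if n[2:] == prefix]
        if exact:
            matches = exact
        if not matches:
            raise ValueError("mnemonic %r matches no option" % prefix)
        if len(matches) > 1:
            raise ValueError("mnemonic %r is ambiguous: %s" % (prefix, ", ".join(sorted(matches))))
        expanded.append(matches[0] + ("=" + value if value else ""))
    return expanded


def parse_technique(value):
    """Reject any --technique letter outside BEUSTQ (case-insensitive) and
    return the selected technique names in the order given, without repeats."""
    letters = value.upper()
    bad = [c for c in letters if c not in TECHNIQUE_NAMES]
    if bad:
        raise ValueError("invalid --technique letter(s) %s (allowed: BEUSTQ)" % "".join(bad))
    ordered = []
    for c in letters:
        if c not in ordered:
            ordered.append(c)
    return [TECHNIQUE_NAMES[c] for c in ordered]


def parse_args(argv):
    """Parse argv; when -z is present, expand it and parse again with the expansion appended."""
    parser = build_parser()
    opts, _ = parser.parse_args(list(argv))
    if opts.mnemonics:
        opts, _ = parser.parse_args(list(argv) + expand_mnemonics(parser, opts.mnemonics))
    return opts, parse_technique(opts.tech)


if __name__ == "__main__":
    options, selected = parse_args(["-z", "flu,bat,ban,tec=EU"])
    print(options)   # flushSession, batch, getBanner set; tech == "EU"
    print(selected)  # ['error-based', 'UNION query']
```

The second parse is the point of the design: mnemonics are turned into ordinary arguments and fed through the same parser, so they get the same type checking and the same dest attributes as options typed out in full, and a typo such as "tec=EX" is caught by the technique check rather than silently ignored.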
