SQLMAP详细参数级使用教程，人人都会用SQLMAP

简介

SQLMAP是神器，很多同学可能只知道其中某些参数，如果只会用其中的一些参数，那么就埋没了SQLMAP这款神器了，官方的教程里面其实已经够详细了，但是是英文的，这篇博客主要核心还是翻译官方的教程(也参考了前辈的文章)。主要是是对参数进行详细解释，来达到对SQLMAP有一个更深入的了解。

基础参数

基础用法：

Usage: python sqlmap.py [options]

Options

选项的详细解释：

-h, --help Show basic help message and exit => 显示最为基本的帮助信息
-hh Show advanced help message and exit => 显示进一步、更为详细的帮助信息
--version Show program's version number and exit => 显示程序版本什么的
-v VERBOSE Verbosity level: 0-6 (default 1)=> sqlmap上显示信息的复杂程度

Target

目标相关的选项：

At least one of these options has to be provided to define the
target(s) => 在使用sqlmap连接目标时 至少带有一个下列选项
-d DIRECT Connection string for direct database connection =>直接连接数据库
-u URL, --url=URL Target URL (e.g."http://www.xxx.com/vuln.php?id=1") => 跟目标的url
-l LOGFILE Parse target(s) from Burp or WebScarab proxy logfile => 从Burp或者代理软件的日志文件中解析目标
-x SITEMAPURL Parse target(s) from remote sitemap(.xml) file =>从远程网站地图(就是xml文件)解析这个目标
-m BULKFILE Scan multiple targets given in a textual file => 从文件中扫描多个目标
-r REQUESTFILE Load HTTP request from a file => 从文件中读取HTTP request
-g GOOGLEDORK Process Google dork results as target URLs => 把google 搜索中的结果作为目标地址
-c CONFIGFILE Load options from a configuration INI file => 从配置文件中读取配置

Request

请求相关的选项：

These options can be used to specify how to connect to thetarget URL => 下列选项时用作如何连接目标地址的
--method=METHOD Force usage of given HTTP method (e.g. POST) =>使用所给的方法连接目标
--data=DATA Data string to be sent through POST => 填写要用post提交的数据
--param-del=PARA.. Character used for splitting parametervalues => 用于分割参数值的字符
--cookie=COOKIE HTTP Cookie header value => 填写HTTP Cookie 头的值
--cookie-del=COO.. Character used for splitting cookie values=> 用于分割cookie值的字符
--load-cookies=L.. File containing cookies in Netscape/wget format => 使用Netscape/wget 这两种文件中包含的cookies
--drop-set-cookie Ignore Set-Cookie header from response => 忽视response中的Set-Cookie的头
--user-agent=AGENT HTTP User-Agent header value => http 用户代理数据头的值
--random-agent Use randomly selected HTTP User-Agent header value => 使用随机选择的HTTP用户代理数据头值
--host=HOST HTTP Host header value => 可以手动设置host的值
--referer=REFERER HTTP Referer header value => 手动设置referer头的值
-H HEADER, --hea.. Extra header (e.g. "X-Forwarded-For:127.0.0.1") => 可以手动添加头
--headers=HEADERS Extra headers (e.g. "Accept-Language:fr\nETag: 123") => 手动添加更加复杂的头
--auth-type=AUTH.. HTTP authentication type (Basic, Digest,NTLM or PKI) => http认证模式
--auth-cred=AUTH.. HTTP authentication credentials(name:password) => http身份认证
--auth-file=AUTH.. HTTP authentication PEM cert/private key file => http PEM身份认证 从文件中读取公钥、私钥
--ignore-401 Ignore HTTP Error 401 (Unauthorized) => 忽视HTTP 401错误 （非法的）
--proxy=PROXY Use a proxy to connect to the target URL => 使用代理连接目标地址
--proxy-cred=PRO.. Proxy authentication credentials(name:password) => 代理身份验证
--proxy-file=PRO.. Load proxy list from a file => 从文件读取代理名单
--ignore-proxy Ignore system default proxy settings => 忽视系统默认的代理设置
--tor Use Tor anonymity network => 使用tor的匿名网络
--tor-port=TORPORT Set Tor proxy port other than default => 使用其他端口而非tor默认端口
--tor-type=TORTYPE Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5) => 设置Tor代理模式
--check-tor Check to see if Tor is used properly => 检查Tor是否适当使用？
--delay=DELAY Delay in seconds between each HTTP request =>HTTP请求之间添加几秒延迟
--timeout=TIMEOUT Seconds to wait before timeout connection(default 30) => 超时时间的设置
--retries=RETRIES Retries when the connection timeouts (default 3) => 超时之后的重试
--randomize=RPARAM Randomly change value for given parameter(s)=> 随机改变所给变量的值
--safe-url=SAFEURL URL address to visit frequently during testing => 测试时保持成功连接URL
--safe-post=SAFE.. POST data to send to a safe URL => 发送正确的post
--safe-req=SAFER.. Load safe HTTP request from a file => 从文件中读取安全的HTTP request
--safe-freq=SAFE.. Test requests between two visits to a given safe URL => 两次正常发送请求之间进行测试
--skip-urlencode Skip URL encoding of payload data => 跳过对payload的URL编码
--csrf-token=CSR.. Parameter used to hold anti-CSRF token => 采用变量阻挡anti-CSRF
--csrf-url=CSRFURL URL address to visit to extract anti-CSRF token => 用其他URL来测试是否有其他的anti-CSRF
--force-ssl Force usage of SSL/HTTPS => 使用SSL/HTTPS
--hpp Use HTTP parameter pollution method => 采用 HTTP变量污染工具
--eval=EVALCODE Evaluate provided Python code before the request (e.g."import hashlib; id2=hashlib.md5(id).hexdigest()")=> 发送request前利用自带Python再编码一次

Optimization

关于优化相关的参数：

These options can be used to optimize the performance of sqlmap
=> 这些选项是为了最佳化sqlmap的功能
-o Turn on all optimization switches => 打开所有最佳化开关
--predict-output Predict common queries output => 预测所有通用查询输出
--keep-alive Use persistent HTTP(s) connections => 使用稳定的HTTP连接
--null-connection Retrieve page length without actual HTTP response body => 不发送HTTP response来重载网页
--threads=THREADS Max number of concurrent HTTP(s) requests(default 1) => 最大使用线程数

Injection

注入相关的选项：

These options can be used to specify which parameters to test
for,provide custom injection payloads and optional tampering
scripts => 这些选项是用来指定哪些参数是用来测试的 使用常用的注入payload和可选的混淆脚本
-p TESTPARAMETER Testable parameter(s) => 可测试的变量
--skip=SKIP Skip testing for given parameter(s) => 跳过测试给出的变量
--skip-static Skip testing parameters that not appear to be dynamic => 跳过测试不是动态的参数
--param-exclude=.. Regexp to exclude parameters from testing(e.g. "ses") => 使用正则排除测试中的参数
--dbms=DBMS Force back-end DBMS to this value => 测试后台DBMS时使用给出的这个
--dbms-cred=DBMS.. DBMS authentication credentials(user:password) => DBMS身份验证
--os=OS Force back-end DBMS operating system to this value =>验证后台DBMS的OS时使用这个值
--invalid-bignum Use big numbers for invalidating values => 使用数值很大的数字作为无效数字
--invalid-logical Use logical operations for invalidating values => 使用逻辑运算作为无效的值
--invalid-string Use random strings for invalidating values =>用随机字符串作为i无效值
--no-cast Turn off payload casting mechanism => 关闭payload类型转换机制
--no-escape Turn off string escaping mechanism => 关闭字符串逃逸机制
--prefix=PREFIX Injection payload prefix string => 给注入的payload加上前缀
--suffix=SUFFIX Injection payload suffix string => 注入payload加上后缀
--tamper=TAMPER Use given script(s) for tampering injection data => 用给出的脚本对注入数据进行混淆

Detection

自定义值的选项：

These options can be used to customize the detection phase =>这些选项用于自定义检测
--level=LEVEL Level of tests to perform (1-5, default 1) => 测试结果展现的级别
--risk=RISK Risk of tests to perform (1-3, default 1) => 危险等级展现的级别
--string=STRING String to match when query is evaluated to True=> 查询结果为真时用字符串进行匹配
--not-string=NOT.. String to match when query is evaluated to False => 查询结果为假时用字符串进行匹配
--regexp=REGEXP Regexp to match when query is evaluated to True=> 查询为真时用正则表达式进行匹配
--code=CODE HTTP code to match when query is evaluated to True=> 查询为真时对HTTP code进行匹配
--text-only Compare pages based only on the textual content =>通过文本内容进行页面比较
--titles Compare pages based only on their titles => 通过title进行页面比较

Techniques

特殊SQL注入需要用的选项：

These options can be used to tweak testing of specific SQL
injection techniques => 这些是用于对特殊的SQL injection进行微调
--technique=TECH SQL injection techniques to use (default "BEUSTQ") => 使用这几种SQL注入技术
--time-sec=TIMESEC Seconds to delay the DBMS response (default 5) => 设置延迟注入的时间
--union-cols=UCOLS Range of columns to test for UNION query SQL injection => 设定UNION查询的的字段数
--union-char=UCHAR Character to use for bruteforcing number of columns => 设定暴力破解列数的字段
--union-from=UFROM Table to use in FROM part of UNION query SQL injection => 使用之前获得的表名进行UNION查询
--dns-domain=DNS.. Domain name used for DNS exfiltration attack=> DNS溢出攻击所用域名
--second-order=S.. Resulting page URL searched for second-order response => 用响应页面的URL进行查询另外一个响应

Fingerprint

-f, --fingerprint Perform an extensive DBMS version fingerprint=> 测试大量的DBMS版本的指纹

Enumeration

枚举相关选项：

These options can be used to enumerate the back-end database
management system information, structure and data contained in
the tables. Moreover you can run your own SQL statements
=>这些选项可以用作枚举DBMS的信息以及他的表的结构和信息 当然你也可以使用你的SQL语句

-a, --all Retrieve everything => 检索之前的动作
-b, --banner Retrieve DBMS banner => 检索DBMS的版本号
--current-user Retrieve DBMS current user => 检索DBMS当前登录的用户
--current-db Retrieve DBMS current database => 检索DBMS当前所处的数据库
--hostname Retrieve DBMS server hostname => 检索DBMS服务器的主机名称
--is-dba Detect if the DBMS current user is DBA => 检测DBMS当前的用户是否是DBA
--users Enumerate DBMS users => 枚举DBMS用户
--passwords Enumerate DBMS users password hashes => 枚举DBMS用户密码的哈希值
--privileges Enumerate DBMS users privileges => 枚举DBMS用户的权限
--roles Enumerate DBMS users roles => 枚举DBMS用户的功能？
--dbs Enumerate DBMS databases => 枚举DBMS数据库
--tables Enumerate DBMS database tables => 枚举DBMS数据库的表
--columns Enumerate DBMS database table columns => 枚举DBMS数据库的表和列
--schema Enumerate DBMS schema => 枚举DBMS的模式
--count Retrieve number of entries for table(s) => 检索有多少的表
--dump Dump DBMS database table entries => 下载DBMS中当前所在的表
--dump-all Dump all DBMS databases tables entries => 下载所有的表
--search Search column(s), table(s) and/or database name(s) =>搜索列 表 或者数据库的名称
--comments Retrieve DBMS comments => 检索DBMS的解释？
-D DB DBMS database to enumerate => 枚举DBMS的数据库
-T TBL DBMS database table(s) to enumerate => 枚举表
-C COL DBMS database table column(s) to enumerate => 枚举表中的列
-X EXCLUDECOL DBMS database table column(s) to not enumerate =>不枚举表中的
-U USER DBMS user to enumerate => 枚举DBMS的用户
--exclude-sysdbs Exclude DBMS system databases when enumerating tables => 枚举时不显示系统的数据库
--pivot-column=P.. Pivot column name => 挖掘列名
--where=DUMPWHERE Use WHERE condition while table dumping => 下载表时使用WHERE语句
--start=LIMITSTART First query output entry to retrieve => 下载时选择项从哪里开始下载
--stop=LIMITSTOP Last query output entry to retrieve => 下载时项到哪里结束
--first=FIRSTCHAR First query output word character to retrieve=> 下载时选择几个字符开始
--last=LASTCHAR Last query output word character to retrieve =>下载时选择几个字符结束
--sql-query=QUERY SQL statement to be executed => 要执行的SQL语句
--sql-shell Prompt for an interactive SQL shell => 执行shell
--sql-file=SQLFILE Execute SQL statements from given file(s) =>从文件中执行SQL语句

Brute force

These options can be used to run brute force checks => 用于暴力检查的选项
--common-tables Check existence of common tables => 检查存在的常见table
--common-columns Check existence of common columns => 检查常见的column

User-defined function injection

These options can be used to create custom user-defined
functions => 用于运行用于自定义函数的选项
--udf-inject Inject custom user-defined functions => 使用用户自定义的注入
--shared-lib=SHLIB Local path of the shared library => 本地分享的函数库

File system access

These options can be used to access the back-end database
management system underlying file system
=>用于对数据管理系统的文件进行读写
--file-read=RFILE Read a file from the back-end DBMS file system => 从DBMS中读取文件
--file-write=WFILE Write a local file on the back-end DBMS file system => 往DBMS中写入文件
--file-dest=DFILE Back-end DBMS absolute filepath to write to=> 使用绝对路径写入文件

Operating system access

These options can be used to access the back-end database
management system underlying operating system
=>用于对操作系统的文件进行读写
--os-cmd=OSCMD Execute an operating system command => 运行系统命令行
--os-shell Prompt for an interactive operating system shell =>运行shell
--os-pwn Prompt for an OOB shell, Meterpreter or VNC => 运行 OOBshell metrepreter VNC
--os-smbrelay One click prompt for an OOB shell, Meterpreter orVNC => 一键进行smb注入
--os-bof Stored procedure buffer overflow exploitation => 一种溢出攻击(SQL server)
--priv-esc Database process user privilege escalation => 用户特权提升
--msf-path=MSFPATH Local path where Metasploit Framework is installed => 输入msf安装的位置
--tmp-path=TMPPATH Remote absolute path of temporary files directory => 远程文件的绝对路径

Windows registry access

These options can be used to access the back-end database
management system Windows registry
=>Windows下可以对注册表进行写入
--reg-read Read a Windows registry key value => 读取注册表的值
--reg-add Write a Windows registry key value data => 写入注册表的值
--reg-del Delete a Windows registry key value => 删除一个注册表的值
--reg-key=REGKEY Windows registry key => 手动输入创建一个注册表的项
--reg-value=REGVAL Windows registry key value => 手动输入注册表的值
--reg-data=REGDATA Windows registry key value data => 手动输入注册表的数据
--reg-type=REGTYPE Windows registry key value type => 手动输入注册表的类型

General

These options can be used to set some general workingparameters => 设置一些通用的参数
-s SESSIONFILE Load session from a stored (.sqlite) file => 从文件中读取会话
-t TRAFFICFILE Log all HTTP traffic into a textual file => 把所有HTTP中的问题写入文件中
--batch Never ask for user input, use the default behaviour =>一直使用默认选项
--binary-fields=.. Result fields having binary values (e.g."digest") => 结果都用二进制进行存储
--charset=CHARSET Force character encoding used for data retrieval => 检索时对字符进行编码
--crawl=CRAWLDEPTH Crawl the website starting from the target URL => 从目标地址开始爬取网站
--crawl-exclude=.. Regexp to exclude pages from crawling (e.g."logout") => 爬取网站时用正则排除部分网页
--csv-del=CSVDEL Delimiting character used in CSV output(default ",") => 定义在CSV输出中运用的字符
--dump-format=DU.. Format of dumped data (CSV (default), HTML or SQLITE) => 格式化下载的东西
--eta Display for each output the estimated time of arrival =>显示输出预计达到时间
--flush-session Flush session files for current target => 清空当前目标的缓存
--forms Parse and test forms on target URL => 分析测试目标URL中的表单
--fresh-queries Ignore query results stored in session file =>忽略缓存文件中的查询结果
--hex Use DBMS hex function(s) for data retrieval => 检索时使用hex函数进行
--output-dir=OUT.. Custom output directory path => 自定义输出的目录
--parse-errors Parse and display DBMS error messages from responses => 显示DBMS回复头中的错误信息
--save=SAVECONFIG Save options to a configuration INI file =>把选项保存在配置文件中
--scope=SCOPE Regexp to filter targets from provided proxy log=> 从代理日志中用正则筛选
--test-filter=TE.. Select tests by payloads and/or titles (e.g.ROW) => 对输入的条件在payload中进行筛选并测试
--test-skip=TEST.. Skip tests by payloads and/or titles (e.g.BENCHMARK) => 对输入的条件在payload中进行剔除并测试
--update Update sqlmap => 升级

Miscellaneous

杂项

-z MNEMONICSUse short mnemonics (e.g. "flu,bat,ban,tec=EU") =>使用简写
--alert=ALERT Run host OS command(s) when SQL injection is found => 发现SQL注入时运行主机的cmd
--answers=ANSWERS Set question answers (e.g. "quit=N,follow=N")=> 对填写的关键字进行设置
--beep Beep on question and/or when SQL injection is found =>发现SQL注入时bee bee bee的响o
--cleanup Clean up the DBMS from sqlmap specific UDF and tables=> 清除DBMS中的sqlmap特殊的函数和表
--dependencies Check for missing (non-core) sqlmap dependencies=> 检查SQLMAP缺失的依赖
--disable-coloring Disable console output coloring => 显示控制台输出的颜色
--gpage=GOOGLEPAGE Use Google dork results from specified page number => 使用google搜索结果中特定的网页数
--identify-waf Make a thorough testing for a WAF/IPS/IDS protection => 对WAF之类的进行检测测试
--skip-waf Skip heuristic detection of WAF/IPS/IDS protection=> 跳过WAF的启发式保护
--mobileImitate smartphone through HTTP User-Agent header => 模仿手机的HTTP头
--offline Work in offline mode (only use session data) => 离线模式运行
--purge-output Safely remove all content from output directory=> 安全删除目录下的内容
--smart Conduct thorough tests only if positive heuristic(s) =>智能判断注入
--sqlmap-shell Prompt for an interactive sqlmap shell => 运行sqlmap shell
--wizardSimple wizard interface for beginner users => 对于初学者简单的向导