• Usage
  • Output verbosity
  • Target
  • Direct connection to the database
  • Target URL
  • Parse targets from Burp or WebScarab proxy logs
  • Scan multiple targets enlisted in a given textual file
  • Load HTTP request from a file
  • Parse target addresses from piped-input (i.e. stdin)
  • Process Google dork results as target addresses
  • Load options from a configuration INI file
  • Request
  • HTTP method
  • HTTP data
  • Parameter splitting character
  • HTTP Cookie header
  • HTTP User-Agent header
  • HTTP Host header
  • HTTP Referer header
  • Extra HTTP headers
  • HTTP protocol authentication
  • HTTP protocol private key authentication
  • Ignore (problematic) HTTP error code
  • HTTP(S) proxy
  • Tor anonymity network
  • Delay between each HTTP request
  • Seconds to wait before timeout connection
  • Maximum number of retries when the HTTP connection timeouts
  • Randomly change value for given parameter(s)
  • Filtering targets from provided proxy log using regular expression
  • Avoid your session to be destroyed after too many unsuccessful requests
  • Turn off URL encoding of parameter values
  • Bypass anti-CSRF protection
  • Force usage of SSL/HTTPS
  • Evaluate custom python code during each request
  • Optimization
  • Bundle optimization
  • Output prediction
  • HTTP Keep-Alive
  • HTTP NULL connection
  • Concurrent HTTP(S) requests
  • Injection
  • Testable parameter(s)
  • URI injection point
  • Arbitrary injection point
  • Force the DBMS
  • Force the database management system operating system name
  • Force usage of big numbers for invalidating values
  • Force usage of logical operations for invalidating values
  • Force usage of random strings for invalidating values
  • Turn off payload casting mechanism
  • Turn off string escaping mechanism
  • Custom injection payload
  • Tamper injection data
  • Detection
  • Level
  • Risk
  • Page comparison
  • Techniques
  • SQL injection techniques to test for
  • Seconds to delay the DBMS response for time-based blind SQL injection
  • Number of columns in UNION query SQL injection
  • Character to use to test for UNION query SQL injection
  • Table to use in FROM part of UNION query SQL injection
  • DNS exfiltration attack
  • Second-order attack
  • Fingerprint
  • Extensive database management system fingerprint
  • Enumeration
  • Retrieve all
  • Banner
  • Session user
  • Current database
  • Server hostname
  • Detect whether or not the session user is a database administrator
  • List database management system users
  • List and crack database management system users password hashes
  • List database management system users privileges
  • List database management system users roles
  • List database management system's databases
  • Enumerate database's tables
  • Enumerate database table columns
  • Enumerate database management system schema
  • Retrieve number of entries for table(s)
  • Dump database table entries
  • Dump all databases tables entries
  • Search for columns, tables or databases
  • Run custom SQL statement
  • Brute force
  • Brute force tables names
  • Brute force columns names
  • User-defined function injection
  • Inject custom user-defined functions (UDF)
  • File system access
  • Read a file from the database server's file system
  • Upload a file to the database server's file system
  • Operating system takeover
  • Run arbitrary operating system command
  • Out-of-band stateful connection: Meterpreter & friends
  • Windows registry access
  • Read a Windows registry key value
  • Write a Windows registry key value
  • Delete a Windows registry key
  • Auxiliary registry options
  • General
  • Load session from a stored (.sqlite) file
  • Log HTTP(s) traffic to a textual file
  • Set answers for questions
  • Declare parameters containing Base64 encoded data
  • Act in non-interactive mode
  • Binary content retrieval
  • Custom (blind) SQL injection charset
  • Crawl the website starting from the target URL
  • Delimiting character used in CSV output
  • DBMS authentication credentials
  • Format of dumped data
  • Force character encoding used for data retrieval
  • Estimated time of arrival
  • Flush session files
  • Parse and test forms' input fields
  • Ignore query results stored in session file
  • Use DBMS hex function(s) for data retrieval
  • Custom output directory path
  • Parse DBMS error messages from response pages
  • Preprocess (request)
  • Postprocess (response)
  • Save options in a configuration INI file
  • Update sqlmap
  • Miscellaneous
  • Use short mnemonics
  • Alerting on successful SQL injection detection
  • Make a beep sound when SQL injection is found
  • Cleanup the DBMS from sqlmap specific UDF(s) and table(s)
  • Check for dependencies
  • Disable console output coloring
  • Use Google dork results from specified page number
  • Use HTTP parameter pollution
  • Skip heuristic detection of WAF/IPS protection
  • Imitate smartphone
  • Work in offline mode (only use session data)
  • Safely remove all content from data directory
  • Conduct thorough tests only if positive heuristic(s)
  • Select (or skip) tests by payloads and/or titles
  • Interactive sqlmap shell
  • Simple wizard interface for beginner users
  • API (REST-JSON)