Sqlmap Wiki翻译

作者叙

之前在学习 sqlmap 的时候的确参考了网上面的很多文章， 结果发现很多内容都是千篇一律或者说是介绍的内容配不上 sqlmap “神器”的称号在看过官网的 wiki 之后不得不说 sqlmap 真的很厉害 但是很多人对于他的使用、理解 可能还是停留在单纯的某几个参数的使用上面 没有办法发挥出他完全的性能因此才有了翻译 wiki 的想法 如今已经完成了初步的翻译 翻译过程中已经发现wiki 里面有很多提到的技术自己所不清楚 因此在完成初步翻译的时候已经想到了下一个更详细的版本的雏形
1、首先是各种专业名词的解析
2、给出各个参数更加详细的例子
3、与所提到的工具结合使用的例子
4、关于 API 接口， 提供 Demo
此文档中如果存在翻译或者解释上面错误 欢迎各位指出o(￣▽￣)ブ

基础参数解释

Usage: python sqlmap.py [options] 

Options:

-h, --help Show basic help message and exit => 显示最为基本的帮助信息 

-hh Show advanced help message and exit => 显示进一步、更为详细的帮助信息 

--version Show program's version number and exit => 显示程序版本什么的 

-v VERBOSE Verbosity level: 0-6 (default 1)=> sqlmap上显示信息的复杂程度 

Target:

At least one of these options has to be provided to define the target(s) => 在使用sqlmap连接目标时 至少带有一个下列选项 

-d DIRECT Connection string for direct database connection =>直接连接数据库 

-u URL, --url=URL Target URL (e.g."http://www.site.com/vuln.php?id=1") => 跟目标的url 

-l LOGFILE Parse target(s) from Burp or WebScarab proxy logfile => 从Burp或者代理软件的日志文件中解析目标 

-x SITEMAPURL Parse target(s) from remote sitemap(.xml) file => 从远程网站地图(就是xml文件)解析这个目标 

-m BULKFILE Scan multiple targets given in a textual file => 从文件中扫描多个目标 

-r REQUESTFILE Load HTTP request from a file => 从文件中读取HTTP request 

-g GOOGLEDORK Process Google dork results as target URLs => 把google搜索中的结果作为目标地址 

-c CONFIGFILE Load options from a configuration INI file => 从配置文件中读取配置 

Request:

These options can be used to specify how to connect to thetarget URL => 下列选项时用作如何连接目标地址的 

--method=METHOD Force usage of given HTTP method (e.g. PUT) =>使用所给的方法连接目标 

--data=DATA Data string to be sent through POST => 填写要用post提交的数据 

--param-del=PARA.. Character used for splitting parameter values => 用于分割参数值的字符 

--cookie=COOKIE HTTP Cookie header value => 填写HTTP Cookie 头的值 

--cookie-del=COO.. Character used for splitting cookie values=> 用于分割cookie值的字符 

--load-cookies=L.. File containing cookies in Netscape/wget format => 使用Netscape/wget这两种文件中包含的cookies 

--drop-set-cookie Ignore Set-Cookie header from response => 忽视response中的Set-Cookie的头 

--user-agent=AGENT HTTP User-Agent header value => http 用户代理数据头的值 

--random-agent Use randomly selected HTTP User-Agent header value => 使用随机选择的HTTP用户代理数据头值--host=HOST HTTP Host header value => 可以手动设置host的值 

--referer=REFERER HTTP Referer header value => 手动设置referer头的值 

-H HEADER, --hea.. Extra header (e.g. "X-Forwarded-For:127.0.0.1") => 可以手动添加头 

--headers=HEADERS Extra headers (e.g. "Accept-Language:fr\nETag: 123") => 手动添加更加复杂的头 

--auth-type=AUTH.. HTTP authentication type (Basic, Digest,NTLM or PKI) => http认证模式 

--auth-cred=AUTH.. HTTP authentication credentials(name:password) => http身份认证 

--auth-file=AUTH.. HTTP authentication PEM cert/private key file => http PEM身份认证 从文件中读取公钥、私钥 

--ignore-401 Ignore HTTP Error 401 (Unauthorized) => 忽视HTTP 401错误 （非法的） 

--proxy=PROXY Use a proxy to connect to the target URL => 使用代理连接目标地址 

--proxy-cred=PRO.. Proxy authentication credentials(name:password) => 代理身份验证 

--proxy-file=PRO.. Load proxy list from a file => 从文件读取代理名单 

--ignore-proxy Ignore system default proxy settings => 忽视系统默认的代理设置 

--tor Use Tor anonymity network => 使用tor的匿名网络 

--tor-port=TORPORT Set Tor proxy port other than default => 使用其他端口而非tor默认端口 

--tor-type=TORTYPE Set Tor proxy type (HTTP (default), SOCKS4 or SOCKS5) => 设置Tor代理模式 

--check-tor Check to see if Tor is used properly => 检查Tor是否适当使用？ 

--delay=DELAY Delay in seconds between each HTTP request =>HTTP请求之间添加几秒延迟 

--timeout=TIMEOUT Seconds to wait before timeout connection(default 30) => 超时时间的设置 

--retries=RETRIES Retries when the connection timeouts (default 3) => 超时之后的重试 

--randomize=RPARAM Randomly change value for given parameter(s)=> 随机改变所给变量的值 

--safe-url=SAFEURL URL address to visit frequently duringtesting => 测试时保持成功连接URL 

--safe-post=SAFE.. POST data to send to a safe URL => 发送正确的post 

--safe-req=SAFER.. Load safe HTTP request from a file => 从文件中读取安全的HTTP request 

--safe-freq=SAFE.. Test requests between two visits to a givensafe URL => 两次正常发送请求之间进行测试 

--skip-urlencode Skip URL encoding of payload data => 跳过对payload的URL编码 

--csrf-token=CSR.. Parameter used to hold anti-CSRF token => 采用变量阻挡anti-CSRF 

--csrf-url=CSRFURL URL address to visit to extract anti-CSRF token => 用其他URL来测试是否有其他的anti-CSRF``` 

--force-ssl Force usage of SSL/HTTPS => 使用SSL/HTTPS 

--hpp Use HTTP parameter pollution method => 采用 HTTP变量污染工具 

--eval=EVALCODE Evaluate provided Python code before therequest (e.g."import hashlib; id2=hashlib.md5(id).hexdigest()")=> 发送request前利用自带Python再编码一次 

Optimization:

These options can be used to optimize the performance of sqlmap => 这些选项是为了最佳化sqlmap的功能 

-o Turn on all optimization switches => 打开所有最佳化开关 

--predict-output Predict common queries output => 预测所有通用查询输出 

--keep-alive Use persistent HTTP(s) connections => 使用稳定的HTTP连接 

--null-connection Retrieve page length without actual HTTP response body => 不发送HTTP response来重载网页 

--threads=THREADS Max number of concurrent HTTP(s) requests (default 1) => 最大使用线程数 

Injection:

These options can be used to specify which parameters to test for,provide custom injection payloads and optional tampering scripts => 这些选项是用来指定哪些参数是用来测试的 使用常用的注入payload和可选的混淆脚本 

-p TESTPARAMETER Testable parameter(s) => 可测试的变量 

--skip=SKIP Skip testing for given parameter(s) => 跳过测试给出的变量 

--skip-static Skip testing parameters that not appear to bedynamic => 跳过测试不是动态的参数 

--param-exclude=.. Regexp to exclude parameters from testing (e.g. "ses") => 使用正则排除测试中的参数 

--dbms=DBMS Force back-end DBMS to this value => 测试后台DBMS时使用给出的这个 

--dbms-cred=DBMS.. DBMS authentication credentials(user:password) => DBMS身份验证 

--os=OS Force back-end DBMS operating system to this value => 验证后台DBMS的OS时使用这个值 

--invalid-bignum Use big numbers for invalidating values => 使用数值很大的数字作为无效数字 

--invalid-logical Use logical operations for invalidatingvalues => 使用逻辑运算作为无效的值 

--invalid-string Use random strings for invalidating values => 用随机字符串作为i无效值 

--no-cast Turn off payload casting mechanism => 关闭payload类型转换机制 

--no-escape Turn off string escaping mechanism => 关闭字符串逃逸机制 

--prefix=PREFIX Injection payload prefix string => 给注入的payload加上前缀 

--suffix=SUFFIX Injection payload suffix string => 注入payload加上后缀 

--tamper=TAMPER Use given script(s) for tampering injectiondata => 用给出的脚本对注入数据进行混淆 

Detection:

These options can be used to customize the detection phase => 这些选项用于自定义检测 

--level=LEVEL Level of tests to perform (1-5, default 1) => 测试结果展现的级别 

--risk=RISK Risk of tests to perform (1-3, default 1) => 危险等级展现的级别 

--string=STRING String to match when query is evaluated to True => 查询结果为真时用字符串进行匹配 

--not-string=NOT.. String to match when query is evaluated to False => 查询结果为假时用字符串进行匹配 

--regexp=REGEXP Regexp to match when query is evaluated to True => 查询为真时用正则表达式进行匹配 

--code=CODE HTTP code to match when query is evaluated to True => 查询为真时对HTTP code进行匹配 

--text-only Compare pages based only on the textual content => 通过文本内容进行页面比较 

--titles Compare pages based only on their titles => 通过title进行页面比较 

Techniques:

These options can be used to tweak testing of specific SQL injection techniques => 这些是用于对特殊的SQL injection进行微调 

--technique=TECH SQL injection techniques to use (default "BEUSTQ") => 使用这几种SQL注入技术 

--time-sec=TIMESEC Seconds to delay the DBMS response (default 5) => 设置延迟注入的时间 

--union-cols=UCOLS Range of columns to test for UNION query SQL injection => 设定UNION查询的的字段数 

--union-char=UCHAR Character to use for bruteforcing number of columns => 设定暴力破解列数的字段 

--union-from=UFROM Table to use in FROM part of UNION query SQL injection => 使用之前获得的表明进行UNION查询 

--dns-domain=DNS.. Domain name used for DNS exfiltration attack => DNS溢出攻击所用域名 

--second-order=S.. Resulting page URL searched for second-order response => 用响应页面的URL进行查询另外一个响应 

Fingerprint:

-f, --fingerprint Perform an extensive DBMS version fingerprint => 测试大量的DBMS版本的指纹 

Enumeration:

These options can be used to enumerate the back-end database management system information, structure and data contained in the tables. Moreover you can run your own SQL statements => 这些选项可以用作枚举DBMS的信息以及他的表的结构和信息 当然你也可以使用你的SQL语句 

-a, --all Retrieve everything => 检索之前的动作 

-b, --banner Retrieve DBMS banner => 检索DBMS的版本号 

--current-user Retrieve DBMS current user => 检索DBMS当前登录的用户 

--current-db Retrieve DBMS current database => 检索DBMS当前所处的数据库 

--hostname Retrieve DBMS server hostname => 检索DBMS服务器的主机名称 

--is-dba Detect if the DBMS current user is DBA => 检测DBMS当前的用户是否是DBA 

--users Enumerate DBMS users => 枚举DBMS用户 

--passwords Enumerate DBMS users password hashes => 枚举DBMS用户密码的哈希值 

--privileges Enumerate DBMS users privileges => 枚举DBMS用户的权限 

--roles Enumerate DBMS users roles => 枚举DBMS用户的功能？ 

--dbs Enumerate DBMS databases => 枚举DBMS数据库 

--tables Enumerate DBMS database tables => 枚举DBMS数据库的表 

--columns Enumerate DBMS database table columns => 枚举DBMS数据库的表和列 

--schema Enumerate DBMS schema => 枚举DBMS的模式 

--count Retrieve number of entries for table(s) => 检索有多少的表 

--dump Dump DBMS database table entries => 下载DBMS中当前所在的表 

--dump-all Dump all DBMS databases tables entries => 下载所有的表 

--search Search column(s), table(s) and/or database name(s) => 搜索列表或者数据库的名称 

--comments Retrieve DBMS comments => 检索DBMS的解释？ 

-D DB DBMS database to enumerate => 枚举DBMS的数据库 

-T TBL DBMS database table(s) to enumerate => 枚举表 

-C COL DBMS database table column(s) to enumerate => 枚举表中的列 

-X EXCLUDECOL DBMS database table column(s) to not enumerate => 不枚举表中的 

-U USER DBMS user to enumerate => 枚举DBMS的用户 

--exclude-sysdbs Exclude DBMS system databases when enumerating tables => 枚举时不显示系统的数据库 

--pivot-column=P.. Pivot column name => 挖掘列名 

--where=DUMPWHERE Use WHERE condition while table dumping => 下载表时使WHERE语句 

--start=LIMITSTART First query output entry to retrieve => 下载时选择项从哪里开始下载 

--stop=LIMITSTOP Last query output entry to retrieve => 下载时项到哪里结束 

--first=FIRSTCHAR First query output word character to retrieve => 下载时选择几个字符开始 

--last=LASTCHAR Last query output word character to retrieve => 下载时选择几个字符结束 

--sql-query=QUERY SQL statement to be executed => 要执行的SQL语句 

--sql-shell Prompt for an interactive SQL shell => 执行shell 

--sql-file=SQLFILE Execute SQL statements from given file(s) =>从文件中执行SQL语句 

Brute force:

These options can be used to run brute force checks => 用于暴力检查的选项 

--common-tables Check existence of common tables => 检查存在的常见table 

--common-columns Check existence of common columns => 检查常见的column 

User-defined function injection:

These options can be used to create custom user-defined functions => 用于运行用于自定义函数的选项 

--udf-inject Inject custom user-defined functions => 使用用户自定义的注入 

--shared-lib=SHLIB Local path of the shared library => 本地分享的函数库 

File system access:

These options can be used to access the back-end database management system underlying file system=>用于对数据管理系统的文件进行读写 

--file-read=RFILE Read a file from the back-end DBMS file system => 从DBMS中读取文件 

--file-write=WFILE Write a local file on the back-end DBMS file system => 往DBMS中写入文件 

--file-dest=DFILE Back-end DBMS absolute filepath to write to=> 使用绝对路径写入文件 

Operating system access:

These options can be used to access the back-end database management system underlying operating system=> 用于对操作系统的文件进行读写 

--os-cmd=OSCMD Execute an operating system command => 运行系统命令行 

--os-shell Prompt for an interactive operating system shell => 运行shell 

--os-pwn Prompt for an OOB shell, Meterpreter or VNC => 运行 OOB shell metrepreter VNC 

--os-smbrelay One click prompt for an OOB shell, Meterpreter or VNC => 一键进行smb注入 

--os-bof Stored procedure buffer overflow exploitation => 一种溢出攻击(SQL server) 

--priv-esc Database process user privilege escalation => 用户特权提升 

--msf-path=MSFPATH Local path where Metasploit Framework is installed => 输入msf安装的位置 

--tmp-path=TMPPATH Remote absolute path of temporary files directory => 远程文件的绝对路径 

Windows registry access:

These options can be used to access the back-end database management system Windows registry => Windows下可以对注册表进行写入 

--reg-read Read a Windows registry key value => 读取注册表的值 

--reg-add Write a Windows registry key value data => 写入注册表的值 

--reg-del Delete a Windows registry key value => 删除一个注册表的值 

--reg-key=REGKEY Windows registry key => 手动输入创建一个注册表的项 

--reg-value=REGVAL Windows registry key value => 手动输入注册表的值 

--reg-data=REGDATA Windows registry key value data => 手动输入注册表的数据 

--reg-type=REGTYPE Windows registry key value type => 手动输入注册表的类型 

General:

These options can be used to set some general workingparameters => 设置一些通用的参数 

-s SESSIONFILE Load session from a stored (.sqlite) file => 从文件中读取会话 

-t TRAFFICFILE Log all HTTP traffic into a textual file => 把所有HTTP中的问题写入文件中 

--batch Never ask for user input, use the default behaviour =>一直使用默认选项 

--binary-fields=.. Result fields having binary values (e.g. "digest") => 结果都用二进制进行存储 

--charset=CHARSET Force character encoding used for dataretrieval => 检索时对字符进行编码 

--crawl=CRAWLDEPTH Crawl the website starting from the target URL => 从目标地址开始爬取网站 

--crawl-exclude=.. Regexp to exclude pages from crawling (e.g. "logout") => 爬取网站时正则排除部分网页 

--csv-del=CSVDEL Delimiting character used in CSV output (default ",") => 定义在CSV输出中运用的字符 

--dump-format=DU.. Format of dumped data (CSV (default), HTML or SQLITE) => 格式化下载的东西 

--eta Display for each output the estimated time of arrival => 显示输出预计达到时间 

--flush-session Flush session files for current target => 清空当前目标的缓存 

--forms Parse and test forms on target URL => 分析测试目标URL中的表单 

--fresh-queries Ignore query results stored in session file => 忽略缓存文件中的查询结果 

--hex Use DBMS hex function(s) for data retrieval => 检索时使用hex函数进行 

--output-dir=OUT.. Custom output directory path => 自定义输出的目录 

--parse-errors Parse and display DBMS error messages from responses => 显示DBMS回复头中的错误信息 

--save=SAVECONFIG Save options to a configuration INI file => 把选项保存在配置文件中 

--scope=SCOPE Regexp to filter targets from provided proxy log => 从代理日志中用正则筛选 

--test-filter=TE.. Select tests by payloads and/or titles (e.g. ROW) => 对输入的条件在payload中进行筛选并测试 

--test-skip=TEST.. Skip tests by payloads and/or titles (e.g. BENCHMARK) => 对输入的条件在payload中进行剔除并测试 

--update Update sqlmap => 升级啊o(￣▽￣)ブ 

Miscellaneous:杂项

-z MNEMONICSUse short mnemonics (e.g. "flu,bat,ban,tec=EU") => 使用简写 

--alert=ALERT Run host OS command(s) when SQL injection is found => 发现SQL注入时运行主机的cmd 

--answers=ANSWERS Set question answers (e.g. "quit=N,follow=N") => 对填写的关键字进行设置 

--beep Beep on question and/or when SQL injection is found => 发现SQL注入时bee bee bee的响o(￣▽￣)ブ 

--cleanup Clean up the DBMS from sqlmap specific UDF and tables => 清除DBMS中的sqlmap特殊的函数和表 

--dependencies Check for missing (non-core) sqlmap dependencies => 检查SQLMAP缺失的依赖 

--disable-coloring Disable console output coloring => 显示控制台输出的颜色 

--gpage=GOOGLEPAGE Use Google dork results from specified page number => 使用google搜索结果中特定的网页数 

--identify-waf Make a thorough testing for a WAF/IPS/IDS protection => 对WAF之类的进行检测测试 

--skip-waf Skip heuristic detection of WAF/IPS/IDS protection => 跳过WAF的启发式保护 

--mobileImitate smartphone through HTTP User-Agent header => 模仿手机的HTTP头 

--offline Work in offline mode (only use session data) => 离线模式运行 

--purge-output Safely remove all content from output directory => 安全删除目录下的内容 

--smart Conduct thorough tests only if positive heuristic(s) => 智能判断注入 

--sqlmap-shell Prompt for an interactive sqlmap shell => 运行 sqlmap shell 

--wizardSimple wizard interface for beginner users => 对于初学者简单的向导 

输出的详细程度

Option: -v
This option can be used to set the verbosity level of outputmessages. There exist seven levels of verbosity. The default level is 1 in which information, warning, error, critical messages and Python tracebacks (if any occur) are displayed. 
=>
这个选项是用来设置输出信息的详细程度的 他就有七个级别 默认级别是1 这个级别下显示的有信息 警告 错误 关键信息以及 Python 的错误信息回显 

• 0: Show only Python tracebacks, error and critical messages. =>只是显示Python的错误回显 错误以及关键信息
• 1: Show also information and warning messages. => 增加显示信息以及警告消息
• 2: Show also debug messages. => 增加显示调试？排错信息
• 3: Show also payloads injected. => 增加显示注入使用的payload
• 4: Show also HTTP requests. => 还显示HTTP请求头
• 5: Show also HTTP responses' headers. => 还显示HTTP回应头
• 6: Show also HTTP responses' page content. => 显示HTTP回应的页面内容

A reasonable level of verbosity to further understand what sqlmap does under the hood is level 2, primarily for the detection phase and the take-over functionalities. Whereas if you want to see the SQL payloads the tools sends, level 3 is your best choice. This level is also recommended to be used when you feed the developers with a potential bug report, make sure you send along with the standard output the traffic log file generated with option -t.
=>
为了更好的取理解sqlmap到底在检测阶段都干了些什么 建议使用级别2的参数, 如果你想看到SQL payload所发送的注入 级别3是你最好的选择, 在告诉开发者一个可能存在的bug时 也推荐你使用这个级别当然 要确保你使用了-t 功能去生成一个标准的流量日志文件 

In order to further debug potential bugs or unexpectedbehaviours, we recommend you to set the verbosity to level 4 or above. It should be noted that there is also a possibility to set the verbosity by using the shorter version of this optionwhere number of letters v inside the provided switch (instead of option) determines the verbosity level (e.g. -v instead of -v 2, -vv instead of -v 3, -vvv instead of -v 4, etc.)
=>
为了获得更加多可能存在的bug或者一些不可预测的行为 我们推荐你设置级别4或者以上的数字 同时你应该知道 你也可以在设置级别的额时候使用缩写 例如-v来代替-v 2 -vv代替-v 3之类的 

指定目标

At least one of these options has be provided to set thetarget(s). 
=> 
下面选项中至少选择一项用于目标 

Direct connection to the database => 直接连接数据库

Option: -d
Run sqlmap against a single database instance. This option accepts a connection string in one of following forms: 
=>
用sqlmap直接连接上一个数据库 详细参数如下 

• DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME (MySQL,Oracle, Microsoft SQL Server, PostgreSQL, etc.)
• DBMS://DATABASE_FILEPATH (SQLite, Microsoft Access, Firebird,etc.)

For example:

$ python sqlmap.py -d
"mysql://admin:[email protected]:3306/testdb" -f --banner --dbs --users 

Target URL => 目标URL

Option: -u or --url
Run sqlmap against a single target URL. This option requires a target URL in following form:
=>
在sqlmap中连接目标URL 格式如下 : 

http(s)://targeturl[:port]/[...]
For example:

$ python sqlmap.py -u "http://www.target.com/vuln.php?id=1" -f --banner --dbs --users 

Parse targets from Burp or WebScarab proxy logs => 从Burp WebScarab中获取目标

Option: -l
Rather than providing a single target URL, it is possible to test and inject against HTTP requests proxied through Burp proxy or WebScarab proxy.
=>
相比提供一个单独的URL 你也可以直接通过Burp 和WebScarab 去测试、注入
HTTP请求 

This option requires an argument which is the proxy's HTTPrequests log file.
=>
这个选项需要你提供一个HTTP请求的日志 

Option: -l 

Rather than providing a single target URL, it is possible to test and inject against HTTP requests proxied through Burp proxy or WebScarab proxy.
=>
相比提供一个单独的URL 你也可以直接通过Burp 和WebScarab 去测试、注入HTTP请求
```

This option requires an argument which is the proxy's HTTPrequests log file.
=>
这个选项需要你提供一个HTTP请求的日志 

Parse targets from remote sitemap(.xml) file => 从xml文件中获取目标

Option: -x
A sitemap is a file where web admins can list the web page locations of their site to tell search engines about the site content's organization. You can provide a sitemap's location to sqlmap by using option -x (e.g. -x http://www.target.com/sitemap.xml) so it could find usable target URLs for scanning purposes.
=>
站图是一个Web管理员告诉搜索引擎自己网站上面所有页面的目录的结构 通过这个选项 你也可以提供这样的一个文件来找到对自己有用的目标URL 

Scan multiple targets enlisted in a given textual file => 扫描文件中的多个目标

Option: -m
Providing list of target URLs enlisted in a given bulk file,sqlmap will scan each of those one by one.
=>
提供含有大量的目标URL的文件 sqlmap会一个一个对他们进行扫描 

Sample content of a bulk file provided as an argument to this option:
=>
下面给出这样的一个例子
www.target1.com/vuln1.php?q=foobar
www.target2.com/vuln2.asp?id=1
www.target3.com/vuln3/id/1* 

Option: -r
One of the possibilities of sqlmap is loading of raw HTTPrequest from a textual file. That way you can skip usage of a number of other options (e.g. setting of cookies, POSTed data, etc).
=>
sqlmap也可以从文件中读取未修改过的HTTP请求 这样你就能避免使用大量的其他参数 例如 cookies POST data 这些 

Sample content of a HTTP request file provided as an argument to this option:
=>
这里又是一个例子(｡･∀･)ﾉﾞ嗨
POST /vuln.php HTTP/1.1
Host: www.target.com
User-Agent: Mozilla/4.0
id=1 

Note that if the request is over HTTPS, you can use this in conjunction with switch --force-ssl to force SSL connection to 443/tcp. Alternatively, you can append :443 to the end of the Host header value.
=>
请注意 如果请求是用HTTPS的 那么你可以用--force-ssl来用SSL连接上443/tcp 当然你也可以在HOST头值的后面跟上:443