eslam3kl/SQLiDetector eslam3kl/SQLiDetector

  • Stars
    star
    568
  • Rank 77,973 (Top 2 %)
  • Language BlitzBasic
  • Created about 2 years ago
  • Updated 2 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
eslam3kl/SQLiDetector
github

eslam3kl

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Simple python script supported with BurpBouty profile that helps you to detect SQL injection "Error based" by sending multiple requests with 14 payloads and checking for 152 regex patterns for different databases.

SQLiDetector

Simple python script supported with BurpBouty profile that helps you to detect SQL injection "Error based" by sending multiple requests with 14 payloads and checking for 152 regex patterns for different databases.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
| S|Q|L|i| |D|e|t|e|c|t|o|r|
| Coded By: Eslam Akl @eslam3kll & Khaled Nassar @knassar702
| Version: 1.0.0
| Blog: eslam3kl.medium.com
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

Header

Description

The main idea for the tool is scanning for Error Based SQL Injection by using different payloads like

'123
''123
`123
")123
"))123
`)123
`))123
'))123
')123"123
[]123
""123
'"123
"'123
\123

And match for 152 error regex patterns for different databases.
Source: https://github.com/sqlmapproject/sqlmap/blob/master/data/xml/errors.xml

How does it work?

It's very simple, just organize your steps as follows

  1. Use your subdomain grabber script or tools.
  2. Pass all collected subdomains to httpx or httprobe to get only live subs.
  3. Use your links and URLs tools to grab all waybackurls like waybackurls, gau, gauplus, etc.
  4. Use URO tool to filter them and reduce the noise.
  5. Grep to get all the links that contain parameters only. You can use Grep or GF tool.
  6. Pass the final URLs file to the tool, and it will test them.

The final schema of URLs that you will pass to the tool must be like this one

https://aykalam.com?x=test&y=fortest
http://test.com?parameter=ayhaga

Installation and Usage

Just run the following command to install the required libraries.

~/eslam3kl/SQLiDetector# pip3 install -r requirements.txt

To run the tool itself.

# cat urls.txt
http://testphp.vulnweb.com/artists.php?artist=1

# python3 sqlidetector.py -h
usage: sqlidetector.py [-h] -f FILE [-w WORKERS] [-p PROXY] [-t TIMEOUT] [-o OUTPUT]
A simple tool to detect SQL errors
optional arguments:
  -h, --help            show this help message and exit]
  -f FILE, --file FILE  [File of the urls]
  -w WORKERS, --workers [WORKERS Number of threads]
  -p PROXY, --proxy [PROXY Proxy host]
  -t TIMEOUT, --timeout [TIMEOUT Connection timeout]
  -o OUTPUT, --output [OUTPUT [Output file]

# python3 sqlidetector.py -f urls.txt -w 50 -o output.txt -t 10

BurpBounty Module

I've created a burpbounty profile that uses the same payloads add injecting them at multiple positions like

  • Parameter name
  • Parameter value
  • Headers
  • Paths

I think it's more effective and will helpful for POST request that you can't test them using the Python script. burpbounty1

burpbounty2

How does it test the parameter?

What's the difference between this tool and any other one? If we have a link like this one https://example.com?file=aykalam&username=eslam3kl so we have 2 parameters. It creates 2 possible vulnerable URLs.

  1. It will work for every payload like the following
https://example.com?file=123'&username=eslam3kl
https://example.com?file=aykalam&username=123'
  1. It will send a request for every link and check if one of the patterns is existing using regex.
  2. For any vulnerable link, it will save it at a separate file for every process.

Upcoming updates

  • Output json option.
  • Adding proxy option.
  • Adding threads to increase the speed.
  • Adding progress bar.
  • Adding more payloads.
  • Adding BurpBounty Profile.
  • Inject the payloads in the parameter name itself.

If you want to contribute, feel free to do that. You're welcome :)

Thanks to

Thanks to Mohamed El-Khayat and Orwa for the amazing paylaods and ideas. Follow them and you will learn more

https://twitter.com/Mohamed87Khayat
https://twitter.com/GodfatherOrwa

Contributors

contributors

Stay in touch <3

LinkedIn | Blog | Twitter

More Repositories

1

3klCon

Automation Recon tool which works with Large & Medium scopes. It performs a lot of tasks and gets back all the results in separated files.
Shell
676
star
2

crtfinder

Fast tool to extract all subdomains from crt.sh website. Output will be up to sub.sub.sub.subdomain.com with standard and advanced search techniques
Python
111
star
3

GG-Dorking

GG Dorking is a tool to generate GitHub and Google dorking for pentesters and bug bounty hunters.
Python
92
star
4

ShoLister

ShoLister is a tool that collects all available subdomains for specific hostname or organization from Shodan. The tool is designed to be used from Penetration Tester and Bug Bounty Hunters.
Python
56
star
5

3klector

3klector is an automation Recon tool which collecting information about Acquisitions and ASN which related to Big Scope company
Python
49
star
6

Explorer

Explorer is a very useful tool which will help you in the Recon phase in Bug Bounty hunting or Web Pentesting. It can perform a lot of things individually or all together.
Python
23
star
7

PackSniff

PackSniff tool is used to sniff the packet which come to your machine after performing ARP Spoofing as a part of the Man-In-The-Middle attacks.
Python
6
star
8

ARP-Spoofer

This tool used to be MITM Attack. To be in the middle between 2 machines like victim machine and the router.
Python
4
star
9

MAC_Changer

This is simple tool to change your MAC address in specific Interface. This tool written in python.
Python
4
star
10

NetScanner

This simple tool is used ot get the IPs and MAC addresses of the devices which connect to your network.
Python
3
star
11

My_CVEs

This repository contain all my assigned CVEs. Some of them are public and the other will be published soon.
2
star