sqlifuzzer – Command Line SQL Injection Web Scanner

sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests… then fuzzes them.What is sqlifuzzer?
It’s a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL injection vulnerabilities. It does this by sending some SQL injection payloads and examining the responses for signs of ‘injectability’. Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is very beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.


  • Payloads/tests for numeric, string, error and time-based SQL injection
  • Support for MSSQL, MYSQL and Oracle DBMS’s
  • A range of filter evasion options:
  • case variation (lame, but wtf)
  • nesting
  • double URL encoding
  • comments for spaces
  • ‘like’ for ‘equals’ operator
  • intermediary characters and quotes for spaces
  • null and CRLF prefixes
  • ORDER BY and UNION SELECT tests on vulnerable parameters to:
  • enumerate select query column numbers
  • identify data-type string columns in select queries
  • extract database schema and configuration information
  • Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
  • Blind, boolean response-based XPath injection testing and data extraction
  • Scan ‘state’ maintenance:
  • Halt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
  • Or specify a specific request number to resume a scan from
  • Optional exclusion of a customizable list of parameters from scanning scope
  • Tracking of parameters scanned and avoidance of re-scanning scanned parameters
  • Optional method swapping (where GET requests are converted into POSTs and vice-versa to evade filters)
  • HTML format output with:
  • links/buttons to send Proof of Concept SQL injection requests
  • links to response difference files and to extracted dat

Platform : Unix/linux

Download : sqlifuzzer-0.5f.tgz (55.1KB)
Find other version |
Read more in here : http://code.google.com/p/sqlifuzzer/