sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests… then fuzzes them.
What is sqlifuzzer?
It’s a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.
Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.
- Payloads/tests for numeric, string, error and time-based SQL injection
- Support for MSSQL, MYSQL and Oracle DBMS’s
- Automated testing of ‘tricky’ parameters like POST URL query and mulipart form parameters
- A range of filter evasion options:
- case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
- ORDER BY and UNION SELECT tests on vulnerable parameters to:
- enumerate select query column numbers
- identify data-type string columns in select queries
- extract database schema and configuration information
- Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
- Time delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
- Boolean response-based XPath injection testing and data extraction
- Support for automated detection and testing of parameters in POST URIs and multipart forms
- Scan ‘state’ maintenance:
- Halt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
- Specify a specific request number to resume a scan from
- Optional exclusion of a customizable list of parameters from scanning scope
- Tracking of parameters scanned and avoidance of re-scanning scanned parameters
- HTML format output with:
- links/buttons to send Proof of Concept SQL injection requests
- links to response difference files and to extracted data
Our Post Before :