Share
## https://sploitus.com/exploit?id=13F85568-F74C-55EB-8487-54869ADA0F2E
# Sqlinject ๐Ÿ’‰
### Advanced SQL Injection Scanner with WAF Bypass

Detects error-based, boolean-blind, time-based blind, union-based, header injection.
Supports GET, POST, JSON body, HTTP headers. Built-in WAF detection + bypass.

---

## โšก Setup

```bash
pip3 install rich
python3 sqlinject.py -u "https://example.com/page?id=1"
```

Zero external dependencies beyond `rich`.

---

## ๐Ÿš€ Commands

```bash
# Scan GET parameter
python3 sqlinject.py -u "https://example.com/page?id=1"

# Scan POST login form
python3 sqlinject.py -u "https://example.com/login" \
  --method POST --data "user=admin&pass=test"

# Scan JSON API endpoint
python3 sqlinject.py -u "https://api.example.com/user" \
  --json '{"id": 1}'

# Level 3 โ€” time-based blind + advanced payloads
python3 sqlinject.py -u "https://example.com/page?id=1" --level 3

# WAF bypass mode
python3 sqlinject.py -u "https://example.com/page?id=1" --waf-bypass

# Also test HTTP headers (X-Forwarded-For, Referer, etc.)
python3 sqlinject.py -u "https://example.com/page?id=1" --scan-headers

# With auth token
python3 sqlinject.py -u "https://api.example.com/data?id=1" \
  --headers "Authorization: Bearer YOUR_TOKEN"

# With cookies
python3 sqlinject.py -u "https://example.com/page?id=1" \
  --cookies "session=abc123; token=xyz"

# Scan a list of URLs
python3 sqlinject.py --list urls.txt

# Verbose output
python3 sqlinject.py -u "https://example.com/page?id=1" --verbose
```

---

## ๐ŸŽฏ Detection Methods

| Type | How It Works |
|---|---|
| **Error-based** | Injects `'` and similar โ€” detects DB error messages |
| **Boolean-based Blind** | Compares `OR 1=1` vs `OR 1=2` responses |
| **Time-based Blind** | Uses `SLEEP(3)` / `WAITFOR DELAY` โ€” measures response time |
| **Union-based** | Tests `UNION SELECT` column count matching |
| **Header Injection** | Tests X-Forwarded-For, Referer, User-Agent, Cookie |
| **JSON Injection** | Tests each key in JSON request body |

---

## ๐Ÿ›ก๏ธ WAF Bypass Techniques (--waf-bypass)

- Case variation (`SeLeCt` instead of `SELECT`)
- URL encoding / double URL encoding
- Comment injection (`SE/**/LECT`)
- Whitespace variation (`SELECT\n`)
- Null byte injection
- Plus sign space bypass
- Inline comment obfuscation

---

## ๐Ÿ—„๏ธ Database Detection

Detects: **MySQL**, **PostgreSQL**, **MSSQL**, **Oracle**, **SQLite**

---

## ๐Ÿ“Š Scan Levels

| Level | Payloads | Best For |
|---|---|---|
| `--level 1` | Basic `'`, `"`, `\\` | Quick check |
| `--level 2` | + Boolean, Union (default) | Standard scan |
| `--level 3` | + Time-based, Advanced | Deep / blind injection |

---

## ๐Ÿ“ Output Files

```
sqlinject_output/
โ”œโ”€โ”€ sqli_findings.json    โ† Structured findings
โ””โ”€โ”€ SQLI_REPORT.md        โ† Full report with evidence + remediation
```

---

## โš ๏ธ Legal Notice

Only test applications you own or have written authorization to test.