Share
## https://sploitus.com/exploit?id=13F85568-F74C-55EB-8487-54869ADA0F2E
# Sqlinject ๐
### Advanced SQL Injection Scanner with WAF Bypass
Detects error-based, boolean-blind, time-based blind, union-based, header injection.
Supports GET, POST, JSON body, HTTP headers. Built-in WAF detection + bypass.
---
## โก Setup
```bash
pip3 install rich
python3 sqlinject.py -u "https://example.com/page?id=1"
```
Zero external dependencies beyond `rich`.
---
## ๐ Commands
```bash
# Scan GET parameter
python3 sqlinject.py -u "https://example.com/page?id=1"
# Scan POST login form
python3 sqlinject.py -u "https://example.com/login" \
--method POST --data "user=admin&pass=test"
# Scan JSON API endpoint
python3 sqlinject.py -u "https://api.example.com/user" \
--json '{"id": 1}'
# Level 3 โ time-based blind + advanced payloads
python3 sqlinject.py -u "https://example.com/page?id=1" --level 3
# WAF bypass mode
python3 sqlinject.py -u "https://example.com/page?id=1" --waf-bypass
# Also test HTTP headers (X-Forwarded-For, Referer, etc.)
python3 sqlinject.py -u "https://example.com/page?id=1" --scan-headers
# With auth token
python3 sqlinject.py -u "https://api.example.com/data?id=1" \
--headers "Authorization: Bearer YOUR_TOKEN"
# With cookies
python3 sqlinject.py -u "https://example.com/page?id=1" \
--cookies "session=abc123; token=xyz"
# Scan a list of URLs
python3 sqlinject.py --list urls.txt
# Verbose output
python3 sqlinject.py -u "https://example.com/page?id=1" --verbose
```
---
## ๐ฏ Detection Methods
| Type | How It Works |
|---|---|
| **Error-based** | Injects `'` and similar โ detects DB error messages |
| **Boolean-based Blind** | Compares `OR 1=1` vs `OR 1=2` responses |
| **Time-based Blind** | Uses `SLEEP(3)` / `WAITFOR DELAY` โ measures response time |
| **Union-based** | Tests `UNION SELECT` column count matching |
| **Header Injection** | Tests X-Forwarded-For, Referer, User-Agent, Cookie |
| **JSON Injection** | Tests each key in JSON request body |
---
## ๐ก๏ธ WAF Bypass Techniques (--waf-bypass)
- Case variation (`SeLeCt` instead of `SELECT`)
- URL encoding / double URL encoding
- Comment injection (`SE/**/LECT`)
- Whitespace variation (`SELECT\n`)
- Null byte injection
- Plus sign space bypass
- Inline comment obfuscation
---
## ๐๏ธ Database Detection
Detects: **MySQL**, **PostgreSQL**, **MSSQL**, **Oracle**, **SQLite**
---
## ๐ Scan Levels
| Level | Payloads | Best For |
|---|---|---|
| `--level 1` | Basic `'`, `"`, `\\` | Quick check |
| `--level 2` | + Boolean, Union (default) | Standard scan |
| `--level 3` | + Time-based, Advanced | Deep / blind injection |
---
## ๐ Output Files
```
sqlinject_output/
โโโ sqli_findings.json โ Structured findings
โโโ SQLI_REPORT.md โ Full report with evidence + remediation
```
---
## โ ๏ธ Legal Notice
Only test applications you own or have written authorization to test.