Share
## https://sploitus.com/exploit?id=DEEA7396-B411-5055-91CB-5F5B8DC24893
# InjectProof
> The SQL injection scanner that finds what sqlmap, Havij, and every other tool miss.
**InjectProof** is a self-hosted web vulnerability scanner built for penetration testers who refuse to settle for basic detection. It crawls your target with a stealth headless browser, discovers forms (including JavaScript-rendered ones), fingerprints the tech stack, finds exposed admin panels and backup files, then runs a **full adaptive exploitation chain** β from context-aware detection through database dumping β with a smart mutation engine that auto-bypasses WAFs. No sqlmap, no external tools, no manual configuration.
Built on Next.js 15, runs in your browser, stores everything locally.



---
## Why InjectProof?
Most SQL injection tools fall into two camps: automated scanners that produce false positives and miss anything behind a login form, or manual exploitation tools that require you to configure every parameter by hand.
InjectProof sits in between. It uses a headless browser (Puppeteer with stealth plugins) to interact with your target like a real user β filling forms, clicking buttons, handling CSRF tokens β while running an exploitation engine that automatically escalates from detection to full database extraction.
### What it does that Havij / sqlmap don't
| Feature | Havij | sqlmap | InjectProof |
|---------|-------|--------|-------------|
| Browser-based form interaction | β | β | β
|
| Automatic CSRF token handling | β | β | β
|
| JavaScript-rendered page crawling | β | β | β
|
| Auth bypass + recursive post-auth scan | β | β | β
|
| **SQL context detection (32 contexts)** | β | Partial | β
|
| **Stacked queries detection** | β | β
| β
|
| **Second-order SQLi** | β | β | β
|
| **Cookie/Header injection (12+ headers)** | β | Partial | β
|
| **Smart payload mutation (30+ tampers)** | β | β
| β
|
| **PHP addslashes/GBK bypass** | β | β
| β
|
| Admin panel discovery (300+ paths) | β
| β | β
|
| Technology fingerprinting | β | β | β
|
| WAF detection + adaptive evasion (7+ WAFs) | Partial | β
| β
|
| Multi-technique exploitation (UNION/Error/Blind/Time) | Partial | β
| β
|
| Password hash extraction + cracking | β
| β
| β
|
| File read / OS command execution | β
| β
| β
|
| Out-of-Band DNS exfiltration payloads | β | β
| β
|
| Professional HTML reports | β | β | β
|
| Modern web UI with real-time progress | β | β | β
|
| Self-hosted, no cloud dependency | β
| β
| β
|
---
## Quick Start
```bash
# Clone and install
git clone https://github.com/YOUR_USERNAME/injectproof.git
cd injectproof
npm run setup
# Start the scanner
npm run dev
```
Open **http://localhost:3000** β login with `admin@injectproof.local` / `admin123`.
Add a target, start a scan, and watch InjectProof work through each phase in real time.
---
## How It Works
InjectProof runs scans in seven phases:
**1. Crawling** β Discovers pages and endpoints using both static HTTP requests and a stealth headless browser. Captures forms, query parameters, AJAX endpoints, and JavaScript-rendered content.
**2. Intelligent Analysis** β The scanner brain analyzes every page: classifies forms (15 types: login, search, upload, comment, etc.), scores each field's attack priority, discovers hidden AJAX endpoints from inline JavaScript, maps interactive elements (buttons, tabs, pagination, sort controls, modals), classifies page types, extracts HTML comments for info leaks, and generates a prioritized attack plan. Discovered AJAX endpoints are automatically merged into the scan queue.
**3. Vulnerability Detection** β Runs 11 detector modules against every discovered endpoint (including AJAX endpoints found by the intelligence phase). Each detector sends targeted payloads and analyzes responses for evidence of exploitable vulnerabilities.
**4. Reconnaissance** β Probes for admin panels across 300+ common paths, scans for exposed backup files and database dumps, and fingerprints the target's technology stack (server, framework, CMS, CDN, WAF).
**5. Smart Form SQLi** β Opens a headless browser, navigates to pages with forms, fills them with SQLi payloads (handling CSRF tokens automatically), submits them, and analyzes responses. If a login form is vulnerable, it bypasses auth and scans post-login pages recursively.
**6. Adaptive Context Detection** β The V2 engine analyzes how each parameter is embedded in SQL: detects 32 injection contexts, identifies the exact closing characters and comment style needed, fingerprints the DBMS, and detects PHP backends. It also probes 12+ HTTP headers and tests for stacked query support and second-order SQLi.
**7. Deep Exploitation** β When SQLi is confirmed, the exploitation engine kicks in with context-aware payloads. It fingerprints the DBMS, detects the column count, finds injectable columns, and extracts:
- Database names, table structures, column types
- Full row data from every discovered table
- User accounts and password hashes (with dictionary cracking)
- Server files (`/etc/passwd`, config files)
- OS command execution (when running as DBA)
All extraction uses four techniques in priority order: UNION β Error-based β Boolean-blind β Time-blind. If a WAF blocks a payload, the **smart mutation engine** auto-applies 30+ tamper functions (spaceβcomment, hex encoding, case alternation, inline MySQL comments, keyword splitting, etc.) and chains them in 2-deep combinations until the WAF is bypassed. Supports WAF-specific bypasses for Cloudflare, ModSecurity, AWS WAF, Akamai, Imperva, Sucuri, and F5 BigIP.
---
## Scanner Modules
### Vulnerability Detectors
| Module | CWE | What it finds |
|--------|-----|---------------|
| SQL Injection | CWE-89 | Error-based, boolean-blind, time-based detection across MySQL, PostgreSQL, MSSQL, SQLite |
| Cross-Site Scripting | CWE-79 | Reflected, stored, and DOM-based XSS with context-aware payloads |
| Server-Side Request Forgery | CWE-918 | Internal IP access, redirect chains, cloud metadata endpoints |
| Path Traversal | CWE-22 | Directory traversal with encoding bypass variants |
| Open Redirect | CWE-601 | URL parameter redirect validation bypass |
| CORS Misconfiguration | CWE-942 | Origin reflection, null origin, wildcard with credentials |
| Security Headers | β | Missing CSP, HSTS, X-Frame-Options, referrer policy |
### Advanced Detectors
| Module | What it finds |
|--------|---------------|
| Race Condition | HTTP/2 single-packet TOCTOU vulnerabilities |
| HTTP Request Smuggling | CL.TE and TE.CL desync attacks |
| Prototype Pollution | `__proto__` and `constructor.prototype` injection |
| Cloud Metadata SSRF | AWS IMDSv1/v2, GCP, Azure, DigitalOcean metadata endpoints |
### Reconnaissance
| Module | What it finds |
|--------|---------------|
| Admin Panel Finder | 300+ common admin paths with smart login form detection |
| Backup File Scanner | Exposed `.sql`, `.zip`, `.bak`, `.env`, config files |
| Technology Fingerprinter | Server, framework, CMS, CDN, WAF, JS libraries |
### Intelligent Scanner Brain
| Capability | Details |
|-----------|---------|
| Form Classification | 15 form types: login, registration, search, upload, comment, contact, profile-edit, password-change, password-reset, admin-action, filter, settings, payment, newsletter, delete-confirm |
| Field Analysis | Per-field SQLi/XSS priority scoring (0-10). Detects: injectable params, credentials, tokens, identifiers, content fields, file inputs |
| AJAX Discovery | Extracts hidden endpoints from inline JS: `fetch()`, `$.ajax()`, `axios`, `XMLHttpRequest`, `/api/*`, `.php` paths (10+ regex patterns) |
| Interactive Element Mapping | Discovers buttons, tabs, pagination, sort controls, dropdowns, modal triggers, and `data-*` URL attributes |
| Page Classification | 12 page types: login, dashboard, listing, detail, search-results, admin-panel, settings, profile, registration, error, api-docs, file-manager |
| Attack Plan Generator | Auto-generates prioritized attack steps based on form types, field analysis, and page context |
| HTML Comment Extraction | Finds developer comments that may leak paths, credentials, TODO items, or debug info |
| Risk Scoring | Per-page risk score (0-100) based on form types, interactive elements, AJAX count, auth/admin status |
### Adaptive SQLi Engine V2
| Capability | Details |
|-----------|---------|
| Context Detection | 32 SQL contexts: WHERE (string/numeric/paren/double-quote/backtick), ORDER BY, INSERT, UPDATE, LIKE, IN, HAVING, GROUP BY, LIMIT, BETWEEN, CASE WHEN, CONCAT, subquery, JSON, REST path |
| PHP-Specific | GBK/Big5 multibyte `addslashes()` bypass, numeric type juggling, PHP backend auto-detection (10 signatures) |
| MSSQL-Specific | Bracket notation `[col]`, EXEC stored procedure injection, xp_cmdshell probes |
| Stacked Queries | Auto-detects multi-statement support on MySQL, MSSQL, PostgreSQL, SQLite |
| Second-Order SQLi | Injects in one endpoint, triggers in another β supports auth-bypass, error-trigger, time-trigger markers |
| Header/Cookie Injection | Probes 12+ headers: Cookie, Referer, X-Forwarded-For, X-Client-IP, X-Real-IP, User-Agent, Accept-Language, X-Original-URL, X-Rewrite-URL, and more |
| Smart Mutation Engine | 30+ tamper functions with auto-chaining (2-deep combos). Spaceβcomment, hex encoding, case swap, keyword split, scientific notation, null-byte, unicode fullwidth |
| WAF Bypass | Specific bypasses for Cloudflare, ModSecurity, AWS WAF, Akamai, Imperva, Sucuri, F5 BigIP + double URL encode + mixed encoding chains |
| Response Diff Engine | Statistical response comparison: length, word count, status code, title hash, content hash β not just length diff |
| Out-of-Band | DNS exfiltration payloads: MySQL `LOAD_FILE`, MSSQL `xp_dirtree`/`xp_subdirs`, PostgreSQL `COPY TO PROGRAM`, Oracle `UTL_HTTP` |
### Deep Exploitation
| Capability | Details |
|-----------|---------|
| DBMS Fingerprinting | MySQL, PostgreSQL, MSSQL, Oracle, SQLite (22 MySQL + 18 MSSQL error patterns) |
| Database Enumeration | Lists all databases, tables, columns with types |
| Data Extraction | Dumps rows from any table using 4 extraction techniques |
| User Enumeration | Extracts DB users, hostnames, privileges |
| Hash Extraction | Pulls password hashes with built-in dictionary cracking |
| File Read | Reads server files via LOAD_FILE / pg_read_file |
| OS Commands | Executes commands via xp_cmdshell / UDF (DBA only) |
---
## Tech Stack
| Layer | Technology |
|-------|-----------|
| Frontend | Next.js 15 (App Router), React 19, Tailwind CSS |
| API | tRPC v11 with type-safe end-to-end contracts |
| Database | SQLite via Prisma ORM (zero config) |
| Auth | JWT with bcrypt password hashing |
| Scanner | Custom TypeScript engine (no external dependencies) |
| Browser | Puppeteer with stealth anti-detection |
| Reports | HTML, Markdown, and JSON export |
---
## Configuration
Create a `.env` file:
```env
DATABASE_URL="file:./injectproof.db"
JWT_SECRET=change-this-to-a-random-64-char-string
NEXT_PUBLIC_APP_NAME=InjectProof
NEXT_PUBLIC_APP_URL=http://localhost:3000
SCANNER_USER_AGENT=InjectProof-Scanner/1.0
```
### Default Credentials
| Role | Email | Password |
|------|-------|----------|
| Admin | `admin@injectproof.local` | `admin123` |
| Pentester | `pentester@injectproof.local` | `pentester123` |
> Change these before exposing the instance to any network.
---
## Reports
InjectProof generates four report types:
- **Executive** β one-page summary with risk score and severity breakdown. For management.
- **Technical** β full payload details, request/response artifacts, reproduction steps. For developers.
- **Compliance** β findings mapped to OWASP Top 10, NIST 800-53, ASVS. For auditors.
- **Full** β everything above in a single document.
Each report includes CVSS v3.1 scores, CWE classifications, and actionable remediation guidance.
---
## Project Structure
```
src/
βββ app/ # Next.js pages
β βββ login/ # Authentication
β βββ api/trpc/ # API handler
β βββ (platform)/ # Dashboard, targets, scans, vulns, reports, settings
βββ scanner/ # Core engine
β βββ index.ts # Scan orchestrator (7-phase pipeline)
β βββ crawler.ts # HTTP crawler
β βββ headless-browser.ts # Stealth Chromium manager
β βββ headless-crawler.ts # JS-aware SPA crawler
β βββ intelligent-scanner.ts # π§ Scanner brain (form classification, AJAX discovery, attack planning)
β βββ detectors.ts # 11 standard vuln detectors + V2 integration
β βββ advanced-detectors.ts # 4 advanced detectors
β βββ recon-scanner.ts # Admin finder + backup scanner + fingerprinting
β βββ smart-form-sqlmap.ts # Browser-based form SQLi engine
β βββ sqli-adaptive.ts # π₯ V2 Adaptive engine (context detection, mutation, stacked queries, header injection)
β βββ sqli-exploiter.ts # Deep exploitation engine (UNION/Error/Blind/Time)
β βββ post-exploit.ts # Post-exploitation evidence gathering
β βββ easm.ts # External attack surface management
β βββ cloud-exploit.ts # Cloud infrastructure testing
β βββ cognitive-exploit.ts # Context-aware fuzzing
βββ lib/ # Utilities (auth, CVSS calc, CWE database)
βββ server/ # tRPC routers
βββ types/ # Shared TypeScript types
```
---
## Recommended Test Targets
> Only scan systems you own or have written authorization to test.
| Target | URL | Notes |
|--------|-----|-------|
| OWASP Juice Shop | `https://juice-shop.herokuapp.com` | Modern vulnerable web app |
| DVWA | `http://localhost/dvwa` | Classic PHP vulnerable app |
| WebGoat | `http://localhost:8080/WebGoat` | Java-based learning platform |
| bWAPP | `http://localhost/bWAPP` | 100+ vulnerabilities |
| SQLi-labs | `http://localhost/sqli-labs` | Dedicated SQLi practice |
---
## Scripts
| Command | What it does |
|---------|-------------|
| `npm run setup` | Full install β generate β push β seed |
| `npm run dev` | Start dev server at localhost:3000 |
| `npm run build` | Production build |
| `npm run db:reset` | Wipe and re-seed the database |
| `npm run db:studio` | Open Prisma visual DB browser |
---
## Security
InjectProof enforces security on its own platform:
- JWT authentication with HttpOnly cookies
- bcrypt (12 rounds) password hashing
- Five-tier RBAC (viewer β developer β pentester β security_lead β admin)
- CSP, HSTS, X-Frame-Options, X-Content-Type-Options headers
- tRPC middleware-level authorization on every route
---
## Legal
This software is designed for authorized penetration testing only. Running it against targets without explicit written permission is illegal in most jurisdictions. The authors are not responsible for misuse.
---
## License
Private β All rights reserved.