Saturday, February 10, 2024

Advanced Time-based Blind SQL Injection Fuzzer for HTTP Headers




SqliSniper is a robust Python tool designed to detect time-based blind SQL injections in HTTP request headers. It enhances the security assessment process by rapidly scanning and identifying potential vulnerabilities using multi-threading, ensuring speed and efficiency. Unlike other scanners, SqliSniper is designed to eliminate false positives and to send alerts upon detection through its built-in Discord notification functionality.

Key Features

  • Time-Based Blind SQL Injection Detection: Pinpoints potential SQL injection vulnerabilities in HTTP headers.
  • Multi-Threaded Scanning: Offers faster scanning capabilities through concurrent processing.
  • Discord Notifications: Sends alerts via Discord webhook for detected vulnerabilities.
  • False Positive Checks: Implements response time analysis to differentiate between true positives and false alarms.
  • Custom Payload and Headers Support: Allows users to define custom payloads and headers for targeted scanning.

Installation

git clone https://github.com/danialhalo/SqliSniper.git
cd SqliSniper
chmod +x sqlisniper.py
pip3 install -r requirements.txt

This will display help for the tool. Here are all the options it supports.

ubuntu:~/sqlisniper$ ./sqlisniper.py -h

███████╗ ██████╗ ██╗ ██╗ ███████╗███╗ ██╗██╗██████╗ ███████╗██████╗
██╔════╝██╔═══██╗██║ ██║ ██╔════╝████╗ ██║██║██╔══██╗██╔════╝██╔══██╗
██████╗██║ ██║██║ ██║ ███████╗██╔██╗ ██║██║██████╔╝█████╗ ██████╔╝
╚════██║██║▄▄ ██║██║ ██║ ╚════██║██║╚██╗██║██║██╔═══╝ ██╔══╝ ██╔══██╗
███████║╚██ ███╔╝███████╗██║ ███████║██║ ╚████║██║██║ ███████╗██║ ██║
╚══════╝ ╚══▀▀═╝ ╚══════╝╚═╝ ╚══════╝╚═╝ ╚═══╝╚═╝╚═╝ ╚══════╝╚═╝ ╚═╝

-: By Muhammad Danial :-

usage: sqlisniper.py [-h] [-u URL] [-r URLS_FILE] [-p] [--proxy PROXY] [--payload PAYLOAD] [--single-payload SINGLE_PAYLOAD] [--discord DISCORD] [--headers HEADERS]
                     [--threads THREADS]

Detect SQL injection by sending malicious queries

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Single URL for the target
  -r URLS_FILE, --urls_file URLS_FILE
                        File containing a list of URLs
  -p, --pipeline        Read from pipeline
  --proxy PROXY         Proxy for intercepting requests (e.g., http://127.0.0.1:8080)
  --payload PAYLOAD     File containing malicious payloads (default is payloads.txt)
  --single-payload SINGLE_PAYLOAD
                        Single payload for testing
  --discord DISCORD     Discord Webhook URL
  --headers HEADERS     File containing headers (default is headers.txt)
  --threads THREADS     Number of threads

Single URL Scan

The URL can be provided with the -u flag for a single-site scan.

./sqlisniper.py -u http://example.com

File Input

The -r flag allows SqliSniper to read a file containing multiple URLs for simultaneous scanning.

./sqlisniper.py -r url.txt

Piping URLs

SqliSniper can also work with pipeline input using the -p flag.

cat url.txt | ./sqlisniper.py -p

The pipeline feature facilitates seamless integration with other tools. For instance, you can use tools like subfinder and httpx, and then pipe their output to SqliSniper for mass scanning.

subfinder -silent -d google.com | sort -u | httpx -silent | ./sqlisniper.py -p

Scanning with Custom Payloads

By default, SqliSniper uses the payloads.txt file. However, the --payload flag can be used to provide a custom payloads file.

./sqlisniper.py -u http://example.com --payload mssql_payloads.txt

While using a custom payloads file, ensure that you substitute the sleep time with %__TIME_OUT__%. SqliSniper dynamically adjusts the sleep time iteratively to mitigate potential false positives. The payloads file should look like this.

ubuntu:~/sqlisniper$ cat payloads.txt 
0"XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR"Z
"0"XOR(if(now()=sysdate()%2Csleep(%__TIME_OUT__%)%2C0))XOR"Z"
0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z

Scanning with Single Payloads

If you want to test with only a single payload, the --single-payload flag can be used. Make sure to replace the sleep time with %__TIME_OUT__%.

./sqlisniper.py -r url.txt --single-payload "0'XOR(if(now()=sysdate(),sleep(%__TIME_OUT__%),0))XOR'Z"

Scanning Custom Header

Headers are stored in the file headers.txt. To scan a custom header, save the custom HTTP request header in the headers.txt file.

ubuntu:~/sqlisniper$ cat headers.txt 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
X-Forwarded-For: 127.0.0.1
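
From the defender's side, the header payloads shown above leave a recognisable trace in request logs. The following is an added example (not part of SqliSniper or of the original page) that flags delay-function calls in logged header values after URL-decoding, and groups them by payload template so that the same payload arriving with a changing delay stands out. It goes beyond the MySQL sleep() shown here by also matching benchmark() and pg_sleep(); the record layout, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Function-style delay primitives: MySQL sleep()/benchmark(), PostgreSQL pg_sleep().
# MSSQL "WAITFOR DELAY" is not covered by this pattern.
DELAY_RE = re.compile(r"(?:pg_sleep|sleep|benchmark)\s*\(\s*(\d+(?:\.\d+)?)", re.I)

def decode(value, rounds=2):
    """URL-decode up to `rounds` times so %2C and %252C forms match the plain one."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def scan(requests):
    """Group delay-bearing header values by (client, header, payload template)."""
    seen = defaultdict(set)
    for req in requests:
        for header, raw in req["headers"].items():
            value = decode(raw)
            m = DELAY_RE.search(value)
            if m:
                # Mask the delay argument so sleep(5) and sleep(10) share a template.
                template = value[:m.start(1)] + "<T>" + value[m.end(1):]
                seen[(req["client"], header, template)].add(float(m.group(1)))
    return [
        {"client": c, "header": h, "template": t, "delays": sorted(d),
         "iterating": len(d) > 1}  # same payload, changing delay: re-test pattern
        for (c, h, t), d in seen.items()
    ]

# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    {"client": "203.0.113.7", "headers": {
        "User-Agent": "0'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z"}},
    {"client": "203.0.113.7", "headers": {
        "User-Agent": "0'XOR(if(now()=sysdate(),sleep(10),0))XOR'Z"}},
    {"client": "203.0.113.7", "headers": {
        "X-Forwarded-For": '"0"XOR(if(now()=sysdate()%2Csleep(5)%2C0))XOR"Z"'}},
    {"client": "198.51.100.4", "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "X-Forwarded-For": "127.0.0.1"}},
    {"client": "198.51.100.9", "headers": {"User-Agent": "SleepTracker/2.1 (iPhone)"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Matching on the masked template rather than the raw value is what ties the iterative sleep-time adjustment described above to a single finding.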

Sending Discord Alert Notifications

SqliSniper also offers Discord alert notifications, enhancing its functionality by providing real-time alerts through Discord webhooks. This feature proves invaluable during large-scale scans, allowing prompt notifications upon detection.

./sqlisniper.py -r url.txt --discord <web_hookurl>

Multi-Threading

Threads can be defined with the --threads flag.

./sqlisniper.py -r url.txt --threads 10

Note: It is crucial to consider that using a higher number of threads might lead to potential false positives or to overlooking valid issues. Due to the nature of time-based SQL injection, it is recommended to use a lower thread count for more accurate detection.


