auto_SQLi, an automatic blind SQLi Tool that dumps tables from POST or GET requests.
- Copy a request from the web page you are testing for blind SQLi (see the examples for how it should look).
- Save the request to a file (this file will be used by the tool).
- Run `python3 auto_SQLi.py <request file> <common tables wordlist> <common columns wordlist>`
- See the results in the output file `table.txt`.
- If you want to change the output file name, run with `-o, --output`, followed by the output file name of your choice.
- Setting the strings that the web page returns for its different outcomes, such as "database error", "Wrong password", "login successful".
- Defining the method that the request uses (POST or GET).
- Trying different injection brackets until a successful one is found.
- Union Automation.
- Guessing table name from word list.
- Guessing column names from word list.
- Guessing number of rows in the table.
- Fetching all data in columns and rows (brute force).
- Creating a data frame to output as a formatted table, printing the table and saving it to the output file.
- bs4
- Python 3
- Burpee module. (Added in Main branch)
- urllib.parse
- argparse
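
The tool depends on the page answering with distinguishable strings ("database error", "Wrong password", "login successful"). The following is an added example, not part of auto_SQLi, showing a login handler that produces those three replies beside a hardened version that uses bound parameters and one generic failure message. The table, function names and probe inputs are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, name, password):
    # String concatenation plus three distinguishable replies: the reply
    # reveals whether the submitted text parsed as SQL and whether it was true.
    query = ("SELECT 1 FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error:
        return "database error"
    return "login successful" if row else "Wrong password"

def login_hardened(db, name, password):
    # Bound parameters keep input out of the SQL text; every failure,
    # including a database fault, gets the same reply.
    try:
        row = db.execute(
            "SELECT 1 FROM users WHERE name = ? AND password = ?",
            (name, password)).fetchone()
    except sqlite3.Error:
        row = None
    return "login successful" if row else "Login failed"

# Constructed inputs: a stray quote, a true condition, a false condition.
PROBES = ["x'", "x' OR 1=1 --", "x' OR 1=2 --"]

def replies(login, db):
    # Collect the reply each input produces from the given handler.
    return [login(db, p, "guess") for p in PROBES]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", replies(login_vulnerable, db))
    print("hardened:  ", replies(login_hardened, db))
```

The vulnerable handler returns a different reply for each input, while the hardened one returns the same reply for all three, so there is nothing for response-string matching to key on.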