Summary • Requirements • Installation • Usage • To Do • License
SQLi Fuzzer is a tool made for personal use. This tool fuzzes for URL or input parameters vulnerable to SQL Injections. The file url_fuzz.txt currently contains basic ORDER BY SQL queries passed in URL parameter. The default wordlist includes SQL queries in plaintext, url encoding and hex encoding.
Warning: The tool is currently under development. I cannot gurantee successful utilisation.
- Python 3.xx
There are two ways to install sqlifuzzer:
Install the tool directly with pip
pip install sqlifuzzerOr, you can build from source. Download the latest release.
Use the --help switch to read the OPTIONS available.
$ sqlifuzzer --help
Usage: sqlifuzzer.py [OPTIONS]
Options:
-u, --url TEXT The URL to fuzz
-v, --verify BOOLEAN SSL certificate verification. Default True
-w, --wordlist TEXT /path/to/wordlist.txt
--help Show this message and exit.Example:
$ sqlifuzzer -u https://redtiger.labs.overthewire.org/level1.php -v False -w url_fuzz.txtA generic wordlist named url_fuzz.txt is available in the source code. You can use this wordlist or create your own!
Upcoming features:
- Input parameters fuzzing
- HTTP Verbs (GET, POST, PUT) fuzzing
- Diverse wordlist
All contributions are welcome. Just fork this repository, make your changes and open a pull request!
Distributed under MIT License.