Summary • Requirements • Installation • Usage • To Do • License
SQLi Fuzzer is a tool made for personal use. This tool fuzzes for URL or input parameters vulnerable to SQL Injections. The file url_fuzz.txt currently contains basic ORDER BY SQL queries passed in URL parameter. The default wordlist includes SQL queries in plaintext, url encoding and hex encoding.
Warning: The tool is currently under development. I cannot gurantee successful utilisation.
- Python 3.xx
A few Python libraries are required for successfully usage. These libraries can be downloaded with the requirements.txt file.
# Clone this repository
$ git clone https://github.com/sapphicart/sqli-fuzzer.git
# Change directories
$ cd sqli-fuzzer
# Install required dependencies
pip install -r requirements.txtUse the --help switch to read the OPTIONS available.
$ python sqlifuzzer.py --help
Usage: sqlifuzzer.py [OPTIONS]
Options:
-u, --url TEXT The URL to fuzz
-v, --verify BOOLEAN SSL certificate verification. Default True
-w, --wordlist TEXT /path/to/wordlist.txt
--help Show this message and exit.Example:
$ python sqlifuzzer.py -u https://redtiger.labs.overthewire.org/level1.php -v False -w url_fuzz.txtUpcoming features:
- Input parameters fuzzing
- HTTP Verbs (GET, POST, PUT) fuzzing
- Diverse wordlist
Distributed under MIT License.