sqlifuzzer is a free and open-source command line scanner that was designed to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests, then fuzzes them.
More specifically, sqlifuzzer is a wrapper around curl written in bash. It is used to remotely identify SQL (and XPath) injection vulnerabilities by sending a range of injection payloads and examining the responses for signs of 'injectability'. If a parameter is found to be vulnerable, sqlifuzzer then sends exploit payloads to extract data.
Note that sqlifuzzer is beta, so don't use it in an environment that matters to you or anyone else. Also, do not use sqlifuzzer to scan hosts without the owner's permission.
sqlifuzzer is cross-platform and it works on Mac OS X, Windows and Linux.
Detailed instructions on how to install and use the sqlifuzzer utility on your Mac are available here.
Here are some key features of "sqlifuzzer":
· Payloads/tests for numeric, string, error-based and time-based SQL injection
· Support for MSSQL, MySQL and Oracle DBMSs
· A range of filter evasion options
· ORDER BY and UNION SELECT tests on vulnerable parameters to:
· Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string-type columns)
· Time-delay-based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
· Boolean response-based XPath injection testing and data extraction
· Support for automated detection and testing of parameters in POST URIs and multipart forms
· Scan 'state' maintenance:
· Optional exclusion of a customizable list of parameters from scanning scope
· Tracking of parameters scanned and avoidance of re-scanning already scanned parameters
· HTML format output with links/buttons to send Proof of Concept SQL injection requests, plus links to response difference files and to extracted data
What's New in This Release:
· Fixed a bug preventing time-based exploitation from being triggered.