SQLi-Hunter

We know that SQLMAP is very good tool to perform SQL-injection on any type of SQL server. This tool is automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine. But with “SQLi-Hunter” that use sqlmap API make SQLi digging more easily.

SQLi-Hunter is a simple HTTP proxy server and a SQLMAP API wrapper that makes digging SQLi easy.

Installation

Using Docker

Build the Docker image:

docker build -t sqli-hunter https://github.com/zt2/sqli-hunter.git

Run the Docker image:

docker run -ti -p 8080:8080 -v /tmp:/tmp –rm sqli-hunter -p 8080

The volume argument allows SQLi-Hunter to persist output files to be accessed on the host system. The port mapping argument will enable SQLi-Hunter to start a proxy server to be accessed on the host system.

Setup proxy in the browser and you are ready to go.

From source

Build from the latest release of the source code:

git clone https://github.com/sqlmapproject/sqlmap.git
git clone https://github.com/zt2/sqli-hunter.git
cd sqli-hunter
gem install bundler
bundler install

Start SQLMAP API server manually.

python sqlmapapi.py -s

Run SQLi-Hunter

ruby bin/sqli-hunter.rb

Configure proxy server settings in your browser

Usage

  _____ _____ __    _     _____         _
  |   __|     |  |  |_|___|  |  |_ _ ___| |_ ___ ___
  |__   |  |  |  |__| |___|     | | |   |  _| -_|  _|
  |_____|__  _|_____|_|   |__|__|___|_|_|_| |___|_|
  |__|
 
      SQLMAP API wrapper by ztz (github.com/zt2)
 
  Usage: bin/sqli-hunter.rb [options]
 
Common options:
    -h, --host=[HOST]                Bind host for proxy server (default is localhost)
    -p, --port=<PORT>                Bind port for proxy server (default is 8080)
        --sqlmap-host=[HOST]         Host for sqlmap api (default is localhost)
        --sqlmap-port=[PORT]         Port for sqlmap api (default is 8775)
        --targeted-hosts=[HOSTS]     Targeted hosts split by comma (default is all)
        --version                    Display version
 
SQLMAP options
        --technique=[TECH]           SQL injection techniques to use (default "BEUSTQ")
        --threads=[THREADS]          Max number of concurrent HTTP(s) requests (default 5)
        --dbms=[DBMS]                Force back-end DBMS to this value
        --os=[OS]                    Force back-end DBMS operating system to this value
        --tamper=[TAMPER]            Use given script(s) for tampering injection data
        --level=[LEVEL]              Level of tests to perform (1-5, default 1)
        --risk=[RISK]                Risk of tests to perform (0-3, default 1)
        --mobile                     Imitate smartphone through HTTP User-Agent header
        --smart                      Conduct through tests only if positive heuristic(s)
        --random-agent               Use randomly selected HTTP User-Agent header value

Output :

➜  sqli-hunter git:(master) ruby bin/sqli-hunter.rb --targeted-hosts=demo.aisec.cn --threads=15 --random-agent --smart
  [01:50:17] [INFO] [bdf9f3495bb70fbc] task created
  [01:50:17] [INFO] [bdf9f3495bb70fbc] task started
  [01:50:20] [INFO] [bdf9f3495bb70fbc] task finished
  [01:50:20][SUCCESS] [bdf9f3495bb70fbc] task vulnerable, use 'sqlmap -r /var/folders/kb/rwf8j7051x71q4flc_s39wzm0000gn/T/d20191021-40013-17a62ve/5f8a3ad452a15777219b8a5c8c7ec3b6' to exploit

Download SQLi Hunter