malvads / sqlmc

Official Kali Linux tool to check all urls of a domain for SQL injections :)
https://www.kali.org/tools/sqlmc/
GNU Affero General Public License v3.0
275 stars 38 forks source link

Heavily Needed Feature: Pipe mode / Own SQLI Parameter File Input #7

Open N-N33 opened 5 months ago

N-N33 commented 5 months ago

I think this tool would be really great if it had a pipe mode or allowed the user to use their own sqli parameter files. Like a -L function where the user can either input a list of domains or a list of potentially vulnerable parameters.

malvads commented 5 months ago

i would take a look on it when i have some free time :)

tomaquet18 commented 5 months ago

I created this script to run the tool from a targets file.

# Creates outputs folder if not exists
if [ ! -d outputs ]; 
then
    mkdir "outputs"
fi

# Iterates over urls
for url in $(cat urls.txt)
do
    # Extracts domain from url
    domain=$(echo $url | sed -e 's|^[^/]*//||' -e 's|/.*$||')

    # Runs sqlmc
    sqlmc -u $url -d 1 -o outputs/$domain.txt;
done;
malvads commented 5 months ago

Cool! But I think it's a better approach to do this in the program itself, like you said, for both params and URL. PRs are open; you can create a fork of the program and develop it yourself, or you can wait for me to fully integrate this :)

tomaquet18 commented 5 months ago

Yeah, it's just a temporary fix until a version comes out with this feature, or maybe if I have a free moment I'll get into it :)

malvads commented 5 months ago

kkk, it would be great 👍🏻