rhinosecuritylabs / sleuthql
Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
License: BSD 3-Clause Clear License
This should be done while parsing XML and while injecting asterisks into request files. VerboseErrors branch.
doing distro ebuild.. any rate i'd offer the icon back...
[Desktop Entry]
Name=SleuthQL
GenericName=SleuthQL-cli
Exec=xterm -E /usr/bin/sleuthql
#/opt/SleuthQL/sleuthql.py @ SYM /usr/bin/sleuthql
StartupNotify=true
X-Enlightenment-WaitExit=false
Icon=/usr/share/icons/SleuthQL.PNG
Type=Application
Comment=Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
Path=/opt/sitebroker
Terminal=false
Exec=sudo -E
Categories=Pentoo;X-Exploit;
Hi, I really like the idea of this tool. I also noticed that the base64 encoding is broken so I had a couple ideas for you;
This regex will be able to tell; ([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)
Of course there are issues with this because a string that looks like base64 will be returned as true.
You can check the length of the string and see if it's divisible by 4;
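    import base64

    def is_64(string):
        # Base64 text is always a multiple of 4 characters long.
        if len(string) % 4 == 0:
            try:
                base64.b64decode(string)
                return True
            except ValueError:  # binascii.Error is a ValueError subclass
                return False
        return False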
You could also do a mixture of both if you wanted. Good luck and good job!
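The "mixture of both" idea from the comment above, written out as an added example (not code from the issue or from SleuthQL): the length check, the quoted regex and a strict decode are combined, and values that pass all three but decode to non-text bytes are reported as "maybe" rather than as a match. The names `classify_b64` and `triage`, the printable-ASCII heuristic and the sample parameters are assumptions made for illustration.

```python
import base64
import binascii
import re

# Regex quoted in the comment above; fullmatch() anchors it to the whole value.
B64_RE = re.compile(
    r"([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)"
)


def classify_b64(value):
    """Return (verdict, decoded); verdict is 'no', 'maybe' or 'likely'."""
    # Length and alphabet/padding checks, as suggested in the comment.
    if not value or len(value) % 4 != 0 or not B64_RE.fullmatch(value):
        return "no", None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "no", None
    # Assumed heuristic: short words and numeric IDs such as "test" or
    # "1234" are valid base64 too, but they decode to non-text bytes.
    if decoded and all(32 <= b < 127 for b in decoded):
        return "likely", decoded
    return "maybe", decoded


def triage(params):
    """Map each parameter name to its verdict."""
    return {name: classify_b64(val)[0] for name, val in params.items()}


# Constructed sample parameters (not taken from any real proxy history).
SAMPLE = {
    "q": "dXNlcj1hZG1pbg==",   # base64 of "user=admin"
    "page": "test",            # plain word that happens to be valid base64
    "id": "1234",              # numeric ID that happens to be valid base64
    "sort": "abc",             # wrong length
    "tok": "a=b=",             # misplaced padding
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```
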
This statement
Line 526 in 87ea35b
try / except IndexError
block, or it will raise exceptions under some circumstances (not yet clear why):
[+] Loading data from x/sleuthql.xml...
[+] Found 575 requests from proxy history.
[+] Found 540 requests matching x.com hostname.
[+] Found 11 requests matching x.org hostname.
[+] Found 5 requests matching x.net hostname.
[+] Sorting...
Traceback (most recent call last):
  File "sleuthql.py", line 815, in <module>
    main()
  File "sleuthql.py", line 788, in main
    results = createResults(parsed_xml_results)
  File "sleuthql.py", line 704, in createResults
    sqlData = findSQLParams(params)
  File "sleuthql.py", line 628, in findSQLParams
    insertion_point, req = getSQLInsertionPoint(req, loc, key=key)
  File "sleuthql.py", line 526, in getSQLInsertionPoint
    if lines[i][-1] != "*":
IndexError: string index out of range
From the README (and official web), we are getting:
This video is no longer available because the uploader has closed their YouTube account.
Can we get reupload or something?
Thanks.
burp project file is a single "live" file which records all logs automatically and this is the preferable way.
The current approach (to export logs manually) seems not very practical.
btw, sqlmap can parse burp/webscarab log files, see:
sqlmap -l LOGFILE
So ideally, you should push your work back to sqlmap instead of creating yet another one-day script.
Hi,
The CLI in the video is wrong. It should be:
find . -name "*.txt" -exec sqlmap --batch -r {} \;
Just saying.