rhinosecuritylabs / sleuthql Goto Github PK
View Code? Open in Web Editor NEWPython3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
License: BSD 3-Clause Clear License
sleuthql's People
Contributors
Stargazers
Watchers
Forkers
ahboon mohammed-sec2010 thesirodin alex-dengx slowmistio goldrak weeshlow riviera12345 awesome-security hapazores jaikishantulswani nickhakkz gridl d066y samyoyo sitakom zshell mgcfish steveflys melkorazo subc0ol cmscardoso xxxxxyyyy dcmjid ashr mmg1 strunz983 loneboat hax0rg1rl teicu jishuzhain c4nnibal h3ll0w0lrd xstpl shantanu561993 donfanning adventurepatel w00t3k gavz 8l4nk czechflek shahid1996 dreroc sry309 trrnt modulexcite pentestbr d1pakda5 mrzzkllen attackgithub kakuye affilares gnebbia xmrseo netredo quixoticluck c0dak c0nn4ct1ngzzz seabreg hoodoer chaos-monkey-island 5l1v3r1 0x1234567890-0x1234567890 evrohachik ankurvaishley oakkaya 3453-315h weldingwit bill-bil slooppe https-github-com-mj521905 lonffy hartl3y94 sathishlkumar sdfmmbi averroes tommalvoriddle seeeyei srand2sleuthql's Issues
Implement More Verbose Error Messages
This should be done while parsing XML and while injecting asterisks into request files. VerboseErrors branch.
icon
doing distro ebuild.. any rate i'd offer the icon back...
[Desktop Entry]
Name=SleuthQL
GenericName=SleuthQL-cli
Exec=xterm -E /usr/bin/sleuthql
#/opt/SleuthQL/sleuthql.py @ SYM /usr/bin/sleuthql
StartupNotify=true
X-Enlightenment-WaitExit=false
Icon=/usr/share/icons/SleuthQL.PNG
Type=Application
Comment=Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
Path=/opt/sitebroker
Terminal=false
Exec=sudo -E
Categories=Pentoo;X-Exploit;
Base64 checking
Hi, I really like the idea of this tool. I also noticed that the base64 encoding is broken so I had a couple ideas for you;
This regex will be able to tell; ([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==) of course there are issues with this because a string that looks like base64 will be returned as true.
You can check the length of the string and see if itβs divisible by 4;
def is_64(string):
if len(string) % 4 == 0:
try:
base64.b64decode(string)
except:
return False
return False;
You could also do a mixture of both if you wanted. Good luck and good job!
Needs a try/except to catch IndexError
This statement
Line 526 in 87ea35b
try / except IndexError block, or it will raise exceptions under some circumstances (not yet clear why):
[+] Loading data from x/sleuthql.xml...
[+] Found 575 requests from proxy history.
[+] Found 540 requests matching x.com hostname.
[+] Found 11 requests matching x.org hostname.
[+] Found 5 requests matching x.net hostname.
[+] Sorting...
Traceback (most recent call last):
File "sleuthql.py", line 815, in <module>
main()
File "sleuthql.py", line 788, in main
results = createResults(parsed_xml_results)
File "sleuthql.py", line 704, in createResults
sqlData = findSQLParams(params)
File "sleuthql.py", line 628, in findSQLParams
insertion_point, req = getSQLInsertionPoint(req, loc, key=key)
File "sleuthql.py", line 526, in getSQLInsertionPoint
if lines[i][-1] != "*":
IndexError: string index out of range
Invalid video in documentation
From the README (and official web), we are getting:
This video is no longer available because the uploader has closed their YouTube account.
Can we get reupload or something?
Thanks.
add support of burp project files
burp project file is a single "live" file which records all logs automatically and this is the preferable way.
The current approach (to export logs manually) seems not very practical.
btw, sqlmap can parse burp/webscarab log files, see:
sqlmap -l LOGFILE
So ideally, you should push your work back to sqlmap instead of creating yet another one-day script.
CLI update
Hi,
The CLI in the video is wrong. It should be:
find . -name "*.txt" -exec sqlmap --batch -r {} \;
Just saying.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.