andrewji8


Python SQLmap Injection Batch Detection Tool

SQLMap is a powerful open-source automated SQL injection tool designed to help penetration testers quickly discover and exploit SQL injection vulnerabilities. It has features such as automated detection, vulnerability exploitation, and data extraction. The main function of SQLMap is to scan, discover, and exploit SQL injection vulnerabilities in a given URL. It also includes many bypass plugins and supports multiple databases, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, and SAP MaxDB. By using SQLMap, penetration testers can efficiently detect and exploit SQL injection vulnerabilities.

Below is a batch detection tool written in Python that can import a list of URLs from multiple websites at once and automatically scan them. This greatly improves the efficiency of vulnerability scanning and saves time and effort.
Execution effect: [screenshot of the running tool]
Before running this program, please make sure that SQLMap is installed on your computer and that its location is added to your PATH environment variable, so that the sqlmap command can be invoked from any directory. This will allow you to use this tool for SQL injection detection anywhere.

import tkinter as tk
from tkinter import ttk
import tkinter.filedialog as fd
import subprocess
import threading


class Application(tk.Tk):
    def __init__(self, title, geometry):
        super().__init__()
        self.title(title)
        self.geometry(geometry)

        self.columns = ("URL", "Injection", "Payload")
        self.tree = ttk.Treeview(self, columns=self.columns, show="headings")

        for col in self.columns:
            self.tree.heading(col, text=col)
            self.tree.column(col, width=200, anchor="center")

        self.tree.pack(fill="both", expand=True)

        self.text_widget = tk.Text(self, height=20)
        self.text_widget.pack(fill="x")

        buttons_frame = tk.Frame(self)
        buttons_frame.pack(fill="x", pady=10)

        import_data_btn = tk.Button(buttons_frame, text="Import URLs", command=self.import_data)
        import_data_btn.pack(side="left", padx=10)

        tk.Label(buttons_frame, text="sqlmap -u url --batch").pack(side="left")
        self.params_entry = tk.Entry(buttons_frame, width=50)
        self.params_entry.pack(side="left", padx=10)
        self.params_entry.insert(0, "--level 3")

        self.run_btn = tk.Button(buttons_frame, text="Run", command=self.run)
        self.run_btn.pack(side="left", padx=10)
        # Pause only makes sense while a scan is running, so it starts disabled
        self.pause_btn = tk.Button(buttons_frame, text="Pause", command=self.pause, state="disabled")
        self.pause_btn.pack(side="left", padx=10)
        clear_btn = tk.Button(buttons_frame, text="Clear", command=self.clear_content)
        clear_btn.pack(side="left", padx=10)

        self.is_paused = False
        self.thread = None

    def import_data(self):
        file_path = fd.askopenfilename(defaultextension=".txt", filetypes=[("Text Files", "*.txt")])
        if file_path:
            self.tree.delete(*self.tree.get_children())
            with open(file_path, "r", encoding="utf-8") as file:
                for line in file:
                    url = line.strip()
                    if not url:
                        continue  # skip blank lines instead of inserting empty rows
                    # one URL per line; Injection and Payload are filled in by the scan
                    self.tree.insert("", "end", values=(url, "", ""))

    def run(self):
        params = self.params_entry.get()
        # Snapshot the rows still to scan while on the main thread. A resumed
        # scan skips rows that already carry an Injection result.
        pending = [(item, str(self.tree.set(item, "URL")))
                   for item in self.tree.get_children()
                   if not self.tree.set(item, "Injection")]
        if not pending:
            return
        self.run_btn.config(text="Running", state="disabled")
        self.pause_btn.config(state="normal")
        self.is_paused = False
        # sqlmap runs in a worker thread so the window stays responsive
        self.thread = threading.Thread(target=self._run_scan, args=(pending, params), daemon=True)
        self.thread.start()

    def pause(self):
        self.is_paused = True

    def _run_scan(self, pending, params):
        # Tk widgets must only be touched from the main thread, so the worker
        # schedules every widget update with after() instead of calling it directly.
        for item, url in pending:
            if self.is_paused:
                self.after(0, lambda: self.run_btn.config(text="Resume", state="normal"))
                return

            try:
                result = subprocess.run(['sqlmap', '-u', url] + params.split() + ['--batch'],
                                        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                        encoding="utf-8", errors="replace")
                result_output = result.stdout + result.stderr
            except FileNotFoundError:
                result_output = "sqlmap was not found; install it and add it to PATH\n"
            self.after(0, self._show_result, item, result_output)

        self.after(0, self._finish)

    def _show_result(self, item, result_output):
        self.text_widget.insert(tk.END, result_output)
        self.text_widget.see(tk.END)
        if "Parameter: " in result_output:
            self.tree.set(item, "Injection", "Yes")
            # sqlmap prints the injection summary as "Payload: ..." lines; guard
            # against output that names a parameter but carries no payload line
            payload_start = result_output.find("Payload:")
            if payload_start != -1:
                payload_start += len("Payload:")
                payload_end = result_output.find("\n", payload_start)
                if payload_end == -1:
                    payload_end = len(result_output)
                self.tree.set(item, "Payload", result_output[payload_start:payload_end].strip())
        else:
            self.tree.set(item, "Injection", "No")

    def _finish(self):
        self.run_btn.config(text="Run", state="normal")
        self.pause_btn.config(state="disabled")

    def clear_content(self):
        self.text_widget.delete("1.0", "end")
        # Clear the results but keep the URLs so the list can be scanned again
        for item in self.tree.get_children():
            self.tree.set(item, "Injection", "")
            self.tree.set(item, "Payload", "")


if __name__ == "__main__":
    app = Application("SQLMAP - Injection Batch Detection", "900x750")
    app.mainloop()

The code uses the tkinter library to create a GUI application for batch detection of SQL injection vulnerabilities. It provides a user interface where users can import a URL list and run the detection. The program will automatically check if each URL has a SQL injection vulnerability and display the detection results.

The Application class in the code inherits from the Tk class of the tkinter library, representing the window of the entire application. In the initialization method, the title and size of the window are set, and a Treeview control is created to display the URL, injection status, and payload information, as well as a Text control to display the detection results.

The main functions of the application include importing a URL list, running the detection, pausing the detection, and clearing the results. The import_data method for importing the URL list uses a file dialog to select a text file, reads the URL list from it, and inserts it into the Treeview control.

The run method for running the detection gets the parameters entered by the user, sets the run button to disabled state, and the pause button to enabled state. Then it creates a new thread and calls the _run_scan method to perform the detection.

In the _run_scan method, it iterates through each URL in the Treeview control. If the pause flag is True, it stops the detection. Otherwise, it uses the subprocess library to call the sqlmap command for detection and outputs the result to the Text control. Based on the detection result, it updates the injection status and payload information in the Treeview control. Finally, it sets the run button to enabled state and the pause button to disabled state.
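The tool fills its table by searching sqlmap's output for the literal strings "Parameter: " and "Payload:", which captures only the first payload of the first parameter. The following parser, an added example that is not part of the original post, reads sqlmap's summary block structurally and returns every injectable parameter with all of its technique entries; summarize() derives the two table values the tool needs. The sqlmap output it runs on is a constructed sample, not captured from a real target.

```python
import re

# Header sqlmap prints for each injectable parameter, e.g. "Parameter: id (GET)"
PARAM_RE = re.compile(r"^Parameter:\s+(?P<name>\S+)\s+\((?P<place>[^)]+)\)\s*$")
# Indented Type / Title / Payload lines that follow the header
FIELD_RE = re.compile(r"^\s+(?P<key>Type|Title|Payload):\s*(?P<value>.*)$")


def parse_sqlmap_output(output):
    """Return one {"parameter", "place", "techniques"} dict per injectable parameter."""
    points, current, pending = [], None, {}
    for line in output.splitlines():
        m = PARAM_RE.match(line)
        if m:
            current = {"parameter": m["name"], "place": m["place"], "techniques": []}
            points.append(current)
            pending = {}
            continue
        if line.startswith("---"):
            current = None  # the summary block is delimited by "---" lines
            continue
        m = FIELD_RE.match(line) if current else None
        if m:
            pending[m["key"]] = m["value"].strip()
            if m["key"] == "Payload":  # Payload is the last line of each technique
                current["techniques"].append(
                    (pending.get("Type", ""), pending.get("Title", ""), pending["Payload"]))
                pending = {}
    return points


def summarize(output):
    """("Yes", first payload) when sqlmap reported a parameter, else ("No", "")."""
    points = parse_sqlmap_output(output)
    if not points:
        return ("No", "")
    techniques = points[0]["techniques"]
    return ("Yes", techniques[0][2] if techniques else "")


# Constructed sample of sqlmap's summary block (not output from a real scan)
SAMPLE_INJECTABLE = """\
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 1234=1234

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND SLEEP(5)
---
"""
```

Unlike a substring search, the parser returns ("Yes", "") rather than failing when a parameter header appears without a payload line, and it keeps every technique so the second and later payloads are not lost.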

The clear_content method is used to clear the content of the Text control and the Treeview control.

In the main program, an instance of the Application class is created, and the mainloop method is called to start the event loop of the application.
