SleuthQL: A SQL Injection Discovery Tool

Posted on May 22, 2018

SleuthQL: A SQL Injection Discovery Tool

SleuthQL aims to augment an assessor’s ability to discover SQL injection points by automating some of the request analysis required during a web application assessment. SleuthQL is a Python 3 script to search Burp Suite’s request history for parameters and values that match syntax matching that of database languages, such as SQL. It judges a parameter or value based on whether it matches a regular expression associated with database queries.

SleuthQL can scan json, xml, form-data and url-encoded data without issue. These regex matches include database names, common operands, common variable names and more. Once a match is discovered, it will create a list of vulnerable parameters per endpoint and per method the endpoint was requested with.

Once this list is compiled, it will then iterate over all requests matching that endpoint and method, appending a custom injection marker (*) at the point of each potentially vulnerable parameter. It then writes this request out to a directory matching the domain name. You could then feed every request file in that directory into SQLmap for processing with the following command: