The Mole – Automatic SQL Injection Exploitation Tool

The Mole is an automatic SQL Injection exploitation tool. Given only a vulnerable URL and a string that appears on the page (the "needle"), it can detect the vulnerability and exploit it, either with the union technique or with a boolean-based blind technique.

It uses a command-based interface, allowing the user to easily indicate the action to perform. The CLI also provides auto-completion on both commands and command arguments, so the user has to type as little as possible.
Note: It requires Python 3 and python3-lxml.

Features

  • Support for MySQL, Postgres, SQL Server and Oracle.
  • Automatic SQL injection exploitation using union technique.
  • Automatic blind SQL injection exploitation.
  • Exploits SQL Injections in GET/POST/Cookie parameters.
  • Support for filters that rewrite payloads to get past certain IPS/IDS rules; generic filters are included and new ones can be created easily.
  • Exploits SQL Injections that return binary data.
  • Powerful command interpreter to simplify its usage.

How To Use The Mole

Execute The Mole with the “-u” parameter to indicate the URL to use, and “-n” to indicate the needle (the string that must appear in a valid response). The command should look like this:
./ -u '' -n 'admin'
The mole will start and show a prompt:

By default, the last parameter on the URL is used as the vulnerable parameter. If you want to specify another parameter as the vulnerable one, you can use the “-p” command line argument, or use the “injectable_field” command.

For Windows Users

Windows users should be aware that when using the “-u” command line argument, the “&” characters have to be escaped manually using the “^” character. Therefore, if the URL has two parameters, it should look like this:

mole.exe -u^&id=1 -n 'admin'

You can also set the URL by using the “url” command, so you can paste the URL without quoting it. The needle can also be set using the “needle” command.
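The following is an added example, not code from The Mole or from this post, that shows from the defender's side why the needle-based detection described above works and what defeats it. It uses an in-memory SQLite database with constructed tables (`users`, `tokens`) and constructed probe strings; the function names `lookup_vulnerable`, `lookup_safe`, `needle_present` and `oracle_exists` are mine. The vulnerable lookup concatenates the request parameter into the SQL text, so a union probe pulls in rows from another table and a boolean probe toggles the needle on and off, giving an automated tool the yes/no oracle it needs. The hardened lookup binds the value as a parameter, and both signals disappear.

```python
import sqlite3

# Constructed sample data (not from the page): a users table plus a second
# table holding values an injection could pull in via UNION.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.execute("CREATE TABLE tokens (id INTEGER, value TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "superuser"), (2, "guest", "user")])
    conn.executemany("INSERT INTO tokens VALUES (?, ?)",
                     [(1, "constructed-token-0001")])
    return conn

def lookup_vulnerable(conn, user_id):
    """Builds the query by string concatenation: the request parameter is
    parsed as SQL, which is exactly what an automated injection tool relies on."""
    sql = f"SELECT name, role FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, user_id):
    """Hardened form: the value is bound as a parameter and can never change
    the statement's structure, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE id = ?",
                        (user_id,)).fetchall()

def needle_present(rows, needle):
    """The detection signal: does the needle string appear anywhere in the
    response? Here the 'response' is the set of returned cells."""
    return any(needle in str(cell) for row in rows for cell in row)

# Constructed probes in the spirit of the two techniques the page names
# (union-based and boolean-based).
UNION_PROBE = "1 UNION ALL SELECT id, value FROM tokens"
BOOLEAN_TRUE = "1 AND 1=1"
BOOLEAN_FALSE = "1 AND 1=2"

def oracle_exists(lookup, conn, needle="admin"):
    """A boolean-based injection needs a yes/no oracle: the needle must be
    present for a true condition and absent for a false one."""
    present_true = needle_present(lookup(conn, BOOLEAN_TRUE), needle)
    present_false = needle_present(lookup(conn, BOOLEAN_FALSE), needle)
    return present_true and not present_false

def demo():
    """Runs both lookups against the same database and returns what an
    attacker's tool would observe from each."""
    conn = make_db()
    return {
        "vulnerable_union": lookup_vulnerable(conn, UNION_PROBE),
        "safe_union": lookup_safe(conn, UNION_PROBE),
        "vulnerable_oracle": oracle_exists(lookup_vulnerable, conn),
        "safe_oracle": oracle_exists(lookup_safe, conn),
    }

if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

In the safe path SQLite compares the INTEGER column against a bound TEXT value that does not look like a number, so the row simply does not match; nothing in the string is ever interpreted as SQL. That is the whole defence: there is no filter to bypass because the parameter never reaches the parser.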

The Mole Tutorial


Download The Mole
