SleuthQL – SQL Injection Discovery Tool

SleuthQL is a python3 script to identify parameters and values that contain SQL-like syntax. Once identified, SleuthQL will then insert SQLMap identifiers (*) into each parameter where the SQL-esque variables were identified.

SleuthQL aims to augment an assessor’s ability to discover SQL injection points by automating some of the request analysis required during a web application assessment. SleuthQL is a Python 3 script to search Burp Suite’s request history for parameters and values that match syntax matching that of database languages, such as SQL. It judges a parameter or value based on whether it matches a regular expression associated with database queries. SleuthQL can scan json, xml, form-data and url-encoded data without issue.

These regex matches include database names, common operands, common variable names and more. Once a match is discovered, it will create a list of vulnerable parameters per endpoint and per method the endpoint was requested with. Once this list is compiled, it will then iterate over all requests matching that endpoint and method, appending a custom injection marker (*) at the point of each potentially vulnerable parameter. It then writes this request out to a directory matching the domain name. You could then feed every request file in that directory into SQLmap for processing with the following command:

find $domainName -name “*.txt” -exec sqlmap -r {} –batch \;

If terminal output is preferred, it also prints each path and method that is vulnerable, followed by a list of variable names for an assessor to manually investigate by hand.

Supported Request Types

SleuthQL requires an export of Burp’s Proxy History. To gain this export, simply navigate to your proxy history tab, highlight every item and click “Save Items”. Ensure that each request is saved using base64 encoding. When SleuthQL scans the proxy history file, outside of the regular URL parameters, it will be able to identify vulnerable parameters from the following request content-types:

• application/json
• application/x-www-form-urlencoded
• multipart/form-data

There are cases where this tool will break down. Namely, if there is nested content-types (such as a base64 encoded parameter within JSON data), it will not be able to identify those parameters. It also does not cover Cookies, as too often something such as CloudFlare will flag a parameter we’re not interested in.

What does SleuthQL not do?

Currently, there are a few limitations of the tool, such as parsing of nested parameters of different types. For example, there have been instances where JSON POST data is sent to an application with parameter values that are base-64 encoded. That value would not be able to be parsed by SleuthQL and would require an expert’s eye.

Moreover, it does not scan an application’s cookies for potential injection points. This is because cookies often interfere with session state (and invalidate the current session), and have a particularly high number of false positives, such as CDN identifiers.

In conclusion, SleuthQL aims to discover potentially vulnerable SQL injection points in web applications by parsing parameter names and values for potentially dangerous values. Using this in tandem with a tool like SQLMap can help augment a regular application audit and ensure a total depth of coverage.