Context-aware SQL injection scanner with WAF detection and evasion
BreachSQL
Context-aware SQL injection scanner — error-based, boolean-blind, time-blind, UNION, and stacked injection detection across MySQL, MariaDB, PostgreSQL, SQLite, MSSQL, and Oracle. WAF detection and evasion built in. No Burp license. Just findings.
```bash
pip install breachsql
```
Point it at a target. Get findings. Drop it in a pipeline.
Why BreachSQL?
- Multi-technique — error-based, boolean-blind, time-blind, UNION extraction, stacked queries, all in one pass
- Multi-backend — MySQL, MariaDB, PostgreSQL, SQLite, MSSQL, and Oracle detection and technique selection
- Context-aware — numeric, string, quoted, parenthesised, and header/cookie injection contexts
- WAF-aware — detects common WAFs and applies evasion transforms automatically
- Every injection surface — query params, POST form, JSON body, path parameters, cookies, headers
- Two-step injection — inject at one URL, observe the result at another
- Pipeline-native — JSON output, clean exit codes, Python API
Quick Start
```bash
# GET parameter
breachsql -u "https://target.com/item?id=1"

# POST form
breachsql -u "https://target.com/login" -d "username=admin&password=x"

# JSON body
breachsql -u "https://target.com/api/user" -d '{"user_id": 1}'

# Cookie injection
breachsql -u "https://target.com/profile" --cookies "session_id=abc" --cookie-params session_id

# Path parameter
breachsql -u "https://target.com/item/1" --path-params id

# Time-blind with custom threshold
breachsql -u "https://target.com/search?name=x" -t T --time-threshold 3

# Specific backend and technique
breachsql -u "https://target.com/users?id=1" --dbms mysql -t E

# Full multi-technique scan
breachsql -u "https://target.com/report?id=1" --dbms mysql -t EBTUS --level 2 --risk 2
```
Techniques
| Flag | Technique | Description |
|---|---|---|
| E | Error-based | Database errors leak schema/data via malformed syntax |
| B | Boolean-blind | True/false response differences reveal data bit by bit |
| T | Time-blind | SLEEP() / pg_sleep() / randomblob() timing confirms injection |
| U | UNION-based | Column-count probing + data extraction via UNION SELECT |
| S | Stacked | Semicolon-delimited second statement injection |
Combine with -t EBTUS to run all techniques in a single pass.
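The markers the table names for the T, U and S techniques (SLEEP()/pg_sleep()/randomblob(), UNION SELECT, a semicolon-delimited second statement) are also what the operator of a scanned application should expect to find in its web server logs. The following is an added example, not part of BreachSQL: it parses constructed access-log lines, URL-decodes each query-string value once, flags the values that carry one of those markers, and groups the hits per client address for triage. The log format, the sample lines and the regexes are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%20UNION%20SELECT%20NULL,NULL HTTP/1.1" 500 213
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1;SELECT%20pg_sleep(5) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?name=o%27reilly HTTP/1.1" 200 900
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Technique markers from the table above, keyed by BreachSQL's technique flag.
# Each is matched against the URL-decoded, lower-cased parameter value.
MARKERS = {
    "T": re.compile(r"\b(sleep|pg_sleep|randomblob)\s*\("),                      # time-blind
    "U": re.compile(r"\bunion\b(\s+all)?\s+select\b"),                            # UNION-based
    "S": re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b"),    # stacked
}


def classify_value(raw_value):
    """Return the technique flags whose marker appears in one query-string value."""
    decoded = unquote_plus(raw_value).lower()
    return [flag for flag, rx in MARKERS.items() if rx.search(decoded)]


def scan_access_log(text):
    """Return one hit per (request, parameter) whose value carries a marker."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        # Split the raw query ourselves so decoding happens exactly once, in classify_value.
        for pair in parts.query.split("&"):
            if not pair:
                continue
            name, _, value = pair.partition("=")
            flags = classify_value(value)
            if flags:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": unquote_plus(name),
                    "techniques": flags,
                    "status": int(m.group("status")),
                })
    return hits


def summarize_by_ip(hits):
    """Collapse hits to {client IP: sorted technique flags seen} for triage."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["ip"]].update(h["techniques"])
    return {ip: sorted(flags) for ip, flags in seen.items()}


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} param={h["param"]} '
              f'techniques={h["techniques"]} status={h["status"]}')
    print(summarize_by_ip(found))
```

The matcher decodes each value once and looks only for the plain forms named in the table, so it is a triage aid, not a WAF: the evasion transforms the README says BreachSQL applies when a WAF is detected, and the B and E techniques (which are defined by response differences, not by a fixed token) will not show up here. Pair it with response-side signals from the same log, such as a burst of 500s or rising latency on one parameter, rather than relying on the signatures alone.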
Python API
```python
from breachsql.engine import scan, ScanOptions

result = scan(
    "https://target.com/users?id=1",
    ScanOptions(dbms="mysql", technique="E", risk=1),
)
print(f"{result.total_findings} finding(s) in {result.duration_s:.1f}s")
for f in result.error_based:
    print(f"  [{f.technique}] {f.param} — {f.evidence}")
```
Options
| Option | Default | Description |
|---|---|---|
| -u | — | Target URL to scan |
| --crawl | — | Crawl the target for additional injection points |
| --dbms | auto | Target backend: mysql, mariadb, postgres, sqlite, mssql, oracle |
| -t / --technique | EBTUS | Techniques to run (any combination of E B T U S) |
| --level | 1 | Payload depth: 1 = standard, 2 = extended, 3 = extended + data extraction |
| --risk | 1 | Payload aggression: 1 = low, 2 = medium, 3 = high |
| --time-threshold | 5 | Seconds of delay that count as a time-blind hit (T technique) |
| -d / --data | — | POST body, form-encoded or JSON |
| --cookies | — | Cookie string: name=val; name2=val2 |
| --cookie-params | — | Which cookie names to inject |
| --header-params | — | HTTP header names to inject (e.g. X-Forwarded-For) |
| --path-params | — | Path segment names to treat as injection points |
| --second-url | — | URL whose response is read for two-step injection |
| --timeout | 10 | Per-request timeout in seconds |
| -o | — | Write findings to a JSON file |
Fire Range
The BreachSQL Fire Range is a deliberately vulnerable Flask + MySQL + PostgreSQL + SQLite app that ships with OctoRig (lab slot 7). It provides injectable endpoints that the scanner is verified against on every change.
```bash
# Start the Fire Range (OctoRig required)
./octorig.sh start 7

# Run the full end-to-end test suite
pytest tests/test_firerange.py -v
```
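To show what an injectable endpoint like those in the Fire Range looks like at code level, and what a finding from the scanner means for the developer who has to fix it, here is an added example that is not part of the Fire Range or of BreachSQL: a numeric-context lookup written with string interpolation beside its parameterised replacement, both run against an in-memory SQLite table. The table, its rows and the function names are constructed for this example and are not the Fire Range's schema.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite table with constructed rows (not the Fire Range's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items (id, name) VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "gizmo")],
    )
    conn.commit()
    return conn


def lookup_item_vulnerable(conn, raw_id):
    """Vulnerable: the request value is spliced into the SQL text."""
    # Numeric context, in the README's terms: the value is not quoted, so whatever
    # follows it is parsed as part of the WHERE clause rather than as data.
    sql = f"SELECT id, name FROM items WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def lookup_item_safe(conn, raw_id):
    """Hardened: validate the type, then bind the value as a parameter."""
    try:
        item_id = int(raw_id)
    except (TypeError, ValueError):
        # A web handler would answer 400 here; the value never reaches the database.
        raise ValueError("item id must be an integer")
    # The placeholder keeps the value as data; it cannot change the statement's structure.
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchall()


def compare(raw_id):
    """Run both lookups on the same input and report what each returned."""
    conn = make_db()
    vulnerable_rows = lookup_item_vulnerable(conn, raw_id)
    try:
        safe_rows = lookup_item_safe(conn, raw_id)
    except ValueError as exc:
        safe_rows = str(exc)
    return {"input": raw_id, "vulnerable": vulnerable_rows, "safe": safe_rows}


if __name__ == "__main__":
    # A normal request, then the boolean-style probe that separates the two handlers:
    # the interpolated query returns every row, the bound query rejects the input.
    for raw in ("1", "1 OR 1=1"):
        print(compare(raw))
```

The behavioural difference is exactly what the boolean-blind technique measures: with the interpolated query, a true condition appended to the value changes the result set, while with the bound parameter the response is the same for every non-integer input. Type validation before binding is what makes the fix hold for the time-blind case too, since a value that is never interpreted as SQL cannot call SLEEP(), pg_sleep() or randomblob().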
Install from source
```bash
git clone https://github.com/CommonHuman-Lab/breachsql.git
cd breachsql
pip install -e .
pip install -e ".[dev]"   # + pytest, mypy, ruff
```
Requires Python 3.10+. No C extensions.
License
Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.
For commercial licensing, contact the author.
Project details
Download files
Source Distribution
Built Distribution
File details
Details for the file breachsql-0.1.0.tar.gz.
File metadata
- Download URL: breachsql-0.1.0.tar.gz
- Upload date:
- Size: 83.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e048c6acc9fdc13ea5f05975c1ca6629d04e81881c2ff96f6c941271cbdbc1c0 |
| MD5 | feebcb0c5375a8826125c8c815bf4df7 |
| BLAKE2b-256 | 667f23529a14d97010b9025fc4c66f2179b636bd0e72d4c82d16b6c72eb2c8ab |
File details
Details for the file breachsql-0.1.0-py3-none-any.whl.
File metadata
- Download URL: breachsql-0.1.0-py3-none-any.whl
- Upload date:
- Size: 77.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0e05033dae50dc671d4659e1734b24433a0c3bbcac9a19008b6647bf178f9a0c |
| MD5 | 89f00d7e3e24d35b91657f41dbfc7270 |
| BLAKE2b-256 | 1600d1d04f95b19dc4a136da69234c529b176fd992791f7be550b01c08e02976 |