Skip to main content

Context-aware SQL injection scanner with WAF detection and evasion

Project description

BreachSQL

Python PyPI License Security WAF Evasion

Context-aware SQL injection scanner — error-based, boolean-blind, time-blind, UNION, and stacked injection detection across MySQL, MariaDB, PostgreSQL, SQLite, MSSQL, and Oracle. WAF detection and evasion built in. No Burp license. Just findings.

pip install breachsql

# from source
git clone https://github.com/CommonHuman-Lab/breachsql.git
cd breachsql
python -m breachsql

Point it at a target. Get findings. Drop it in a pipeline.


Why BreachSQL?

  • Multi-technique — error-based, boolean-blind, time-blind, UNION extraction, stacked queries, all in one pass
    • Multi-backend — MySQL, MariaDB, PostgreSQL, SQLite, MSSQL, and Oracle detection and technique selection
  • Context-aware — numeric, string, quoted, parenthesised, and header/cookie injection contexts
  • WAF-aware — detects common WAFs and applies evasion transforms automatically
  • Every injection surface — query params, POST form, JSON body, path parameters, cookies, headers
  • Two-step injection — inject at one URL, observe the result at another
  • Pipeline-native — JSON output, clean exit codes, Python API

Quick Start

# GET parameter
breachsql -u "https://target.com/item?id=1"

# POST form
breachsql -u "https://target.com/login" -d "username=admin&password=x"

# JSON body
breachsql -u "https://target.com/api/user" -d '{"user_id": 1}'

# Cookie injection
breachsql -u "https://target.com/profile" --cookies "session_id=abc" --cookie-params session_id

# Path parameter
breachsql -u "https://target.com/item/1" --path-params id

# Time-blind with custom threshold
breachsql -u "https://target.com/search?name=x" -t T --time-threshold 3

# Specific backend and technique
breachsql -u "https://target.com/users?id=1" --dbms mysql -t E

# Full multi-technique scan
breachsql -u "https://target.com/report?id=1" --dbms mysql -t EBTUS --level 2 --risk 2

Techniques

Flag Technique Description
E Error-based Database errors leak schema/data via malformed syntax
B Boolean-blind True/false response differences reveal data bit by bit
T Time-blind SLEEP() / pg_sleep() / randomblob() timing confirms injection
U UNION-based Column-count probing + data extraction via UNION SELECT
S Stacked Semicolon-delimited second statement injection

Combine with -t EBTUS to run all techniques in a single pass.


Python API

from breachsql.engine import scan, ScanOptions

result = scan(
    "https://target.com/users?id=1",
    ScanOptions(dbms="mysql", technique="E", risk=1),
)

print(f"{result.total_findings} finding(s) in {result.duration_s:.1f}s")
for f in result.error_based:
    print(f"  [{f.technique}] {f.param}{f.evidence}")

Options

Option Default Description
-u Target to use
--crawl Crawl target
--dbms auto Target backend: mysql, mariadb, postgres, sqlite, mssql, oracle
-t / --technique EBTUS Techniques to run (any combo of E B T U S)
--level 1 Payload depth: 1 = standard, 2 = extended, 3 = extended + data extraction
--risk 1 Payload aggression: 1 = low, 2 = medium, 3 = high
--time-threshold 5 Seconds to consider a time-blind hit (T technique)
-d / --data POST body — form-encoded or JSON
--cookies Cookie string: name=val; name2=val2
--cookie-params Which cookie names to inject
--header-params HTTP header names to inject (e.g. X-Forwarded-For)
--path-params Path segment names to treat as injection points
--second-url Read URL for two-step injection
--timeout 10 Per-request timeout in seconds
-o Write findings to JSON file

Fire Range

The BreachSQL Fire Range is a deliberately vulnerable Flask + MySQL + PostgreSQL + SQLite app that ships with OctoRig (lab slot 7). It provides injectable endpoints that the scanner is verified against on every change.

# Start the Fire Range (OctoRig required)
./octorig.sh start 7

# Run the full end-to-end test suite
pytest tests/test_firerange.py -v

Fire Range README


Install from source

git clone https://github.com/CommonHuman-Lab/breachsql.git
cd breachsql
pip install -e .
pip install -e ".[dev]"   # + pytest, mypy, ruff

Requires Python 3.10+. No C extensions.


License

Licensed under the AGPLv3. You are free to use, modify, and distribute this software. If you run it as a service or distribute it, the source must remain open.

For commercial licensing, contact the author.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

breachsql-0.1.1.tar.gz (60.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

breachsql-0.1.1-py3-none-any.whl (52.4 kB view details)

Uploaded Python 3

File details

Details for the file breachsql-0.1.1.tar.gz.

File metadata

  • Download URL: breachsql-0.1.1.tar.gz
  • Upload date:
  • Size: 60.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for breachsql-0.1.1.tar.gz
Algorithm Hash digest
SHA256 1a0d2438c9014b616a70f259874e415b6547f42c88ff3386b6d3843da6c602a1
MD5 67058e44b1e7abbef97e9dca847d1ba0
BLAKE2b-256 edf94ec13e61a18e1b53f64de1a7c84cd2bed2dba751eb887429038dbbea2f10

See more details on using hashes here.

File details

Details for the file breachsql-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: breachsql-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 52.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for breachsql-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 8c578a5c369fc1088fb88bec7c801fe1f4e2a2074fc7cf6775bae81fe8c618fb
MD5 e884551eaa17ca44a4cb491e0607f1b4
BLAKE2b-256 160f26af51803959a1deb78cd02eb509f365cecaa9a75f40aa13b4791c10be2b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page