The following are 7 tools that are regularly used and regarded highly as a substitution for sqlmap or an additional tool to sqlmap during live pentesting, bug bounty programs, Capture-The-Flag competitions, and <a href="/service/red-teaming">red teaming</a>.
1. SQLiv – This is a lightning-fast scanner that focuses on pinpointing Blind, Time-Based and Error Based injectable locations with little to no noise. This tool is useful for reconnaissance on larger scales and fitting into Burp/ZAP workflows.
GitHub: https://github.com/the-robot/sqliv
Quick command line usage:
python3 sqliv.py -t 50 -d -u https://target.com --crawl
2. NoSQLMap – This is the standard for performing NoSQL injection against the primary NoSQL databases (MongoDB, CouchDB, Redis, Cassandra, DynamoDB). NoSQLMap is essential as most modern applications use NoSQL as the database type. The capabilities of NoSQLMap are to enumerate users, extract data, create shells on target servers, and escalate privilege.
GitHub: https://github.com/codingo/NoSQLMap
3. jsql Injection – This is another Java based GUI tool that has a rich set of automation features but allows the user to control exactly what happens with strong blind/time-based support. This tool is still used by many newer practitioners moving towards the use of GUI tools and it has built in features that help locate an administration account, as well as crack hashed passwords. There are many active community forks of this project that have kept it up to date.
Download: https://sourceforge.net/projects/jsql-injection/
4. SQLninja is an older tool that is still widely used for MSSQL exploits (especially xp_cmdshell and OLE automation abuse). It is primarily used in legacy enterprise environments that are still using older versions of SQL Server. Featured capabilities of SQLninja: perform OS commands and DNS tunneling, create custom payloads.
GitHub mirror at https://github.com/bernardo/sqlninja
5. BBQSQL is a tool that allows for performing Blind SQL injection by utilizing timing attacks based on Binary search techniques. It is very useful against slow targets or those that are heavily filtered with a WAF where sqlmap has problems.
Github mirror at: https://github.com/Neohapsis/bbqsql An example of its use is shown below:
bbqsql -u "http://target.com/page?id=1" --technique time --dbms mysql
6. The Whitewidow automated scanner provides the user with a high rate of accuracy (low false positive rate), supports active exploitation/Google dorking/crawling, and is popular with those who automate bug bounty program testing.
This tool can be found on GitHub, at https://github.com/WhitewidowScanner/whitewidow
7. DSSS (Damn Small SQL Injection Scanner) is an extremely lightweight (approx. ~200 lines) Python script for scanning for error-based and union-based SQL Injection vulnerabilities. The DSSS scanner is a favorite among pentesters due to its small footprint (can run anywhere, including Termux on cell phones) and allows for quick reconnaissance prior to using more heavy-duty tools.
It can be found on GitHub at https://github.com/stamparm/DSSS
Quick Guidance
1. Bug Bounties / Web Recon → Whitewidow, SQLiv, jSQL
2. Contemporary NoSQL Backends → NoSQLMap (Almost Requirement)
3. Targets That are Chronically/Blind → BBQSQL or Your Own Timing Scripts
4. Expedient/Lightweight Scanning → DSSS, SQLiv
5. MSSQL Privileges Escalation → SQLninja
6. ALWAYS Manually Validate Results Using Burp Suite & ZAP; Automation will Still Create False Positives.
Use these tools in an ethical manner and only on systems that you own or have prior written consent from the system owner to test. Each of these tools is meant for use in a legal, ethical manner. Use these tools at your own risk; no one, including the authors, accepts any responsibility for loss or damage resulting from your use of these tools.
