HackfutSec/SQLwp
A specialized SQL injection scanner targeting WordPress sites with the TO MiniProgram plugin vulnerable endpoint.
TO MiniProgram SQLi Scanner
A specialized SQL injection scanner targeting WordPress sites with the TO MiniProgram plugin vulnerable endpoint.
Features
- ๐ High-performance scanning with multi-threading support
- ๐ฏ Accurate detection of time-based blind SQL injection vulnerabilities
- ๐ Multiple target support (single URL or file with URL list)
- ๐ Clear reporting with color-coded results
- ๐พ Automatic saving of vulnerable targets to
vulnerable.txt
Installation
-
Clone the repository:
git clone https://github.com/HackfutSec/SQLwp.git cd SQLwp -
Install required dependencies:
pip3 install -r requirements.txt
Usage
Basic scan (single target)
python3 scanner.py -u http://target-site.com -d 5Bulk scan (from file)
python3 scanner.py -l targets.txt -t 10 -d 5Options
| Option | Description | Default |
|---|---|---|
-u, --url |
Single target URL | - |
-l, --list |
File containing list of target URLs | - |
-d, --delay |
Sleep time for time-based detection (in seconds) | 5 |
-t, --threads |
Number of concurrent threads | 5 |
Technical Details
Vulnerability Tested
The scanner checks for SQL injection in the TO MiniProgram WordPress plugin's endpoint:
/wp-json/watch-life-net/v1/comment/getcomments
Payload Used
The scanner sends a time-based blind SQL injection payload:
DESC,(SELECT(1)FROM(SELECT(SLEEP(5)))a)--Detection Logic
- The scanner measures response time
- If response time exceeds the specified delay, vulnerability is confirmed
Output Example
Ethical Use
Contribution
Contributions are welcome! Please open an issue or pull request for:
- Bug fixes
- Feature enhancements
- Documentation improvements
License
This project is licensed under the MIT License - see the LICENSE file for details.
Contact
- GitHub: @HackfutSec
- For security concerns: HackfutSec404@proton.com
๐ Happy (ethical) hacking! ๐