{"id":25406089,"url":"https://github.com/JaveleyQAQ/SQL-Injection-Scout","last_synced_at":"2025-10-31T01:32:07.447Z","repository":{"id":270813036,"uuid":"911533726","full_name":"JaveleyQAQ/SQL-Injection-Scout","owner":"JaveleyQAQ","description":"SQL Injection Scout is a Burp Suite extension designed to help security researchers and developers detect and analyze SQL injection vulnerabilities. The extension provides rich configuration options and an intuitive user interface so that users can customize the scanning and analysis process.","archived":false,"fork":false,"pushed_at":"2025-02-07T08:27:51.000Z","size":2016,"stargazers_count":50,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-07T09:22:45.314Z","etag":null,"topics":["burp","burp-extensions","burp-plugin","burpsuite","sqlinject","sqlinjection","sqlinjectionattack"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JaveleyQAQ.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-03T08:42:22.000Z","updated_at":"2025-02-07T09:13:16.000Z","dependencies_parsed_at":"2025-01-03T09:27:40.740Z","dependency_job_id":"ada49047-c48a-4b0c-9c73-ac2ae61f7528","html_url":"https://github.com/JaveleyQAQ/SQL-Injection-Scout","commit_stats":null,"previous_names":["javeleyqaq/sql-injection-scout"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JaveleyQAQ%2FSQL-Injection-Scout","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JaveleyQAQ%2FSQL-Injection-Scout/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Javeley
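QAQ%2FSQL-Injection-Scout/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JaveleyQAQ%2FSQL-Injection-Scout/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JaveleyQAQ","download_url":"https://codeload.github.com/JaveleyQAQ/SQL-Injection-Scout/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239088383,"owners_count":19579434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["burp","burp-extensions","burp-plugin","burpsuite","sqlinject","sqlinjection","sqlinjectionattack"],"created_at":"2025-02-16T05:06:46.761Z","updated_at":"2025-10-31T01:32:07.441Z","avatar_url":"https://github.com/JaveleyQAQ.png","language":null,"funding_links":[],"categories":["burpsuite插件","Others"],"sub_categories":[],"readme":"# SQL Injection Scout\n\nSQL Injection Scout is a Burp Suite extension designed to help security researchers and developers detect and analyze SQL injection vulnerabilities. The extension provides rich configuration options and an intuitive user interface so that users can customize the scanning and analysis process.\n\n---\n\n## 💯 Features\n\n- **Passive SQL detection**: Supports `FUZZ` testing of the parameters of `GET/POST` requests, and supports the `XML`, `JSON`, and `FORM` data formats.\n- **Minimal probing**: Probes with minimal `payload`s to reduce the impact on the target.\n- **Response diff analysis**: Runs a `diff` analysis on responses and automatically marks boring (gray) and interesting (green) responses.\n    - **Interesting**: Marks a response as worth further analysis.\n    - **Boring**: Marks a response as one that can be skipped.\n    - **How the decision is made**: Assumes the page parameter is reflected and compares the length of the `payload` with the length of the `diff`; if they are equal, the response is considered boring.\n    - **Duplicate content filtering**: Further analyzes the groups marked green; a `diff` that repeats `8` or more times is marked as boring.\n    - **Result sorting**: Sorts the final results by color for display.\n- **Automatic matching**: Automatically matches the `diff` result in the response of the scanned page, taking the first difference by default.\n- **Regex matching**: Uses regular expressions to match `URL`s that do not need to be scanned.\n- **Built-in scope**: Supports built-in `scope` settings.\n- **Delayed scanning**: Supports sending detection requests with fixed jitter plus random jitter, to evade `WAF`s more precisely.\n- **Custom number of scanned parameters**: Prevents performance problems or false positives caused by too many parameters; the default is `30`.\n- 🔥 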
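**`Fuzz` hidden parameters for `SQL` injection**: Lets users insert a list of hidden parameters for `FUZZ` testing.\n\n## ✅️ Installation\n\n1. Make sure [Burp Suite](https://portswigger.net/burp) is installed.\n2. Download or clone this project locally:\n   ```bash\n   git clone https://github.com/JaveleyQAQ/SQL-Injection-Scout.git\n   ```\n3. Build the project with Gradle:\n   ```bash\n   cd SQL-Injection-Scout\n   ./gradlew build\n   ```\n4. Load the generated `JAR` file in `Burp Suite`:\n    - Open `Burp Suite` and navigate to `Extender` -\u003e `Extensions`.\n    - Click the `Add` button and select the generated `JAR` file (located in the `build/libs` directory).\n\n## 🥰  Usage Guide\n\n1. Start Burp Suite and make sure the SQL Injection Scout extension is loaded.\n2. In the `Extender` tab, find SQL Injection Scout and open its configuration panel.\n3. Adjust the parameter and mode settings as needed.\n   ![img_1.png](src/main/resources/img_1.png)\n4. Test with Burp Suite's proxy, scanner, and other features; SQL Injection Scout automatically applies the configuration and provides results.\n   ![img_2.png](src/main/resources/img_2.png)\n## 🔖 To-Do\n\u003e Big promises first\n\n- ~~**Data persistence:**~~  Configuration persistence ✅ | Data persistence ❌\n- ~~**Heuristic detection**: Supports custom boring-match signatures for responses, so there is no more need to worry about frequent false positives.~~ ✅ \n- ~~**Insecure direct object references**: Detects and reports insecure direct object references.~~ ✅\n- **diff panel**: Provides a more detailed diff analysis panel.\n- **Viewing multiple diffs**: Supports viewing multiple differences in a response.\n- **Custom colors**: Lets users customize the color marking of responses.\n- **Second confirmation of injection**: Provides the entries for which injection has been confirmed a second time.\n- **Performance optimization**: Further optimizes scan performance and reduces resource consumption.\n\n---\n\n####  [🔥 Update History](CHANGELOG.md)\n\n\n## Contact\n\nFor any questions or suggestions, contact me at [JaveleyQAQ@outlook.com](mailto:your.email@example.com).\n\n## Star History\n![](https://star-history.com/#JaveleyQAQ/SQL-Injection-Scout\u0026Timeline)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJaveleyQAQ%2FSQL-Injection-Scout","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJaveleyQAQ%2FSQL-Injection-Scout","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJaveleyQAQ%2FSQL-Injection-Scout/lists"}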