{"id":21694422,"url":"https://github.com/pauloo27/morcego","last_synced_at":"2026-06-13T16:03:02.814Z","repository":{"id":118206882,"uuid":"266044037","full_name":"pauloo27/morcego","owner":"pauloo27","description":"🦇 Blind SQLI Tool to fetch size and data.","archived":false,"fork":false,"pushed_at":"2020-11-17T22:12:25.000Z","size":4044,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-31T10:34:26.550Z","etag":null,"topics":["blind-sql-injection","go","sqli"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pauloo27.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-22T07:14:42.000Z","updated_at":"2022-11-09T18:07:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"da3d1eab-83a5-4ef8-8717-4b4454b39a79","html_url":"https://github.com/pauloo27/morcego","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/pauloo27/morcego","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pauloo27%2Fmorcego","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pauloo27%2Fmorcego/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pauloo27%2Fmorcego/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pauloo27%2Fmorcego/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pauloo27","download_url":"https://codeload.github.com/pauloo27/morcego/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pauloo27%2Fmorcego/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34290348,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-13T02:00:06.617Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blind-sql-injection","go","sqli"],"created_at":"2024-11-25T18:28:22.194Z","updated_at":"2026-06-13T16:03:02.773Z","avatar_url":"https://github.com/pauloo27.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Morcego\n\n**Blind SQLI Tool**\n\n```go\n       _,    _   _    ,_\n  .o888P     Y8o8Y     Y888o.\n d88888      88888      88888b\nd888888b_  _d88888b_  _d888888b\n8888888888888888888888888888888\n8888888888888888888888888888888\nYJGS8P\"Y888P\"Y888P\"Y888P\"Y8888P\n Y888   '8'   Y8P   '8'   888Y\n  '8o          V          o8'\n    '                     '\n```\n\n## What is it\nMorcego is a Blind SQL Injection tool to brute force size and values.\n\nMorcego is designed to localhost tests so it doesn't deal with rate limits and anything other than the SQLI.\n\n**ATENTION**: Usage of this program for attacking targets without prior mutual consent is illegal.\nIt is the end user's responsibility to obey all applicable local, state and federal laws.\nDevelopers assume no liability and are not responsible for any misuse or damage caused by this program\n\n## Build\nClone the repository, install a GoLang compiler and run `go build`.\n\n## Example Server\nYou can find the NodeJS server that was used to test this tool inside \n[./example-server](./example-server).\n\n## Usage\n![Screenshot](./screenshot.png)\n### Form\nRun `morcego`, then reply with:\n\n(as example to a form with a vulnerable input string)\n\n\u003e URL: The form URL\n\n\u003e Method: POST\n\n\u003e Value Type: STRING\n\n\u003e Target Column: The column name\n\n\u003e Vulnerable Input: The name of the vulnerable input\n\n\u003e Extra Inputs: Use if the form requires any other input\n\n\u003e Extra Condition: If you wanna limit the query, then use it\n\n\u003e Error Message: The expect error message found when the input value is false\n\n**Wait and done**\n\n### GET request with parameters in the end of the path\nRun `morcego`, then reply with:\n\n(as example to a vulnerable \"REST API\" to get a entry by the id: `http://localhost/users/1`)\n\n\u003e URL: The URL (without the parameter)\n\n\u003e Method: GET\n\n\u003e Value Type: INT\n\n\u003e Target Column: The column name\n\n\u003e Vulnerable Input: Leave it empty\n\n\u003e Extra Condition: If you wanna limit the query, then use it\n\n\u003e Error Message: The expect error message found when the input value is false\n\n**Wait and done**\n\n### GET request with parameters in the query\nRun `morcego`, then reply with:\n\n(as example to a vulnerable \"API\" to get a entry by the id in \"id\" parameter: `http://localhost/user?id=1`)\n\n\u003e URL: The URL (without the parameter)\n\n\u003e Method: GET\n\n\u003e Value Type: INT\n\n\u003e Target Column: The column name\n\n\u003e Vulnerable Input: id (use your own here)\n\n\u003e Extra Condition: If you wanna limit the query, then use it\n\n\u003e Error Message: The expect error message found when the input value is false\n\n**Wait and done**\n\n## The name\nMorcego was writen during the COVID-19 pandemic, so it's named after the goddam bat that locked us inside our houses (and that's not even the bad thing about it).\n\n**Morcego** = Bat (in portuguese)  \nMor**cego** = Blind (also in portuguese)  \nMorce**go** = Go (the programming language used in it)\n\n## License\n`GPL-2.0`, for more information, see the [LICENSE](./LICENSE) file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpauloo27%2Fmorcego","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpauloo27%2Fmorcego","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpauloo27%2Fmorcego/lists"}