Ukraine/Russia Cyber War! Using SQLi Against Russian Websites, Part 2

Hello cyberwarriors!

 

This is Overwatch from Ukraine again!

 

In the first segment of this series, we walked through different modifications of SQLMap payloads. Today, we’re continuing our SQL injection series, but will focus on automating the scanning process to save time and make it easier to work with larger sets of websites. We’ll use a tool called Nuclei to run the scans, and a few other tools to prepare the data before feeding it into Nuclei.

 
 

Let’s break it down step by step. It might look advanced to some of you, but I will guide you through each stage.

 

Step 1: Set Up Your Environment

 

Before we start scanning, we need to install a few tools.

 

Install Go (Golang)

 

Go (Google’s language, increasingly common in security tooling) is needed to install most of the recon tools we’ll be using. Download the Linux tarball for the current release from https://go.dev/dl/ (go1.24.2 was the latest at the time of writing) and extract it to /usr/local. Writing there needs root, hence the sudo:

 
 

kali> sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.24.2.linux-amd64.tar.gz

 

Note: Don’t untar Go into an existing /usr/local/go folder. It can mess up the installation.

 

Now add Go to your system path. The binaries that go install builds (waybackurls, gf and the other tools below) land in ~/go/bin, so that directory has to be on the path as well or the commands later in this article will not be found. Append the following line to /etc/profile (system-wide, needs root) or to ~/.profile for just your user:

export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin

 

Reload the profile so the change applies to your current shell:

 

kali> source /etc/profile

 

Check that it’s working:

 

kali> go version

 

You should see:

 

go version go1.24.2 linux/amd64

 

Install Waybackurls and Gf

 

These tools will help us find URLs and filter them for SQLi patterns: waybackurls pulls every URL the Wayback Machine has archived for a domain, and gf applies named regex patterns (here the sqli set) to pick out URLs whose parameters are worth testing. Both are Go tools from tomnomnom and install with go install; the patterns come from the separate Gf-Patterns repository, which you clone into your home directory.

 
 
 

gf looks for its patterns in ~/.gf, so make that directory and move the pattern files from the Gf-Patterns checkout into it:

 

kali> mkdir ~/.gf

 

kali> mv ~/Gf-Patterns/*.json ~/.gf

 

Install Python Dorking Script

 

We’ll use a script to search Google for potentially vulnerable sites.

 
 

The script depends on the googlesearch-python library, so install that as well. On current Kali releases pip refuses to install into the system Python; either use a virtual environment or pass --break-system-packages if you accept the risk:

 

kali> pip3 install googlesearch-python

 

Get a Nuclei Template

 

This is a template for detecting error-based SQL injection; the scan in Step 5 refers to it as errsqli.yaml. If you have not installed Nuclei itself yet, it is a Go tool like the others and installs with go install from projectdiscovery’s nuclei repository.

 

Install gawk

 

Finally, you will need gawk to trim the URL list in Step 4. It has a simple installation:

 

kali> sudo apt install gawk

 

Step 2: Run the Recon

 

Start by launching the dorking.py script:

 

python3 dorking.py

 
 

You can customize the dorks in the script if you want, or just run it as is to test. It returns a list of URLs from Google whose parameters look like possible injection points. Google throttles automated queries quickly and starts serving CAPTCHAs, so keep the number of dorks small and expect to pause between runs.

 

Step 3: Clean and Filter the Results

 

Once you have the results in a file (id.sqli.results.txt below), strip each URL down to its host so you get one line per domain. awk splits each URL on / and prints the third field, which is the host (and port, if one is present); sort -u removes the duplicates:

 

cat id.sqli.results.txt | awk -F/ '{print $3}' | sort -u | tee id.sqli.websites.txt

 
 

Then gather historical URLs for each domain with waybackurls, filter them for SQLi patterns with gf, and deduplicate them with uro (a small Python tool that collapses URLs differing only in parameter values; it installs with pip3 install uro, the same way as the library above):

 

cat id.sqli.websites.txt | waybackurls | gf sqli | uro > output.txt

 
 

If you’re just testing this process or want faster results, try with just one website:

 

cat single.txt | waybackurls | gf sqli | uro > output.txt

 

You’ll end up with a list of potential SQL injection points.

 

Step 4: Reduce Noise

 

If you’re working with many domains the list gets noisy, because waybackurls returns every archived URL of a site. To avoid scanning dozens of near-identical pages on the same domain, cut the list down to one URL per host:

 

cat output.txt | gawk -F/ '{host=$3; sub(/:80$/, "", host); if (!(host in seen)) { print $0; seen[host] = 1 } }' | tee reduced.single.output.txt

 
 

This gives you one URL per host to test. Note what the command treats as “the same host”: it strips a trailing :80 but not :443, and because the scheme is ignored, http:// and https:// URLs for the same host collapse into a single entry. If you want both schemes tested, keep them apart or scan the full output.txt.
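To make Steps 3 and 4 easier to check before you point them at real recon output, here is an added example (not code from the original post) that re-implements the host extraction and the one-URL-per-host reduction as shell functions and runs them over a constructed URL list. The hostnames are made up. It goes slightly beyond the one-liners above: the host is lowercased and the default port is dropped for both http (:80) and https (:443), and only when it matches the scheme, so http://host:443/ is not mistaken for a plain https host.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. It re-implements the
# host extraction of Step 3 and the one-URL-per-host reduction of Step 4
# as functions and runs them over a constructed URL list (the hostnames
# are made up) so the behaviour can be checked without any recon tools or
# network access. Written against POSIX awk, so it runs under gawk or
# the default awk.

# awk helper shared by both stages. With -F/ the third field of a URL is
# "host[:port]"; lowercase it and drop the port when it is the default for
# the scheme in field 1 ("http:" or "https:"). The original one-liner only
# stripped :80; this also handles https://host:443/ and letter case.
NORMALIZE_HOST='function norm_host(scheme, hp) {
    hp = tolower(hp)
    if (scheme == "http:")  sub(/:80$/,  "", hp)
    if (scheme == "https:") sub(/:443$/, "", hp)
    return hp
}
'

# Step 3: one normalized host per line, deduplicated and sorted.
extract_hosts() {
    awk -F/ "$NORMALIZE_HOST"'NF >= 3 && $3 != "" { print norm_host($1, $3) }' | sort -u
}

# Step 4: keep only the first URL seen for each host. As in the original
# gawk command, http and https URLs for the same host collapse into one.
one_per_host() {
    awk -F/ "$NORMALIZE_HOST"'{
        h = norm_host($1, $3)
        if (!(h in seen)) { seen[h] = 1; print }
    }'
}

# Constructed sample input standing in for output.txt: six URLs that are
# three hosts once ports and letter case are normalized.
SAMPLE_URLS='http://shop.example.test/item.php?id=12
http://shop.example.test:80/cat.php?cat=3
https://Shop.Example.test/view.php?pid=7
https://news.example.test:443/article.php?id=100
http://news.example.test/index.php?page=2
http://forum.example.test/thread.php?tid=55&page=1'

# Demo: prints the 3 hosts, then the 3 surviving URLs.
printf '%s\n' "$SAMPLE_URLS" | extract_hosts
printf '%s\n' "$SAMPLE_URLS" | one_per_host
```

To use the functions on real data, replace the sample with the files from the article: cat id.sqli.results.txt | extract_hosts | tee id.sqli.websites.txt for Step 3, and one_per_host < output.txt | tee reduced.single.output.txt for Step 4.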

 

Step 5: Scan with Nuclei

 

Now that we have a clean list of targets, it’s time to run the actual scan:

 

cat reduced.single.output.txt | nuclei -t errsqli.yaml -dast

 
 
 

Let Nuclei go through each URL and check for SQL injection using the template we downloaded earlier. The -dast flag turns on Nuclei’s fuzzing mode, which injects the template’s payloads into the query parameters of each URL rather than only requesting fixed paths; that is why the list has to consist of parameterized URLs, which is exactly what the gf sqli filter selected. An error-based template then looks for a database engine’s error message in the response.
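The following is an added example, not code from the original post and not the errsqli.yaml template (which is not reproduced here). It shows the matching logic an error-based SQLi template relies on, as shell functions over constructed response bodies: first a lookup of well-known database error signatures, then the check a practitioner adds on top, comparing the injected response against a baseline so that a page which merely talks about SQL errors is not reported on every request.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post and not the errsqli.yaml
# template. It demonstrates error-based SQLi detection: look for a database
# engine's stock error message in the response body. The signatures are the
# default error strings of each engine; the response bodies are constructed.

# Print the engine whose error signature appears in a response body, or
# "none". $1 is the body as a single string.
classify_sql_error() {
    case $1 in
        *"You have an error in your SQL syntax"*|*"Warning: mysql_"*|*"Warning: mysqli_"*)
            echo mysql ;;
        *"PostgreSQL query failed"*|*"pg_query()"*|*"syntax error at or near"*)
            echo postgresql ;;
        *"Unclosed quotation mark after the character string"*|*"[SQL Server]"*)
            echo mssql ;;
        *"ORA-"[0-9][0-9][0-9][0-9][0-9]*)
            echo oracle ;;
        *"SQLITE_ERROR"*|*"sqlite3.OperationalError"*|*"SQLite3::"*)
            echo sqlite ;;
        *)
            echo none ;;
    esac
}

# A single-response match is not enough: a forum thread about fixing a
# MySQL error contains the same string and would be flagged on every
# request. Compare against the baseline response to the unmodified URL and
# report only when the signature appears in the injected response but not
# in the baseline. $1 = baseline body, $2 = body after injecting a quote.
sqli_indicated() {
    baseline=$(classify_sql_error "$1")
    injected=$(classify_sql_error "$2")
    if [ "$injected" != none ] && [ "$baseline" = none ]; then
        echo "yes:$injected"
    else
        echo no
    fi
}

# Constructed responses standing in for what Nuclei would receive.
CLEAN_BODY='<html><body><h1>Product 12</h1><p>Price: 4.99</p></body></html>'
MYSQL_BODY="<b>Warning</b>: mysql_fetch_array() expects parameter 1 to be resource, boolean given in /var/www/item.php on line 14<br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"
ORACLE_BODY='<pre>ORA-01756: quoted string not properly terminated</pre>'
# A page that quotes an error message in its normal content.
TRAP_BODY='<h1>Fixing "You have an error in your SQL syntax" in PHP</h1><p>This common mistake...</p>'

# Demo
classify_sql_error "$MYSQL_BODY"              # mysql
classify_sql_error "$CLEAN_BODY"              # none
sqli_indicated "$CLEAN_BODY" "$ORACLE_BODY"   # yes:oracle
sqli_indicated "$TRAP_BODY" "$TRAP_BODY"      # no
```

When you review Nuclei findings, this is the check to apply by hand to anything that looks too good: fetch the original URL once without a payload and confirm the error text is absent there before counting the hit.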

 

Final Thoughts

 

At first, the results might not be what you expect. Don’t get discouraged. Sometimes targets don’t respond as expected, and sometimes tools miss things. That’s just how it goes. But the more you refine your approach, the better the outcome.

 

See you in Part 3, where I’ll show you how a single SQL injection can compromise an entire server. Until then, it’s your turn to hunt!
