Blind SQL injection - BBQSQL



Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.


Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

ºURL
ºHTTP Method
ºHeaders
ºCookies
ºEncoding methods
ºRedirect behavior
ºFiles
ºHTTP Auth
ºProxies

HTTP Parameters
BBQSQL has many http parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:

ºfiles
ºheaders
ºcookies
ºurl
ºallow_redirects
ºproxies
ºdata
ºmethod
ºauth

Blind SQL injection: BBQSQL Install

This should be straight forward, but what ever is. Try running:

sudo pip install bbqsql


If that doesn’t work for you, you can install from source. The tool requires gevent,requests.