🗡️ Stiletto v0.2.0

Next-Generation SQL Injection Scanner

     _____ _   _ _      _   _        
    / ____| | (_) |    | | | |       
   | (___ | |_ _| | ___| |_| |_ ___  
    \___ \| __| | |/ _ \ __| __/ _ \ 
    ____) | |_| | |  __/ |_| || (_) |
   |_____/ \__|_|_|\___|\__|\__\___/ 
                                      
        🗡️ Precision SQL Injection

A cutting-edge SQL injection vulnerability scanner with AI-powered payload generation, WAF bypass techniques, CVE integration from Trickest repository, and async concurrent scanning.

Built for learning, authorized penetration testing, and security research.

🆕 What's New in v0.2.0

• CVE Sync: Automatically sync SQL injection CVEs from Trickest's 23K+ CVE repository
• PoC Fetcher: Extracts real payloads from GitHub exploit repositories
• Dynamic Payloads: Scanner uses 115+ payloads extracted from real-world CVEs (2023-2025)
• Data-driven WAF engine: Provider definitions in YAML (waf_signatures/providers/), passive header + active probe fingerprinting, charset (IBM037) and header-injection probes, provider-specific bypass chains
• Latest Techniques: Stay current with latest SQLi bypasses, WAF evasions, and PoCs
• Threat Intelligence: 500+ SQLi CVEs catalogued with PoC references
• Enhancements: Second-order SQLi, HPP, GraphQL SQLi, OOB, exploit chains, compliance (PCI-DSS/ASVS/GDPR), remediation verification, genetic fuzzer, cloud-specific tests, CISA KEV/ExploitDB enrichment, and CI/CD config generator

---

🔧 Enhancements (v0.2.0+)

Stiletto includes optional enhancement modules for deeper testing and enterprise workflows.

Enhancement Modules

Module	Flag	Description
Second-Order SQLi	--second-order	Injects at write endpoints (register, profile update) and checks trigger endpoints (profile view, search) for stored SQLi
HTTP Parameter Pollution	--hpp	Tests duplicate parameters (?id=1&id=2) to bypass WAFs that only inspect the first value
Report Generation	--report FMT	Generates HTML, JSON, Markdown, or PDF reports with findings, severity, PoC, and remediation
GraphQL SQLi	--graphql	Detects GraphQL endpoints, introspects schema, and tests query/mutation arguments for SQLi
Out-of-Band (OOB)	--oob --collaborator-domain DOMAIN	DNS exfiltration tests for MySQL/MSSQL/Oracle (requires your collaborator domain)
Exploit Chain Discovery	--exploit-chains	Maps SQLi → File Read → RCE–style chains and tests transitions (e.g. MySQL LOAD_FILE)
Compliance Check	--compliance-check	Maps findings to PCI-DSS 6.5.1, OWASP ASVS V5.3.4, GDPR Article 32 and outputs a compliance report
Remediation Verification	--verify-remediation FILE	Re-tests findings from a previous scan JSON to verify fixes or detect bypasses
Genetic Fuzzer	--fuzzer	Evolves payloads with mutations (comment, encoding, case) and fitness-based selection
Cloud-Specific	--cloud-specific	Tests AWS RDS, Azure SQL, and version/metadata-related payloads when DBMS is known
Threat Intelligence	--threat-intel	Enriches findings with CISA KEV and ExploitDB; elevates severity when CVE is actively exploited
CI/CD Config	--generate-cicd PLATFORM	Emits GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, or CircleCI config and exits

Enhancement Usage Examples

# Second-order + HTML report
python stiletto.py -u "http://example.com/page?id=1" --second-order --report html

# HPP + GraphQL + compliance report
python stiletto.py -u "http://example.com/api?id=1" --hpp --graphql --compliance-check

# Threat intel enrichment + JSON report
python stiletto.py -u "http://example.com/page?id=1" --threat-intel --report json

# Verify fixes from a previous scan
python stiletto.py -u "http://example.com/page?id=1" --verify-remediation previous_scan.json

# OOB with collaborator domain (e.g. Burp Collaborator)
python stiletto.py -u "http://example.com/page?id=1" --oob --collaborator-domain your-id.burpcollaborator.net

# Generate GitHub Actions workflow
python stiletto.py --generate-cicd github

# Full enhancement run: second-order, HPP, GraphQL, exploit chains, cloud, threat intel, report, compliance
python stiletto.py -u "http://example.com/page?id=1" --second-order --hpp --graphql --exploit-chains --cloud-specific --threat-intel --report html --compliance-check

Enhancement Options Reference

Option	Description
--second-order	Test for second-order SQL injection
--hpp	Test HTTP Parameter Pollution for SQLi bypass
--report {html,json,markdown,pdf}	Generate report in specified format
--graphql	Detect and test GraphQL endpoints for SQLi
--oob	Test out-of-band SQLi (use with --collaborator-domain)
--collaborator-domain DOMAIN	Your DNS collaborator domain for OOB
--exploit-chains	Discover and test exploit chains (SQLi → RCE)
--compliance-check	Generate PCI-DSS / ASVS / GDPR compliance report
--fuzzer	Run genetic fuzzer on first parameter
--verify-remediation FILE	Verify fixes from previous scan JSON file
--cloud-specific	Test cloud-specific attack vectors
--threat-intel	Enrich with CISA KEV and ExploitDB
--generate-cicd {github,gitlab,jenkins,azure,circleci,all}	Generate CI/CD config and exit

---

✨ Key Features

🎯 Detection Techniques

Technique	Description	DBMS Support
Error-Based	Database error message analysis	All
Boolean-Based Blind	TRUE/FALSE condition testing	All
Time-Based Blind	Response delay analysis (SLEEP/WAITFOR)	All
UNION-Based	Column enumeration & data extraction	All
JSON-Based	WAF bypass via JSON syntax	MySQL, PostgreSQL, MongoDB
Stacked Queries	Multiple statement execution	MSSQL, PostgreSQL

🛡️ WAF Detection & Bypass (Data-Driven Engine)

• Provider YAML definitions: 10 major WAFs (Cloudflare, AWS WAF, Azure, Akamai, F5, Imperva, ModSecurity/CRS, Google Cloud Armor, Fortinet, Palo Alto) with signatures and blind spots in src/waf_signatures/providers/*.yaml
• Passive + active fingerprinting: Header-based detection first; if inconclusive, a probe suite sends targeted SQLi payloads and scores providers by which probes get blocked
• Probe suite: Standard GET/POST parameter probes, plus charset probe (IBM037-encoded body with Content-Type: charset=ibm037) and header-injection probe (payload in X-Forwarded-For) to detect WAFs that don’t inspect those vectors
• Provider-specific bypass chains: Each provider has an ordered list of strategies (encoding, comment, charset, JSON syntax, size overflow, header abuse, etc.); the engine applies the chain to generate obfuscated payload variants
• 20+ transform techniques: randomcase, space2comment, mysql_version_comment, double_urlencode, encode_ibm037, prepend_json_operator, pad_to_8kb, move_to_header, and more
• Backward compatibility: Scanner still uses WAFDetector.detect() and get_bypass_payloads(); legacy WAFType / WAFDetectionResult / TamperEngine remain for compatibility

🤖 AI-Powered Features

• GPT-4 Payload Generation: Context-aware payloads that adapt to WAF blocks
• Learning from Failures: Improves payload selection based on results
• Smart Bypass Suggestions: AI recommends bypass techniques

🔥 Modern Architecture

• Async Scanning: Concurrent requests for 3-5x faster scans
• Lazy Loading: Memory-efficient payload management
• Modular Design: Easy to extend and customize
• Plugin Ready: Extensible architecture for custom modules
• Comprehensive Logging: Winston-style logging with colors

📡 CVE Integration (NEW)

• Trickest Sync: Pulls SQL injection CVEs from Trickest CVE Repository
• 23K+ CVEs: Access to comprehensive vulnerability database
• Payload Extraction: Automatically extracts payloads from CVE descriptions/PoCs
• DBMS Detection: Categorizes CVEs by target database system
• Auto-Update: Keep your payload library current with latest techniques

📊 Database Support

• MySQL / MariaDB
• PostgreSQL
• Microsoft SQL Server
• Oracle
• SQLite
• MongoDB (NoSQL injection)

---

🚀 Quick Start

Installation

# Clone repository
git clone https://github.com/fevra-dev/Stiletto.git
cd stiletto

# Create virtual environment (recommended)
python3 -m venv venv
source venv/bin/activate  # Linux/Mac
# venv\Scripts\activate   # Windows

# Install dependencies
pip install -r requirements.txt

# Run scanner
python stiletto.py -u "http://testphp.vulnweb.com/artists.php?artist=1"

Basic Usage

# GET parameter scanning
python stiletto.py -u "http://example.com/page?id=1"

# POST request scanning
python stiletto.py -u "http://example.com/login" --data "user=admin&pass=test"

# With authentication cookie
python stiletto.py -u "http://example.com/profile?id=1" --cookie "session=abc123"

# All techniques including JSON-based WAF bypass
python stiletto.py -u "http://example.com/api?id=1" --technique EBTUJ

# Enable AI payload generation
python stiletto.py -u "http://example.com/page?id=1" --ai

---

💻 Command Reference

Target Options

Option	Description	Example
-u, --url	Target URL with parameter	-u "http://site.com/page?id=1"
--data	POST data string	--data "user=admin&pass=test"

Request Options

Option	Description	Example
--cookie	HTTP cookies	--cookie "session=abc123"
--header	Custom headers (repeatable)	--header "Authorization: Bearer token"
--user-agent	Custom User-Agent	--user-agent "Custom/1.0"
--timeout	Request timeout (seconds)	--timeout 15
--delay	Delay between requests	--delay 0.5

Detection Options

Option	Description	Default
--technique	Techniques: E/B/T/U/J/S	EBTU
--level	Testing depth (1-5)	1
--risk	Aggressiveness (1-3)	1
--time-sec	Time-based delay	5

WAF & AI Options

Option	Description
--waf-detect	Enable WAF detection (default)
--no-waf-detect	Disable WAF detection
--waf-bypass	Enable bypass attempts (default)
--tamper	Specific tamper script(s)
--ai	Enable AI payload generation
--ai-key	OpenAI API key

CVE Integration Options

Option	Description
--cve-payloads	Use CVE-sourced payloads (default: enabled)
--no-cve-payloads	Disable CVE-sourced payloads
cve-sync	Subcommand to sync CVEs from Trickest
cve-stats	Show CVE payload statistics

CVE Sync Subcommand Options

Option	Description
--year, -y	Year(s) to sync (can repeat)
--no-update	Don't update payload library
--no-cache	Ignore cached data
--list-cves	List all found SQLi CVEs
--output, -o	Output file for payload JSON

Output Options

Option	Description
-o, --output	Format: console/json/html
--out-file	Save results to file
--log-file	Log all activity
-v, --verbose	Verbose output
-q, --quiet	Minimal output

---

🔬 Detection Techniques Explained

Error-Based SQLi

Triggers database errors to extract information:

' AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))--
' AND 1=CONVERT(int,@@version)--

Boolean-Based Blind SQLi

Compares TRUE/FALSE conditions:

' AND '1'='1  → Normal response (TRUE)
' AND '1'='2  → Different response (FALSE)

Time-Based Blind SQLi

Injects delays to detect vulnerability:

' AND SLEEP(5)--          → MySQL
' AND pg_sleep(5)--       → PostgreSQL
'; WAITFOR DELAY '0:0:5'--  → MSSQL

UNION-Based SQLi

Extracts data via UNION queries:

' UNION SELECT NULL,@@version,NULL--
' UNION SELECT table_name FROM information_schema.tables--

JSON-Based SQLi (WAF Bypass)

Exploits WAF blind spot for JSON syntax:

{"id": {"$gt": ""}}  // MongoDB
' AND JSON_EXTRACT(@@version,'$')--  // MySQL

---

🛡️ WAF Bypass Techniques

Tamper Scripts Available

Category	Techniques
Comment-Based	space2comment, space2hash, space2morecomment
Encoding	unicode_encode, hex_encode, base64_encode, url_encode
Case Manipulation	randomcase, uppercase, lowercase
Keyword Replacement	between, concat2concat, if2case
Whitespace	space2newline, space2tab, space2plus
Advanced	json_injection, inline_comment, version_comment

Example: Bypass Cloudflare

# Automatic bypass (recommended)
python stiletto.py -u "http://example.com/page?id=1" --waf-bypass

# Manual tamper selection
python stiletto.py -u "http://example.com/page?id=1" --tamper "space2comment,randomcase,unicode_encode"

---

🤖 AI-Powered Scanning

Setup

# Set OpenAI API key
export OPENAI_API_KEY="sk-your-key-here"

# Or pass via command line
python stiletto.py -u "URL" --ai --ai-key "sk-your-key"

How It Works

1. Context Analysis: AI analyzes target WAF and failed payloads
2. Adaptive Generation: GPT-4 generates novel bypass payloads
3. Learning: Successful payloads inform future attempts

---

📡 CVE Sync - Trickest Integration

Stiletto integrates with the Trickest CVE Repository to keep your payload library up-to-date with the latest SQL injection techniques from real-world vulnerabilities.

Quick Sync

# Sync 2025 SQLi CVEs (default)
python stiletto.py cve-sync

# Sync multiple years
python stiletto.py cve-sync --year 2024 --year 2025

# List all found CVEs
python stiletto.py cve-sync --year 2025 --list-cves

# Force fresh fetch (ignore cache)
python stiletto.py cve-sync --year 2025 --no-cache

# View CVE payload statistics
python stiletto.py cve-stats

What Gets Synced

The CVE sync searches for these SQL injection patterns:

• Core SQLi: sql injection, sqli, sqlmap
• Techniques: union injection, blind sql, time-based, boolean-based, error-based, stacked queries
• NoSQL: nosql injection, mongodb injection, $where injection
• Bypass: waf bypass, filter evasion, authentication bypass
• DBMS-specific: MySQL, PostgreSQL, MSSQL, Oracle, SQLite, MongoDB

CVE Categories Detected

Category	Description
Error-Based	Database error message extraction
Boolean-Based Blind	TRUE/FALSE condition analysis
Time-Based Blind	Response delay injection
UNION-Based	Column enumeration attacks
Stacked Queries	Multi-statement execution
Out-of-Band	DNS/HTTP exfiltration
Second-Order	Stored/delayed injection
NoSQL Injection	MongoDB, CouchDB, Redis attacks

Payload Extraction

From each CVE, Stiletto extracts:

• Payloads: Actual injection strings from descriptions/PoCs
• PoC URLs: Links to GitHub exploits, Nuclei templates
• Bypass Techniques: WAF evasion methods mentioned
• DBMS Tags: Target database identification
• CVSS Scores: Severity ratings

Using CVE Payloads in Scans

# CVE payloads are enabled by default
python stiletto.py -u "http://example.com/page?id=1"

# Disable CVE payloads (use only built-in)
python stiletto.py -u "http://example.com/page?id=1" --no-cve-payloads

Example Sync Output

╔══════════════════════════════════════════════════════════════════════╗
║  Stiletto CVE Sync - Year 2025                                        ║
╚══════════════════════════════════════════════════════════════════════╝

[*] Fetching 2025 CVEs from Trickest repository...
[*] Scanning 1847 CVEs for SQL injection patterns...
[+] Found SQLi CVE: CVE-2025-1234 (Error-Based SQLi)
[+] Found SQLi CVE: CVE-2025-5678 (Time-Based Blind SQLi)
...

[+] Generated payload update: data/cve_payloads.json
    - Total payloads: 156
    - CVEs processed: 47
    - Bypass techniques: 12
    - PoC references: 89

══════════════════════════════════════════════════════════════════════
  CVE Sync Complete!
  Total SQLi CVEs: 47
  Total Payloads: 156
  Total PoC URLs: 89
══════════════════════════════════════════════════════════════════════

CVE Data Storage

data/
├── cve_cache/
│   ├── sqli_cves_2024.json    # Cached CVE data (24h)
│   └── sqli_cves_2025.json
└── cve_payloads.json          # Extracted payloads for scanner

Programmatic Usage

from src.cve_sync import StilettoSync
from src.cve_loader import CVEPayloadLoader

# Sync CVEs
sync = StilettoSync()
cves = sync.fetch_sqli_cves(2025)

# Generate payload update
sync.update_payload_library(cves)

# Load CVE payloads in your code
loader = CVEPayloadLoader()
payloads = loader.get_by_technique('time_blind')
mysql_payloads = loader.get_by_dbms('mysql')

---

📊 Example Output

     _____ _   _ _      _   _        
    / ____| | (_) |    | | | |       
   | (___ | |_ _| | ___| |_| |_ ___  
    \___ \| __| | |/ _ \ __| __/ _ \ 
    ____) | |_| | |  __/ |_| || (_) |
   |_____/ \__|_|_|\___|\__|\__\___/ 
                                      
   🗡️  Stiletto v0.2.0 - Precision SQL Injection
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[*] Target: http://testphp.vulnweb.com/artists.php?artist=1
[*] Method: GET
[*] Parameters: artist
[*] Techniques: Error-Based, Boolean-Based, Time-Based, UNION-Based

[*] Performing WAF detection...
[*] No WAF detected

======================================================================
Testing parameter: artist
======================================================================

[*] Establishing baseline for parameter: artist
[*] Baseline: 4532b | 0.23s
[*] Testing error-based injection...

 VULNERABILITY FOUND 
  Type: Error-Based SQLi (MySQL)
  Parameter: artist
  Payload: '
  Evidence: You have an error in your SQL syntax; check the manual...

======================================================================
  🗡️  Stiletto Scan Results
======================================================================

⚠  Found 1 SQL injection vulnerability(s):

[1] CRITICAL - Error-Based
    URL: http://testphp.vulnweb.com/artists.php?artist=1
    Parameter: artist
    DBMS: MySQL/MariaDB
    Payload: '
    Evidence: You have an error in your SQL syntax; check the manual...

---

🧪 Testing Environments

Recommended Vulnerable Apps

DVWA (Damn Vulnerable Web Application)

docker run -d -p 80:80 vulnerables/web-dvwa
# Access: http://localhost (admin/password)

bWAPP

docker run -d -p 80:80 raesene/bwapp
# Access: http://localhost/install.php

Public Test Sites

• http://testphp.vulnweb.com/artists.php?artist=1
• http://testaspnet.vulnweb.com/

---

📈 What Makes This Different from SQLMap

Feature	SQLMap	Stiletto
Payload Generation	Static library	AI-powered, adaptive
WAF Bypass	Manual tamper scripts	Auto-detection + bypass
JSON SQLi	Not by default	Native support
CVE Testing	Manual	Automated from feed
Learning	None	Learns from failures
Speed	Moderate	Async concurrent
Memory	Load all payloads	Lazy loading
Codebase	100k+ LOC	~2k LOC (readable)
Purpose	Production	Learning & Portfolio

---

🔒 Secure Coding (Prevention)

❌ Vulnerable Code

# Python (BAD)
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)

✅ Secure Code

# Python (GOOD) - Parameterized query
query = "SELECT * FROM users WHERE id = ?"
cursor.execute(query, (user_id,))

---

📁 Project Structure

stiletto/
├── stiletto.py            # Main CLI entry point
├── requirements.txt       # Dependencies
├── README.md              # This file
├── src/
│   ├── __init__.py        # Package info
│   ├── logger.py          # Winston-style logging
│   ├── scanner.py         # Core scanner engine
│   ├── payloads.py        # Payload library + AI generation
│   ├── waf.py             # WAF detection & bypass
│   ├── extractor.py       # Data extraction module
│   ├── cve_sync.py        # CVE sync (Trickest)
│   ├── cve_loader.py      # CVE payload loader
│   ├── poc_fetcher.py     # PoC fetcher
│   ├── second_order.py    # Second-order SQLi detector
│   ├── hpp.py             # HTTP Parameter Pollution tester
│   ├── reporter.py        # Report generator (HTML/JSON/MD/PDF)
│   ├── graphql.py         # GraphQL endpoint detection & SQLi
│   ├── oob.py             # Out-of-band (DNS) tester
│   ├── exploit_chain.py   # Exploit chain discovery
│   ├── compliance.py      # PCI-DSS, ASVS, GDPR checker
│   ├── remediation.py     # Remediation verifier
│   ├── fuzzer.py          # Genetic payload fuzzer
│   ├── cloud.py           # Cloud-specific SQLi tests
│   ├── threat_intel.py    # CISA KEV + ExploitDB enrichment
│   └── cicd_integration.py # CI/CD config generator
└── tests/
    └── test_scanner.py    # Unit tests

---

🚨 Legal & Ethical Use

This tool is for authorized testing only.

✅ Authorized Use

• Your own applications
• Penetration testing with written permission
• Bug bounty programs (follow scope)
• Academic research on vulnerable labs

❌ Unauthorized Use

• Testing websites without permission
• Exploiting vulnerabilities for personal gain
• Accessing or modifying data without authorization

Unauthorized access to computer systems is illegal in most jurisdictions.

---

🤝 Contributing

Contributions welcome! Areas for improvement:

• HTML/JSON/Markdown/PDF report generation
• Second-order SQLi detection
• HTTP Parameter Pollution testing
• GraphQL SQLi testing
• Compliance reporting (PCI-DSS, ASVS, GDPR)
• Additional DBMS support (Cassandra, Redis)
• More WAF signatures
• Browser extension for Burp/ZAP integration
• Mobile app testing support
• Plugin system for custom payloads

---

🆚 Stiletto vs sqlmap

Feature	Stiletto	sqlmap
CVE Integration	✅ Auto-sync from Trickest (500+ SQLi CVEs)	❌ Static payloads
PoC Extraction	✅ Fetches real payloads from GitHub	❌ Manual updates
JSON-Based SQLi	✅ First-class WAF bypass technique	⚠️ Limited
AI Payloads	✅ GPT-4 adaptive generation	❌ Not available
Async Scanning	✅ Concurrent requests	❌ Sequential
Modern Codebase	✅ Clean Python 3.8+	⚠️ Legacy Python
Maturity	🆕 New project	✅ 10+ years
Payload Count	~300 (growing via CVE sync)	1000+
Data Extraction	⚠️ Basic	✅ Full dump/takeover
OS Command Exec	❌ Not yet	✅ Full support

Bottom Line: Stiletto isn't meant to replace sqlmap—it's a modern complement. Use Stiletto for:

• Latest CVE-based payloads that sqlmap doesn't have yet
• JSON-based WAF bypass techniques
• AI-powered adaptive testing
• Fast async scanning for large parameter sets

Use sqlmap for comprehensive data extraction, OS takeover, and battle-tested reliability.

---

📚 References & Inspiration

• OWASP SQL Injection
• PortSwigger SQL Injection Guide
• PayloadsAllTheThings SQLi
• Trickest CVE Repository - Source for CVE sync
• sqlmap Project
• Hakuin - Blind SQLi Optimization

---

📄 License

MIT License - See LICENSE file for details.

---

⚡ Quick Reference

# Basic scan
python stiletto.py -u "http://target.com/page?id=1"

# With cookie
python stiletto.py -u "URL" --cookie "session=abc123"

# POST request
python stiletto.py -u "URL" --data "user=admin&pass=test"

# All techniques including JSON WAF bypass
python stiletto.py -u "URL" --technique EBTUJ

# With AI payloads
python stiletto.py -u "URL" --ai

# Sync latest CVEs (2023-2025) with real payloads
python stiletto.py cve-sync --fetch-pocs

# View CVE threat intel stats
python stiletto.py cve-stats

# JSON output
python stiletto.py -u "URL" -o json --out-file results.json

# Enhancements: report + compliance
python stiletto.py -u "URL" --report html --compliance-check

# Generate GitHub Actions workflow
python stiletto.py --generate-cicd github

---

⚠️ Remember: Only test on systems you own or have explicit permission to test.