
Ghauri: Building a Modern SQL Injection Framework with Session Management and Multi-Technique Detection


Hook

SQL injection remains one of the top 10 web vulnerabilities in 2024, yet most penetration testers still rely on tools built over a decade ago. What does a modern SQLi exploitation framework look like when rebuilt from scratch in Python?

Context

SQL injection testing has long been dominated by sqlmap, a tool first released in 2006. While sqlmap remains powerful, its codebase carries the architectural decisions of a different era—before JSON APIs, before containerized applications, before cloud-native infrastructure became the norm. Enter Ghauri, a cross-platform SQL injection framework written in Python 3 that rethinks automated SQLi exploitation for modern web applications.

Ghauri addresses the reality that today’s web applications aren’t just simple PHP forms with GET parameters. Security researchers need to test JSON APIs, XML SOAP services, complex multipart forms, and applications hiding injection points in HTTP headers or cookies. They need tools that can pause long-running exploitation tasks and resume them later, that can handle modern authentication flows with proxies, and that provide fine-grained control over payload customization. Ghauri was built to handle these scenarios while maintaining compatibility with traditional injection vectors.

Technical Insight

[Diagram: System architecture — auto-generated. Components: CLI Input, Request Parser, Injection Detection Engine, Multi-Technique Scanner, Vulnerability Classifier, Session Manager, Exploitation Engine, Database Enumeration, Output Handler. Attack vectors: URL/Request File, HTTP Request. Test payloads: Boolean-based, Error-based, Time-based, Stacked Queries. Persistence layer: Resume/Cache, Check Progress. Other nodes: Injection Point, Extract Data, Results.]

At its core, Ghauri implements a multi-technique detection engine that systematically tests for four primary SQL injection types: boolean-based blind, error-based, time-based blind, and stacked queries. The tool identifies vulnerabilities and can escalate to full data extraction.

The session management system is where Ghauri distinguishes itself. Unlike tools that force you to restart from scratch if a scan is interrupted, Ghauri maintains persistent session files that track discovered injection points and exploitation progress. This becomes critical when dealing with time-based blind injections that might take hours to extract even basic information. The --flush-session flag clears these cached results when you need a fresh start, while --fresh-queries ignores stored query results but preserves other session data.

Request handling in Ghauri is particularly flexible. Rather than forcing you to construct URLs with parameters, you can capture a complete HTTP request in Burp Suite or any proxy tool, save it to a text file, and feed it to Ghauri with the -r flag:

ghauri -r request.txt --batch --dbs

This approach preserves exact request formatting, headers, cookies, and body content—critical when testing authenticated endpoints or complex API structures. The tool automatically detects injection points in GET parameters, POST data, cookies, HTTP headers, JSON fields, and XML nodes.

For payload customization, Ghauri provides prefix and suffix injection switches that let you handle scenarios where you need to break out of existing SQL context. The --test-filter flag (marked experimental) allows selecting test payloads by titles, useful when you’ve already identified that only certain injection techniques work.

The DBMS support spans MySQL, Microsoft SQL Server, PostgreSQL, and Oracle with exploitation capabilities. Here’s a typical workflow pattern:

# Initial detection and fingerprinting
ghauri -u "http://testsite.com/product.php?id=1" --batch

# Extract database names
ghauri -u "http://testsite.com/product.php?id=1" --batch --dbs

# Further enumeration uses --tables, --columns, --dump flags
# with --start and --stop to limit extraction ranges

The --start and --stop flags control data extraction ranges, essential when dealing with large tables where dumping all rows isn’t practical. The --count switch retrieves entry counts before extraction, helping you decide whether to dump the entire table or sample specific ranges.

Ghauri also includes experimental features for advanced scenarios. The --sql-shell provides an interactive SQL command interface once exploitation succeeds, letting you run arbitrary queries directly. The -m flag enables multi-target scanning from a text file containing multiple URLs, useful for batch vulnerability assessments across similar endpoints. Perhaps most interesting is the automatic base64 parameter detection—Ghauri can identify when GET parameters contain base64-encoded data, decode them, test for injections, and re-encode payloads automatically.
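Seen from the defender's side, the four technique families tested by the detection engine and the base64-wrapped parameters described above leave recognisable traces in web server access logs. The following Python is an added example, not Ghauri's code: it parses combined-format access-log lines, decodes query values that look like base64, and tags each parameter with the technique family its value resembles. The signature patterns, the log-line regex and the sample log lines are all constructed for illustration and should be tuned to your own stack.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit
# Signature families for the four techniques Ghauri tests for (constructed for this example; tune before use).
TECHNIQUE_PATTERNS = {
    "boolean": re.compile(r"\b(and|or)\b\s*\(?\s*['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml|exp|convert|cast|floor)\s*\(", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay|dbms_pipe\.receive_message)\b", re.I),
    "stacked": re.compile(r";\s*(select|insert|update|delete|drop|exec|declare)\b", re.I),
}
# Combined-format access log line: client IP, method, request target, status (constructed regex, not Ghauri's).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def maybe_b64_decode(value):
    """Return the decoded text when value is well-formed base64 of printable text, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8") if B64_SHAPE.match(value) else ""
    except (binascii.Error, UnicodeDecodeError):  # bad padding/alphabet or binary payload: not base64 text
        return None
    return text if text and text.isprintable() else None

def extract_params(target):
    """Yield (name, value) per query parameter; a base64-looking value is also yielded decoded."""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        yield name, value
        decoded = maybe_b64_decode(value)
        if decoded is not None:
            yield f"{name} (base64)", decoded

def scan_log(lines):
    """Return (client_ip, parameter, technique) for every parameter value matching a signature."""
    findings = []
    for m in filter(None, map(LOG_LINE.match, lines)):  # unparseable lines are skipped, not guessed at
        for name, value in extract_params(m["target"]):
            findings += [(m["ip"], name, t) for t, p in TECHNIQUE_PATTERNS.items() if p.search(value)]
    return findings

# Constructed sample log: a benign request, one probe per technique, then a base64-wrapped probe.
_B64_PROBE = quote(base64.b64encode(b"1 AND pg_sleep(5)").decode())
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /product.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /product.php?id=1%20AND%201=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /product.php?id=1%20AND%20updatexml(1,1,1) HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /product.php?id=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /product.php?id=1;%20SELECT%201 HTTP/1.1" 500 88',
    f'10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /item.php?ref={_B64_PROBE} HTTP/1.1" 200 512',
]
```

Running scan_log(SAMPLE_LOG) tags the four probes from 10.0.0.9 with one family each and reports the base64-wrapped probe under "ref (base64)", while the benign request from 10.0.0.5 produces nothing.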

The verification system for boolean and time-based injections adds reliability by cross-checking extracted characters through multiple requests. When Ghauri extracts data character-by-character through blind injection, it appears to confirm each character before proceeding. This verification overhead slows extraction but aims to increase accuracy, particularly important in production assessments.

Gotcha

Microsoft Access support is explicitly limited to fingerprinting in boolean-based blind scenarios—you can detect an Access database, but full exploitation capabilities aren’t implemented. This is a significant limitation if you’re testing legacy ASP applications still running on Access backends, where you’ll need to switch to alternative tools for complete data extraction.

Several features are marked as ‘experimental’ in the documentation: SQL shell functionality (--sql-shell), multi-target scanning with -m, payload filtering with --test-filter, and base64 parameter detection. In security tooling, ‘experimental’ typically means ‘works in common cases but may fail unpredictably in edge scenarios.’ Don’t rely on these features for critical penetration testing deliverables without thorough validation of results. The SQL shell in particular can behave inconsistently depending on DBMS-specific syntax requirements and privilege levels.

Installation requires manual dependency management—there’s no standalone binary distribution. You need a working Python 3 environment, must install dependencies via pip (python3 -m pip install --upgrade -r requirements.txt), and then run python3 setup.py install or python3 -m pip install -e . (an editable install). While this is standard for Python tools, it creates friction compared to single-binary tools that just work after download. The README does provide alternative installation guidance for users hitting issues, but expect to troubleshoot Python environment problems on some systems.

Verdict

Use Ghauri if you’re conducting modern web application penetration tests where you need to test JSON APIs, XML services, or complex authenticated endpoints. The session management and resume capabilities make it ideal for time-based blind injections against production systems where you can only test during specific maintenance windows. The request file parsing with -r is genuinely useful for preserving exact HTTP formatting from proxy tools, and the active development (with --update support for GitHub installations) suggests ongoing maintenance. Skip it if you need complete Microsoft Access exploitation beyond fingerprinting, require GUI interfaces over command-line tools, or need battle-tested stability for compliance assessments where you can’t afford experimental feature failures. Also skip if you’re new to SQL injection testing—Ghauri assumes you understand injection techniques and doesn’t provide educational scaffolding for beginners. For experienced penetration testers wanting a modern, actively maintained Python 3 tool with session management and support for modern web application architectures, Ghauri deserves evaluation alongside established alternatives.
