Ghauri: SQL Injection Automation That Actually Resumes Your Work

Hook

Most SQL injection tools make you start from scratch if your connection drops mid-exploitation. Ghauri was built by someone who got tired of losing hours of enumeration progress.

Context

SQL injection remains one of the most critical web vulnerabilities despite decades of awareness, consistently ranking in OWASP's Top 10. While SQLMap has dominated the automated exploitation landscape since 2006, penetration testers face real-world friction: sessions that can't be resumed after network interruptions, cumbersome syntax for complex injection contexts, and workflows that don't align with modern testing methodologies involving Burp Suite request captures.

Ghauri emerged from this frustration—a Python-based framework designed for the contemporary penetration tester who works with request files, needs reliable session management, and wants a tool that handles JSON/XML injection contexts without gymnastics. With nearly 4,000 stars and active maintenance, it represents a generational shift in SQL injection tooling: moving from comprehensive feature bloat toward targeted usability for common testing scenarios.

Technical Insight

Ghauri's architecture centers on a stateful detection engine that systematically fingerprints targets through a cascade of injection techniques. The tool starts with boolean-based blind injection (the most reliable but slowest), then attempts error-based extraction (fastest when available), time-based blind (for heavily filtered contexts), and finally stacked queries for privilege escalation scenarios. This isn't revolutionary, but Ghauri's implementation of session persistence sets it apart.

The session management system serializes the entire exploitation state—detected injection point, successful payload patterns, DBMS fingerprint, and extraction progress—into a JSON session file. When resuming, Ghauri reconstructs the exact exploitation context without re-running detection:

# Example session resume workflow
python ghauri.py -u "https://target.com/page?id=1" --resume

# Behind the scenes, Ghauri loads:
# - Injection type: boolean-based blind
# - Payload prefix: "' AND "
# - Payload suffix: " AND '1'='1"
# - Current extraction: databases enumerated, currently dumping 'users' table
# - Progress: 127/500 rows extracted

This stateful approach proves invaluable during time-based blind injections, which can take hours. Drop your VPN connection 3 hours into dumping a table? Resume exactly where you left off instead of restarting.

The payload generation engine demonstrates intelligent context awareness. When you feed Ghauri a raw HTTP request file (exported from Burp Suite or similar), it automatically identifies potential injection points across parameters, headers, and cookies. For JSON contexts, it correctly handles nested object properties:

# Example: Testing JSON payload injection
python ghauri.py -r request.txt --data '{"user":{"id":"1*","role":"admin"}}' --batch

# Ghauri parses the JSON structure and tests:
# {"user":{"id":"1' AND 1=1 AND '1'='1","role":"admin"}}
# Rather than naive string concatenation that breaks JSON syntax

The tool maintains JSON validity while injecting, wrapping payloads appropriately and escaping quotes—a detail that matters when targeting modern APIs that strictly validate content types.
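An added example (not Ghauri's implementation) of the JSON-aware substitution described above, using the page's `*` marker convention: the naive version splices the test value into the raw body as text, while the structured version walks the parsed document and re-serializes it, so a value containing a double quote is escaped instead of breaking the body. The request body and the `x"y` test value are constructed for the demo.

```python
import json

def inject_naive(raw_body, marker, payload):
    """Plain text substitution of the marker: breaks the body as soon as
    the payload contains a '"' or other character JSON must escape."""
    return raw_body.replace(marker, payload, 1)

def inject_structured(raw_body, payload):
    """Replace the '*' marker inside the parsed JSON and re-serialize, so the
    body stays valid regardless of which characters the payload contains."""
    def walk(node):
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str) and "*" in node:
            return node.replace("*", payload, 1)
        return node
    # Compact separators reproduce the byte-for-byte form shown in the article
    return json.dumps(walk(json.loads(raw_body)), separators=(",", ":"))

def is_valid_json(text):
    """What a strict API front end checks: does the body parse at all?"""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False
```

The point for defenders: a body produced by the structured path passes content-type and schema checks, so validity of the JSON says nothing about the safety of the string values inside it.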

For database enumeration, Ghauri employs adaptive extraction algorithms based on injection type. Boolean-based blind extraction uses binary search for character discovery rather than sequential iteration, reducing the number of requests from 95 per character (for printable ASCII) to approximately log₂(95) ≈ 7 requests:

# Conceptual implementation of Ghauri's binary search approach
# (send_payload is a stand-in for "inject this condition and return True if the
#  response matched the 'true' baseline"; 'column' is a placeholder column name)
def extract_character_position(position, table_name):
    low, high = 32, 126  # Printable ASCII range
    while low <= high:
        mid = (low + high) // 2
        payload = f"' AND ASCII(SUBSTRING((SELECT column FROM {table_name}),{position},1))>{mid}--"
        if send_payload(payload):   # condition true: the character is above mid
            low = mid + 1
        else:                       # condition false: the character is at or below mid
            high = mid - 1
    # The loop exits with low == high + 1 == the ASCII value of the character
    return chr(low)

This optimization dramatically accelerates blind injection exploitation, though it still requires patience—extracting a 100-character database name at 2 seconds per request (conservative for time-based) takes roughly 23 minutes with binary search versus 5+ hours with sequential iteration.
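The following Python is an added illustration, not Ghauri's code, that ties together the two mechanisms discussed above (session persistence and per-character binary search) against a local stand-in oracle: each character costs 6 or 7 oracle queries, progress is checkpointed to a JSON session file after every character so a simulated dropped connection resumes without redoing work, and `estimate_seconds` carries the article's cost arithmetic. The secret string, the oracle and the session layout are constructed for the demo; the same 6-to-7-requests-per-character rhythm is what such extraction looks like in a server's access log.

```python
import json
import math
import os

# Constructed secret that the simulated oracle "holds"; a real run would be querying a target.
SECRET = "information_schema"

class SimulatedOracle:
    """Stand-in for the boolean oracle ('is ASCII(char at position) > mid?') that counts
    requests and can raise after N of them to mimic a dropped connection."""
    def __init__(self, secret, drop_after=None):
        self.secret, self.drop_after, self.requests = secret, drop_after, 0

    def greater_than(self, position, mid):
        if self.drop_after is not None and self.requests >= self.drop_after:
            raise ConnectionError("simulated VPN drop")
        self.requests += 1
        return ord(self.secret[position - 1]) > mid

def extract_char(oracle, position):
    """Binary search over printable ASCII: 6 or 7 oracle queries per character."""
    low, high = 32, 126
    while low <= high:
        mid = (low + high) // 2
        if oracle.greater_than(position, mid):
            low = mid + 1
        else:
            high = mid - 1
    return chr(low)

def load_session(path):
    """Session file mirrors what Ghauri records: technique plus extraction progress."""
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"technique": "boolean-based blind", "extracted": ""}

def extract_with_session(oracle, length, session_path):
    """Checkpoint after every character, so an interruption loses at most one."""
    state = load_session(session_path)
    for position in range(len(state["extracted"]) + 1, length + 1):
        state["extracted"] += extract_char(oracle, position)
        with open(session_path, "w") as f:
            json.dump(state, f)
    return state["extracted"]

def estimate_seconds(chars, seconds_per_request, sequential=False):
    """Cost model from the article: 95 requests/char sequential vs ceil(log2 95) = 7."""
    per_char = 95 if sequential else math.ceil(math.log2(95))
    return chars * per_char * seconds_per_request
```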

Ghauri's multi-threading implementation allows concurrent extraction of different data types (database names, table names, column names) when multiple injection points exist or when using techniques like UNION-based that support simultaneous queries. The --threads flag controls concurrency, though stability varies:

# Extract all databases using 5 concurrent threads
python ghauri.py -u "https://target.com/page?id=1" --dbs --threads 5 --batch

The request handling layer includes production-grade features: custom proxy support (critical for routing through Burp), randomized User-Agent rotation, configurable delays between requests (to avoid rate limiting), and automatic retry logic with exponential backoff. The --flush-session flag clears cached session data when you need fresh fingerprinting after the target changes.

Gotcha

Ghauri's experimental features carry significant caveats. The SQL shell mode, which provides an interactive interface for executing arbitrary queries through the injection point, works inconsistently across DBMS types and injection techniques. Time-based blind injections make the shell practically unusable—each query character takes seconds to extract, turning simple SELECTs into minute-long waits. The feature works reliably only with error-based or UNION injections where response extraction is immediate.

Microsoft Access support remains severely limited. While Ghauri can fingerprint Access databases through boolean-based blind techniques, full exploitation capabilities aren't implemented. You'll successfully identify "Yes, this is MS Access," then hit a wall when attempting database enumeration or data extraction. This matters for penetration testers targeting legacy enterprise applications still running Access backends.

The bulk scanning functionality (--list flag for multiple targets) lacks sophisticated rate limiting or failure isolation. One unresponsive target can stall the entire queue, and there's no built-in reporting to aggregate results across multiple hosts. You're better off scripting your own wrapper with proper error handling if scanning dozens of endpoints.

WAF evasion remains Ghauri's most glaring gap compared to SQLMap. There's no equivalent to SQLMap's extensive tamper script library (space2comment, randomcase, etc.), no automatic encoding chain attempts, and limited options for bypassing signature-based detection. Against modern WAFs from Cloudflare, Imperva, or AWS WAF, Ghauri often fails where SQLMap's mature evasion techniques succeed. The tool works excellently against unprotected applications or basic filtering, but sophisticated defenses require manual payload crafting that defeats the purpose of automation.

Verdict

Use if: You're conducting penetration tests against modern web applications with JSON/XML APIs, need reliable session resumption for long-running blind injections, work primarily from Burp Suite request captures, and target environments without advanced WAFs. Ghauri's user experience improvements over SQLMap—particularly session management and request file parsing—provide genuine productivity gains for these scenarios.

Skip if: You need battle-tested reliability for critical security assessments (SQLMap's maturity matters), require advanced WAF bypass capabilities, need to exploit Microsoft Access beyond fingerprinting, or depend on stable experimental features like interactive SQL shells. Also skip if your workflow requires extensive DBMS-specific exploitation beyond data extraction—Ghauri optimizes for the 80% use case of "dump the database," not the edge cases of privilege escalation or OS command execution that SQLMap handles comprehensively.