Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

Duncan - Blind SQL injector skeleton

"I may be blind, but there are some things I still see."

There are moments in life when automated SQL injection tools are overcomplicating their task, become hard or impossible to properly configure but writing and debugging your own specialized exploit still seems like a lot of trouble. How nice would it be if you had most of the boiler plate ready and had to write only the "interessting" parts of the sploit?

Duncan is a skeleton to implement custom blind SQL injection exploits. It implements binary search and supports multi-threading.

You should implement Duncan.decide() for yourself in accordance with the provided comments. In a typical HTTP(S) scenario I prefer Requests, but you can implement your exploit over arbitrary protocol, Duncan only provides some platform (protocol, DBMS, OS ...) independent boiler plate.

Code Examples

You can find some basic examples in

Command Line Examples

Basic usage --use mymodule.MyDuncan --query "select version()"

Streching the window

By default we look for the first 5 characters of the result. You can expand this: --use mymodule.MyDuncan --query "select version()" --pos-end 10

Or you can look up specific parts of the output: --use mymodule.MyDuncan --query "select version()" --pos-begin 10 --pos-end 20

Duncan starts an individual thread for each tested character position, so large windows can result in high load at server side.

Strictly typed database backends

Like MSSQL: --use mymodule.MyDuncan --query "select cast(123 as char)"

Limited charset --use mymodule.MyDuncan --query "SELECT some_hex_value FROM t" --charset 0123456789abcdef

Charset characters can be duplicated and be provided in arbitrary order.

Custom charset

Only test uppercase letters: --use mymodule.MyDuncan --query "SELECT some_hex_value FROM t" --ascii-start 64 -ascii-end 91

Further info -h


  • Samples for optimized test strategies


Duncan - Blind SQL injector skeleton




No releases published


No packages published


You can’t perform that action at this time.