Duncan - Blind SQL injector skeleton
Failed to load latest commit information.
duncan.py Allowing command line parameters to be passed to modules May 15, 2015
run_duncan.py removed unnecessary list creation May 4, 2016


Duncan - Blind SQL injector skeleton

"I may be blind, but there are some things I still see."

There are moments in life when automated SQL injection tools are overcomplicating their task, become hard or impossible to properly configure but writing and debugging your own specialized exploit still seems like a lot of trouble. How nice would it be if you had most of the boiler plate ready and had to write only the "interessting" parts of the sploit?

Duncan is a skeleton to implement custom blind SQL injection exploits. It implements binary search and supports multi-threading.

You should implement Duncan.decide() for yourself in accordance with the provided comments. In a typical HTTP(S) scenario I prefer Requests, but you can implement your exploit over arbitrary protocol, Duncan only provides some platform (protocol, DBMS, OS ...) independent boiler plate.

Code Examples

You can find some basic examples in duncansamples.py

Command Line Examples

Basic usage

run_duncan.py --use mymodule.MyDuncan --query "select version()"

Streching the window

By default we look for the first 5 characters of the result. You can expand this:

run_duncan.py --use mymodule.MyDuncan --query "select version()" --pos-end 10

Or you can look up specific parts of the output:

run_duncan.py --use mymodule.MyDuncan --query "select version()" --pos-begin 10 --pos-end 20

Duncan starts an individual thread for each tested character position, so large windows can result in high load at server side.

Strictly typed database backends


run_duncan.py --use mymodule.MyDuncan --query "select cast(123 as char)"

Limited charset

run_duncan.py --use mymodule.MyDuncan --query "SELECT some_hex_value FROM t" --charset 0123456789abcdef

Charset characters can be duplicated and be provided in arbitrary order.

Custom charset

Only test uppercase letters:

run_duncan.py --use mymodule.MyDuncan --query "SELECT some_hex_value FROM t" --ascii-start 64 -ascii-end 91

Further info

run_duncan.py -h
cat duncan.py


  • Samples for optimized test strategies