Web Application Security

ScanQLi – Simple SQL injection Scanner with additionals


ScanQLi is a simple SQL injection scanner with somes additionals features. This tool can’t exploit the SQLi, it just detect them.

Tested on Debian 9


  • Classic
  • Blind
  • Time based
  • GBK (soon)
  • Recursive scan (follow all hrefs of the scanned web site)
  • Cookies integration
  • Adjustable wait delay between requests
  • Ignore given URLs


1. Install git tool.

apt update
apt install git

2. Clone the repo.

git clone https://github.com/bambish/ScanQLi

3. Install python required libs

apt install python-pip
cd ScanQLi
pip install -r requirements.txt

For Python 3 please install python3-pip and use pip3.


python scanqli -u [URL] [OPTIONS]


Simple URL scan with output file:

python scanqli.py -u '' -o output.log

Recursive URL scanning with cookies:

python scanqli.py -u '' -r -c '{"PHPSESSID":"4bn7uro8qq62ol4o667bejbqo3" , "Session":"Mzo6YWMwZGRmOWU2NWQ1N2I2YTU2YjI0NTMzODZjZDVkYjU="}'


ScanQLi was created to perform pentest or others legal stuffs (like bug bounty). Using ScanQLi against web site without authorization is forbidden.

I’m not responsible of your usage of ScanQLi. At your own risk.


JSMon – JavaScript Change Monitor for BugBounty

Previous article

Pentestly – Combination of Expanding Python Tools

Next article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *