HI,

To test for remote injections there is either a terminal-based or proxy-based option, but what about a third one? There are some people like myself who like form-like tools with bullet options rather than terminal tools with overwhelming parameters, I believe this new kind of tool is going to be popular especially among the beginner hackers and pentesters.

InjectBot is going to be a first release with this new idea, and it came up for now with SQLi injection vuln only to check the consent of the users to this tool. However, there is a plan to expand support for other types of injection, such as xss, xxe, rce, and others..

The current features are:

• Check only for the vulnerability.. no further checking or attack, which's helpful at the enum phase to narrow down the attack vectors, that recommended in CTF contests to avoid fake and rabbit holes.

• Fetch DBMS and system information.

• Fetch table schemas.

• Retrieve data records from the selected schema (discovered schemas from above will be saved and listed).

InjectBot designed to target three objectives:
1- High speed response and less impact on the target, leveraging some cool techniques cush as:

- Web features like session management, has helped the tool to not repeat any request to the target, so if a request send to confirm the vulnerability, it will be saved for the entire time of the user’s session with the tool, and that alone reduced a lot of connection numbers and hence reduced the impact on the target.-   
- Used multi curl functions. This function has proved by benchmarks its unbelievable speed response compared to normal curl and other functions like file_get_content or get_headers.

2- Friendly, good look interface. 

- InjectBot's front-end was built using bootstrap4, which ensures responsive and compatible application.

- Focus the script on the bullet options, and avoid the script from fetching less important schemas "such as tables inside information_schema database" to save time and resources for the user.

3- Light-weight script. 

- InjectBot doesn't use any kind of database. The data that is being processed is stored in and retrieved from PHP session only.

- It uses very clean programming practice, with classes and reduced lines techniques so the data flow is moving efficiently inside the script and hence minimizes the utilization of the resources.

Here is a quick demo showing how it works.
https://www.tariqhawis.com/img/injectbot/injectbot-demo.gif

For Installation:

The project can be cloned from its github link:
https://github.com/tariqhawis/injectbot

To run the script, simply run from terminal the file: ./run.sh
The script is now up and running, to launch it, open this url in your browser: http://localhost:11111

Please I would like to add InjectBot to Kali tools

If you have any question or need more details about the script please let me know.

Regards,
Tariq