User-Agent , X-Forwarded-For and Referer SQLI Fuzzer made with python
Works on linux and unix based systems

Legal Disclaimer Usage of userefuzz for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Installation

pip

sudo pip install userefuzz

setup

git clone https://github.com/root-tanishq/userefuzz
cd userefuzz
sudo python3 setup.py install

Usage

Parsing URLs

Parsing a list of URLs

$ userefuzz -l <LIST>

Parsing a URL

$ userefuzz -u <URL>

Parsing stdin URLs

$ <STDIN LIST> | userefuzz

Use -v switch for verbose(includes non-vuln detected URLs) output

Multi Processing

Multi Processing will create more process and will increase the speed of the tool.

$ userefuzz <LIST / URL> -w <WORKER COUNT>

Proxy Interception And Custom Injection

Proxy interception of vulnerable request

$ userefuzz <LIST/URL> -p <PROXY>

Custom message in request

$ userefuzz <LIST/URL> -m <MESSAGE>

Custom payload with custom sleep

Replace sleep time with $UFZ$ variable for double verification of userefuzz

$ userefuzz <LIST/URL> -i <CUSTOM SQLI PAYLOAD> -s <SLEEP COUNT IN THE PAYLOAD>

Multi payload with custom sleep

Replace sleep time with $UFZ$ variable for double verification of userefuzz

$ userefuzz <LIST/URL> -i <SQLI PAYLOAD FILE> -s <SLEEP COUNT IN THE PAYLOAD>

Custom header injection

$ userefuzz <LIST/URL> -ch <CUSTOM HEADER NAME>

Multi header injection

For multiple headers use | as shown below.

$ userefuzz <LIST/URL> -ch <CUSTOM HEADER NAME|OTHER HEADERS> 

Output

Markdown output

$ userefuzz <LIST/URL> -o <OUTPUT FILE NAME WITHOUT EXT>

Output file content