BBQSQL – for Delicious SQL Injection Testing


Official Kali Linux BBQSQL site:

BBQSQL is a Python based blind SQL injection tool to test your SQL connections on the Internet.  (why bbq? because SQL injection is delicious)

This is a bit more advanced than the SVA -(Scan Vulnerability Analysis) within the SVAPE & C

SQL injection is more like the PE portion  Penetrate Exploit(SQLi is successful with an exploit)

As the Screnshot mentions, there are many parameters to enter before one can enter 5 (Run Exploit)

In http setup parameters there are a few items you should add url of the website that hosts the sql site for one.

Allow redirects  means a Boolean value  to be entered (0 or 1)

proxies to be entered if needed

data is either a string or dictionary value

method is an http request (get, options, head, post, put, patch, delete)

cookies can be a cookie value that may be needed by the sql website.

auth is the best one – since here is where  one would add a username/password combination  like (“username”,”thepassword”)

Once all the essential http parameters are set up then we  add the sql commands in the query config parameter.

there are other parameters if needed, csv_output_file, technique(Value is a binary search), comparison attribute(Value is size), concurrency(value is 30), and hooks_file.


You can see that the actual parameters  will matter depending on the sql database to be accessed, of course one can do the basic parameters like 1=1 where if there are no safeguards set up all the data can be listed.


If you want to learn more about SQL injection here is a good site:


adding language_id HTTP cookie: -1+UNION+ALL+SELECT+

The idea is to use parameters that will obtain SQL data without authorization.


We can help test your website with SQL databases.  first with Alpha and then with Sigma Scans


Contact Us