# 🛡️ Shastra
**Shastra** is a powerful and flexible SQL Injection (SQLi) scanner and static analyzer built using [Playwright](https://playwright.dev/), with support for dynamic form fuzzing, header injection, parameter tampering, and optional static code analysis via Bandit.
## ⚙️ Features
- 🔎 Dynamic SQL Injection detection using full browser emulation (Playwright)
- 🧪 Automatic fuzzing of:
  - Query parameters
  - Form inputs
  - HTTP headers
  - URL path
- 🐛 Optional static analysis of Python source using Bandit
- 🧰 Customizable payloads and error signature detection
- 🖥️ Debug mode to dump raw HTTP requests/responses
- 📦 JSON output for easy reporting or integration
- 🎨 Colorful terminal output with [Rich](https://github.com/Textualize/rich)
---
## 🛠 Installation
### 1. Clone the Repository
```bash
git clone https://github.com/MrGreyHat07/SHASTRA.git
cd SHASTRA
```
### 2. Install Dependencies
```bash
pip install -r requirements.txt
playwright install
```
---
## 🚀 Usage
Scan a single URL:
```bash
python shastra.py -u https://example.com/page.php?id=1
```
Scan a list of URLs read from a file:
```bash
python shastra.py -l urls.txt
```
Write the results to a JSON file:
```bash
python shastra.py -u https://example.com -o results.json
```
Also inject payloads into named HTTP headers (`-H` can be repeated):
```bash
python shastra.py -u https://target.com -H Referer -H X-Forwarded-For
```
Scan with 5 threads and a delay between requests:
```bash
python shastra.py -l urls.txt --threads 5 --delay 0.5
```
Dump the raw HTTP requests and responses while scanning:
```bash
python shastra.py -u https://example.com --debug
```
---
## 📦 Output Format
The JSON report has two top-level keys: `dynamic` (findings from the Playwright scan) and `static` (findings from Bandit). Each dynamic finding is a four-element list: the tampered URL, the injection point, the payload that was sent, and the error signatures matched in the response.
```json
{
  "dynamic": [
    {
      "https://example.com/page.php?id=1": [
        [
          "https://example.com/page.php?id='",
          "param id",
          "'",
          ["error signature"]
        ]
      ]
    }
  ],
  "static": [
    {
      "filename": "somefile.py",
      "line_number": 23,
      "issue_text": "Possible SQL injection via string-based query construction",
      ...
    }
  ]
}
```
---
## 🧰 Customization
The payloads and error signatures are plain lists in `shastra.py`. To change the payloads, edit the `SQL_PAYLOADS` list:
```python
SQL_PAYLOADS = ["'", "''", "--", "-- OR 1=1", "--1=1"]
```
To change which strings in a response are treated as a database error, edit the `ERROR_SIGNS` list. Keep the entries specific: a broad signature such as `mysql` will also match pages that merely mention the database product, so compare suspicious responses against the untampered page before trusting a hit.
```python
ERROR_SIGNS = ["sql syntax", "mysql", "ora-", "syntax error", "unclosed quotation"]
```
---
## ⚠️ Disclaimer
Shastra is intended for ethical and legal use only. Do not use it on websites or systems you do not own or have explicit permission to test. Unauthorized usage may be illegal.
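How the error-based detection described under Features and Customization fits together, as an added illustration written for this page. It is not Shastra's own code: the `fake_fetch` stand-in for the browser, its response bodies, the `"header X"` label for header findings and the helper names are all assumptions constructed for the example. Every query parameter, and every header named in the spirit of `-H`, is replaced by each payload in turn, and a response counts as a hit only when it contains an `ERROR_SIGNS` entry that the untampered baseline response does not, which is what keeps the `MySQL` footer on the sample page from being reported. Findings are emitted in the four-element shape the `dynamic` section of the report uses.

```python
# Added example (not Shastra's implementation): parameter tampering, header
# injection and error-signature matching with baseline suppression.
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Same defaults the README shows for shastra.py
SQL_PAYLOADS = ["'", "''", "--", "-- OR 1=1", "--1=1"]
ERROR_SIGNS = ["sql syntax", "mysql", "ora-", "syntax error", "unclosed quotation"]


def tamper_query(url, param, payload):
    """Return `url` with the value of query parameter `param` replaced by
    `payload` (percent-encoded, so ?id=1 becomes ?id=%27 for a quote)."""
    parts = urlsplit(url)
    query = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_cases(url, headers=()):
    """Yield (test_url, location, payload, extra_headers) for every query
    parameter and every header name in `headers`, times every payload."""
    params = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    for payload in SQL_PAYLOADS:
        for p in params:
            yield tamper_query(url, p, payload), f"param {p}", payload, {}
        for h in headers:                       # header label is an assumption
            yield url, f"header {h}", payload, {h: payload}


def matched_signatures(body, baseline=""):
    """Error signatures present in `body` but absent from the untampered
    `baseline` response. Without the baseline, a page whose footer says
    'Powered by MySQL' would be flagged on every request."""
    body_l, base_l = body.lower(), baseline.lower()
    return [s for s in ERROR_SIGNS if s in body_l and s not in base_l]


def scan(url, fetch, headers=()):
    """Run every fuzz case through `fetch(url, extra_headers) -> body` and
    return {url: [[test_url, location, payload, [signatures]], ...]}, the
    shape of one entry in the README's `dynamic` list."""
    baseline = fetch(url, {})
    findings = []
    for test_url, location, payload, extra in build_cases(url, headers):
        signs = matched_signatures(fetch(test_url, extra), baseline)
        if signs:
            findings.append([test_url, location, payload, signs])
    return {url: findings}


def fake_fetch(url, headers):
    """Constructed stand-in for the Playwright browser (no network). The page
    always mentions MySQL in its footer, and leaks a database error when the
    `id` parameter or the X-Forwarded-For header carries an unbalanced quote."""
    footer = "<p>Powered by MySQL</p>"
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    xff = headers.get("X-Forwarded-For", "")
    if query.get("id", "").count("'") % 2 == 1 or xff.count("'") % 2 == 1:
        return "You have an error in your SQL syntax near ''' at line 1" + footer
    return "<h1>Item 1</h1>" + footer


if __name__ == "__main__":
    report = scan("https://example.com/page.php?id=1", fake_fetch,
                  headers=("Referer", "X-Forwarded-For"))
    print(json.dumps({"dynamic": [report]}, indent=2))
```

Against the constructed page this reports two hits, both for the single-quote payload: one on `param id` and one on `header X-Forwarded-For`, each matching only `sql syntax` because `mysql` is already present in the baseline. Note the limits of this oracle: it only sees applications that echo database errors into the response, so a target that swallows errors (blind or time-based injection) needs a different signal than string matching.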
---
## 👤 Author
Shastra is developed by mrgreyhat07. Contributions, ideas, and pull requests are welcome!