SQL Injection

ISR-sqlget

http://www.infobyte.com.ar/development.html

ISR-sqlget: a blind SQL injection tool developed in Perl. It lets you retrieve database schemas and table rows. Using a single GET/POST request you can quietly access the database structure, and using a single GET/POST request you can dump every table row to a CSV-like file.

Databases supported:

- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- MySQL
- IBM Informix
- Sybase
- HSQLDB (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- InterBase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- McKoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)

Evasion features:

- Full-width/half-width Unicode encoding
- Apache non-standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP magic quotes: encode every string using the DB CHR function or similar
- Convert requests to hexadecimal values
- Avoid spaces by replacing them with /**/ or a tab (\t)
- Avoid || or + concatenation by using the DB CONCAT function or similar
- Random User-Agent
- Random proxy server
- Random request delay

Common features:

- Database schema download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in CSV format

Reporting:

- Database structure graphing to create impact executive reports (requires the Graphviz library, http://www.graphviz.org/)

Demo:

- Demo features (bypassing IBM ISS Proventia IPS):

http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html

Pixy

http://pixybox.seclab.tuwien.ac.at/pixy/

The Secure Systems Lab at the Technical University of Vienna has released the newest version of Pixy, an open-source vulnerability scanner. Here are some of the highlights:

* Detection of SQL injection and XSS vulnerabilities in PHP source code
* Automatic resolution of file inclusions
* Computation of dependence graphs that help you understand the causes of reported vulnerabilities
* Static analysis engine (flow-sensitive, interprocedural, context-sensitive)
* Platform-independent (written in Java)

Priamos

http://www.priamos-project.com/whatis.htm

Priamos is a powerful SQL injector and scanner. You can search for SQL injection vulnerabilities and inject the vulnerable string to get all database, table and column data with the injector module.

Absinthe

http://www.0x90.org/releases/absinthe/

Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to blind SQL injection.

Absinthe does not aid in the discovery of SQL injection holes. This tool will only speed up the process of data recovery.

Features:

  • Automated SQL injection
  • Supports MS SQL Server, MSDE, Oracle, Postgres
  • Cookies / additional HTTP headers
  • Query termination
  • Additional text appended to queries
  • Supports use of proxies / proxy rotation
  • Multiple filters for page profiling
  • Custom delimiters

bsqlbf 1.1 - Blind SQL Injection Tool

http://www.514.es/html/2006/04/05

The author says there are similar tools about, but he's tried to combine all the techniques into one compact but complete tool.

Note: the website where the tool is located is in Spanish.

Bobcat

http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html

Bobcat is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It is based on a tool named "Data Thief" that was published as a PoC by AppSecInc. Bobcat can list the linked servers and database schema, and allows the retrieval of data from any table that the current application user has access to.

The methods that Bobcat incorporates are based on those discussed in the following papers:

  • Advanced SQL Injection
  • More Advanced SQL Injection
  • Advanced SQL Injection
  • Manipulating SQL Server Using SQL Injection

sqlmap

http://sqlmap.sourceforge.net/

sqlmap is an automatic blind SQL injection tool, developed in Python, capable of performing an active database management system fingerprint, enumerating entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantage of web application programming security flaws which lead to SQL injection vulnerabilities.

SQLPing

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

GUI version of SQLPing that also includes IP range scanning and brute-force password checking. On a large development network, put the network broadcast address in the discovery form. How many SQL Servers can you find?

SQLRecon

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

SQLRecon performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLRecon is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret out servers you never knew existed on your network so you can properly secure them. .NET Framework v1.1 required. (Note: due to .NET policy restrictions on most computers, you'll need to execute the sqlrecon.exe program from a local drive in order to get the full functionality.)

Documentation available at:

http://www.specialopssecurity.com/labs/sqlrecon

Vulnerability Scan Script

http://www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx

This is a vulnerability scanning script submitted by Carlos Perez. It scans your SQL Server instance looking for misconfigurations or insecure settings that you should investigate.

SQID

http://sqid.rubyforge.org/

SQL Injection Digger is a command line program that looks for SQL injections and common errors in websites. It can perform the following operations:

  • Look for SQL injection in a webpage, by looking for links.
  • Submit forms in a webpage to look for SQL injection.
  • Crawl a website to perform the above listed operations.
  • Perform a Google search for a query and look for SQL injections in the URLs found.

SQID is written in Ruby and additionally requires the http-access2 module for operation.
SQID is extensible by adding more signatures to its database (sqid.db). The signatures simply use regular expressions.
The current version looks for SQL injections and common errors in website URLs found by performing a Google search. The use of the Google Search SOAP API has been removed because keys are no longer issued; it now performs the search directly over the web.

SQLBrute

http://www.securiteam.com/tools/5IP0L20I0E.html

SQLBrute – multi-threaded blind SQL injection bruteforcer

WebGoat

http://www.owasp.org/software/webgoat.html

WebGoat is written in Java and therefore installs on any platform with a Java Virtual Machine. There are automated installers for Linux, OS X Tiger and Windows.

Current lessons include:

  • Cross site scripting
  • SQL injection
  • Thread safety
  • Hidden form field manipulation
  • Parameter manipulation
  • Weak session cookies
  • Fail open authentication
  • Dangers of HTML comments
  • Web services lessons
  • Blind SQL lesson
  • Weak session identifier lesson
  • Split SQL lesson into numeric and string SQL lessons
  • Added parameterized query stage to SQL lessons
  • Additional stage for basic authentication lesson
  • Summary report card for multi-user environment

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License