RSS Feed for This PostCurrent Article

SQL Injection Tool

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.

image

Features

  • Supported on Windows, Unix and Linux operating systems
  • SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
  • SSL support
  • Load automatically the parameters from a form or a IFrame on a web page (GET or POST)
  • Detect and browse the framesets
  • Option that auto detects the language of the web site
  • Detect and add cookies used during the Load Page process (Set-Cookie detection)
  • Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
  • Can create/modify/delete loaded string and cookies parameters directly in the Datagrids
  • Single SQL injection
  • Blind SQL injection
    • Comparison of true and false response of the page or results in the cookie
    • Time delay
  • Response of the SQL injection in a customized browser
  • Can view the HTML code source of the returned page in HTML contextual colors and search in it
  • Fine tuning parameters and cookies injection
  • Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
  • Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed
  • Multithreading (configurable up to 50)
  • Option to replace space by empty comments /**/ against IDS or filter detection
  • Automatically encode special characters before sending them
  • Automatically detect predefined SQL errors in the response page
  • Automatically detect a predefined word or sentence in the response page
  • Real time result
  • Save and load sessions in a XML file
  • Feature that automatically finds the differences between the response page of a positive answer with a negative one
  • Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
  • Automatic replaying a variable range with a predefined list from a text file
  • Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
  • Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
  • Can edit the Referer
  • Can choose a User-Agent (or even create one in the User-Agent XML file)
  • Can configure the application with the settings window
  • Support configurable proxies

Popularity: 2% [?]


Trackback URL


RSS Feed for This Post1 Comment(s)

  1. anonymous | Jun 6, 2010 | Reply

    WebCruiser – Web Vulnerability Scanner
    WebCruiser – Web Vulnerability Scanner, a compact but powerful web security scanning tool that will aid you in auditing your site! It has a Vulnerability Scanner and a series of security tools.

    It can support scanning website as well as POC( Prooving of concept) for web vulnerabilities: SQL Injection, Cross Site Scripting, XPath Injection etc. So, WebCruiser is also an automatic SQL injection tool, a XPath injection tool, and a Cross Site Scripting tool!

    Function:
    * Crawler(Site Directories And Files);
    * Vulnerability Scanner(SQL Injection, Cross Site Scripting, XPath Injection etc.);
    * POC(Proof of Concept): SQL Injection, Cross Site Scripting, XPath Injection etc.;
    * GET/Post/Cookie Injection;
    * SQL Server: PlainText/Union/Blind Injection;
    * MySQL: PlainText/Union/Blind Injection;
    * Oracle: PlainText/Union/Blind/CrossSite Injection;
    * DB2: Union/Blind Injection;
    * Access: Union/Blind Injection;
    * Post Data Resend;
    * Administration Entrance Search;
    * Time Delay For Search Injection;
    * Auto Get Cookie From Web Browser For Authentication;
    * Report Output.

    http://sec4app.com/

RSS Feed for This PostPost a Comment