Dark Reading

Slide Show: 10 SQL Injection Tools For Database Pwnage

Black hat hackers and pen testers alike use these tools to dump data, perform privilege escalations, and effectively take over sensitive databases

Developed by Portcullis Labs, BSQL Hacker is an automated SQL injection framework that facilitates blind SQL injection, time-based blind SQL injection, deep blind SQL injection and error-based SQL injection attacks. Attacks can be automated against Oracle and MySQL databases, with the ability to automatically extract all database data and schemas.

An open source tool, The Mole can bypass some IPS/IDS systems using generic filters. It is able to detect and exploit injections using only a vulnerable URL and a valid string on the site, using union or Boolean query techniques. The command-line tool offers support for attacks against MySQL, SQL Server, Postgres and Oracle databases.

Produced by NOSEC, the same firm that wrote the JSky tool, Pangolin is a thorough SQL injection testing tool with a user-friendly GUI and a wide base of support for just about every database on the market. Used primarily by the white hat community as a comprehensive pen test tool, Pangolin offers its users the capability to fingerprint the database management system, enumerate users, dump table and column information and run their own SQL statements.

A self-proclaimed automatic SQL injection and database takeover tool, the open source sqlmap tool sports the ability to attack via five different SQL injection techniques, or directly if the user has DBMS credentials, IP address, port and database name. It can enumerate users and password hashes, with inline support to crack them with a dictionary-based attack, and supports privilege escalation through Metasploit's getsystem command. It offers the ability to dump database tables and, for MySQL, PostgreSQL or SQL Server, to download and upload any file and execute arbitrary code.

A popular tool used by black hats worldwide, Havij was developed by Iranian coders who named it for the Farsi word for carrot, a moniker that doubles as slang for the male appendage. With a simple GUI, Havij brags about a success rate of 95 percent at injecting vulnerable targets on MySQL, Oracle, PostgreSQL, MS Access and Sybase databases. In addition to being able to perform a back-end fingerprint, retrieve usernames and password hashes, dump tables and columns, fetch data and run SQL statements on vulnerable systems, it can also access the underlying file system and execute commands on the operating system.

Unlike many automated tools designed for users with less than abundant technical knowledge, Enema isn't autohacking software, according to its developer, "mastermind." As mastermind says, "This is dynamic tool for people, who knows what to do." Grammatical issues notwithstanding, the tool gives users the ability to customize queries and use plugins to automate attacks against SQL Server and MySQL databases, using error-based, Union-based and blind time-based injection attacks.

Sqlninja's developer, icesurfer, puts it best explaining his creation: "Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!" Targeted at SQL Server environments, the tool offers database fingerprinting, privilege escalation, and all the tools necessary to gain remote access to a database vulnerable to injection attacks.

An open source MySQL injection and takeover tool, sqlsus runs with a command line interface and lets users inject their own SQL queries, download files from the attached Web server, crawl the website for writable directories, clone databases and upload and control backdoors.

Widely known as one of the easiest-to-use SQL injection automation tools circulating the Internet, Safe3 SI offers a set of features that enable automatic detection and exploitation of SQL injection flaws and eventual database server takeover. The tool recognizes the database type and finds the best method of SQL injection, with support for blind, error-based, UNION query and force-guess injection techniques. It supports MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase and SAP MaxDB, with the ability to read, list and write any file when the DBMS is MySQL or SQL Server, and support for arbitrary command execution on SQL Server and Oracle.

A SQL injection scanner/hunter tool, SQL Poizon takes advantage of search engine "dorks" to trawl the Internet for sites with SQL injection vulnerabilities. The tool has a built-in browser and injection builder to carry out an injection and check its impact. Its simple GUI provides an easy interface to carry out an attack without a deep technical knowledge base.
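Every tool in the slideshow automates the same underlying defect: an application that splices user input into a SQL string. The following added example is not from Dark Reading or from any of the tools above; it shows that defect beside its parameterized fix in SQLite, and a small classifier that tags request-log lines with the technique classes the slides name (union-based, Boolean-based blind, time-based blind, error-based). The schema, rows, log lines and regex patterns are constructed for the demonstration and are deliberately narrower than a production WAF or SIEM rule set.

```python
"""Added example (not from the Dark Reading slideshow): the query-building flaw
the listed tools automate, its parameterized fix, and a small log classifier
for the injection technique classes the slides name. Schema, rows and log
lines are constructed for this demo."""
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """In-memory SQLite with a public catalogue table and a users table.
    Constructed sample data, not from any real application."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
        CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'mug', 1), (2, 'unreleased', 0);
        """
    )
    return conn


def lookup_vulnerable(conn, title):
    """Builds the statement by string concatenation, so user input becomes SQL
    syntax. This is the defect automated tools probe for with union- and
    Boolean-based payloads; the public = 1 filter is what an attacker defeats."""
    sql = "SELECT title FROM products WHERE public = 1 AND title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, title):
    """Same query with a bound parameter: the driver passes the input as data,
    so quotes, UNION or comment markers in it never change the statement."""
    sql = "SELECT title FROM products WHERE public = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


# Technique classes named in the slides, keyed to request-level indicators.
# Order matters: more specific classes are checked before the generic
# Boolean pattern. Constructed for this demo; a real rule set is broader.
TECHNIQUE_PATTERNS = {
    "union-based": re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    "time-based blind": re.compile(
        r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "boolean-based blind": re.compile(
        r"\b(and|or)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
}


def classify_request(log_line):
    """Return the technique class a request resembles, or None.
    The line is URL-decoded first, since encoded payloads are the norm."""
    decoded = unquote_plus(log_line)
    for name, pattern in TECHNIQUE_PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None


def scan_log(lines):
    """Return [(line, technique)] for every line that matched a class."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((line, label))
    return hits


# Constructed access-log lines (not real traffic); the last one is benign
# text containing the word "and", to show the Boolean pattern needs a comparison.
SAMPLE_LOG = [
    "10.0.0.5 GET /product?title=mug 200",
    "10.0.0.9 GET /product?title=x%27+UNION+SELECT+name+FROM+users-- 200",
    "10.0.0.9 GET /product?title=mug%27+AND+1=1-- 200",
    "10.0.0.9 GET /product?title=mug%27+AND+SLEEP%285%29-- 200",
    "10.0.0.5 GET /search?q=coffee+and+tea 200",
]

if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print(lookup_vulnerable(db, probe))      # concatenation leaks the non-public row
    print(lookup_parameterized(db, probe))   # bound parameter: []
    for line, technique in scan_log(SAMPLE_LOG):
        print(technique, "<-", line)
```

The parameterized lookup returns an empty list for the same inputs that make the concatenated version leak the non-public row or the users table, which is the whole mitigation: once input is bound rather than spliced, none of the five sqlmap techniques has anything to work with. The classifier is a triage aid for reviewing access logs after a scan, not a substitute for fixing the query.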

4/16/2013 | 2:59:05 AM
re: Slide Show: 10 SQL Injection Tools For Database Pwnage
It is an automated SQL injection framework. LF353

4/12/2012 | 6:40:49 AM
re: Slide Show: 10 SQL Injection Tools For Database Pwnage
Some tips for fighting SQL injections:
Brian Prince, InformationWeek/Dark Reading Comment Moderator