Posts Tagged ‘sql injection’

splmap 0.6 released

Monday, September 1st, 2008

My friend inquis today released one of the best SQL injection tools available to the public: sqlmap.
For the ones of you that do not know this tool yet, sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

After almost a year of extensive programming I am done with complete code refactoring, many bugs fixes and many new features.
Some of the new features include:

  • Added multithreading support to set the maximum number of concurrent HTTP requests.
  • Implemented SQL shell (–sql-shell) functionality and fixed SQL query (–sql-query, before called -e) to be able to run whatever SELECT statement and get its output in both inband and blind SQL injection attack.
  • Added an option (–privileges) to retrieve DBMS users privileges, it also notifies if the user is a DBMS administrator.
  • Added support (-c) to read options from configuration file, an example of valid INI file is sqlmap.conf and support (–save) to save command line options on a configuration file.
  • Implemented support for HTTPS requests over HTTP(S) proxy.
  • Enhanced logging system: added three more levels of verbosity to show also HTTP sent and received traffic.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Database datatype comparison sheet

Sunday, July 6th, 2008

Sometimes when writing automated SQL injection tools or exploit based on SQLi vulnerabilities you can fight with the different implementation of standard SQL datatype of DBMS.
Reading a lot of documentation i wrote a  comparison sheet between datatypes used by Mysql, SQL Server, Oracle, DB2, SQLite, PostgreSQL, Sybase ASE, Firebird.
You can download Adobe Acrobat [PDF] or OpenOffice [ODS].

References:

Famola strana (la SQL Injection)

Saturday, May 3rd, 2008

Provate a pensare a tutti i sistemi di controllo del traffico autostradale quali ad esempio i famosi autovelox "Tutor" il cui funzionamento e` basato sul riconoscimento automatico della targa
di un autoveicolo. Una telecamera inquadra l’autoveicolo e un software riconosce la targa e ne interpreta i caratteri, trasformando un’immagine in un un dato che puo` essere successivamente utilizzato, nel caso la targa dell’autoveicolo.

Ora questo dato sara` utilizzato in varie elaborazione e plausibilmente in un’interrogazione ad una base dati, quindi questa cosa e` una geniata:

(Immagine presa da http://www.areino.com/hackeando/)

Rails Security: Secure your Ruby on Rails web application

Saturday, July 14th, 2007

Ruby on Rails is a great Ruby framework for rapid development of web applications.
But default Rails comes with some (in)security features that must be hardened and fixed.
And a lot of the how to and tutorials in internet that publish the sponsor “websites in 5 minutes” help people to write insecure code.
Some examples:
File permission: default Rails cames with leak permission, all can read DB config and all can read and write log files.
Sessions: session does not expire server side
Validate input: the input must be properly validated to avoid sql injection and xss
Escape output: rember to use html_escape if you display user input data
Here is some links to secure your Rails installation and secure your web application from sql injections, xss and other stuff.

Links:

Free SQL Injection Scanners

Monday, May 28th, 2007

SQLIer – SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all. Get SQLIer.

SQLbftools – SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack. Get SQLbftools.

SQL Injection Brute-forcer – SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application. Get SQLLibf.

SQLBrute – SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries. Get SQLBrute.

BobCat – BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.

SQLMap – SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities. Get SQLMap.

Absinthe – Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection. Get Absinthe.

SQL Injection Pen-testing Tool – The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.

SQID – SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities. Get SQID.

Blind SQL Injection Perl Tool – bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection. Get Blind SQL Injection Perl Tool.

SQL Power Injection Injector – SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads. Get SQL Power Injection.

FJ-Injector Framwork – FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation. Get FJ-Injector Framework.

SQLNinja – SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end database. Get SQLNinja.

Automagic SQL Injector – The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Microsoft SQL injection holes where errors are returned. Get Automagic SQL Injector.

NGSS SQL Injector – NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.