sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.
Databases supported:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- Mysql
- IBM Informix
- Sybase
- Hsqldb
- Mime
- Pervasive
- Virtuoso
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2
- Mckoi
- Ingres
- MonetDB
- MaxDB
- ThinkSQL
- SQLBase
Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magicquotes: encode every string using db CHR function or similar.
- Convert requests to hexadecimal values
- Avoid non-space replacing for /**/ or (\t) tab
- Avoid non || or + concatenation using db concat function or similar.
- Random user-agent
- Random proxy-server
- Random delay request
Common features:
- Database schemate download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in csv format
You can find a demo here bypassing IBM ISS Proventia IPS:
ISR sqlget ISS Proventia Bypass
And you can download sqlget here:
Or read more here.
Subscribe to Darknet RSS Feed Stored in: Database Hacking, Hacking Tools, Web Hacking
Related Posts:
- Bsqlbf V2 - Blind SQL Injection Brute Forcer Tool
- bsqlbf 1.1 - Blind SQL Injection Tool
- FG-Injector - SQL Injection & Proxy Tool
- BSQL Hacker - Automated SQL Injection Framework
- Absinthe Blind SQL Injection Tool/Software
- SQLBrute - SQL Injection Brute Force Tool
| 5,095 views |
Lovely. Another fine toy to play with.
Thanks Chap(s/ettes).
Yah I like the evasion features of this one, you can really tell it’s written by a pen-tester
No chapettes here tho heh.
One must not assume.
Again the flash example is quite instructive. Great for just jumping in and having a bash. The README contains plenty of info also.
The flash player it’s running in is also good. Not having a complete mental when you drag it fore & back in time. Some of them are rubbish.
well it sounds promising, I’ll have to try it out….
I am going to check this out. Let’s see if it crashes my site.
seems to be a good tool with such a long list of supported databases. ill check this one out..
Hi Guys
anybody tried this out? I did but sorry to say that I didnt find it much impressive. although it offers a great database support and some nice features such as proxy server supoort and ssl support.
But i found OWASP sqlix better than this. better results…
let me know if your opinion differs from me…
I didn’t even succeed with the compilation of it :-\