09 July 2007 | 9,003 views

sqlget v1.0.0 – Blind SQL Injection Tool in PERL

Want to Learn Penetration Testing

sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

  • IBM DB2
  • Microsoft SQL Server
  • Oracle
  • Postgres
  • Mysql
  • IBM Informix
  • Sybase
  • Hsqldb
  • Mime
  • Pervasive
  • Virtuoso
  • SQLite
  • Interbase/Yaffil/Firebird (Borland)
  • H2
  • Mckoi
  • Ingres
  • MonetDB
  • MaxDB
  • ThinkSQL
  • SQLBase

Evasion features:

  • Full-width/Half-width Unicode encoding
  • Apache non standard CR bypass
  • mod_security bypass
  • Random uppercase request transform
  • PHP Magicquotes: encode every string using db CHR function or similar.
  • Convert requests to hexadecimal values
  • Avoid non-space replacing for /**/ or (\t) tab
  • Avoid non || or + concatenation using db concat function or similar.
  • Random user-agent
  • Random proxy-server
  • Random delay request

Common features:

  • Database schemate download blacklist
  • Cookie array support
  • SSL support
  • Proxy server support
  • Database information dumped in csv format

You can find a demo here bypassing IBM ISS Proventia IPS:


ISR sqlget ISS Proventia Bypass

And you can download sqlget here:

ISR-sqlget v.1.0.0

Or read more here.

Post to Twitter Post to Facebook Post to Google Buzz Post to Delicious Post to Digg Post to Reddit Post to StumbleUpon


Tags: , , , , , , , , , ,


# Posted in: Database Hacking, Hacking Tools, Web Hacking | * 8 Comments


Recent in Database Hacking:
- The Mole – Automatic SQL Injection SQLi Exploitation Tool
- sqlsus 0.7.1 Released – MySQL Injection & Takeover Tool
- w3af v1.1 Released For Download – Web Application Attack & Audit Framework

Related Posts:
- Bsqlbf V2 – Blind SQL Injection Brute Forcer Tool
- bsqlbf v2.3 Released – Blind SQL Injection Brute Forcing Tool
- sqlsus 0.2 Released – MySQL Injection & Takeover Tool

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 54,413 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 51,171 views
- Absinthe Blind SQL Injection Tool/Software - 35,410 views

Advertise on Darknet


8 Responses to “sqlget v1.0.0 – Blind SQL Injection Tool in PERL”

  1. gyaresu 9 July 2007 at 6:31 am Permalink

    Lovely. Another fine toy to play with.

    Thanks Chap(s/ettes).

  2. Darknet 9 July 2007 at 7:40 am Permalink

    Yah I like the evasion features of this one, you can really tell it’s written by a pen-tester :)

    No chapettes here tho heh.

  3. gyaresu 9 July 2007 at 7:48 am Permalink

    No chapettes here tho heh.

    One must not assume.

    Again the flash example is quite instructive. Great for just jumping in and having a bash. The README contains plenty of info also.

    The flash player it’s running in is also good. Not having a complete mental when you drag it fore & back in time. Some of them are rubbish.

  4. backbone 9 July 2007 at 1:16 pm Permalink

    well it sounds promising, I’ll have to try it out….

  5. SN 9 July 2007 at 8:00 pm Permalink

    I am going to check this out. Let’s see if it crashes my site.

  6. Sandeep Nain 9 July 2007 at 11:52 pm Permalink

    seems to be a good tool with such a long list of supported databases. ill check this one out..

  7. Sandeep Nain 31 July 2007 at 11:41 pm Permalink

    Hi Guys

    anybody tried this out? I did but sorry to say that I didnt find it much impressive. although it offers a great database support and some nice features such as proxy server supoort and ssl support.

    But i found OWASP sqlix better than this. better results…

    let me know if your opinion differs from me…

  8. backbone 1 August 2007 at 3:36 am Permalink

    I didn’t even succeed with the compilation of it :-\