You may remember a while back we did a Review of Acunetix Web Vulnerability Scanner 6 – the very full featured web vulnerability scanning software.

Well the latest version has been released recently with some updates, bug fixes and improvements on the web application security front.
I’m hoping to try out the AcuSensor on a PHP install [...]

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management [...]

sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…
It is designed to maximize the amount of data gathered [...]

The latest big news is that on February 6th the Kaspersky Customer Records database was hacked through a simple SQL injection flaw on the website. The hacker claimed it was possible to expose all customer data including users, activation codes, lists of bugs, admins, shot and so on. The anonymous hacker hasn’t actually posted any [...]

As you might know if you’ve been reading for some time, I do occasionally review commercial software if it’s interesting and relevant – the last one I remember doing was back in 2007 “Outpost Security Suite PRO Review“.
This time it’s for a much more relevant piece of software IMHO, and one which I actually like [...]

WITOOL is an graphical based SQL Injection Tool written in dotNET.
- For SQL Server, Oracle
- Error Base and Union Base

Interface

Features

Retrieve schema : DB/TableSpace, Table, Column, other object
Retrieve data : retrive paging, dump xml file
Log : View the raw data HTTP log

Environment
OS: Windows 2000/XP/VISTA
Requirement: Microsoft .NET(2.0) Library (Download Here).

You can download WITOOL v0.1 here:
WITOOL_V0.1_081231.zip
Or read more [...]

Another big flaw has been discovered in Microsoft software just a few days after they broke their patch cycle to issue a patch for the IE bug that allowed remote code execution.
This time however it doesn’t really effect home users or the general consumer, it’s a more specific server side vulnerability affecting Microsoft SQL Server [...]

You might remember a while ago we posted about MultiInjector which claims to the first configurable automatic website defacement tool, it got quite a bit of interest and shortly after that it was updated. Anyway, good or bad I think people deserve to know what is out there.

Features

Receives a list of URLs as input
Recognizes the [...]

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back end database management system [...]

sapyto is the first SAP Penetration Testing Framework, sapyto provides support to information security professionals in SAP platform discovery, investigation and exploitation activities.
sapyto is periodically updated with the outcome of the deep research on the various security aspects in SAP systems.

Although sapyto is a versatile and powerful tool, it is of major importance for it [...]

MultiInjector claims to the first configurable automatic website defacement software, I’m not sure if that’s a good thing – or a bad thing.
But well here it is anyway.

Features

Receives a list of URLs as input
Recognizes the parameterized URLs from the list
Fuzzes all URL parameters to concatenate the desired payload once an injection is successful
Automatic defacement – [...]

Google hacking was the big thing back in 2004, I actually did a talk on it in Hack in the Box 2004, it’s resurfaced again as a serious threat with Google noticing more queries relating to things like social security numbers.
The Google Hacking Database has been active for years now and there are hundreds of [...]

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, [...]

BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.
It ships with Automated Attack modules which allows the dumping of whole databases for the following DBMS:

MS-SQL Server

ORACLE
MySQL (experimental)

Attack Templates for:

MS Access
MySQL

ORACLE
PostgreSQL

MS-SQL Server

Also you can write your own attack template for any other database as well [...]

There are quite a lot of SQL Injection Tools available and now there is one more to add to the stable for testing – Bsqlbf V2, which is a Blind SQL Injection Brute Forcer.

The original tool (bsqlbfv1.2-th.pl) was intended to exploit blind sql injection against a mysql backend database, this new version supports blind sql [...]

We’ve been folowing the development of sqlninja since the early days, it’s growing into a well matured and more polished tool with advanced features.
Sqlninja is a tool written in PERL to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote [...]

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of [...]

For those that don’t know, Inguma is an open source penetration testing and vulnerability research toolkit written completely in Python. The environment is mainly oriented to attack Oracle related systems but, anyway, it can be used against any other kind of systems.
It’s becoming a mature and useful package! I’m glad to see continued developing and [...]

sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

Features

Full support for [...]

As you all seem to pretty interested in Inguma, there’s something else similar called w3af – the fifth BETA was released a while back and the team are now working on the sixth.
w3af is a Web application attack and Audit Framework. The project goal is to create a framework to find and exploit web application [...]

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process [...]

SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetrating tester to inject SQL commands on a web page.
For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).
Moreover this application will get [...]

A pretty cool tool was released a while back called w3af ( Web Application Attack and Audit Framework ), a fully automated auditing and exploiting framework for the web. This framework has been in development for almost a year and has the following features:

Audit

SQL injection detection
XSS detection
SSI detection
Local file include detection
Remote file include detection
Buffer Overflow [...]

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute (Brute Force).
You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used [...]

Inguma is a penetration testing toolkit entirely written in python. The framework includes modules to discover hosts, gather information about, fuzz targets, brute force user names and passwords and, of course, exploits for many products.
Inguma the word is the name of a Basque’s mythological spirit who kills people while sleeping and, also, the one who [...]

Piggy is yet another tool for performing online password guessing against Microsoft SQL servers.
It supports scanning multiple servers using a dictionary file or a file with predefined accounts (username and password combinations).

It’s a pretty simple tool and has a Win32 binary verson – it is a command line tool however.
Piggy v1.0.1 by patrik@cqure.net
——————————–
usage: piggy [options]

options:
[...]

It not surprising SQL Injection and database hacking are getting more frequent as people ramp up perimeter security more often than not they forget about interior security, software application security and most of all database security.

Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent [...]

FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.

Often web developers think that by disabling error messages in their [...]

sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

IBM DB2
Microsoft SQL Server
Oracle
Postgres
Mysql
IBM Informix
Sybase
Hsqldb
Mime
Pervasive
Virtuoso
SQLite
Interbase/Yaffil/Firebird (Borland)
H2
Mckoi
Ingres
MonetDB
MaxDB
ThinkSQL
SQLBase

Evasion features:

Full-width/Half-width Unicode encoding
Apache non [...]

We got an e-mail a while back about this new and apparently simple Oracle Application Server scanner.
It detects web pages, DADs (Database Access Descriptors) and test applications installed by default.

It may be useful for system hardening and pen-test.
You can download OAPScan here:
OAPScan.tar.gz

sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment.
It should be used by penetration testers to help and automate the process of taking [...]

PRIAMOS is a powerful SQL Injector & Scanner

You can search for SQL Injection vulnerabilities and inject vulnerable string to get all Database names, Tables and Column data with the injector module.
You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).
The first release of PRIAMOS contain only SQL Server Database [...]

SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries (there is some code in there for pycurl, [...]

SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different than the one used in other SQL injection scanners. SQLiX is able to find normal and blind SQL [...]

A reader e-mailed me a while ago about a fairly comprehensive SQL Injection ‘Cheat Sheet’ they had created and posted up.
I compared it to the other ones I had bookmarked, and it was different enough to be worth posting.

Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of samples are [...]

Oracle in its very own style recently published a mega patch, it could be called the mother of all patches.
Actually 101 bugs…the scary part is 45 can be exploited remotely.

Oracle published the mother of all security patches containing 101 fixes for flaws in its database, application server, E-Business Suite and PeopleSoft and JD Edwards applications.
Almost [...]

BobCat is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It is based on a tool named “Data Thief” that was published as PoC by appsecinc. BobCat can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user [...]

Absinthe is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.

Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.
Features:

Automated SQL Injection
Supports MS SQL Server, MSDE, Oracle, Postgres
Cookies / [...]

sqlninja is a little toy that has been coded during a couple of pen-tests done lately and it is aimed to exploit SQL Injection vulnerabilities on web applications that use Microsoft SQL Server as their back-end.
It borrows some ideas from similar tools like bobcat, but it is more targeted in providing a remote shell even [...]

Microsoft has taken a bit of a leap with the integration of .net into SQL Server, and a lot of developers(Myself included) are worrying about what security implications this could have. DevX.com have taken an in-depth look into the guts of it, and spilled them onto a page for us all to look at.
CAS [...]

SQL Power Injector is a graphical application created in .Net 1.1 that helps the penetrating tester to inject SQL commands on a web page.
For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal Mode).
Moreover this application will get [...]

So over a month down the line, our SQL2005 upgrade project should now be in the workable prototype stage. But as with all things that “should” be(More security in IE, Great Britain ruling the world and my kitchen being fitted), it’s not, it’s not even close. On top of this our company is [...]

Oracle is getting serious with security? Again..?
Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company’s products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could [...]

bsqlbf is a tool for Blind SQL Injection attacks, a pretty nifty one too!
The author says there are similar tools about, but he’s tried to combine all the techniques into one compact but complete tool.

# CHANGELOG:
# -get now support resume (with -start option)
# -get to fetch files (thank you ilo AGAIN)
# + -time option added [...]

A competitor for our buddy Google Desktop perhaps?
ORACLE, the world’s third- biggest software maker, has begun selling software that allows users to search only personal data on their work computers such as email, word documents and calendar appointments.
Chief executive Larry Ellison says the California company’s new search program “is one of the biggest products in [...]

Haha, well serves them right, get out and get laid guys.

Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.
“I’m the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes [...]

At the place I pretend to work, the time has come that most developers equally fear and love, upgrade time. We’ve been using MSSQL2000 for 90% of our work for about 4 years now, and it’s served us well, but when a change as big as 2005 server comes along, you have to make the [...]