For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

• Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
• Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
• Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
• This make sqlmap 0.7 to work again on Windows too.
• Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
• HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:

Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Or read more here.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…

It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent (eg : “sqlsus” will become 0×73716c737573)

sqlsus also supports these 2 scenarios of injection :

• sighted : the result of the request will be in the HTML returned by the web server
• blind : when you can’t see the result of the request directly

Support for GET and POST parameters injections.

Support for HTTP proxy and HTTP simple authentication.

Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.

Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.

Requirements

On a Debian system, in addition to perl, you will need the following packages :

• libterm-readline-perl-perl
• libipc-shareable-perl
• libwww-mechanize-perl

It also requires previous SQL injection knowledge, and.. well.. a brain helps.

You can download sqlsus 0.2 here:

sqlsus-0.2.tgz

Or read more here.

Changes

Some of the new features include:

• Major enhancement to get list of targets to test from Burp proxy requests log file path or WebScarab proxy ‘conversations/’ folder path with option -l;
• Major enhancement to support Partial UNION query SQL injection technique;
• Major enhancement to test if the web application technology sup ports stacked queries (multiple statements) by providing option –stacked-test which will be then used someday also by takeover functionality;
• Major enhancement to test if the injectable parameter is affected by a time based blind SQL injection technique by providing option –time-test;
• Major bug fix to correctly enumerate columns on Microsoft SQL Server;
• Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM
  there is no database name specified;

Complete ChangeLog

You can download sqlmap 0.6.3 here:

sqlmap-0.6.3.tar.gz (Linux)
sqlmap-0.6.3_exe.zip (Windows)

Or read more here (User Manual).

Features

• Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
• Extensive back-end database management system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
• Full support for two SQL injection techniques: blind SQL injection and inband SQL injection.

Changes

Some of the new features include:

• Added a Metasploit Framework 3 auxiliary module to run sqlmap;
• Implemented possibility to test for and inject also on LIKE statements;
• Implemented –start and –stop options to set the first and the last table entry to dump;
• Added non-interactive/batch-mode (–batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.

Complete list of changes at ChangeLog.

You can also grab the User Manual here.

You can download sqlmap 0.6.1 here:

Source – sqlmap-0.6.1.tar.gz

Windows – sqlmap-0.6.1_exe.zip

Or read more here.

Sqlninja is a tool written in PERL to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
• Bruteforce of ’sa’ password, both dictionary-based and incremental
• Privilege escalation to ’sa’ if its password has been found
• Creation of a custom xp_cmdshell if the original one has been disabled
• Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
• Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls

Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja! See it in action here.

What’s new in 0.2.3?

• A Metasploit3 wrapper, which allows the user to use SQL Injection to execute Metasploit payloads on the remote DB server
• Several other minor improvements

You can download sqlninja 0.2.3 here:

sqlninja-0.2.3.tgz

Or read more here.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
• Bruteforce of ’sa’ password, both dictionary-based and incremental
• Privilege escalation to ’sa’ if its password has been found
• Creation of a custom xp_cmdshell if the original one has been disabled
• Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

What’s new

• Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
• A more sophisticated upload module
• A new ‘blind execution’ attack mode, useful to issue commands and performs diagnostics when other modes fail
• Automatic URL-encoding now is performed only on sqlninja generated SQL code, giving the user a more granular control on the exploit strings

You can download Sqlninja 0.2.2 here:

sqlninja-0.2.2.tgz

Or read more here.

Features

• Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server database management system back-end.
• Can also identify Microsoft Access, DB2, Informix and Sybase;
• Extensive database management system back-end fingerprint based upon:
• - Inband DBMS error messages
• – DBMS banner parsing
• – DBMS functions output comparison
• – DBMS specific features such as MySQL comment injection
• – Passive SQL injection fuzzing
• It fully supports two SQL injection techniques:
• – Blind SQL injection, also known as Inference SQL injection
• – Inband SQL injection, also known as UNION query SQL injection

You can find the documentation here:

sqlmap README (HTML and PDF)

You can download sqlmap 0.5 here:

sqlmap-0.5 (tar/zip)

Or read more here.

It is written in perl and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if ’sa’ password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New

• A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
• Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ’sa’ account can succeed or not
• Documentation is now in HTML format, which should make things much easier for new users
• Several bugfixes and minor improvements

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.

You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used by the RDBMS).

TODO (v1.0):

• fix italian language support (test platform needed)
• info mode: add logins target (master..sysxlogins) [name,dbname,password]
• brute mode: automatic login grabbing feature?
• info mode: add sys target (xtype=’S')?
• info mode: implement better types/keys dumping
• add a command execution mode via master..xp_cmdshell?
• add a privileged testing mode for post-auth vulnerabilities

It’s a fairly early version, I’ve been watching it since v0.1 – it’s a little more polished now but it’s still definitely a tool for more advanced users.

I’m sure some of you will find it useful.

Grab it here:

mssql-hax0r

Inguma the word is the name of a Basque’s mythological spirit who kills people while sleeping and, also, the one who make the nightmares.

It was initially oriented to attack Oracle related systems but it can be used for any kind of setup.

What are the discover and gather modules you may ask? Discover modules are used to detect networks and host; gather modules are used to determine what services are listening at the host, what operative system is being used, what service pack, etc…

Sadly at this time it doesn’t work at all on Win32, again the problem with RAW sockets and the Scapy library won’t work for Win32. If you are running Win2k you might have less problems.

It’s a very early version of the software and development seems to have been quiet lately, I hope more people can contribute to this project and get it moving again.

It certainly has promise!

You can download Inguma here:

inguma0.0.2.tar.gz

Or read more here.