Features

• Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
• Command line interface. Different commands trigger different actions.
• Auto-completion for commands, command arguments and database, table and columns names.
• Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
• Developed in python 3.

If you want to know how to use The Mole there’s a good tutorial here.

You can download The Mole here:

Windows: themole-0.2.6-win32.zip
Linux: themole-0.2.6-lin-src.tar.gz

Or read more here.

sqlsus focuses on speed and efficiency, optimising the available injection space, making the best use (I can think of) of MySQL functions. It uses stacked subqueries and an powerful blind injection algorithm to maximise the data gathered per web server hit. Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server.

It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https..

What’s New

Starting with version 0.7, sqlsus now supports time-based blind injection and automatically detects web server / suhosin / etc.. length restrictions.

• Added time-based blind injection support (added option “blind_sleep”, and renamed “string_to_match” to “blind_string”).
• It is now possible to force sqlsus to exit when it’s hanging (i.e.: retrieving data), by hitting Ctrl-C more than twice.
• Rewrite of “autoconf max_sendable”, so that sqlsus will properly detect which length restriction applies (WEB server / layer above). (removed option “max_sendable”, added options “max_url_length” and “max_inj_length”)
• Uploading a file now sends it into chunks under the length restriction.
• sqlsus now saves variables after each command, so that forcing it to quit (or killing it) will not discard the changes that were made.
• Added a progress bar to inband mode, sqlsus now determines the number of rows to be returned prior to fetching them.
• get db (tables/columns) in inband mode now uses multithreading (like everything else).
• clone now uses count(*) if available (set by “get count” / “get db”), instead of using fetch-ahead.
• In blind mode, “start” will now test if things work the way they should, by injecting 2 queries : one true and one false.
• sqlsus now prints what configuration options are overridden (when a saved value differs from the configuration file).

You can download sqlsus 0.7.1 here:

sqlsus-0.7.1.tgz

Or read more here.

Well sqlmap 0.9 has been released and has a considerable amount of changes including an almost entirely re-written SQL Injection detection engine.

For those that aren’t familiar with the tool, sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

New Features/Changes

• Rewritten SQL injection detection engine (Bernardo and Miroslav).
• Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
• Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
• Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
• Implemented support for Firebird (Bernardo and Miroslav).
• Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
• Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
• Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
• Added support to fetch unicode data (Bernardo and Miroslav).
• Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
• Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
• Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
• Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns.

The complete changelog is available for viewing here.

You can also download the user manual here [PDF] – sqlmap README

You can download sqlmap 0.9 here:

sqlmap-0.9.tar.gz

Or read more here.

The output includes:

• The suspicious IP address
• The attacked webpage
• The parameter and value used
• The frame number of the packet within the pcap (can be used to find exactly where the packet is in Wireshark)
• The reason why the request was flagged

Requirements

This script was tested using Python 2.6.5. Other versions are not guaranteed to work.

This script depends on the dpkt libraries.

You can download SQLInject-Finder here:

sqlinject-finder.py

Or read more here.

We have featured some other database-fingerprinting tools before such as SQLmap the automated SQL injection tool, which also carries out fingerprinting and the Microsoft SQL Server Fingerprint Tool aimed specifically at MS-SQL installs similar to ESF.

The Exploit Next Generation SQL Fingerprint (ESF) is a powerful tool which performs version fingerprinting for:

• Microsoft SQL Server 2000;
• Microsoft SQL Server 2005; and
• Microsoft SQL Server 2008.

The Exploit Next Generation SQL Fingerprint uses well-known techniques based on several public tools that are capable to identify the Microsoft SQL Server version (such as: SQLping and SQLver), but, instead of showing only the “raw version” (i.e., Microsoft SQL Version 10.00.2746), the Exploit Next Generation SQL Fingerprint shows the mapped Microsoft SQL Server version (i.e., Microsoft SQL 2008 SP1 (CU5)).

The strengths of Exploit Next Generation SQL Fingerprint are:

• It uses both TCP and UDP protocols to determine the Microsoft SQL Server version, making it much more reliable than any other public or commercial tool.
• It is capable to identify multiple Microsoft SQL Server instances and their TCP communication ports.
• It does not require any authentication method to identify the Microsoft SQL Server version.
• It uses probabilistic algorithm to identify the Microsoft SQL Server version, combining both TCP and UDP fingerprint.

The Exploit Next Generation SQL Fingerprint can also be used to identify vulnerable/unpatched Microsoft SQL Server version, and it is based on some techniques used by Exploit Next Generation Compliance Methodology to perform automated penetration testing.

SQL Server fingerprinting is necessary before performing any kind of penetration testing on database server and if you find its Microsoft SQL Server then this tool will surely help identifying granular level findings to further exploit database.

You can download ESF v1.10 here:

ESF.exe

Or read more here.

It’s been 2 years, but a new version of sqlninja is out at Sourceforge, we wrote about the previous release back in 2008 and we’ve actually been following this tool since 2006!

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

• Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
• Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
• Privilege escalation to sysadmin group if ‘sa’ password has been found
• Creation of a custom xp_cmdshell if the original one has been removed
• Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
• TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
• Direct and reverse bindshell, both TCP and UDP
• DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
• Evasion techniques to confuse a few IDS/IPS/WAF
• Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

What’s New?

• Proxy support (it was about time!)
• No more 64k bytes limit in upload mode
• Upload mode is also massively faster
• Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
• Other minor improvements

Compatibility

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

• Linux
• FreeBSD
• Mac OS X

You can download sqlninja v0.2.5 here:

sqlninja-0.2.5.tgz

Or read more here.

We’ve been following sqlmap since it first came out in Feburary 2007 and it’s been quite some time since the last update sqlmap 0.6.3 in December 2008.

For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

Recent Changes

Along all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

• Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
• Adjusted code to make sqlmap 0.7 to work again on Mac OSX too.
• Reset takeover OOB features (if any of –os-pwn, –os-smbrelay or –os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter.
• This make sqlmap 0.7 to work again on Windows too.
• Minor improvement so that sqlmap tests also all parameters with no value (eg. par=).
• HTTPS requests over HTTP proxy now work on either Python 2.4, 2.5 and 2.6+.

For a complete list of changes view the ChangeLog.

The manual is available here – README.pdf [PDF]

You can download sqlmap 0.7 here:

Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Or read more here.

sqlsus is an open source MySQL injection and takeover tool, written in perl.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more…

It is designed to maximize the amount of data gathered per web server hit, making the best use of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

It is not and won’t ever be a SQL injection scanner, it starts its job on the next step.

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent (eg : “sqlsus” will become 0x73716c737573)

sqlsus also supports these 2 scenarios of injection :

• sighted : the result of the request will be in the HTML returned by the web server
• blind : when you can’t see the result of the request directly

Support for GET and POST parameters injections.

Support for HTTP proxy and HTTP simple authentication.

Full logging support of your queries and the answers, allowing you to recall a command and its cached answer, even in a later re-use of the session.

Key variables can be edited on the fly, saved per session, and can be loaded in a later session on the same target server.

Requirements

On a Debian system, in addition to perl, you will need the following packages :

• libterm-readline-perl-perl
• libipc-shareable-perl
• libwww-mechanize-perl

It also requires previous SQL injection knowledge, and.. well.. a brain helps.

You can download sqlsus 0.2 here:

sqlsus-0.2.tgz

Or read more here.

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more..

Changes

Some of the new features include:

• Major enhancement to get list of targets to test from Burp proxy requests log file path or WebScarab proxy ‘conversations/’ folder path with option -l;
• Major enhancement to support Partial UNION query SQL injection technique;
• Major enhancement to test if the web application technology sup ports stacked queries (multiple statements) by providing option –stacked-test which will be then used someday also by takeover functionality;
• Major enhancement to test if the injectable parameter is affected by a time based blind SQL injection technique by providing option –time-test;
• Major bug fix to correctly enumerate columns on Microsoft SQL Server;
• Major bug fix so that when the user provide a SELECT statement to be processed with an asterisk as columns, now it also work if in the FROM
  there is no database name specified;

Complete ChangeLog

You can download sqlmap 0.6.3 here:

sqlmap-0.6.3.tar.gz (Linux)
sqlmap-0.6.3_exe.zip (Windows)

Or read more here (User Manual).

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Features

• Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
• Extensive back-end database management system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
• Full support for two SQL injection techniques: blind SQL injection and inband SQL injection.

Changes

Some of the new features include:

• Added a Metasploit Framework 3 auxiliary module to run sqlmap;
• Implemented possibility to test for and inject also on LIKE statements;
• Implemented –start and –stop options to set the first and the last table entry to dump;
• Added non-interactive/batch-mode (–batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.

Complete list of changes at ChangeLog.

You can also grab the User Manual here.

You can download sqlmap 0.6.1 here:

Source – sqlmap-0.6.1.tar.gz

Windows – sqlmap-0.6.1_exe.zip

Or read more here.