We’ve been following sqlmap since it first came out in Feburary 2007 and it’s been quite some time since the last update sqlmap 0.6.3 in December 2008.
For those not familiar with the tool, sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection [...]
Another big flaw has been discovered in Microsoft software just a few days after they broke their patch cycle to issue a patch for the IE bug that allowed remote code execution.
This time however it doesn’t really effect home users or the general consumer, it’s a more specific server side vulnerability affecting Microsoft SQL Server [...]
sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back end database management system [...]
sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, [...]
BSQL Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.
It ships with Automated Attack modules which allows the dumping of whole databases for the following DBMS:
MS-SQL Server
ORACLE
MySQL (experimental)
Attack Templates for:
MS Access
MySQL
ORACLE
PostgreSQL
MS-SQL Server
Also you can write your own attack template for any other database as well [...]
It not surprising SQL Injection and database hacking are getting more frequent as people ramp up perimeter security more often than not they forget about interior security, software application security and most of all database security.
Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent [...]
sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.
Databases supported:
IBM DB2
Microsoft SQL Server
Oracle
Postgres
Mysql
IBM Informix
Sybase
Hsqldb
Mime
Pervasive
Virtuoso
SQLite
Interbase/Yaffil/Firebird (Borland)
H2
Mckoi
Ingres
MonetDB
MaxDB
ThinkSQL
SQLBase
Evasion features:
Full-width/Half-width Unicode encoding
Apache non [...]
We got an e-mail a while back about this new and apparently simple Oracle Application Server scanner.
It detects web pages, DADs (Database Access Descriptors) and test applications installed by default.
It may be useful for system hardening and pen-test.
You can download OAPScan here:
OAPScan.tar.gz
PRIAMOS is a powerful SQL Injector & Scanner
You can search for SQL Injection vulnerabilities and inject vulnerable string to get all Database names, Tables and Column data with the injector module.
You should only use PRIAMOS to test the security vulnerabilities of your own web applications (obviously).
The first release of PRIAMOS contain only SQL Server Database [...]
Oracle in its very own style recently published a mega patch, it could be called the mother of all patches.
Actually 101 bugs…the scary part is 45 can be exploited remotely.
Oracle published the mother of all security patches containing 101 fixes for flaws in its database, application server, E-Business Suite and PeopleSoft and JD Edwards applications.
Almost [...]
