SQL Power Injector is a graphical application created in .NET 1.1 that helps the penetrating tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

The emphasis for this release is maturity, stability and reliability with secondary goals of usability, documentation and innovation.

There’s also a nifty Firefox Extension now.

One of the major improvements is an innovative way to optimize and accelerate the dichotomy in the Blind SQL injection, saving time/number of requests up to 25%.

Added to this it’s now possible to define a range list that will replace a variable (<<@>>) inside a blind SQL injection string and automatically play them for you. That means you can get all the database names from the sysdatabases table in MS SQL without having to input the dbid each time for example.

Also another great time saver is a new Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context. No more time wasted to copy paste the session cookies after you logged… And of course you can make the easy SQL tests in your browser and you use the plugin once you want to search more thoroughly.

To make your life easier there is now a new feature that will search the diff between a positive condition (1=1) response with a negative condition (1=2) and display the list for you.

Last major addition is the extensive databases Help file (chm) that contains most of the information you need when you SQL inject. It covers the 5 DBMS supported by SQL Power Injector. You can find in it the system tables and views with their columns, environment variables, the useful functions and stored procedures. All this with some notes to how to use them and why it’s useful for SQL injection.

You can download the latest version here:

SQL Power Injector 1.2

Or read more here.

SQL Power Injector is a graphical application created in .Net 1.1 that helps the penetrating tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal Mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

Features

• Supported on Windows, Unix and Linux operating systems
• SQL Server, Oracle, MySQL and Sybase/Adaptive Server compliant
• SSL support
• Load automatically the parameters from a form or a IFrame on a web
  page (GET or POST)
• Detect and browse the framesets
• Option that auto detects the language of the web site
• Find automatically the submit page(s) with its method (GET or POST)
  displayed in a different color
• Single SQL injection
• Blind SQL injection
• Comparison of true and false response of the page or results in
  the cookie
• Time delay
• Response of the SQL injection in a customized browser
• Fine tuning parameters injection
• Can parameterize the size of the length and count of the expected
  result to optimize the time taken by the application to execute the SQL
  injection
• Multithreading
• Option to replace space by empty comments /**/ against IDS or filter
  detection
• Automatically encode special characters before sending them
• Automatically detect predefined SQL errors in the response page
• Automatically detect a predefined word or sentence in the response page
• Real time result
• Possibility to inject an authentication cookie
• Can view the HTML code source of the returned page
• Save and load sessions in a XML file

You can find out more here:

SQL Power Injector

Download the latest version now.