[ad]<\/p>\n
This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections.<\/p>\n
We reported bsqlbf when it first hit the net back in April 2006 with bsqlbf v1.1<\/a>, then the v2.0 update<\/a> in June 2008. This new update adds much better Oracle support.<\/p>\n Databases supported:<\/p>\n The 6 Attack Models<\/strong><\/p>\n New additions<\/strong><\/p>\n -type: Type of injection:<\/p>\n 3: Type 3 is extracting data with DBA privileges Type 4 (O.S code execution) supports the following sub types:<\/p>\n -stype: How you want to execute command:<\/p>\n 0: SType 0 (default) is based on java, You can download bsqlbf v2.3 here:<\/p>\n\n
\n
\n (e.g. Oracle password hashes from sys.user$)
\n 4: Type 4 is O.S code execution(default: ping 127.0.0.1)
\n 5: Type 5 is Reading O.S files(default: c:\\boot.ini)<\/p>\n
\n universal but won’t work against XE
\n 1: SType 1 against oracle 9 with plsql_native_make_utility
\n 2: SType 2 against oracle 10 with dbms_scheduler<\/p>\n