SQL Injection Scanners List
Am Thursday, 30. Jun 2011 im Topic 'Pentest'
WebRaider
Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.
Download
http://code.google.com/p/webraider/downloads/list
Download PDF
http://www.mavitunasecurity.com/s/research/OneClickOwnage.pdf
Havij Advanced SQL Injection
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users…..
e.g.
Havij v1.14
http://www.itsecteam.com/files/havij/Havij1.14Free.rar
Downlaod Help (pdf format)
http://www.itsecteam.com/files/havij/havij_help-english.pdf
Downlaod Help (chm format)
http://www.itsecteam.com/files/havij/havij_help-english.chm
Pangolin free edition released
Pangolin is an automatic SQL injection penetration testing (Pen-testing) tool
for Website manager or IT Security analyst. Its goal is to detect and take
advantage of SQL injection vulnerabilities on web applications. Once it detects
one or more SQL injections on the target host, the user can choose among a
variety of options to perform an extensive back-end database management system
fingerprint, retrieve DBMS session user and database, enumerate users, password
hashes, privileges, databases, dump entire or users specific DBMS
tables/columns, run his own SQL statement, read specific files on the file
system and more.
Test many types of databases
Your web applications using Access,DB2,Informix,Microsoft SQL Server
2000,Microsoft SQL Server 2005,Microsoft SQL Server
2008,MySQL,Oracle,PostgreSQL,Sqlite3,Sybase?
Pangolin supports all of them.
Features: Auto-analyzing keyword, HTTPS support, Pre-Login, Bypass firewall
setting, Injection Digger, Data dumper, etc.
Download:
http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip
SQLIer
SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can't guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.
An 8 character password (containing any character from decimal ASCII code 1-127) takes approximately 1 minute to crack.
Download:
http://bcable.net/releases.php?sqlier
SQID
SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.
Download:
http://sqid.rubyforge.org/#download
FJ-Injector Framwork
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation
Download:
http://sourceforge.net/projects/injection-fwk/files/
Safe3 Sql Injector
Features:
Full support for http, https website.
Full support for Basic, Digest, NTLM http authentications.
Full support for GET, Post, Cookie sql injection.
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
Support to enumerate databases, tables, columns and data.
Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
Support to ip domain query,web path guess,md5 crack etc.
Support for sql injection scan.
Download:
http://sourceforge.net/projects/safe3si/files/Safe3SI-8.1.rar/download
Sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
.Linux
.FreeBSD
.Mac OS X
It is basically an official release with all the new features that have been in the SVN for a while (most of them for almost 1 year, ouch). More specifically:
.ICMP-based shell
.CVE-2010-0232 support to escalate the sqlsrvr.exe process to SYSTEM (greetz Tavis)
.Header-based injection support
Download:
http://sqlninja.sourceforge.net/download.html
Sqlmap
is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase.
Download
http://sqlmap.sourceforge.net/#download
Download Gui-for-sqlmap
http://code.google.com/p/gui-for-sqlmap/downloads/list
SQL Power Injector
is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.
Supports: Microsoft SQL Server, Oracle, MySQL, Sybase / Adaptive Server and DB2.
Download
http://www.sqlpowerinjector.com/download.htm
Absinthe
is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.
Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.
Supports: Microsoft SQL Server, MSDE, Oracle, and Postgres.
Download
http://www.0x90.org/releases/absinthe/download.php
bsqlbf-v2:
This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
Download
http://code.google.com/p/bsqlbf-v2/downloads/list
Marathon Tool
Marathon Tool is a POC for using heavy queries to perform a Time-Based Blind SQL Injection attack. This tool is still work in progress but is right now in a very good alpha version to extract information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle Databases.
Download
http://marathontool.codeplex.com/#
pysqlin
Pysqlin is a console python tool to exploit SQL Injection vulnerabilities. It has 3 main adaptable components via a plugin framework:
Plugin: Adds functionality to the main program.
Injector: Provides injection methods.
Filter: Allows to modify the final http request and DDBB query in order to perform any kind of transformation.
Implemented: Oracle, MySQL and Microsoft SQL Server.
Download
http://code.google.com/p/pysqlin/source/checkout
BSQL Hacker
BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database
Implemented: Oracle and Microsoft SQL Server.
Available experimental support for MySQL.
Download
http://labs.portcullis.co.uk/application/bsql-hacker/
sqlus
sqlsus is an open source MySQL injection and takeover tool, written in perl.
Supports only MySQL.
Download
http://sqlsus.sourceforge.net/download.html
DarkMySQLi16.py
SQL Injection tool's by rsauron written in Python
Download
http://www.multiupload.com/NV6T2XOI1A
Source
darkc0de Crew
SQL TOOL
This is an auto SQL injection Tool. Supports MySQL & MsSQL. The Old SQL Tool will no longer be supported.
Download
http://sourceforge.net/projects/sqltool/files/SQL%20Tool.rar/download?_test=goal
mySQLenum
is a command line automatic blind sql injection tool for web application that uses MySql server as its back-end. Its main goal is to provide an easy to use command line interface.
Supports only MySQL
Download
http://sourceforge.net/projects/mysqlenum/files/mysqlenum-0.3.tar.gz/download?_test=goal
PRIAMOS
is a powerful SQL Injector & Scanner
You can search SQL Injection vulnerabilities and inject vulnerable string to get all
Databases, Tables and Column datas with injector module.
Supports only Microsoft SQL Server.
Download
http://www.priamos-project.com/versions.htm
SFX-SQLi
Supports only Microsoft SQL Server.
Download
http://www.kachakil.com/default.htm
yInjector
yInjector is a MySQL Injection penetration tool
Supports only MySQL.
Download
http://y-osirys.com/softwares/s-softwares/id10#subsec=s-softwares,id=10,title=yInjector%20-%20SQL%20Inj%20Penetration%20Tool
Bobcat
is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It was originally created to build and extend upon the capabilities of a tool named "Data Thief".
Download
http://www.northern-monkee.co.uk/pub/bobcat.html
ExploitMyUnion
is a tool written in Python with a PyQt user interface made to automate sql injection exploitation.
Download
http://sourceforge.net/projects/exploitmyunion/files/v2.x/exploitmyunion-2.1_win32.zip/download?_test=goal
Laudanum
is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.
Download
http://sourceforge.net/projects/laudanum/files/laudanum-0.2/laudanum-0.2.tar.gz/download?_test=goal
Hexjector
is an Opensource,Cross Platform PHP script to automate Site Pentest for SQL Injection Vulnerabilties.
Download
http://sourceforge.net/projects/hexjector/files/Hexjector%20%28Win32%29/Hexjector%20v1.0.7.4.zip/download?_test=goal
Toolza
UTF-8 perlsсriрt
SQL injection DB supported: Mysql, Mssql, Sybase, Postgresql, Access, Oracle, Firebird/Interbase
include Blind Mysql injection + alternative methods
Download
http://pastebin.com/QJ1MMiux
SQL TOOL
This is an auto SQL injection Tool. Supports MySQL & MsSQL.
Download
http://sourceforge.net/projects/sqltool/files/SQL%20Tool.rar/download?_test=goal
aidsql - Linux
Is a PHP application provided for detecting security holes in your website/s. It's a modular application, meaning that you can develop your very own plugins for SQL injection detection & exploitation.
Download
http://code.google.c.../downloads/list
The Mole
The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.
Tutorial
http://themole.sourceforge.net/?q=tutorial
Download
http://sourceforge.net/projects/themole/files/themole-0.2.6/themole-0.2.6-win32.zip/download
http://sourceforge.net/projects/themole/files/themole-0.2.6/themole-0.2.6-lin-src.tar.gz/download
NTO SQL Invader
NTO SQL Invader gives the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in Web applications. With a few simple clicks, you will be able to exploit a vulnerability to view the list of records,tables and user accounts of the back-end database.
Download
http://go.ntobjectives.com/
FatCat Auto SQLl Injector
This is an automatic SQL Injection tool called as FatCat , Use of FatCat for testing your web application and exploit your application more deeper. FatCat Features that help you to extract the Database information, Table information, and Column information from web application. Only If it is vulnerable to SQL Injection Vulnerability.
Requirement:
PHP Verison 5.3.0
Enable file_get_function
Video
http://dl.dropbox.com/u/18007092/FatCat.swf
Download
http://code.google.com/p/fatcat-sql-injector/downloads/list
SQLol v.....
SQLol is a configurable SQL injection testbed. SQLol allows
you to exploit SQL injection flaws, but furthermore allows
a large amount of control over the manifestation of the flaw.
Options:
Type of query
Location within query
Type and level of sanitization
Level of query output
Verbosity of error messages
Visibility of query
Injection string entry point
Other cool things:
Reset button
Challenges
Support for multiple database systems
Download
https://github.com/SpiderLabs/SQLol/downloads
Enema
Enema is not autohacking software. This is dynamic tool for people, who knows what to do.Not supported old database versions (e. g. mysql 4.x). Development targeted to modern versions.
Features:
Multi-platform.
User-friendly graphical interface.
Multithreaded.
Dump.
Customise your queries
Plugins to automate attacks
Supported for today:
POST, GET, Cookies
MSSQL >=2000 and MySQL>=5.0
Injection methods supported:
Error based injection.
Union based injection (using subquery).
Blind Time-based MSSQL(waitfor), MySQL(sleep)
Download
http://code.google.com/p/enema/downloads/list
SQLI Hunter: SQL Injection Hunter
“SQLI Hunter” SQL Injection Hunter 1.0 dari namanya sudah jelas bahwa aplikasi ini berfungsi untuk mencari website yang rentan terhadap serangan SQL Injection. Dilengkapi 4493 Dorks, dan dalam sekali scan mendapatkan 96 hasil. Dilengkapi juga Pencari Login Page Admin.
Dowload
http://adf.ly/313683/http://www.mediafire.com/download.php?pvvp3jx23fps750
Portable
http://adf.ly/313683/http://www.mediafire.com/?qe646an7woqbcmo
sqlifuzzer
sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests... then fuzzes them.
Download
http://code.google.com/p/sqlifuzzer/downloads/list
sqlcake
Automatic dump database & interactive sql shell tool dumps the current database structure including tables and columns and turns into an interactive mysql prompt with extra features
- sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.
- sqlcake offers a few useful functions to gather database information easily by sql injection usage.
- sqlcake also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.
- sqlcake supports union stacked queries for real fast processing and blind injections with logarithmic techniques for saving time.
Download
http://sourceforge.net/projects/sqlcake/files/
Idea of this attack is very simple. Getting a reverse shell from an SQL Injection with one request without using an extra channel such as TFTP, FTP to upload the initial payload.
Download
http://code.google.com/p/webraider/downloads/list
Download PDF
http://www.mavitunasecurity.com/s/research/OneClickOwnage.pdf
Havij Advanced SQL Injection
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users…..
e.g.
Havij v1.14
http://www.itsecteam.com/files/havij/Havij1.14Free.rar
Downlaod Help (pdf format)
http://www.itsecteam.com/files/havij/havij_help-english.pdf
Downlaod Help (chm format)
http://www.itsecteam.com/files/havij/havij_help-english.chm
Pangolin free edition released
Pangolin is an automatic SQL injection penetration testing (Pen-testing) tool
for Website manager or IT Security analyst. Its goal is to detect and take
advantage of SQL injection vulnerabilities on web applications. Once it detects
one or more SQL injections on the target host, the user can choose among a
variety of options to perform an extensive back-end database management system
fingerprint, retrieve DBMS session user and database, enumerate users, password
hashes, privileges, databases, dump entire or users specific DBMS
tables/columns, run his own SQL statement, read specific files on the file
system and more.
Test many types of databases
Your web applications using Access,DB2,Informix,Microsoft SQL Server
2000,Microsoft SQL Server 2005,Microsoft SQL Server
2008,MySQL,Oracle,PostgreSQL,Sqlite3,Sybase?
Pangolin supports all of them.
Features: Auto-analyzing keyword, HTTPS support, Pre-Login, Bypass firewall
setting, Injection Digger, Data dumper, etc.
Download:
http://down3.nosec.org/pangolin_free_edition_3.2.3.1105.zip
SQLIer
SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can't guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.
An 8 character password (containing any character from decimal ASCII code 1-127) takes approximately 1 minute to crack.
Download:
http://bcable.net/releases.php?sqlier
SQID
SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities.
Download:
http://sqid.rubyforge.org/#download
FJ-Injector Framwork
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation
Download:
http://sourceforge.net/projects/injection-fwk/files/
Safe3 Sql Injector
Features:
Full support for http, https website.
Full support for Basic, Digest, NTLM http authentications.
Full support for GET, Post, Cookie sql injection.
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
Support to enumerate databases, tables, columns and data.
Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
Support to ip domain query,web path guess,md5 crack etc.
Support for sql injection scan.
Download:
http://sourceforge.net/projects/safe3si/files/Safe3SI-8.1.rar/download
Sqlninja
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
.Linux
.FreeBSD
.Mac OS X
It is basically an official release with all the new features that have been in the SVN for a while (most of them for almost 1 year, ouch). More specifically:
.ICMP-based shell
.CVE-2010-0232 support to escalate the sqlsrvr.exe process to SYSTEM (greetz Tavis)
.Header-based injection support
Download:
http://sqlninja.sourceforge.net/download.html
Sqlmap
is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase.
Download
http://sqlmap.sourceforge.net/#download
Download Gui-for-sqlmap
http://code.google.com/p/gui-for-sqlmap/downloads/list
SQL Power Injector
is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.
Supports: Microsoft SQL Server, Oracle, MySQL, Sybase / Adaptive Server and DB2.
Download
http://www.sqlpowerinjector.com/download.htm
Absinthe
is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.
Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.
Supports: Microsoft SQL Server, MSDE, Oracle, and Postgres.
Download
http://www.0x90.org/releases/absinthe/download.php
bsqlbf-v2:
This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
0. MS-SQL
1. MySQL
2. PostgreSQL
3. Oracle
Download
http://code.google.com/p/bsqlbf-v2/downloads/list
Marathon Tool
Marathon Tool is a POC for using heavy queries to perform a Time-Based Blind SQL Injection attack. This tool is still work in progress but is right now in a very good alpha version to extract information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle Databases.
Download
http://marathontool.codeplex.com/#
pysqlin
Pysqlin is a console python tool to exploit SQL Injection vulnerabilities. It has 3 main adaptable components via a plugin framework:
Plugin: Adds functionality to the main program.
Injector: Provides injection methods.
Filter: Allows to modify the final http request and DDBB query in order to perform any kind of transformation.
Implemented: Oracle, MySQL and Microsoft SQL Server.
Download
http://code.google.com/p/pysqlin/source/checkout
BSQL Hacker
BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database
Implemented: Oracle and Microsoft SQL Server.
Available experimental support for MySQL.
Download
http://labs.portcullis.co.uk/application/bsql-hacker/
sqlus
sqlsus is an open source MySQL injection and takeover tool, written in perl.
Supports only MySQL.
Download
http://sqlsus.sourceforge.net/download.html
DarkMySQLi16.py
SQL Injection tool's by rsauron written in Python
Download
http://www.multiupload.com/NV6T2XOI1A
Source
darkc0de Crew
SQL TOOL
This is an auto SQL injection Tool. Supports MySQL & MsSQL. The Old SQL Tool will no longer be supported.
Download
http://sourceforge.net/projects/sqltool/files/SQL%20Tool.rar/download?_test=goal
mySQLenum
is a command line automatic blind sql injection tool for web application that uses MySql server as its back-end. Its main goal is to provide an easy to use command line interface.
Supports only MySQL
Download
http://sourceforge.net/projects/mysqlenum/files/mysqlenum-0.3.tar.gz/download?_test=goal
PRIAMOS
is a powerful SQL Injector & Scanner
You can search SQL Injection vulnerabilities and inject vulnerable string to get all
Databases, Tables and Column datas with injector module.
Supports only Microsoft SQL Server.
Download
http://www.priamos-project.com/versions.htm
SFX-SQLi
Supports only Microsoft SQL Server.
Download
http://www.kachakil.com/default.htm
yInjector
yInjector is a MySQL Injection penetration tool
Supports only MySQL.
Download
http://y-osirys.com/softwares/s-softwares/id10#subsec=s-softwares,id=10,title=yInjector%20-%20SQL%20Inj%20Penetration%20Tool
Bobcat
is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It was originally created to build and extend upon the capabilities of a tool named "Data Thief".
Download
http://www.northern-monkee.co.uk/pub/bobcat.html
ExploitMyUnion
is a tool written in Python with a PyQt user interface made to automate sql injection exploitation.
Download
http://sourceforge.net/projects/exploitmyunion/files/v2.x/exploitmyunion-2.1_win32.zip/download?_test=goal
Laudanum
is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.
Download
http://sourceforge.net/projects/laudanum/files/laudanum-0.2/laudanum-0.2.tar.gz/download?_test=goal
Hexjector
is an Opensource,Cross Platform PHP script to automate Site Pentest for SQL Injection Vulnerabilties.
Download
http://sourceforge.net/projects/hexjector/files/Hexjector%20%28Win32%29/Hexjector%20v1.0.7.4.zip/download?_test=goal
Toolza
UTF-8 perlsсriрt
SQL injection DB supported: Mysql, Mssql, Sybase, Postgresql, Access, Oracle, Firebird/Interbase
include Blind Mysql injection + alternative methods
Download
http://pastebin.com/QJ1MMiux
SQL TOOL
This is an auto SQL injection Tool. Supports MySQL & MsSQL.
Download
http://sourceforge.net/projects/sqltool/files/SQL%20Tool.rar/download?_test=goal
aidsql - Linux
Is a PHP application provided for detecting security holes in your website/s. It's a modular application, meaning that you can develop your very own plugins for SQL injection detection & exploitation.
Download
http://code.google.c.../downloads/list
The Mole
The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.
Tutorial
http://themole.sourceforge.net/?q=tutorial
Download
http://sourceforge.net/projects/themole/files/themole-0.2.6/themole-0.2.6-win32.zip/download
http://sourceforge.net/projects/themole/files/themole-0.2.6/themole-0.2.6-lin-src.tar.gz/download
NTO SQL Invader
NTO SQL Invader gives the ability to quickly and easily exploit or demonstrate SQL Injection vulnerabilities in Web applications. With a few simple clicks, you will be able to exploit a vulnerability to view the list of records,tables and user accounts of the back-end database.
Download
http://go.ntobjectives.com/
FatCat Auto SQLl Injector
This is an automatic SQL Injection tool called as FatCat , Use of FatCat for testing your web application and exploit your application more deeper. FatCat Features that help you to extract the Database information, Table information, and Column information from web application. Only If it is vulnerable to SQL Injection Vulnerability.
Requirement:
PHP Verison 5.3.0
Enable file_get_function
Video
http://dl.dropbox.com/u/18007092/FatCat.swf
Download
http://code.google.com/p/fatcat-sql-injector/downloads/list
SQLol v.....
SQLol is a configurable SQL injection testbed. SQLol allows
you to exploit SQL injection flaws, but furthermore allows
a large amount of control over the manifestation of the flaw.
Options:
Type of query
Location within query
Type and level of sanitization
Level of query output
Verbosity of error messages
Visibility of query
Injection string entry point
Other cool things:
Reset button
Challenges
Support for multiple database systems
Download
https://github.com/SpiderLabs/SQLol/downloads
Enema
Enema is not autohacking software. This is dynamic tool for people, who knows what to do.Not supported old database versions (e. g. mysql 4.x). Development targeted to modern versions.
Features:
Multi-platform.
User-friendly graphical interface.
Multithreaded.
Dump.
Customise your queries
Plugins to automate attacks
Supported for today:
POST, GET, Cookies
MSSQL >=2000 and MySQL>=5.0
Injection methods supported:
Error based injection.
Union based injection (using subquery).
Blind Time-based MSSQL(waitfor), MySQL(sleep)
Download
http://code.google.com/p/enema/downloads/list
SQLI Hunter: SQL Injection Hunter
“SQLI Hunter” SQL Injection Hunter 1.0 dari namanya sudah jelas bahwa aplikasi ini berfungsi untuk mencari website yang rentan terhadap serangan SQL Injection. Dilengkapi 4493 Dorks, dan dalam sekali scan mendapatkan 96 hasil. Dilengkapi juga Pencari Login Page Admin.
Dowload
http://adf.ly/313683/http://www.mediafire.com/download.php?pvvp3jx23fps750
Portable
http://adf.ly/313683/http://www.mediafire.com/?qe646an7woqbcmo
sqlifuzzer
sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests... then fuzzes them.
Download
http://code.google.com/p/sqlifuzzer/downloads/list
sqlcake
Automatic dump database & interactive sql shell tool dumps the current database structure including tables and columns and turns into an interactive mysql prompt with extra features
- sqlcake is an automatic SQL injection exploitation kit written in Ruby. It's designed for system administration and penetration testing.
- sqlcake offers a few useful functions to gather database information easily by sql injection usage.
- sqlcake also allows you to bypass magic quotes, dump tables and columns and gives you the possibility to run an interactive MySQL shell.
- sqlcake supports union stacked queries for real fast processing and blind injections with logarithmic techniques for saving time.
Download
http://sourceforge.net/projects/sqlcake/files/
