Well, I have been doing some SQL injection tests, trying out some tools to automate the process of discovering SQLi vulnerabilities. Although I support knowing and manually applying the technique used to exploit a SQLi vulnerability, the tools are very useful for speeding up the whole process and give you some time for manual exploitation of more secure servers.
That is why I have gathered in this post some tools that I consider important and fundamental for helping in the process of discovering injection flaws. I have not had time to translate them yet, so below they follow exactly as I copied them from the developers' sites.
1 - Havij v Advanced SQL Injection
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.
- Oracle error based database added with ability to execute query.
- Getting tables and column when database name is unknown added (mysql)
- Another method added for finding columns count and string column in PostgreSQL
- Automatic keyword finder optimized and some bugs fixed.
- A bug in finding valid string column in mysql fixed.
- 'Key is not unique' bug fixed
- Getting data starts from row 2 when All in One fails - bug fixed
- Run time error when finding keyword fixed.
- False table finding in access fixed.
- keyword correction method made better
- A bug in getting current data base in mssql fixed.
- A secondary method added when input value doesn't return a normal page (usually not found)
- Data extraction bug in html-encoded pages fixed.
- String or integer type detection made better.
- A bug in https injection fixed.
1. Supported Databases with injection methods:
a. MsSQL / with error
b. MsSQL / no error union based
c. MsSQL Blind
d. MySQL union based
e. MySQL Blind
f. MySQL error based
g. Oracle union based
h. Oracle error based
i. PostgreSQL union based
j. MsAccess union based
k. MsAccess Blind
2. HTTPS Support
3. Proxy support
4. Automatic database detection
5. Automatic type detection (string or integer)
6. Automatic keyword detection (finding difference between the positive and negative response)
7. Trying different injection syntaxes
8. Options for replacing space by /**/,+, against IDS or filters
9. Avoid using strings (magic_quotes similar filters bypass)
10. Manual injection syntax support
11. Manual queries with result
12. Bypassing illegal union
13. Fully customizable http headers (like referer, user agent and )
14. Load cookie from site for authentication
15. Real time result
16. Guessing tables and columns in mysql<5 (also in blind) and MsAccess
17. Fast getting tables and columns for mysql
18. Executing SQL query in Oracle database
19. Getting one row in one request (all in one request)
20. Dumping data into file
21. Saving data as XML format
22. View every injection request sent by program
23. Enabling xp_cmdshell and remote desktop
24. Multi thread Admin page finder
25. Multi thread Online MD5 cracker
26. Getting DBMS information
27. Getting tables, columns and data
28. Command execution (mssql only)
29. Reading system files (mysql only)
2 - Sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Features implemented in sqlmap include:
Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched queries support. sqlmap can also test for time based blind SQL injection.
It is possible to provide a single target URL, get the list of targets from Burp proxy requests log file or WebScarab proxy conversations/ folder, get the whole HTTP request from a text file or get the list of targets by providing sqlmap with a Google dork which queries Google search engine and parses its results page. You can also define a regular-expression based scope that is used to identify which of the parsed addresses to test.
Automatically tests all provided GET parameters, POST parameters, HTTP Cookie header values and HTTP User-Agent header value to find the dynamic ones, which means those that vary the HTTP response page content. On the dynamic ones sqlmap automatically tests and detects the ones affected by SQL injection. Each dynamic parameter is tested for numeric, single quoted string, double quoted string and all of these three data-types with zero to two parenthesis to correctly detect which is the SELECT statement syntax to perform further injections with. It is also possible to specify the only parameter(s) that you want to perform tests and use for injection on.
Option to specify the maximum number of concurrent HTTP requests to speed up the inferential blind SQL injection algorithms (multi-threading). It is also possible to specify the number of seconds to wait between each HTTP request.
HTTP Cookie header string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header. You can also specify to always URL-encode the Cookie header.
Automatically handle HTTP Set-Cookie header from the application, re-establishing of the session if it expires. Test and exploit on these values is supported too. You can also force to ignore any Set-Cookie header.
HTTP Basic, Digest, NTLM and Certificate authentications support.
Anonymous HTTP proxy support to pass by the requests to the target application that works also with HTTPS requests.
Options to fake the HTTP Referer header value and the HTTP User-Agent header value specified by user or randomly selected from a text file.
Support to increase the verbosity level of output messages: there exist six levels. The default level is 1 in which information, warnings, errors and tracebacks (if any occur) will be shown.
Granularity in the user's options.
Estimated time of arrival support for each query, updated in real time while fetching the information to give to the user an overview on how long it will take to retrieve the output.
Automatic support to save the session (queries and their output, even if partially retrieved) in real time while fetching the data on a text file and resume the injection from this file in a second time.
Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file.
Option to update sqlmap as a whole to the latest development version from the Subversion repository.
Integration with other IT security open source projects, Metasploit and w3af.
Fingerprint and enumeration features
Extensive back-end database software version and underlying operating system fingerprint based upon inband error messages, banner parsing, function output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
Basic web server software and web application technology fingerprint.
Support to retrieve the DBMS banner, session user and current database information. The tool can also check if the session user is a database administrator (DBA).
Support to enumerate database users, users' password hashes, users' privileges, databases, tables and columns.
Support to dump database tables as a whole or a range of entries as per user's choice. The user can also choose to dump only specific column(s).
Support to automatically dump all databases' schemas and entries. It is possible to exclude the system databases from the dump.
Support to enumerate and dump all databases' tables containing user provided column(s). Useful to identify for instance tables containing custom application credentials.
Support to run custom SQL statement(s) as in an interactive SQL client connecting to the back-end database. sqlmap automatically dissects the provided statement, determines which technique to use to inject it and how to pack the SQL payload accordingly.
Some of these techniques are detailed in the white paper Advanced SQL injection to operating system full control and in the slide deck Expanding the control over the operating system from the database.
Support to inject custom user-defined functions: the user can compile shared object then use sqlmap to create within the back-end DBMS user-defined functions out of the compiled shared object file. These UDFs can then be executed, and optionally removed, via sqlmap too.
Support to read and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
o On MySQL and PostgreSQL via user-defined function injection and execution.
o On Microsoft SQL Server via xp_cmdshell() stored procedure. Also, the stored procedure is re-enabled if disabled or created from scratch if removed.
Support to establish an out-of-band stateful TCP connection between the user machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice. sqlmap relies on Metasploit to create the shellcode and implements four different techniques to execute it on the database server. These techniques are:
o Database in-memory execution of the Metasploit's shellcode via sqlmap's own user-defined function sys_bineval(). Supported on MySQL and PostgreSQL.
o Upload and execution of a Metasploit's stand-alone payload stager via sqlmap's own user-defined function sys_exec() on MySQL and PostgreSQL or via xp_cmdshell() on Microsoft SQL Server.
o Execution of Metasploit's shellcode by performing a SMB reflection attack ( MS) with a UNC path request from the database server to the user's machine where the Metasploit smb_relay server exploit runs.
o Database in-memory execution of the Metasploit's shellcode by exploiting Microsoft SQL Server and sp_replwritetovarbin stored procedure heap-based buffer overflow ( MS) with automatic DEP bypass.
Support for database process' user privilege escalation via Metasploit's getsystem command, which includes, among others, the kitrap0d technique (MS) or via Windows Access Token kidnapping by using Meterpreter's incognito extension.
Support to access (read/add/delete) Windows registry hives.
3 - SQLiX
SQLiX, coded in Perl, is a SQL Injection scanner, able to crawl, detect SQL injection vectors, identify the back-end database and grab function call/UDF results (even execute system commands for MS-SQL). The concepts in use are different from the ones used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (using only function calls).
If you are a developer interested in remediating or avoiding the kinds of SQL Injection vulnerabilities this tool can find, check out the OWASP SQL Injection Prevention Cheat Sheet.
SQLiX is a SQL Injection scanner which attempts to fill the gap between what commercial software available on the market can do and what can really be done to detect and identify SQL injection.
Current injection methods used by commercial web assessment software are based on error generation or statement injections.
The error generation method is quite simple and is based on meta characters like single quotes or double quotes. By injecting these characters in the original SQL request, you generate a syntax error which could result in an SQL error message displayed in the HTTP reply. The main issue with this technique is the fact that it's only based on pattern matching. There is no way to handle multiple languages or complex behaviors when the error message is filtered by the server-side scripts.
The second method used is statement injection. Let's look at an example:
The target URL
The scanner will try to compare the HTML content of the original request with the HTML content of
If the request (1) provides the same result as request (0) and request (2) doesn't, the scanner will conclude that SQL injection is possible. This method works fine, but is very limited by the syntax of the original request. If the original request contains parentheses, store procedures or function calls, this method will rarely work. Worse, if the variable is used by multiple SQL requests, all with different syntaxes, there is no automatic way to make them all work simultaneously.
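To make the three-request comparison concrete, and to show why the OWASP advice on parameterized queries closes it, here is an added example (not code from the original post or from SQLiX) that runs the (0)/(1)/(2) check against two hypothetical handlers over an in-memory SQLite table with constructed rows: one that concatenates the id into the statement and one that binds it as a parameter.

```python
import sqlite3

# Constructed sample rows for the in-memory table (not from the original post).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def vulnerable_page(conn, id_value):
    """Hypothetical handler that concatenates the user value into the SQL text."""
    query = "SELECT name FROM users WHERE id = " + id_value
    try:
        return str(conn.execute(query).fetchall())
    except sqlite3.Error:
        return "error page"  # a syntax error becomes a different HTML page


def safe_page(conn, id_value):
    """Hypothetical handler that binds the user value: it is data, never SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (id_value,)).fetchall()
    return str(rows)


def statement_injection_check(page, conn, base_value):
    """The comparison described above: (0) the original request, (1) an always-true
    condition appended, (2) an always-false condition appended. Returns True only when
    (1) renders like (0) and (2) does not, i.e. the condition reached the SQL engine."""
    r0 = page(conn, base_value)
    r1 = page(conn, base_value + " AND 1=1")
    r2 = page(conn, base_value + " AND 1=2")
    return r1 == r0 and r2 != r0


def compare_handlers():
    """Run the check against both handlers. With the bound parameter, the text
    '1 AND 1=1' is compared as a whole against the integer column, so request (1)
    already differs from (0) and the check correctly reports no injection."""
    conn = make_db()
    return {
        "vulnerable": statement_injection_check(vulnerable_page, conn, "1"),
        "parameterized": statement_injection_check(safe_page, conn, "1"),
    }


if __name__ == "__main__":
    print(compare_handlers())  # {'vulnerable': True, 'parameterized': False}
```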
Frequently you will see more advanced scanners like SQLBrute from sprers.eu trying to reverse engineer the original SQL syntax by injecting multiple requests with different sets of parentheses or commas. This method is a little more time consuming but does provide better results (for free), especially when error messages are not displayed.
Another global issue concerning SQL injection is the fact that pen testers frequently conclude that a given SQL injection vulnerability can't be exploited. By concluding this incorrect statement they are inviting their customers to not patch the vulnerability.
How could SQLiX help to fill the gap?
SQLiX uses multiple techniques to determine if the current server-side script is vulnerable to SQL Injection:
conditional error injection
blind injection based on integers, strings or statements
MS-SQL verbose error messages ("taggy" method)
SQLiX uses UDFs (user defined functions) or function calls, so there is no need to reverse engineer the original SQL syntax
SQLix is able to identify the database version and gather sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
The comparison module of SQLiX is able to deal with complex HTML contents even when they include dynamic ads
SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information
4 - Sqlninja
Sqlninja is finally available!! It's been 2 years since the previous release, and in this time I have been working on completely different things (see the FAQ for more info on this). However, there were some things that really needed to be added to this tool, so here are the new features:
Upload mode is not limited to files of 64k bytes anymore
Uploading files is also *massively* faster
Proxy support (it was ***ing time!)
Support for token kidnapping (thanks Cesar!)
Lots of other minor improvements
The TODO list is not empty yet, and I am already working on which should be out fairly soon.
Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
Have a look at the flash demo and then feel free to download. It is released under the GPLv2
The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:
Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if 'sa' password has been found
Creation of a custom xp_cmdshell if the original one has been removed
Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
Integration with sprers.eu, to escalate privileges to SYSTEM on w2k3 via token kidnapping
Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
Mac OS X
5 - SQLBrute
SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Microsoft SQL Server, and error based exploits on Oracle. It is written in Python, uses multi-threading, and doesn't require non-standard libraries (there is some code in there for pycurl, but it is disabled because it isn't finished).
Website : sprers.eu
Discussion Forum :
Mailing List :
Platforms : Windows, Linux, Unix
Author : Justin Clarke
Contact Email : sprers.eu