The Professional Security Testers Warehouse for the GPEN GSEC GCIH GREM CEH QISP Q/ISP OPST CPTS: SQL Security


Bizploit -- ERP Penetration Testing Framework
Posted by cdupuis on Tuesday, 01 June 2010 @ 21:35:56 EDT (1283 reads)
Topic SQL Security

Dear colleague,

We are proud to announce the release of Onapsis Bizploit, the first open source ERP Penetration Testing framework.

Presented at the renowned HITB Dubai security conference, Bizploit is expected to provide the security community with a basic framework to support the discovery, exploration, vulnerability assessment and exploitation of ERP systems.

The term "ERP Security" has been so far understood by most of the IT Security and Auditing industries as a synonym of “Segregation of Duties”. While this aspect is absolutely important for the overall security of the Organization's core business platforms, there are many other threats that are still overlooked and imply much higher levels of risk.

Onapsis Bizploit is designed as an academic proof-of-concept that will help the general community to illustrate and understand these kinds of risks.

Currently Onapsis Bizploit provides all the features available in the sapyto GPL project, plus several new plugins and connectors focused on the security of SAP business platforms. Updates for other popular ERPs are to be released in the short term.

You can download the software freely from http://www.onapsis.com

Best regards,

The Onapsis Research Labs Team

Onapsis S.R.L
Email: research@onapsis.com
Web: www.onapsis.com
PGP: http://www.onapsis.com/pgp/research.asc



sqlninja 0.2.5 released!
Posted by cdupuis on Sunday, 09 May 2010 @ 12:32:24 EDT (1528 reads)
Topic SQL Security

Anonymous writes "

Hello security enthusiasts, It's been 2 years, but a new version of sqlninja is out at Sourceforge!

Introduction
============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide an interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at the address http://sqlninja.sourceforge.net

What's new
==========

# Proxy support (it was about time!)
# No more 64k bytes limit in upload mode
# Upload mode is also massively faster
# Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
# Other minor improvements

What's not so new
=================

# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
# Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
# Privilege escalation to sysadmin group if 'sa' password has been found
# Creation of a custom xp_cmdshell if the original one has been removed
# Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
# Evasion techniques to confuse a few IDS/IPS/WAF
# Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

Happy hacking !

-- icesurfer
"



DBAPPSecurity web application scanner MatriXay 3.6 was released
Posted by cdupuis on Tuesday, 30 March 2010 @ 11:04:57 EDT (1296 reads)
Topic SQL Security

DBAPPSecurity web application scanner MatriXay 3.6 was released.
 
Web Application Vulnerabilities Scanner (MatriXay 3.6) not only has remarkable scanning ability, but also provides powerful penetration testing functions and web Trojan detection.
 
MatriXay 1.0 was first released at the BlackHat Security Conference and Def-Con in August 2006; then in December 2007, version 2.0 was released and it played an important role in Web security protection for the 2008 Olympic Games.

Released in 2009, MatriXay 3.0 not only has remarkable scanning ability, but also provides powerful penetration testing tools and web Trojan detection. Therefore it is appraised as “The Best Web Security Evaluation Tool”.

MatriXay 3.6 was released recently:

Features:

  • In-depth Scan: risk-oriented in-depth scanning of a web application can access back-end database information and the web application list.
  • Web Vulnerability Detection: detects all kinds of typical web vulnerabilities deeply (such as SQL injection, XPath injection, XSS, form bypass, weak form passwords, all kinds of CGI vulnerabilities).
  • Web Trojan Detection: analyzes a variety of linked Trojans automatically, effectively and intellectually; makes an accurate analysis of the spreading Trojan virus type; locates the web Trojan host.
  • Penetration Testing: makes a deep analysis of the target web application and implements sound attacks to obtain direct evidence of system security threats by imitating the vulnerability discovery techniques and attack methods a hacker would apply to the current vulnerability.
  • DB Audit: by fully simulating a hijack attack through the current weakness, realizes the database audit function and obtains configuration information such as background database connection information, database name, database version, data dictionary, etc.

Benefits:

  • Complete, in-depth and accurate assessment of web application vulnerabilities can effectively enhance the active defense capabilities.
  • Flexible and defined scanning working pattern
  • Deep and intellectual Scan Engine
  • Unique "evidence" model to ensure accurate and reliable results of the assessment
  • Baseline audit of more than 10 kinds of database
  • Complete risk assessment report
  • Risk assessment report can support all kinds of file formats and can fully customize the content
  • No third-party software support for installation and operation


 
For more information, please check http://www.dbappsecurity.com/webscan.html

For a demo and free trial version, please check http://www.dbappsecurity.com/Download.html
 
Thanks

DBAPPSecurity  




sqlmap 0.8 has been released
Posted by cdupuis on Thursday, 18 March 2010 @ 01:00:00 EDT (882 reads)
Topic SQL Security

Hi,

I am glad to release sqlmap version 0.8.

Introduction
============

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers. It comes with a broad range of features lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Changes
=======

Some of the new features include:

* Support to enumerate and dump all databases' tables containing user provided column(s) by specifying for instance '--dump -C user,pass'. Useful to identify for instance tables containing custom application credentials (Bernardo).

* Support to parse -C (column name(s)) when fetching columns of a table with --columns: it will enumerate only columns like the provided one(s) within the specified table (Bernardo).

* Support for takeover features on PostgreSQL 8.4 (Bernardo).

* Enhanced --priv-esc to rely on new Metasploit Meterpreter's 'getsystem' command to elevate privileges of the user running the back-end DBMS instance to SYSTEM on Windows (Bernardo).

* Automatic support in --os-pwn to use the web uploader/backdoor to upload and execute the Metasploit payload stager when stacked queries SQL injection is not supported, for instance on MySQL/PHP and MySQL/ASP, but there is a writable folder within the web server document root (Bernardo and Miroslav).

* Added support for regular expression based scope when parsing Burp or Web Scarab proxy log file (-l), --scope (Miroslav).

* Major bug fix and enhancements to the multi-threading (--threads) functionality (Miroslav).

Complete list of changes at:
https://svn.sqlmap.org/sqlmap/trunk/sqlmap/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.8.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.8-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.8-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.8_exe.zip

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* Conferences' material (whitepaper and slides): http://sqlmap.sourceforge.net/#docs

Contribute
==========

I am looking for security geeks who can write some "clean" Python code, know about web application security, database takeover, post-exploitation techniques, software refactoring and are motivated to join the development team. If you are interested, please get back to me (bernardo.damele@gmail.com).

If you have no clue what the tool is about, are excited about joining the effort, but have never written a single line of code, or you only want to appear in the AUTHORS file, please don't waste my and your time.

For the sceptical... No, it's not only about web applications. Yes, it also helps you get a command prompt on the target system. Yes, it can be used to privilege escalate to SYSTEM if the target system is Windows.

Not yet convinced that this tool is worth a try? Get some popcorn, head to http://sqlmap.sourceforge.net/demo.html and watch some video demonstrations.

Happy hacking!
Bernardo and Miroslav




SQL Injection and Parameter Manipulation Video Clips
Posted by cdupuis on Wednesday, 03 March 2010 @ 10:13:58 EST (681 reads)
Topic SQL Security

NOTE FROM CLEMENT:
These two videos are very nice videos that demonstrate in simple terms what SQL Injection is and also what Parameter Tampering is. The purpose is not to learn everything there is to know about the subject, that would take weeks; the goal is to educate people and developers on the issue. They are great because of their short length and I like the animations as well. One picture is worth a thousand words, they say. In this case one minute of video clip is worth 10 minutes of talks. I will most certainly use them in some of my classes. Job well done. Clement

One of the biggest challenges of the security community is to build true SDLC (Secure development Life Cycle).

The biggest obstacle is that application developers at large lack the know-how and motivation to address application risk. 

At Checkmarx labs we thought that a new approach to application developers might help them cross the barrier.
As a pilot, we have developed two short animated clips that should help developers understand security flaws, how they can be detected and consequently prevented.

We built one clip for SQL Injection and another for Parameter Tampering - limited up to 5 minutes each.

We would appreciate feedback from the OWASP community on whether the effort is meaningful and whether it should be extended.

Please feel free to use the clips freely.

The clips can be found at:

SQL Injection : http://www.youtube.com/watch?v=vjDrseRLyuA&hd=1

Parameter Tampering: http://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1

Yours,

Maty Siman, CISSP
CTO
Checkmarx




Sqlmap version 0.7 has been released
Posted by cdupuis on Thursday, 06 August 2009 @ 21:01:06 EDT (1660 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.7.

Introduction
============

sqlmap is an open source command-line automatic SQL injection tool.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


Changes
=======

Along with all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:

* Adapted Metasploit wrapping functions to work with latest 3.3 development version too.
* Adjusted code to make sqlmap 0.7 work again on Mac OSX too.
* Reset takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
* Minor improvement so that sqlmap tests also all parameters with no value (e.g. par=).
* HTTPS requests over HTTP proxy now work on Python 2.4, 2.5 and 2.6+.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.7-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7_exe.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
"



sqlmap version 0.7rc1 has been released
Posted by cdupuis on Thursday, 21 May 2009 @ 07:13:47 EDT (1149 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.7rc1.

WARNING: This release is a candidate; it only works on Linux, so please do not complain that it does not work on your Windows or Mac OS X systems.

Introduction
============

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


Changes
=======

Some of the new features include:

* Added support to execute arbitrary commands on the database server underlying operating system either returning the standard output or not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell() stored procedure on Microsoft SQL Server;

* Added support for out-of-band connection between the attacker box and the database server underlying operating system via stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;

* Added support for out-of-band connection via Microsoft SQL Server 2000 and 2005 'sp_replwritetovarbin' stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;

* Added support for out-of-band connection via SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit;

* Added support to read and write (upload) both text and binary files on the database server underlying file system for MySQL, PostgreSQL and Microsoft SQL Server;

* Added database process' user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter's incognito extension or Churrasco stand-alone executable.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in two formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.tar.gz
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.7rc1.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* "Advanced SQL injection to operating system full control" whitepaper[1] and slides[2] presented at Black Hat Europe 2009 in Amsterdam (The Netherlands) on April 16, 2009

[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +447788962949 (UK), +393493821385 (IT)
PGP Key ID: 0x05F5A30F

"



A new version of sqlsus has been released
Posted by cdupuis on Friday, 10 April 2009 @ 20:55:09 EDT (1002 reads)
Topic SQL Security

Hi everyone,

A new version of sqlsus has been released and is available at http://sqlsus.sf.net/

You will find on the website a description of the features, along with some documentation and flash demos showing how the tool can be used.

sqlsus is a MySQL injection and takeover tool, written in Perl. Via a command line interface that mimics a mysql console, you can retrieve the database structure / contents, inject a SQL query, download files from the web server, upload and control a backdoor, and much more...

It is designed to maximize the amount of data gathered per web server hit, making the best use (I can think of) of MySQL functions to optimize the available injection space. sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of which are really specific to this DBMS.


What's new
==========

- Full SQLite backend, storing queries / results as they come, database structure, variables... into a local SQLite database.
- Added "clone" command to clone some columns, a table, or the full database into a local SQLite database.
- "clone" has a resume ability, allowing it to continue across sessions.
- Rewrite of the blind injection engine (A LOT faster now):
  - keep all the threads busy with micro tasks (huge speed improvement)
  - regular expression matching for each item, prior to bruteforcing (huge drop in the number of hits required)
  - progress meter
- Added cookie support.
- Possibility to change the current database ("use xxx"), and still be able to use all the commands transparently.
- Better query shortening, allowing even more data to be fetched per server hit.
- Got rid of IPC::Shareable, using socketpair() instead.
- Use of BINARY for inband injections, to avoid collation issues.
- Inband injection is now only contained in subqueries, to allow more complex SQL injection scenarios.
...

The full CHANGELOG can be found in the tarball or at http://sqlsus.sf.net/download.html

Download and enjoy :)

- sativouf




sqlmap version 0.6.4 has been released
Posted by cdupuis on Friday, 06 February 2009 @ 12:49:00 EST (949 reads)
Topic SQL Security

Anonymous writes "

Hi,

I am glad to release sqlmap version 0.6.4.

Introduction
============

sqlmap is an open source command-line automatic SQL injection tool developed in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.


Changes
=======

Some of the new features include:

* Major enhancement to make the comparison algorithm work properly also on URLs that are not stable, automatically, by using the difflib SequenceMatcher object.
* Major enhancement to support SQL data definition statements, SQL data manipulation statements, etc. from the user in SQL query and SQL shell if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are specified and one of them is not reachable.


Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.4-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.4_exe.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F

"



sqlmap version 0.6.1 has been released
Posted by cdupuis on Tuesday, 25 November 2008 @ 23:00:00 EST (961 reads)
Topic SQL Security

Hi,

I am glad to release sqlmap version 0.6.1.

Introduction
============

sqlmap is an automatic SQL injection tool developed in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Changes
=======

Some of the new features include:

* Added a Metasploit Framework 3 auxiliary module to run sqlmap;

* Implemented possibility to test for and inject also on LIKE statements;

* Implemented --start and --stop options to set the first and the last table entry to dump;

* Added non-interactive/batch-mode (--batch) option to make it easy to wrap sqlmap in Metasploit and any other tool.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6.1-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.1_exe.zip


Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/

Happy hacking!

-- Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobiles: +39-3493821385 (IT), +44-(0)7788962949 (UK)
PGP Key ID: 0x05F5A30F



sqlmap an automatic SQL injection
Posted by cdupuis on Wednesday, 03 September 2008 @ 23:03:39 EDT (8087 reads)
Topic SQL Security

Hi,

I am glad to release sqlmap version 0.6.

Introduction
============

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Changes
=======

Some of the new features include:

* Added multithreading support to set the maximum number of concurrent HTTP requests.

* Implemented SQL shell (--sql-shell) functionality and fixed SQL query (--sql-query, before called -e) to be able to run whatever SELECT statement and get its output in both inband and blind SQL injection attacks.

* Added an option (--privileges) to retrieve DBMS users' privileges; it also notifies if the user is a DBMS administrator.

* Added support (-c) to read options from a configuration file (an example of a valid INI file is sqlmap.conf) and support (--save) to save command line options to a configuration file.

* Implemented support for HTTPS requests over HTTP(S) proxy.

* Enhanced logging system: added three more levels of verbosity to show also HTTP sent and received traffic.

Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.


Download
========

You can download it in various formats:

* Source gzip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.gz
* Source bzip2 compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.tar.bz2
* Source zip compressed, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6.zip
* DEB binary package, http://downloads.sourceforge.net/sqlmap/sqlmap_0.6-1_all.deb
* RPM binary package, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6-1.noarch.rpm
* Portable executable for Windows that does not require the Python interpreter to be installed on the operating system, http://downloads.sourceforge.net/sqlmap/sqlmap-0.6_exe.zip

Note: the subversion repository is not accessible anymore so the only way to get the new release is to download it from one of the above links.

Documentation
=============

* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf

* sqlmap developer's documentation: http://sqlmap.sourceforge.net/dev/


Happy hacking!

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile number: +39-3493821385




Deep Blind SQL Injection
Posted by cdupuis on Friday, 29 August 2008 @ 10:32:25 EDT (8108 reads)
Topic SQL Security

With Deep Blind SQL Injection, reading data is more complex than in classic blind injection. However, it is still possible to retrieve data, and moreover it is possible with a 66% reduction in the number of requests made to the server, requiring two rather than six requests to retrieve each char.

Related Applications

  • BSQL brute forcer V2: Updated version of the Blind SQL Injection Brute Forcer from www.514.es. Works against PostgreSQL, MySQL, MSSQL and Oracle and supports custom SQL Queries.
  • BSQL Hacker: BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities in virtually any database.

Related Presentations

PDF Paper - Deep Blind SQL Injection

MD5: 139CCA843EE5C8F014350A551133AF6D
SHA1: 649F08CFF6FC22FA6CF8AD1A5CD7F84D4008B53E



Deep Blind SQL Injection
Posted by cdupuis on Wednesday, 20 August 2008 @ 22:34:56 EDT (7327 reads)
Topic SQL Security

With Deep Blind SQL Injection, reading data is more complex than in classic blind injection. However, it is still possible to retrieve data, and moreover it is possible with a 66% reduction in the number of requests made to the server, requiring two rather than six requests to retrieve each char.

Download White Paper




Pangolin Sql Injection tool version 1.2.5.604 has been released
Posted by boss on Sunday, 18 May 2008 @ 18:57:25 EDT (6233 reads)
Topic SQL Security

Anonymous writes "Hi, all: I'm glad to tell you that Pangolin, the wonderful Sql injection tool, has been updated to version 1.2.5.604. You can download it from here: http://www.nosec.org/web/pangolin

Pangolin is a GUI tool running on Windows to perform as much pen-testing as possible through SQL injection. This version now supports the following databases and operations:

* MSSQL : Server information, Data, CMD execute, Regedit, Write file, Download file, Read file, File Browser...
* MYSQL : Server information, Data, Read file, Write file...
* ORACLE : Server information, Data, Accounts cracking...
* PGSQL : Server information, Data, Read file...
* DB2 : Server information, Data, ...
* INFORMIX : Server information, Data, ...
* SQLITE : Server information, Data, ...
* ACCESS : Server information, Data, ...
* SYBASE : Server information, Data, ...
etc.

And supports:

* HTTPS support
* Pre-Login
* Proxy
* Specify any HTTP headers (User-agent, Cookie, Referer and so on)
* Bypass firewall setting
* Auto-analyzing keyword
* Detailed check options
* Injection-points management
etc.

What's different from the others?

* Ease-of-use : What I try to do is make pen-testers care more about the result, not the process. All you should do is click the buttons.
* Amazing Speed : so many people told you things about brute-force SQL injection, is it really necessary? Forget char-by-char, we can go row-by-row (of course, not every injection-point can do this).
* The exact check method : do you really think automated tools like AWVS, APPSCAN can find all injection-points? So, whatever, just check it out, and then enjoy your feeling ;)"



sqlninja 0.2.2 has been released
Posted by boss on Tuesday, 22 January 2008 @ 17:53:40 EST (5306 reads)
Topic SQL Security

cdupuis writes "A new version of sqlninja is out at Sourceforge!

Introduction
============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at http://sqlninja.sourceforge.net

What's new
==========

# Evasion techniques, in order to obfuscate the injected code and confuse/bypass signature-based IPS and application firewalls
# A more sophisticated upload module
# A new 'blind execution' attack mode, useful to issue commands and perform diagnostics when other modes fail
# Automatic URL-encoding now is performed only on sqlninja generated SQL code, giving the user a more granular control on the exploit strings
# Several other minor improvements

What's not so new
=================

# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, authentication mode)
# Bruteforce of 'sa' password, both dictionary-based and incremental
# Privilege escalation to 'sa' if its password has been found
# Creation of a custom xp_cmdshell if the original one has been disabled
# Upload of netcat.exe (or any other executable) using only 100% ASCII GET/POST requests, so no need for FTP connections
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Happy hacking !

-- icesurfer "



All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2003-2008 by Clement Dupuis and Nathalie Lambert (Site Maintainers).