SQL Injection (SQLI) Tools
• SQLDict
• SQLExec
• SQLbf
• SQLSmack
• SQL2.exe
• SQLPoke
• SQLMap
• SQLNinja
• BSQL Hacker
• BBQSQL
• SQLSus
• Mole
• NGSSQLCrack
• NGSSQuirreL
• SQLPing
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.
Similar to other SQL injection tools you provide certain request information.
SQLdict is a dictionary attack tool for SQL Server.
SQLExec executes commands on compromised MS SQL servers by using xp_cmdshell stored procedure
• uses default sa and NULL password
• usage: SQLExec target
BSQL (Blind SQL) Hacker is an automated SQL Injection Framework / Tool designed to exploit SQL injection vulnerabilities virtually in any database.
• Portcullis no longer maintain the tool
• BSQL Hacker aims for experienced users as well as beginners who want to automate SQL Injections (especially Blind SQL Injections).
• It allows metasploit alike exploit repository to share and update exploits.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
• Features
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
• Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
Safe3 SQL Injector
https://sourceforge.net/projects/safe...
Safe3SI is one of the most powerful and easy usage penetration tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a AI detection engine
Features
Full support for http, https website.
Full support for Basic, Digest, NTLM http authentications.
Full support for GET, Post, Cookie sql injection.
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more...
Whenever relevant, sqlsus will mimic a MySQL console output.
Automatic SQL Injection Exploitation Tool
The Mole is a command line interface SQL Injection exploitation tool. This application is able to exploit both union-based and blind boolean-based injections. Every action The Mole can execute is triggered by a specific command. All this application requires in order to exploit a SQL Injection is the URL(including the parameters) and a needle(a string) that appears in the server's response whenever the injection parameter generates a valid query, and does not appear otherwise.
SQLPing
http://www.sqlsecurity.com/downloads
Информация по комментариям в разработке