Full Disclosure mailing list archives
Re: Framework for the aid of exploiting SQL injection
From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 17 Nov 2005 13:48:20 -0500
Hello Roman, The new version of Foundstone's HacmeBank (which I wrote) contains an SQL Injection Database Explorer (Hardcoded to HacmeBank but you will get the point), this version allows you to easily explore the scenario where you have a clean SQL Injection with verbose error messages. The tools shows you all available databases and depending on the access privileges given to the account executing the request, you will be able to click on a database to see all tables, click on a table and see all columns, and click on a column and see all data. This version of Hacmebank will soon be released by Foundstone, but you can get the lastest build from the owasp.net website: http://owasp.net/blogs/dinis_cruz/archive/2005/11/15/71.aspx Hope this helps Dinis Cruz Owasp .Net Project www.owasp.net ---------------------------------------- From: "David Litchfield" <davidl () ngssoftware com> Sent: 17 November 2005 13:21 To: "Roman Medina-Heigl Hernandez" <roman () rs-labs com>, <full-disclosure () lists grok org uk> Subject: Re: [Full-disclosure] Framework for the aid of exploiting SQL injection Hi Roman,
Is there any recommended tool which helps to get databases tables, entries, structure, etc, given a particular SQL injection bug in one application? I mean, it should *automatically* try different sentences to figure out the names of the columns and in general, other useful info from the database. Perhaps a PoC of some of NGSSoftware's papers or a more elaborated tool...
I've just put up sqlinjector.zip on the databasesecurity.com website ( http://www.databasesecurity.com/webapplications.htm ). This is the tool (source and exe) you refer to. I never got around to completing it but it works as is - I'd rather the code was tidier. HTH, David _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Framework for the aid of exploiting SQL injection Dinis Cruz (Nov 17)