Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Framework for the aid of exploiting SQL injection

From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 17 Nov 2005 13:48:20 -0500
Hello Roman, 

 The new version of Foundstone's HacmeBank (which I wrote) contains an SQL Injection Database Explorer (Hardcoded to 
HacmeBank but you will get the point), this version allows you to easily explore the scenario where you have a clean 
SQL Injection with verbose error messages.

 The tools shows you all available databases and depending on the access privileges given to the account executing the 
request, you will be able to click on a database to see all tables, click on a table and see all columns, and click on 
a column and see all data.

 This version of Hacmebank will soon be released by Foundstone, but you can get the lastest build from the owasp.net 
website: http://owasp.net/blogs/dinis_cruz/archive/2005/11/15/71.aspx

 Hope this helps

 Dinis Cruz
 Owasp .Net Project
 www.owasp.net

----------------------------------------
From: "David Litchfield" <davidl () ngssoftware com>
Sent: 17 November 2005 13:21
To: "Roman Medina-Heigl Hernandez" <roman () rs-labs com>, <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] Framework for the aid of exploiting SQL injection 

Hi Roman,

Is there any recommended tool which helps to get databases tables,
entries, structure, etc, given a particular SQL injection bug in one
application? I mean, it should *automatically* try different sentences
to figure out the names of the columns and in general, other useful info
from the database. Perhaps a PoC of some of NGSSoftware's papers or a
more elaborated tool...


I've just put up sqlinjector.zip on the databasesecurity.com website ( 
http://www.databasesecurity.com/webapplications.htm ). This is the tool 
(source and exe) you refer to. I never got around to completing it but it 
works as is - I'd rather the code was tidier.
HTH,
David

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: