Aplication: SQL Power Injection Ver. 1.2

Product Information

Introduction

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.

If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only there is a possibility to automate tedious and time consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability is more effusive and much faster when the results are displayed on the web page (union select in a HTML table and generated 500 error for instance).

The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or difference between positive condition with a negative one and the second way will turn out positive if the time delay sent to the server equals to the one parameterized in the application.

The main effort done on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice that there is an integrated browser that will display the results of the injection parameterized in a way that any related standards SQL error will be displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative to you as possible.

Another important part of this application is its power to get all the parameters from the web page you need to test the SQL injection, either by GET or POST method. Like this someone won't need to use several applications or a proxy to intercept the data, all is automated! Not only that, but now there is a Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies).

I worked hard on the application usability but I am aware that at first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood it will be quite easy to use afterwards. In order to help a beginner to understand its basic features I created a tutorial that not only will help him out but can also be educative for some advanced SQL injection techniques. Moreover, You will find some great tricks in the FAQ as well and now with the version 1.2 a help file (chm) containing a list of the most useful information for SQL injection.

Also, I designed this application the way I was making my own pen testing and how I was using SQL injection. It has been tested successfully many times on real life web sites (legally of course) and as soon as I see something missing I'm adding it. Now of course that it's officially available to the security community I will have to have more rigors and wait to add them in a new version of the software. This process has already started and many more features will come with time.

Finally, this application will be free of charge and hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible of any misuses or damage caused by this application.

Features

• Supported on Windows, Unix and Linux operating systems
• SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
• SSL support
• Load automatically the parameters from a form or a IFrame on a web page (GET or POST)
• Detect and browse the framesets
• Option that auto detects the language of the web site
• Detect and add cookies used during the Load Page process (Set-Cookie detection)
• Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
• Can create/modify/delete loaded string and cookies parameters directly in the Datagrids
• Single SQL injection
• Blind SQL injection
  • Comparison of true and false response of the page or results in the cookie
  • Time delay
• Response of the SQL injection in a customized browser
• Can view the HTML code source of the returned page in HTML contextual colors and search in it
• Fine tuning parameters and cookies injection
• Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
• Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed

• Multithreading (configurable up to 50)
• Option to replace space by empty comments /**/ against IDS or filter detection
• Automatically encode special characters before sending them
• Automatically detect predefined SQL errors in the response page
• Automatically detect a predefined word or sentence in the response page
• Real time result
• Save and load sessions in a XML file
• Feature that automatically finds the differences between the response page of a positive answer with a negative one
• Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
• Automatic replaying a variable range with a predefined list from a text file
• Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
• Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
• Can edit the Referer
• Can choose a User-Agent (or even create one in the User-Agent XML file)
• Can configure the application with the settings window
• Support configurable proxies

DOWNLOAD HERE