sqlifuzzer: Command Line SQL Injection Web Scanner

by 날으는물고기 2012. 4. 17.

Features of Sqlifuzzer:

  • Payloads/tests for numeric, string, error and time-based SQL injection
  • Support for MSSQL, MySQL and Oracle DBMSs
  • Automated testing of ‘tricky’ parameters like POST URL query and multipart form parameters
  • A range of filter evasion options:
    • case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
  • ORDER BY and UNION SELECT tests on vulnerable parameters to:
    • enumerate select query column numbers
    • identify data-type string columns in select queries
    • extract database schema and configuration information
  • Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
  • Boolean response-based XPath injection testing and data extraction
  • Support for automated detection and testing of parameters in POST URIs and multipart forms
  • Scan ‘state’ maintenance:
    • Halt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
    • Specify a specific request number to resume a scan from
  • Optional exclusion of a customizable list of parameters from scanning scope
  • Tracking of parameters scanned and avoidance of re-scanning scanned parameters
  • HTML format output with:
    • links/buttons to send Proof of Concept SQL injection requests
    • links to response difference files and to extracted data 
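
The filter evasion options listed above are the reason a signature matched against raw request data misses injections. The following is an added example, not part of sqlifuzzer or the original post: a detector-side canonicalizer in Python that undoes case variation, double URL encoding, comments for spaces and null/CRLF prefixes, and checks query and body together so a GET/POST swap does not change the verdict. The `SIGNATURE` rule, the request dictionary fields and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Stand-in signature for illustration (assumption); a real rule set is far larger.
SIGNATURE = re.compile(r"\bunion\s+(?:all\s+)?select\b")

def canonicalize(value, max_rounds=3):
    """Reduce a parameter value to the form the DBMS would effectively parse."""
    for _ in range(max_rounds):                  # double URL encoding
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # comments for spaces
    value = re.sub(r"[\x00\r\n]+", " ", value)             # null and CRLF prefixes
    return re.sub(r"\s+", " ", value).strip().lower()       # case variation

def inspect(request):
    """Return (naive_hit, canonical_hit) for one request dict."""
    # Query and body are checked together, whatever the HTTP method says.
    data = request.get("query", "") + "&" + request.get("body", "")
    naive = bool(SIGNATURE.search(data))
    canonical = bool(SIGNATURE.search(canonicalize(data)))
    return naive, canonical

def missed_by_naive(requests):
    """Indexes of requests that only the canonical check flags."""
    missed = []
    for index, request in enumerate(requests):
        naive, canonical = inspect(request)
        if canonical and not naive:
            missed.append(index)
    return missed

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"method": "GET", "query": "id=1 union select 1,2", "body": ""},
    {"method": "GET", "query": "id=1 UnIoN SeLeCt 1,2", "body": ""},
    {"method": "GET", "query": "id=1%2520union%2520select%25201", "body": ""},
    {"method": "POST", "query": "", "body": "id=1/**/union/**/select/**/1"},
    {"method": "GET", "query": "q=student+union+elections", "body": ""},
]

if __name__ == "__main__":
    for index in missed_by_naive(SAMPLES):
        print("raw signature missed request", index, SAMPLES[index])
```

Nesting, ‘like’ for ‘equals’ and intermediary characters are not covered by this canonicalizer and need rules of their own.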

The only feature sqlifuzzer does not have as of now is a web spider. Because of this, it depends on Burp Proxy log files to build its internal list of fuzz requests. This feature is available in the free version of Burp Suite.

It depends on certain pre-defined files, which can be edited to include your own content. For example, you can add your own MySQL, Oracle or MSSQL payloads, add your own time delay payloads, etc. All of these files can be found in the payload directory.

Presumably, sqlifuzzer depends on Burp Suite. Additionally, you need bash, cURL and replace. Some systems do need a few modifications. Sqlifuzzer is built and tested on BT5-R1 and does run flawlessly.

Download Sqlifuzzer:

Sqlifuzzer 0.5g (sqlifuzzer-0.5g.tgz): http://sqlifuzzer.googlecode.com/files/sqlifuzzer-0.5g.tgz



Source: PenTestIT
