jSQL Injection is a lightweight application used to find database information from a distant server.
jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).
jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).
Version 0.3 features:
- GET, POST, header, cookie methods
- Normal, error based, blind, time based algorithms
- Automatic best algorithm selection
- Thread control (start/pause/resume/stop)
- Expose URL calls
- Simple evasion
- Data retrieving progression bar
- Proxy setting
- Distant file reading
- Webshell deposit
- Terminal for webshell commands
- Configuration backup
- Updates checking
- Supports MySQL
Next work:
+ distant table writing [sqli]
+ distant file writing [sqli]
+ reverse tcp shell deposit [sqli]
+ right elevation [sqli]
+ speed increase (non encoding pass): 50% faster [sqli]
+ control all running tasks in a tab [gui]
# speed test comparison with other injection tools [dev]
# automatic code testing (JUnit) [dev]
# wiki pages [site]
+ distant table writing [sqli]
+ distant file writing [sqli]
+ reverse tcp shell deposit [sqli]
+ right elevation [sqli]
+ speed increase (non encoding pass): 50% faster [sqli]
+ control all running tasks in a tab [gui]
# speed test comparison with other injection tools [dev]
# automatic code testing (JUnit) [dev]
# wiki pages [site]
Installation
First, install java. Then download the latest jSQL executable and double click on the .jar file to open the main window (or you may type in a terminal: java -jar jsql-injection-v0.2.jar).
Forum
You can request features and discuss about algorithm, programming and functionality in the discussion group.
Injection and local test
Running injection requires from you the URL for a local or distant server, and the name of parameter to inject.
For a local test, you can save the following PHP code as 'simulate_get.php' and move it to the root folder into your web server (e.g /www), then use http://127.0.0.1/simulate_get.php?lib= in jSQL, and finally click Connect to read the local database safely:
For a local test, you can save the following PHP code as 'simulate_get.php' and move it to the root folder into your web server (e.g /www), then use http://127.0.0.1/simulate_get.php?lib= in jSQL, and finally click Connect to read the local database safely:
<?php
mysql_connect("localhost", "root", "");
mysql_select_db("my_own_database");
$result = mysql_query("SELECT * FROM my_own_table where my_own_field = " . $_GET['lib']) # time based
or die( mysql_error() ); # error based
if( mysql_num_rows($result) !== 0 ) echo " something "; # blind
while( $row = mysql_fetch_array($result, MYSQL_NUM) )
echo join(',',$row); # normal
?>
Coding
Source code can be accessed at the Google Git repository.
Tools used during development: w7 jre7 eclipse easyphp notepad++ egit virtualbox.
Tools used during development: w7 jre7 eclipse easyphp notepad++ egit virtualbox.
Disclaimer
Attacking web-server is illegal without prior mutual consent. The end user is responsible and obeys all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.
Download latest version-
jsql-injection-v0.3.jar
Download other versions from here
Source-
https://code.google.com/p/jsql-injection/
0 comments:
Post a Comment