Tool: SQL Power Injector 1.2

"SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.

If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only is there a possibility to automate tedious and time-consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability are more effusive and much faster when the results are displayed on the web page (union select in an HTML table and generated 500 error for instance).

The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or difference between a positive condition and a negative one and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application."

Announcement Link: http://www.webappsec.org/lists/websecurity/archive/2007-07/msg00018.html
Download Link: www.sqlpowerinjector.com

