Wednesday, January 27, 2016
SQL Injection Fuzzer - sqlifuzzer
sqlifuzzer is a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.
Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.
SQL Injection Fuzzer Features:
ºPayloads/tests for numeric, string, error and time-based SQL injection
ºSupport for MSSQL, MYSQL and Oracle DBMS’s
ºA range of filter evasion options:
case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
ºORDER BY and UNION SELECT tests on vulnerable parameters to:
ºenumerate select query column numbers
ºidentify data-type string columns in select queries
ºextract database schema and configuration information
ºConditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
ºTime delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
ºBoolean response-based XPath injection testing and data extraction
ºSupport for automated detection and testing of parameters in POST URIs and multipart forms
ºScan ‘state’ maintenance:
ºHalt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
ºSpecify a specific request number to resume a scan from
ºOptional exclusion of a customizable list of parameters from scanning scope
ºTracking of parameters scanned and avoidance of re-scanning scanned parameters
ºHTML format output with:
ºlinks/buttons to send Proof of Concept SQL injection requests
ºlinks to response difference files and to extracted data
What do I need to use sqlifuzzer?
sqlifuzzer is built and tested on BackTrack. On all other platforms Your Mileage May Vary; you will need a an OS that can support bash (*nix, cygwin (not tested), etc), curl must be installed and in your path, and ‘replace’ (which is missing from Ubuntu) must also be installed in in your path. Until I implement web spider functionality, sqlifuzzer is dependent upon burp proxy to create log files (not burp state files) which sqlifuzzer uses to build its internal list of fuzz requests. The free version of burp can be used to create these log files. Within Burp go to options > misc and check the proxy requests tick box; browse the target site, populate your log, then pass it to sqlifuzzer.
How does sqlifuzzer work?
sqlifuzzer receives a burp log (which you must create for it) that specifies a bunch of HTTP requests. Requests in the burp log look like this:
======================================================
3:09:54 PM http://192.168.182.136:80
======================================================
POST /orangehrm/menu.php?TEST=1111 HTTP/1.1
Host: 192.168.182.136
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://192.168.182.136/orangehrm/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Cookie: PHPSESSID=bf7u0ad95cbubpcvdjda2bqro3; Loggedin=True; EliteNinja=False
module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
======================================================
sqlifuzzer converts these into it’s own format; a list of all the requests like this:
GET /orangehrm/menu.php?TEST=1111
POST /orangehrm/menu.php?TEST=1111??module=Home&action=UnifiedSearch&search_form=false&tabnumber=1
GET /orangehrm/index.php?module=Contacts&action=index&return_module=Contacts&return_action=DetailView&&print=true
GET /orangehrm/index.php?module=Home&menu_no=0&menu_no_top=home&submenutop=home1
Next, sqlifuzzer looks at what payload types have been specified, and concatenates the relevant files to create a payload list. The list of requests and the payload list are then passed into the main scanning loop. The loop sends a ‘clean’ reference request (by calling out to curl), then, for the first line in the request list, the loop selects the first parameter and replaces this with the first payload and sends the fuzzed request (again via curl). The two responses are then compared; specifically, the response length and the duration of the responses are compared, the response HTTP status codes are examined, and the responses are searched for some common error strings. If anything ‘juicy’ is found, URL and payload information is logged to an output file and printed to the screen. The loop iterates through all payloads before moving on to the next parameter, and so on for each request.
Why was sqlifuzzer created?
Ever wanted to hit every dynamic parameter of a web app with a single quote? That’s how sqlifuzzer started out. At first, it just compared the response lengths. Then I added the ability to iterate over a list of payloads. Then came POST requests, URL encoding, time delay diffing, searching for common error messages, logging, sessions, the ability to define parameters NOT to scan, method swapping, null byte prefixes, POST URIs, DBMS fingerprinting, data extraction, conditional testing, filter evasion options, boolean response-based XPath injection detection and data extraction and support for multipart forms.
Search
Categories
Popular Posts
-
dotenv loads .env files into process.env for Node.js projects, making it useful for configuration hygiene checks, secret-handling review...
-
In this post, we will explore a Python script designed to parse logs containing url:user:pass data. These logs are instrumental in executin...
-
New bug bounty(vulnerabilities) collector Requirements Chrome with GUI (If you encounter trouble with script execution, check the stat...
-
x64dbg is a Windows user-mode debugger for controlled runtime inspection, breakpoint logic, trace collection and patch validation in autho...
-
As cyber threats evolve, so must our strategies to combat them. The deepdarkCTI project serves as a crucial resource, offering access to a c...
-
GTFOcli it's a Command Line Interface for easy binaries search commands that can be used to bypass local security restrictions in mis...
-
As mobile applications become more integral to our daily lives, ensuring their security is paramount. Vulnerabilities in mobile apps can exp...
-
social-analyzer provides API, CLI, and web interfaces for finding and analyzing public profiles across more than 1000 social media and web...
-
Remote adminitration tool for android Features Notifications listener SMS listener Phone call recording Image capturing and sc...
-
RepoReaper is a precision tool designed to automate the identification of exposed .git repositories across a list of domains and subdomai...
Blog Archive
-
►
2026
(3)
- ► 05/24 - 05/31 (3)
-
►
2024
(42)
- ► 05/26 - 06/02 (1)
- ► 05/12 - 05/19 (1)
- ► 05/05 - 05/12 (5)
- ► 03/10 - 03/17 (3)
- ► 02/18 - 02/25 (32)
-
►
2022
(20)
- ► 02/06 - 02/13 (18)
- ► 01/30 - 02/06 (2)
-
►
2018
(69)
- ► 10/14 - 10/21 (4)
- ► 08/26 - 09/02 (7)
- ► 08/12 - 08/19 (4)
- ► 07/15 - 07/22 (2)
- ► 07/08 - 07/15 (6)
- ► 07/01 - 07/08 (3)
- ► 06/17 - 06/24 (2)
- ► 03/04 - 03/11 (2)
- ► 02/18 - 02/25 (1)
- ► 02/04 - 02/11 (3)
- ► 01/28 - 02/04 (7)
- ► 01/21 - 01/28 (6)
- ► 01/14 - 01/21 (12)
- ► 01/07 - 01/14 (10)
-
►
2017
(72)
- ► 12/31 - 01/07 (2)
- ► 12/03 - 12/10 (1)
- ► 11/19 - 11/26 (1)
- ► 11/12 - 11/19 (1)
- ► 10/22 - 10/29 (3)
- ► 10/01 - 10/08 (2)
- ► 09/17 - 09/24 (6)
- ► 09/10 - 09/17 (2)
- ► 09/03 - 09/10 (2)
- ► 08/27 - 09/03 (4)
- ► 07/23 - 07/30 (5)
- ► 07/16 - 07/23 (3)
- ► 06/25 - 07/02 (1)
- ► 06/18 - 06/25 (4)
- ► 05/21 - 05/28 (7)
- ► 05/14 - 05/21 (1)
- ► 05/07 - 05/14 (2)
- ► 04/30 - 05/07 (2)
- ► 04/23 - 04/30 (2)
- ► 04/16 - 04/23 (2)
- ► 03/19 - 03/26 (4)
- ► 01/22 - 01/29 (2)
- ► 01/15 - 01/22 (1)
- ► 01/08 - 01/15 (8)
- ► 01/01 - 01/08 (4)
-
▼
2016
(648)
- ► 12/25 - 01/01 (1)
- ► 12/18 - 12/25 (2)
- ► 12/11 - 12/18 (6)
- ► 12/04 - 12/11 (4)
- ► 11/27 - 12/04 (5)
- ► 11/13 - 11/20 (1)
- ► 11/06 - 11/13 (1)
- ► 10/30 - 11/06 (5)
- ► 10/23 - 10/30 (1)
- ► 10/16 - 10/23 (2)
- ► 10/09 - 10/16 (5)
- ► 10/02 - 10/09 (3)
- ► 09/25 - 10/02 (2)
- ► 09/18 - 09/25 (6)
- ► 09/11 - 09/18 (6)
- ► 09/04 - 09/11 (4)
- ► 08/28 - 09/04 (7)
- ► 08/21 - 08/28 (5)
- ► 08/14 - 08/21 (4)
- ► 08/07 - 08/14 (2)
- ► 07/31 - 08/07 (2)
- ► 07/24 - 07/31 (5)
- ► 07/17 - 07/24 (2)
- ► 07/10 - 07/17 (3)
- ► 07/03 - 07/10 (6)
- ► 06/26 - 07/03 (11)
- ► 06/12 - 06/19 (4)
- ► 06/05 - 06/12 (1)
- ► 05/29 - 06/05 (1)
- ► 05/08 - 05/15 (4)
- ► 04/24 - 05/01 (8)
- ► 04/17 - 04/24 (5)
- ► 04/10 - 04/17 (1)
- ► 04/03 - 04/10 (8)
- ► 03/27 - 04/03 (1)
- ► 03/20 - 03/27 (5)
- ► 03/13 - 03/20 (1)
- ► 03/06 - 03/13 (12)
- ► 02/28 - 03/06 (14)
- ► 02/21 - 02/28 (11)
- ► 02/14 - 02/21 (12)
- ► 02/07 - 02/14 (13)
- ► 01/31 - 02/07 (121)
-
▼
01/24 - 01/31
(34)
- Immunity debugger
- Debugger - Ollydbg
- Interactive Disassembler - IDA
- Popular SQLi and Pentesting Scanner - V3n0M-Scanner
- Tool To Compares A Targets Patch Levels Against Th...
- PowerShell Runspace Post Exploitation Toolkit - p0...
- Open Source Web Server Scanner - NIkto
- Domain Name Permutation Engine For Detecting Typo ...
- Zizzania - Automated DeAuth Attack
- SQL Injection Fuzzer - sqlifuzzer
- Open Source Web Server Scanner - NIkto
- Pentesting VoIP Systems - VIPER VAST 3
- EncFS and TrueCrypt for Android - Cryptonite
- Android Security Evaluation Framework - ASEF
- Network Forensic Analysis - NetworkMiner
- Blind SQL injection - BBQSQL
- Wireless Security Auditing - Fern Wifi Cracker
- Local Pentest Transform Package - Sploitego
- Anonymous - A Guerra no Brasil 2016 (The War in Br...
- The movie - They Live (Portuguese) 1988
- Portable Linux Auditing CD
- Bootable Forensics - snarl
- Data Wiping Software - DBAN
- ATTENTION-DEFICIT-DISORDER - ADD
- OWASP - mantra
- Secure data destruction - wipe
- Secure file deletion - srm
- Anti Forensic Practice - A study of its impact on ...
- TECHNICAL APPLICATION OF ANTI- FORENSIC IN COMPUTE...
- GPU Password Auditing - Cryptohaze
- Vulnerabile Evaluation Platform - WAVSEP
- VoIP Sniffer - UCSniff
- Bluetooth scanner - Bluelog
- A Guerra que a Televisão não Mostra - Um Documentá...
- ► 01/17 - 01/24 (58)
- ► 01/10 - 01/17 (59)
- ► 01/03 - 01/10 (174)
-
►
2015
(26)
- ► 12/27 - 01/03 (1)
- ► 08/30 - 09/06 (8)
- ► 08/23 - 08/30 (16)
- ► 08/16 - 08/23 (1)
Home
Privacy Center
Data Protection
Community
Digital Policy
Security Tools
Online Utilities
Resources
Search Operators
Library

0 comentários:
Post a Comment
Note: Only a member of this blog may post a comment.