Posts Tagged ‘SQL Injection’

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. With it a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

What sets Havij apart from similar tools is its injection methods: its success rate against injection-vulnerable targets is more than 95%.

The user-friendly GUI (Graphical User Interface) of Havij, together with its automated settings and detection, makes it easy to use for everyone, even amateur users.

Havij - SQL Injection Tool

A free version is available, and a more fully featured commercial edition is available here.

You can download Havij v1.12 Free Edition here:


Or read more here.

Safe3 SQL Injector is one of the most powerful penetration testing tools that automate the process of detecting and exploiting SQL injection flaws and taking over back-end database servers.


  • Full support for GET/POST/Cookie injection
  • Full support for HTTP Basic, Digest, NTLM and certificate authentication
  • Full support for MySQL, Oracle, PostgreSQL, MSSQL, Access, DB2, Sybase & SQLite
  • Full support for error-based, UNION-based, blind and force SQL injection
  • Support for file access, command execution, IP-to-domain reverse lookup, web path guessing, MD5 cracking, etc.
  • WAF bypass

more info & download

Netsparker is a web application security scanner that claims to be false-positive free. The developers reasoned that if you have to investigate every single identified issue manually, there is little point in having an automated scanner. So they developed a new technology that can confirm vulnerabilities on demand, which allowed them to build what they describe as the first false-positive-free web application security scanner.

When Netsparker identifies an SQL injection, it can work out how to exploit it automatically and extract the version information from the application. When the version is successfully extracted, Netsparker reports the issue as confirmed so that you can be sure it is not a false positive.

The same applies to other vulnerabilities such as XSS (cross-site scripting), where Netsparker loads the injection in an actual browser and observes the execution of JavaScript to confirm that the injection will really be executed in the browser.

Thanks to its comprehensive and powerful JavaScript engine it is possible to simulate a real attacker successfully. This means it can analyse websites that rely on AJAX and JavaScript.

You don't need to be a security expert, get training or read a long manual to start. Since the user interface is easy to use and can confirm and show you the impact, you can just fire it up and start using it.

Netsparker - Community Edition

You can download Netsparker – Community Edition here:


Or read more here.


On July 6th, 2009 a zero-day vulnerability in a component of the Windows operating system controlling MPEG2 videos became publicly distributed. The attack code is currently present on several malware servers in Asia and is being used to infect unwitting clients who have been redirected to these servers. This vulnerability allows remote control of clients who are pushed to malicious web servers via XSS or phishing techniques. Microsoft has not issued a patch for this vulnerability, but it has recommended a common workaround for dealing with ActiveX vulnerabilities, which we have included below under 'Recommended Preventive Actions'. Only older versions of Windows (2000, XP, 2003) are vulnerable, as Vista and later operating systems have an architecture which prevents the vulnerable code from being exposed to the malicious control object. Major IDS/IPS/AV vendors have released signatures to detect exploits against this vulnerability.

Severity: MEDIUM

We consider this to be a 'medium' severity event. We have not, to date, seen high infection rates amongst our monitored networks, but vendors are only now releasing signatures to detect the exploit coming back from a malicious web server to a vulnerable client. This exploit is not related to any worms, but is being used to install Trojan software which may then perform additional attacks on vulnerable hosts via other exploit vectors. While normally we would give ActiveX exploits a low severity, over the past 18 months there has been such a proliferation of SQL injection attacks resulting in legitimate ASP.NET sites unwittingly serving up malicious JavaScript that 'trusting' the intention of a site is no longer prudent surfing behaviour. We feel that the multitude of hacked web environments hosting active pages with malicious JavaScript inclusions, coupled with newer methods of attack obfuscation, and the knowledge that MPEG2 is an EXTREMELY popular media format, justifies this severity.

How to Determine Whether You Are Vulnerable:

All 2003 and XP systems will be vulnerable to this unless specific actions have been taken, namely:
[1] ActiveX has been disabled altogether (not recommended in many environments)
[2] Internet Explorer is not used at all
[3] Windows Media software has been disabled by some third-party application
[4] Updated A/V software is in place which detects the attack and mitigates it
[5] The kill-bit has been set for the ActiveX control object (CLSID 0955AC62-BF2E-4CBA-A2B9-
[6] An automated scan has been performed on hosts that are in the Windows 2003/XP tranche of operating systems.
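As an added example (not part of the original advisory), the following PowerShell script checks whether the Internet Explorer kill-bit (the 0x400 flag in the control's "Compatibility Flags" value) is set for a given CLSID, and can set it when run with `-Set` from an elevated prompt. The CLSID parameter below is a placeholder, since the advisory only prints a truncated value; substitute the full CLSID from Microsoft's bulletin.

```powershell
# Added example, not from the advisory: check/set the IE ActiveX kill-bit for one CLSID.
# The default CLSID is a PLACEHOLDER; pass the real one from the vendor bulletin.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder, replace
    [switch]$Set
)

$KillBit = 0x400   # COMPAT_KILLBIT: IE refuses to instantiate the control when this flag is set
$Key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-KillBitState {
    # Returns $true when the kill-bit flag is present in "Compatibility Flags".
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

if (Get-KillBitState -Path $Key) {
    Write-Output "Kill-bit already set for $Clsid"
} elseif ($Set) {
    # Preserve any other compatibility flags already present; only OR in the kill-bit.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBit)
    Set-ItemProperty -Path $Key -Name 'Compatibility Flags' -Value $new -Type DWord
    Write-Output "Kill-bit set for $Clsid"
} else {
    Write-Output "Kill-bit NOT set for $Clsid (run with -Set as Administrator to apply)"
}
```

On 64-bit hosts the same key also exists under Wow6432Node for 32-bit Internet Explorer, so check both paths there.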

Recommended Preventive Actions:

Oddly, Microsoft has found that no ActiveX control objects which interface with MSvidctl.dll are needed by Internet Explorer. On Windows XP and 2003 systems they may all be safely disabled by using the tool Microsoft provides at URL: Later systems such as Windows Vista, 2008 and 7 do not appear to be vulnerable.

How to Detect Potential Attacks:

Intrusion detection system vendors have recently released signatures to detect some facet of this attempted exploit. We are currently investigating the efficacy of these signatures and will be updating managed and monitored devices accordingly.
TippingPoint
Popular antivirus software is detecting attacks as 'JS/Exploit.CVE-2008-0015.A.Gen trojan'.

What to do if You Have Been Attacked:

Typically workstations, laptops and desktops running XP or 2003 are the ones likely to fall victim to this type of attack. We recommend consulting your security policy for the incident response procedure as it pertains to the compromised asset. Infection should be considered serious, and Windows MSRT may or may not be enough to remove the Trojan software that the attacker has installed.

Detailed Analysis:

From Microsoft:
Customers who are using Windows Vista or Windows Server 2008 are not affected because the ability to pass data to this control within Internet Explorer has been restricted.

By default, Internet Explorer on Windows Server 2003 and 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted Web content on a server. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone. See also Managing Internet Explorer Enhanced Security Configuration.

By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Suggested Reading:

Microsoft has developed a new security offering called HELLOSECUREWORLD.COM. It is a program to engage developers in a fun and exciting way to build knowledge about security in application development. In addition, developers can share information about secure coding for today's internet-based computing environment. The program features an array of online and offline activities ranging from MSDN events to security virtual labs to video presentations on a new website, covering topics such as:


* XSS (Cross Site Scripting)
* SQLi (SQL Injection)
* Canonicalization Attack
* CSRF (Cross Site Request Forgery)
* Integer Overflow/Underflow
* Etc…

To access the labs go to: HelloSecureWorld

Fancy going from a SQL injection on Microsoft SQL Server to full GUI access on the DB? Take a few SQL injection tricks, add a couple of remote pokes at the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well, and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted at exploiting SQL injection vulnerabilities in a web application that uses Microsoft SQL Server as its back end. Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is intended for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered. Have a look at the flash demo and then feel free to download it.


The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:

  • Fingerprinting of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Brute-forcing of the 'sa' password (in 2 flavours: dictionary-based and incremental)
  • Privilege escalation to the sysadmin group if the 'sa' password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP port scan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bind shell, both TCP and UDP
  • DNS-tunnelled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF products
  • Integration with Metasploit3, to obtain graphical access to the remote DB server through a VNC server injection

Platforms supported

Sqlninja is written in Perl and should run on any UNIX-based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

Sqlninja does not run on Windows.