Wednesday, August 27, 2008

The best SQL Injection tools classified

| Armando Romeo |

Continuing my review of the best penetration testers tools, it's time to face the most dangerous vulnerability a website may suffer in regards to data protection : SQL Injection.
I'm not going through the sql injection basis as we already have a nice guide in depth and there is a number of references on the internet.
But I'm going to make some rough classification of every tool listed so that this can serve as a quick reference.

I am going to list here the most used tools for sql injection exploitation. There are some others to find the sql injection in a website as well. But this shouldn't be an issue for a professional.

The explotitaion tools work for different kind of DBMS and using different techniques such as error based sql injection, inband or union based sql injection and blind sql injection.

To date, MS SQL Server is the DBMS that has the highest number
of attacking tools available. It is prone to error based sql injection thus retrieving data from it is as easy as providing the vulnerable url to tools like Priamos and Absinthe and clicking a button.
These tools are not free from bugs. Sometimes they fail to receive correct data, but if you're not a script kiddie there's no way you can miss it.

Priamos

  • Works on SQL server only
  • Enumerates databases, tables and data in a very nice GUI
  • The only big problem is that it works only with GET requests, unless you make it pass through a proxy to change the request to POST and shift the query string to the http request payload.
  • Allows for proxy tunneling
  • Very fast

Absinthe
Beside some bugs that affect the tool, 2.0b version works with

  • Blind sqli
  • Error based sqli
and does a better job than 1.41 version.

Blind mode supports: SQL Server, Postgre, Sybase, Oracle.
Error based mode supports SQL Server

  • good GUI from which fine tuning the injection parameters and additional options like authentication.


Injection is feasible through

  • POST
  • GET
  • COOKIE

Allows for proxy tunneling

SQLMap
It's the best tool to deal with Mysql sql injections. The only tool that does the job sometimes.

  • It's python powered so it's cross platform.

It supports:

  • MySQL
  • Oracle
  • PostgreSQL
  • Microsoft SQL Server.

SQLmap supports two operating modes:

  • Blind SQLi
  • Inband (Union) Sqli

Before going for Blind sql injection, that is slow and requires a lot of requests to the server, it is possible to check for UNION based sqli availability that gives faster results.

SQLmap performs blind sqli recognition through hashes of the http response text. It is possible to specify the string to match in the response text when the case is TRUE. A very needed feature sometimes.

It supports injection into

  • GET
  • POST
  • COOKIE
  • USER-AGENT

and retrieves:

  • databases username and password
  • DBMS version
  • databases
  • tables
  • data
It allows to execute custom SQL queries as if you were on a real SQL client connected to the remote DBMS. This saves a lot of time and allows for very sophisticated data retrieval.

More options are:

  • proxy support
  • google dorks
  • remote file retrieval.

In the tool package a very nice guide on the tool usage is given

Automagic
It's written in perl and requires that you read the guide or watch the nice flash video before you can really enjoy it.

It works only against SQL Server DBMS and performs dumo of

  • database
  • tables
  • data

It is possible to retrieve DBMS users and passwords. It's quite fast, in my opinion Priamos and Absinthe do a better job.
A good backup tool though.


To sum up

Mysql SQL Injection tools:

  • SQL Map (blind and inband)

Oracle SQL Injection tools:

  • SQL Map (inband)
  • Absinthe (blind)

Sybase SQL Injection tools:

  • Absinthe (blind)

MS SQL Server SQL Injection tools:

  • Atomagic (error)
  • SQL Map (error and inband)
  • Priamos (error)
  • Absinthe (error)


If the list is not exhaustive...well...these at least are the most known and used.
Of course every professional has his own tools and patches to improve these tools or adding functionalities. Your own tool is always the best tool.
Any suggestion or addition is encouraged!

Free Security Magazines