SQL Injection exploitation is one of the (most important?) steps of a web application testing endeavours.
There are many tools around. Each with its unique feature. Each with its area of use.
What are the discriminating factors in actual sql injection tools? :
But at least we have SQLiBench. An OWASP powered project that aims at, guess what?, benchmark these tools.
This is an extract of the great Tools Benchamarked matrix available here:
SQLiBench project page is here
There are many tools around. Each with its unique feature. Each with its area of use.
What are the discriminating factors in actual sql injection tools? :
- DBMS fingerprinting and support
Some tools are capable to deal with with just a few version of the same DBMS others
are capable of dealing with different DBMS - Speed in terms of number of requests required to achieve a given task (dump table, dump rows, gain privileges, read / write files...)
But at least we have SQLiBench. An OWASP powered project that aims at, guess what?, benchmark these tools.
The goal of the project is to create a detailed set of benchmarking criteria for automatic sql injection tools and applying these to a set of open source sql injectors, producing analysis/benchmarking reports. Additionaly, in a semi-academic manner, algorithms used by targeted sql injectors will be analyzed both implementation and complexity vise.
This is an extract of the great Tools Benchamarked matrix available here:
SQLiBench project page is here
Posts
