SQL Power Injector for Advanced Injection

SQL Power Injector is an application that helps penetration testers find and exploit SQL injections on a web page.

For now it supports SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2, but it can be used with any existing DBMS through inline injection (Normal mode). Normal mode is simply the SQL command that someone would put in the parameter sent to the server.
Inline SQL injection is powerful in itself, but the tool's main strength lies in the multithreaded automation of the injection. It not only automates tedious and time-consuming queries, it also lets you modify the query to get only what you want. This is most useful for blind SQL injection, since the other ways of exploiting a SQL injection vulnerability are more effective and much faster when the results are displayed on the web page (a union select rendered in an HTML table, or a generated 500 error, for instance).

The automation can be done in two ways: by comparing the response with an expected result, or by time delay. The first generally compares against an error, or against the difference between a positive condition and a negative one. The second turns out positive if the time delay sent to the server equals the one parameterized in the application.
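Seen from the server side, the two automation modes described above leave distinct traces in request logs. The following heuristic detector is an added example, not part of the original post or of SQL Power Injector; the record layout, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict

def classify_probing(records, min_requests=8, delay_floor=2.0, spread=0.5):
    """Label (client, path, param) groups that look like automated blind probing.

    records: (client, path, param, value, resp_bytes, resp_seconds) tuples.
    Thresholds are illustrative assumptions; tune them to your own traffic.
    """
    groups = defaultdict(list)
    for client, path, param, value, size, secs in records:
        groups[(client, path, param)].append((value, size, secs))

    findings = {}
    for key, hits in groups.items():
        # Automation shows up as many requests carrying many different values.
        if len({v for v, _, _ in hits}) < min_requests:
            continue
        slow = [s for _, _, s in hits if s >= delay_floor]
        fast = [s for _, _, s in hits if s < delay_floor]
        sizes = {size for _, size, _ in hits}
        if slow and fast and max(slow) - min(slow) <= spread:
            # Slow answers cluster around one fixed delay: time-delay mode.
            findings[key] = "time-delay"
        elif not slow and len(sizes) == 2:
            # Only two response bodies alternate: positive vs. negative condition.
            findings[key] = "comparison"
    return findings

def sample_records():
    """Constructed records; addresses come from the documentation range."""
    recs = []
    for i in range(10):  # answers are either ~0.1 s or ~5 s
        secs = 5.1 if i % 3 == 0 else 0.1
        recs.append(("192.0.2.5", "/item", "id", f"value-{i}", 1200, secs))
    for i in range(10):  # two body sizes alternate, all answers fast
        size = 1200 if i % 2 else 310
        recs.append(("192.0.2.6", "/item", "id", f"value-{i}", size, 0.1))
    for i in range(10):  # crawler: many values, but every page differs
        recs.append(("192.0.2.7", "/item", "id", str(i), 1000 + 37 * i, 0.1))
    for i in range(4):   # ordinary visitor: too few requests to judge
        recs.append(("192.0.2.8", "/item", "id", str(i), 1200, 0.1))
    return recs

if __name__ == "__main__":
    for key, label in classify_probing(sample_records()).items():
        print(key, label)
```

Because the check relies on request volume and response shape rather than on payload strings, it still works when the injected values are encoded or obfuscated.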

The main effort put into this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why there is an integrated browser that displays the results of the injection, parameterized so that any related standard SQL error is displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative as possible.

Another important part of this application is its ability to collect all the parameters you need from the web page to test the SQL injection, whether they are sent by GET or POST. This way you won't need to use several applications or a proxy to intercept the data; it is all automated. In addition, there is now a Firefox plugin that launches SQL Power Injector with all the information from the current web page, including its session context (parameters and cookies).


See SQL Injection Basics first to get started