Update SqliFuzzer V-0.6 – command line scanner that seeks to identify SQL injection vulnerabilities

Changelog V-0.6 : Fixed a bug preventing time based exploitation from being triggered

sqlifuzzer is a command line scanner that seeks to identify SQL injection vulnerabilities. It parses Burp logs to create a list of fuzzable requests… then fuzzes them.

What is sqlifuzzer?
It’s a wrapper for curl written in bash. It’s also a tool that can be used to remotely identify SQL (and XPath) injection vulnerabilities. It does this by sending a range of injection payloads and examining the responses for signs of ‘injectability’. If a parameter appears to be vulnerable, sqlifuzzer sends exploit payloads to extract data.

Like almost all web app scanners, sqlifuzzer includes OR 1=1 payloads; this means that there is a significant risk of data destruction, Denial of Service, and/or other undesirable implications for any host (or intermediary device) scanned using sqlifuzzer. sqlifuzzer is beta; don’t use it in an environment that matters to you or anyone else. Do not use sqlifuzzer to scan hosts without the owner’s permission.

Features : 

  • Payloads/tests for numeric, string, error and time-based SQL injection
  • Support for MSSQL, MYSQL and Oracle DBMS’s
  • Automated testing of ‘tricky’ parameters like POST URL query and mulipart form parameters
  • A range of filter evasion options:
  • case variation, nesting, double URL encoding, comments for spaces, ‘like’ for ‘equals’ operator, intermediary characters, null and CRLF prefixes, HTTP method swapping (GETs become POSTs / POSTs become GETs)
  • ORDER BY and UNION SELECT tests on vulnerable parameters to:
  • enumerate select query column numbers
  • identify data-type string columns in select queries
  • extract database schema and configuration information
  • Conditional tests to extract DBMS info when data extraction via UNION SELECT fails (i.e. no string type columns)
  • Time delay based tests to extract DBMS info when data extraction via conditional methods fails (i.e. fully blind scenarios)
  • Boolean response-based XPath injection testing and data extraction
  • Support for automated detection and testing of parameters in POST URIs and multipart forms
  • Scan ‘state’ maintenance:
  • Halt a scan at any time – scan progress is saved and you can easily resume a scan from the URL where you stopped
  • Specify a specific request number to resume a scan from
  • Optional exclusion of a customizable list of parameters from scanning scope
  • Tracking of parameters scanned and avoidance of re-scanning scanned parameters
  • HTML format output with:
  • links/buttons to send Proof of Concept SQL injection requests
  • links to response difference files and to extracted data

Download : sqlifuzzer-0.6.tgz (62.0 KB)
Find Other Version |
Read more in here : http://code.google.com/p/sqlifuzzer/

Our Post Before :

  • http://www.seclist.us/2012/05/update-sqlifuzzer-v-05l-command-line.html
  • http://www.seclist.us/2012/03/sqlifuzzer-command-line-sql-injection.html