RabidSQrL is an SQL injection attack tool.

RabidSQrL is an SQL injection attack tool.

RabidSQrL is an SQL injection attack tool against specific web applications.
(On Ubuntu you can install these via “sudo apt-get install python3 python3-yaml”.)

Latest Change 08/06/2015:
+ new wpvuln attack: show dbusers, DOS attack (CPU usage), discover mysql version, read arbitrary system files.
+ implement the -b,–blind arguement. if given do not change server pages at all.
+ added a few code coments. stripslashes from incoming inline attribute in wpvuln vulnerability.
+ bumped version for new attacks.
Degrees of freedom in RabidSQrl are:
– Types of SQL Injection attacks to perform.
– Injection interval function.
– Injection URL length (for file transfer attack)

Currently supported attacks:
– Direct injection.
– Stacked Queries (postgres, not supported on MySQL)
– Move file from attacker path to victim path via database manipulation
– Read file on server to stdout on client
– DOS attack on mysql
– Show database users on server
– discover MySQL version
– Generic, user-defined SQL statements executed directly on the server.

Note that these are attacks are targeted at specific datbase/application platforms: mysql/wordpress and postgres/smf. The code base includes vulnerabilities that the user should install on the victim platforms. If the user does not have access to the victim machine, he or she can use sqlmap or other sql injection mapping tool to discover existing vulnerable URL attributes and customize the rabidsqrl configuration to support attacks using these discovered attacks. Rabidsqrl itself does not scan a victim for vulnerabilities.

Rabidsqrl is installed via standard python distutils methods.

> sudo python3 setup.py install

See README.wpvuln and README.smf-server for details on how to install the vulnerabilies on these machines.

rabidsqrl is invoked via loading it as a python3 module.
Usage :

Download : Master.zip  | Clone Url
Source : https://github.com/glawler