This page has been robot translated, sorry for typos if any. Original content here.

SQL Injection Tool 4

Just one change to mention: the place where the query is inserted is now marked {SQLINJ}. So if the parameter getid is vulnerable, the URL is written as

http://localhost/test.php?getid=1{SQLINJ}

And if it is a string parameter, the URL is

http://localhost/test.php?getid=1'{SQLINJ}

Everything else is as before; whoever wants to will figure it out.

The program may be flagged by antivirus products, for example Kaspersky Antivirus 7.0 classifies it as a HackTool:
Detection report: malicious program HackTool.Win32.SQLInject.i 4 File: s-tool.exe


SQL Injection Tool 4
sipt4.rar [2437KB]

Manual for SQL Injection Tool 3

1. Introduction.
Finally I have got around to writing a manual for my program, so you will find the answer to 95% of questions about it here.

2. Getting started.

The first thing to do is enter the path to the vulnerable script and the HTTP server port, configure the proxy server on the SETTINGS -> MAIN tab, set the server response timeout (in milliseconds) on the same tab, and select the attack method (2.1).

2.1 Attack methods

2.1.1 GET method
Used when the injection is in a GET parameter.
Example: http://www.target.ru/vulnscript.php?id=1
If the id parameter is vulnerable, the request to the server takes the form
http://www.target.ru/vulnscript.php?id=1{SQL}

2.1.2 GET method (with Cookie)
Used when the injection is in a cookie but the request is sent with GET.
Example: http://www.target.ru/vulnscript.php?id=1
If the VulnCook cookie parameter is vulnerable, the request to the server takes the form

GET /vulnscript.php?id=1 HTTP/1.0
Host: www.target.ru
Cookie: VulnCook={SQL}
Connection: Close

Note that if several cookie parameters are used, all the non-vulnerable parameters are entered in the table that appears when the Cookie parameters button is pressed, while the vulnerable parameter is entered in the Vulnerable parameter field and its normal value in the Value field. The same principle applies to POST parameters.

2.1.3 Cookie method (GET)
Used when the injection is in a GET parameter, but the server requires a particular cookie (NeedCook) to be sent in the header, for example for authorization.
Example: http://www.target.ru/vulnscript.php?id=1{SQL}
If the id parameter is vulnerable, the request to the server takes the form

GET /vulnscript.php?id=1{SQL} HTTP/1.0
Host: www.target.ru
Cookie: NeedCook=phpsession
Connection: Close

2.1.4 POST method
Used when the injection is in a POST parameter.
Example: http://www.target.ru/vulnscript.php
If the id parameter is vulnerable, the request to the server takes the form

POST /vulnscript.php?id=1 HTTP/1.0
Host: www.target.ru
Connection: Close

id={SQL}

2.1.5 POST method (with Cookie), a very rare case
Used when the injection is in a cookie but the request is sent with POST.
Example: http://www.target.ru/vulnscript.php
If the VulnCook cookie parameter is vulnerable, the request to the server takes the form

POST /vulnscript.php HTTP/1.0
Host: www.target.ru
Cookie: VulnCook={SQL}
Connection: Close

2.1.6 Cookie method (POST)
Used when the injection is in a POST parameter, but the server requires a particular cookie (NeedCook) to be sent in the header, for example for authorization.
Example: http://www.target.ru/vulnscript.php
If the id parameter is vulnerable, the request to the server takes the form

POST /vulnscript.php?id=1{SQL} HTTP/1.0
Host: www.target.ru
Cookie: NeedCook=phpsession
Connection: Close

id=1{SQL}

2.2 Keyword or phrase (text field String)

Here you enter a word or phrase that is found as follows.

Example for the GET method:
first look at
http://www.target.ru/vulnscript.php?id=1
then look at
http://www.target.ru/vulnscript.php?id=2
and find something that is present here
http://www.target.ru/vulnscript.php?id=1
but absent here (that is, compare the two pages)
http://www.target.ru/vulnscript.php?id=2
Next to this field is a selector with the values FOUND and NOT FOUND; you only need to choose the search mode:

FOUND - this piece of code or phrase is taken as the criterion of correctness (its presence is the positive indication that the injection worked).

NOT FOUND - this piece of code or phrase is taken as the criterion of incorrectness (its absence is the positive indication that the injection worked).

TIP: to automate the search you can use the AUTO DETERMINE button, but note that it may give a false positive or a false negative when part of the keyword lies inside tags.

2.3 The Use Basic Authorization checkbox and the Login and Password text fields are used to authenticate to restricted areas of the site or to access protected files.

3.1 Next, you need to determine the number of fields used in the query to the database; this is done by clicking the "LET KNOW QUANTITY" button.

There are several options for this count:

3.1.1 The "USE METHOD" drop-down menu
Here you choose the method used for the count:
- UNION SELECT
- ORDER BY
- GROUP BY
The most common methods are ORDER BY and UNION SELECT.
The preferred method for the program, however, is UNION SELECT, since it immediately determines the output fields (the FIELD SUPPORTS PRINTING text field) that several program functions require.

Note that if you have determined the number of query fields with the ORDER BY or GROUP BY method and succeeded, you should set both the starting and the final number of fields to search equal to the number found, select the UNION SELECT method to determine the fields with output, and press the "LET KNOW QUANTITY" button again.

3.1.2 The "Determine supports printing fields using LIMIT" checkbox
This is an alternative way to find the fields with output.

NOTE: you can also replace the value of the vulnerable parameter with a non-existent value to determine the fields with output, again in combination with the checkbox from 3.1.2.

After the number of fields has been determined successfully, if you are using the GET method, a line appears in the Work URL field; clicking the "Show in Browser" button opens this query in the browser.

4.1 Identifying the database (SQL Injections -> Identifying DB)
4.1.1 Type of DB - at present the program can identify two database types, MySQL and MSSQL.

4.1.2 USER() - the name of the database user on whose behalf the connection to the database is made.

There are 3 ways of determining it.

UNION - the most convenient way: a single request is sent to the server, which obtains the whole value at once.

TAKE ONE SYMBOL - character by character, brute-forcing one character at a time.
The character interval can be set on the settings tab.
BRUTE - character-wise determination that brute-forces the whole string.

Both of the latter options are for use with MySQL 3, or when the value cannot be determined by the standard method. Well, or for kamikazes.

4.1.3 DATABASE() - the name of the database the script connects to in order to execute the query.
The method of operation is the same as for USER(), see 4.1.2.

4.1.4 VERSION() - the version of the database the script connects to in order to execute the query.
The method of operation is the same as for USER(), see 4.1.2.

4.1.5 The CONVERT drop-down menu can help when determining values via UNION if the database uses one encoding and the USER(), DATABASE(), VERSION() values use another.

5.1 Brute-forcing table and field names.
(SQL Injections -> Identifying DB -> MySQL / MSSQL)

Used to enumerate names, as mentioned above.
For a successful search you must select the number of fields as described in section 3.1.1.

Note that the search uses words from external text dictionaries, so they must be attached on the SETTINGS -> DICTIONARY tab before starting work.
There are 4 types of dictionary:
- Table dictionary
- Field dictionary
- Prefix dictionary
- Suffix dictionary

NOTE: you can edit them on the same tab.

To use the prefix and suffix dictionaries, tick the corresponding checkboxes on the tab (SQL Injections -> Identifying DB -> MySQL / MSSQL):

"Use prefix from file when bruteforce tables and fields"
"Use suffix from file when bruteforce tables and fields"

To use one fixed prefix or suffix, enter it in the Prefix or Suffix field. They will then not be taken from the dictionaries.

Then click "GET TABLE NAMES".

If every word from the dictionary appears in the resulting list, the program settings are incorrect.

After a successful search you will see the tables that exist in the attacked database; select the one you need so that its name appears in the gray field, then continue scanning that table for field names by pressing the "GET FIELD NAMES" button.

NOTE: you can add prefixes and suffixes from the dictionaries to the field names; the program will ask you about this when you press "GET FIELD NAMES".

6.1 Obtaining table and field names from the INFORMATION_SCHEMA tables.
(SQL Injections -> Identifying DB -> DUMP INF_SCH)
Applies to MySQL 5 and MSSQL.

The function works only if you have at least one output field and the number of fields has been determined.

There are 2 options:
- Table names only - get only the table names
- Table and column names - get the table names and the columns in them.

There is also a limit on the amount of data retrieved; the starting point (FROM) is set to 16 by default, since the first 15 tables are standard ones and carry little information.

The "GO DUMP" button starts the retrieval.
The received data can be saved to a file by clicking the "SAVE TO FILE" button.

There is also a "Convert" drop-down menu; its purpose and operation are identical to 4.1.5.

7.1 Character-by-character retrieval of arbitrary data
(SQL Injections -> OneChar BruteForce)
Applies to MySQL from version 4.1 and to MSSQL.
Used to brute-force data from a table one character at a time.

The brute-force interval is taken from the SETTINGS -> MAIN tab.

Queries of the form SELECT id FROM news can be used.

The "Preview SQL query" button shows the request that will be sent to the server.

The "GET RESULT" button starts the brute-force process.

8.1 Obtaining data from the database. (SQL Injections -> Data BruteForce)
Applies to MySQL 4 and MSSQL.

The function works only if you have at least one output field and the number of fields has been determined.

To begin, fill the Table field with the name of the table you want.
Next, add the names of the required fields to the list by entering each name in the field below the list and pressing the "ADD FIELD" button.

Field names can be obtained with the tabs described in 5.1 and 6.1.

NOTE: you can delete unnecessary fields from the list with the "REMOVE FIELD" button.

Next, the starting and ending row positions are set. To check that the settings are correct, press the "TEST" button; if everything is fine, the values of the selected fields for the first row in the database, separated by a colon ":", appear in the field to the left of the "TEST" button.

If the value appears, you can start retrieving the data by pressing the "GET IT" button.

The received data can be saved to a file by clicking the "SAVE TO FILE" button.

9.1 Back connect from MSSQL
Used to establish a back connection from the database. The MSSQL master.xp_cmdshell stored procedure is used for this; to set up the back connect, specify the IP address in the text field and set the NetCat path on the SETTINGS -> MAIN tab.

On success, a command console opens in which the connection to the server is established.
10.1 Working with files

10.1.1 MySQL
Used to work with files through the SQL injection.

10.1.1.1 Reading a file

The function works only if you have at least one output field and the number of fields has been determined.

Enter the absolute path to the file on the server in the lower frame field.

Example: /home/user/public_html/index.php

Then press the "READ" button. If the read succeeds, the file appears in the editor window, where you can save it with the "SAVE FILE" menu item.

10.1.1.2 Uploading a file to the server

The function works only if:
1) you have at least one output field,
2) the number of fields has been determined,
3) ESCAPING MUST NOT BE ENABLED IN THE SERVER CONFIGURATION!!

Again, enter the absolute path of the file to be created on the server in the upper frame field.

There are 2 options for uploading a file:
- UNION - uses INTO OUTFILE (the standard variant)
- ENCLOSED BY - usable in MySQL since version 3 (advisable when the first option does not work)

The text of the file to be uploaded to the server is entered in the lower text field.

10.1.2 MSSQL
Everything is done by analogy with section 10.1.1.
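Seen from the server side, the probing sequence this manual walks through (the ORDER BY / UNION SELECT field counting of 3.1, the INFORMATION_SCHEMA dump of 6.1, the xp_cmdshell back connect of 9.1 and the INTO OUTFILE upload of 10.1) leaves a recognisable trail in web access logs. The following detection script is added here and is not part of the tool or the original manual; the log lines, IP addresses and tag names are constructed by me.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the probing steps the manual describes (tag names are my own): ORDER BY /
# GROUP BY column counting, UNION SELECT output-field discovery, INFORMATION_SCHEMA
# dumps, MySQL file read/write and the MSSQL xp_cmdshell back-connect.
SIGNATURES = {
    "column_count_probe": re.compile(r"\b(order|group)\s+by\s+\d+", re.I),
    "union_probe": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_dump": re.compile(r"\binformation_schema\b", re.I),
    "file_access": re.compile(r"\b(load_file|into\s+(out|dump)file)\b", re.I),
    "cmd_exec": re.compile(r"\bxp_cmdshell\b", re.I),
}
COMMENT_CLOSE = re.compile(r"(/\*|--)\s*$")  # the "Close SQL" suffix from section 13.1
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Parse one combined-format access-log line; return (client_ip, matched tags) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote_plus(m.group("path"))  # decode %20 and + so keywords are visible
    tags = {name for name, rx in SIGNATURES.items() if rx.search(path)}
    if COMMENT_CLOSE.search(path):
        tags.add("comment_close")
    return m.group("ip"), tags

def summarize(lines, probe_threshold=3):
    """Per-IP verdicts: a burst of count probes, or any schema/file/command primitive."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, tags in filter(None, map(classify, lines)):
        for tag in tags:
            per_ip[ip][tag] += 1
    alerts = {}
    for ip, c in per_ip.items():
        probes = c["column_count_probe"] + c["union_probe"]
        reasons = ["column-count enumeration"] if probes >= probe_threshold else []
        reasons += [t for t in ("schema_dump", "file_access", "cmd_exec") if c[t]]
        if reasons:
            alerts[ip] = reasons
    return alerts

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /vulnscript.php?id=1+order+by+1/* HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /vulnscript.php?id=1+order+by+2/* HTTP/1.0" 500 221
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /vulnscript.php?id=-1+union+select+1,table_name+from+information_schema.tables/* HTTP/1.0" 200 530
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vulnscript.php?id=2 HTTP/1.1" 200 498
""".splitlines()
```

Run summarize(SAMPLE_LOG) to see the first client flagged for enumeration plus a schema dump while the second, which only fetched id=2, is not reported; in production the same tags would feed a WAF rule or a SIEM correlation keyed on the client address.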

11.1 Terminal
Used to send arbitrary requests to the server and to view its response (header and body). There is a search function for the body.

The request is entered in "HTTP REQUEST".
The response header appears in "ANSWER: HTTP HEADER".
The response body appears in "ANSWER: HTTP BODY".

The request is sent by pressing the "SEND REQUEST" button.

12.1 History
All requests to the server are shown here, together with additional information.
You can save it with the menu item "HISTORY -> SAVE LOG", or clear it with "HISTORY -> CLEAR LOG".

13.1 Settings
13.1.1 General
Interface translation (Path to language file).
Path to NetCat (Path to NetCat) - used in section 9.1.
Proxy settings:
- use proxy
- IP address
- Port
Character interval (BruteForce symbol code interval) - used in 4.1.2-4.1.5 and 7.1.

Menu 1. Close the SQL statement (Close SQL) - used to cut off the rest of the original query so that no error occurs.
Different "closures" are used for each database:
- MySQL = /*
- MSSQL = --

Menu 2. Change quotes to an equivalent (Change quotes to)
Used to bypass filtering in scripts.

Menu 3. Change the space to an equivalent (Change space to)
Used to bypass filtering in scripts.

Other features:

Main menu.

Double Tools - the program window is enlarged and the program tabs can be arranged freely, for convenience: for example, any window next to the terminal or history, or the encoders and decoders.

Default Settings - resets all program settings.

STOP - stops the program.

Utilities section

Contains various string encoders and decoders, such as HEX, BASE64, URL-LIKE, PHP CHR.

Yours, SQLHack.