
SQL Injection Tool 4

One change up front: the place where the queries are inserted is now marked {SQLINJ}. So if the getid parameter is vulnerable, we write the URL as

http://localhost/test.php?getid=1{SQLINJ}
and if it is a string (text) parameter, the URL becomes

http://localhost/test.php?getid=1'{SQLINJ}
Everything else is essentially unchanged; whoever wants to can figure it out.

The program may be detected by antivirus products, for example Kaspersky Antivirus 7.0, as a HackTool:
Detection report: malware HackTool.Win32.SQLInject.i 4 File: s-tool.exe


Download: SQL Injection Tool 4, sipt4.rar [2437KB]

SQL Injection Tool 3 manual

1. Introduction.
I have finally got around to writing a manual for my program. So for 95% of the questions about the program you will find the answer here.

2. Getting started.

First, enter in the URL line the path to the vulnerable script and the HTTP server port, configure the program to work through a proxy server in the SETTINGS tab -> MAIN, set the server response timeout (in milliseconds) in the same tab, and select the attack method (section 2.1).

2.1.1 GET method
The method is used when the injection is in a GET parameter.
Code: Example: http://www.target.ru/vulnscript.php?id=1
If the id parameter is vulnerable, the request to the server takes the form
Code: http://www.target.ru/vulnscript.php?id=1{SQL}

2.1.2 GET (With Cookie) method
The method is used when the injection is in a cookie, while the request itself is a GET.
Code: Example: http://www.target.ru/vulnscript.php?id=1
If the VulnCook cookie parameter is vulnerable, the request to the server takes the form

Code: GET /vulnscript.php?id=1 HTTP/1.0
Host: www.target.ru
Cookie: VulnCook={SQL}
Connection: Close

Note that if several cookie parameters are used, all the non-vulnerable parameters are entered into the table that appears when you click the Cookie parameters button, the vulnerable parameter is entered into the Vulnerable parameter field and its normal value into the Value field; the same principle applies to POST parameters.

2.1.3 Cookie method (GET)
The method is used when the injection is in a GET parameter, but a specific cookie (NeedCook) must be sent to the server in the header, for example for authorization.
Code: Example: http://www.target.ru/vulnscript.php?id=1{SQL}
If the id parameter is vulnerable, the request to the server takes the form

Code: GET /vulnscript.php?id=1{SQL} HTTP/1.0
Host: www.target.ru
Cookie: NeedCook=phpsession
Connection: Close

2.1.4 POST method
The method is used when the injection is in a POST parameter.
Code: Example: http://www.target.ru/vulnscript.php
If the id parameter is vulnerable, the request to the server takes the form

Code: POST /vulnscript.php?id=1 HTTP/1.0
Host: www.target.ru
Connection: Close

id={SQL}

2.1.5 POST (With Cookie) method - a very rare case
The method is used when the injection is in a cookie, while the request itself is a POST.
Code: Example: http://www.target.ru/vulnscript.php
If the VulnCook cookie parameter is vulnerable, the request to the server takes the form

Code: POST /vulnscript.php HTTP/1.0
Host: www.target.ru
Cookie: VulnCook={SQL}
Connection: Close

2.1.6 Cookie method (POST)
The method is used when the injection is in a POST parameter, but a specific cookie (NeedCook) must be sent to the server in the header, for example for authorization.
Code: Example: http://www.target.ru/vulnscript.php
If the id parameter is vulnerable, the request to the server takes the form

Code: POST /vulnscript.php?id=1{SQL} HTTP/1.0
Host: www.target.ru
Cookie: NeedCook=phpsession
Connection: Close

id=1{SQL}

2.2 Keyword or phrase (String text field)

Here we enter the word (key phrase) that we find as follows.

Example for the GET method:
First we look at
Code: http://www.target.ru/vulnscript.php?id=1
then we look at
Code: http://www.target.ru/vulnscript.php?id=2
and find something that is present here
Code: http://www.target.ru/vulnscript.php?id=1
but not here (compare the two, so to speak)
Code: http://www.target.ru/vulnscript.php?id=2
Next to it is a field with the values FOUND and NOT FOUND; you just need to choose the search method:

FOUND - this piece of code or phrase is taken as the basis for correctness (its presence is the positive conclusion that the injection was made correctly).

NOT FOUND - this piece of code or phrase is taken as the basis for incorrectness (so its absence is also the positive conclusion that the injection was made correctly).

TIP: To automate the search you can use the AUTO DETERMINE button, but note that it may produce a false determination, in particular when the keyword is inside tags.

2.3 The Use Basic Authorization checkbox and the Login and Password text boxes are used for authorization to access specific areas of the site or files.

3.1 Next you need to determine the number of fields used in the query to the database; this is done by clicking the "LET KNOW QUANTITY" button.

There are several options for the determination:

3.1.1 Drop-down menu "USE METHOD"
Here you choose the method used for the count:
- UNION SELECT
- ORDER BY
- GROUP BY
The most common methods are ORDER BY and UNION SELECT.
The preferred method for the program is UNION SELECT, since it immediately determines the output fields (the FIELD SUPPORTS PRINTING text field), which several functions of the program need.

Note that if you determined the number of fields in the query using ORDER BY or GROUP BY and succeeded, you should then set both the starting and the final number of fields for the search equal to the found count, choose the UNION SELECT method to determine the output fields, and click "LET KNOW QUANTITY" again.

3.1.2 "Determine support fields using LIMIT" checkbox
Needed as an alternative way of finding the fields that are output.

NOTE: to find the output fields you can also replace the value of the vulnerable parameter with a value that does not exist, again combining this with the checkbox from 3.1.2.

After the number of fields has been successfully determined, if you use the GET method you will have a line in the Work URL field; clicking the "Show in Browser" button opens this query in the browser.

4.1 Database identification (SQL Injections -> Identifying DB)
4.1.1 Type of DB - at the moment the program can determine two types of database: MySQL and MSSQL.

4.1.2 USER() - the name of the database user on whose behalf the connection to the database is made.

There are 3 options for the determination.

UNION - the most suitable way to determine it; 1 request is sent to the server and the whole value is determined at once.

TAKE ONE SYMBOL - character-by-character determination, takes one character at a time.
The character interval can be specified on the settings tab.
BRUTE - character determination, brute-forces the entire value.

Both of these options are for use with MySQL 3, or when the value cannot be determined in the standard ways. Or for kamikazes.

4.1.3 DATABASE() - the name of the database to which the script is connected to execute the query.
The method of operation is the same as for USER(), clause 4.1.2.

4.1.4 VERSION() - the version of the database to which the script is connected to execute the query.
The method of operation is the same as for USER(), clause 4.1.2.

4.1.5 The CONVERT drop-down menu can help when determining values via UNION if the database uses one encoding and the values of USER(), DATABASE(), VERSION() use another.

5.1 Brute-forcing table and field names
(SQL Injections -> Identifying DB -> MySQL / MSSQL)

Used to search for names, as mentioned above.
For a successful search the number of fields must have been determined as described in section 3.1.1.

Here I'll note that words from external text dictionaries are used for the enumeration, so they must be attached on the SETTINGS tab -> DICTIONARY before starting work.
There are 4 types of dictionaries:
- Table dictionary
- Field dictionary
- Prefix dictionary
- Suffix dictionary

NOTE: They can be edited on the same tab.

To use prefix and suffix dictionaries, check the corresponding checkboxes on the tab (SQL Injections -> Identifying DB -> MySQL / MSSQL):

"Use prefix from file when bruteforce tables and fields"
"Use suffix from file when bruteforce tables and fields"

To always use one particular prefix or suffix, enter them in the Prefix and Suffix fields. Then they will not be taken from the dictionaries.

Next, click "GET TABLE NAMES".

If all the words from the dictionary appear in this list, then the program settings are not correct.

After a successful search you will see the existing tables in the attacked database; select the table you need so that its name appears in the gray field at the top, and continue scanning the table for field names by pressing the "GET FIELD NAMES" button.

NOTE: you can add prefixes and suffixes from the dictionaries to field names; the program will ask you about this when you press the "GET FIELD NAMES" button.

6.1 Obtaining table and field names using the INFORMATION_SCHEMA table.
(SQL Injections -> Identifying DB -> DUMP INF_SCH)
Applicable to MySQL 5 and MSSQL.

The function will work if you have at least one output field, and the number of fields is determined.

There are 2 options:
- Table names only - get only the table names
- Table and column names - get the names of the tables and of the columns in them

There is also a limiter on data acquisition; the upper level (FROM) is set to 16 by default, since the first 15 tables are standard and carry little information.

The "GO DUMP" button starts the data acquisition process.
The obtained data can be saved to a file by clicking the "SAVE TO FILE" button.

There is a "Convert" drop-down menu; its purpose and operation are identical to clause 4.1.5.

7.1 Character-by-character brute force of arbitrary data
(SQL Injections -> OneChar BruteForce)
Applicable to MySQL from version 4.1 and to MSSQL.
Used for character-by-character brute-forcing of data.

The brute-force interval is taken from the SETTINGS tab -> MAIN.

You can use queries of the form SELECT id FROM news

The "Preview SQL query" button shows the preliminary request to the server.

The "GET RESULT" button starts the brute-force process.

8.1 Getting data from the database (SQL Injections -> Data BruteForce)
Applicable to MySQL 4 and MSSQL.

The function will work if you have at least one output field, and the number of fields is determined.

First fill in the Table field with the name of the desired table.
Next add the names of the required fields to the list by entering them in the field below the list and pressing the "ADD FIELD" button.

Field names can be obtained using the tabs from sections 5.1 and 6.1.

NOTE: you can remove unwanted fields from the list with the "REMOVE FIELD" button.

Next set the start and end row positions. To check the correctness of the settings you can click the "TEST" button; if everything is OK, the values of the selected fields, separated by a colon ":" and corresponding to the first row in the database, should appear in the field to the left of the "TEST" button.

If the value appears, you can begin retrieving data; to do this click "GET IT".

The obtained data can be saved to a file by clicking the "SAVE TO FILE" button.

9.1 Back connect from MSSQL
Used to make a backconnect from the DB. The MSSQL master..xp_cmdshell procedure is used for the backconnect; you need to check the IP address in the string and set the path to NetCat on the SETTINGS tab -> MAIN.

If successful, you will have a command console in which the connection to the server is opened.

10.1 File handling

10.1.1 MySQL
Used for working with files via the SQL injection.

10.1.1.1 Reading a file

The function will work if you have at least one output field, and the number of fields is determined.

Enter the absolute path to the file on the server in the field of the lower frame.

Example: /home/user/public_html/index.php

Then press the "READ" button. If the read succeeds, the file appears on the screen in the editor window, where you can save it using the menu item "SAVE FILE".

10.1.1.2 Uploading a file to the server

The function will work if:
1) you have at least one output field
2) the number of fields has been determined
3) THE SERVER CONFIGURATION MUST NOT ESCAPE QUOTES!!


Again, you must write the absolute path of the file to be created on the server in the field of the upper frame.

There are 2 options for uploading the file:
- UNION - uses INTO OUTFILE (the standard variant)
- ENCLOSED BY - usable in MySQL since version 3 (advisable when option 1 does not work)

The text of the file to upload to the server is entered in the text box below.

10.1.2 MSSQL
Everything is done by analogy with section 10.1.1.

11.1 Terminal
Used to send arbitrary packets to the server and to view the server response (header and response body). There is a search function for the body.

The request is written in "HTTP REQUEST".
The response header is shown in "ANSWER: HTTP HEADER".
The response body is shown in "ANSWER: HTTP BODY".

The request is sent by pressing the "SEND REQUEST" button.

12.1 History
All requests to the server and additional information are displayed here.
It can be saved using the menu item "HISTORY -> SAVE LOG", or cleared in the same place with "HISTORY -> CLEAR LOG".

13.1 Settings
13.1.1 General (Main)
Interface translation (Path to language file).
Path to NetCat (Path to NetCat) - used in section 9.1.
Proxy settings:
- use proxy
- IP address
- Port
Character interval (BruteForce symbol code interval) - used in 4.1.2-4.1.5 and 7.1.

Menu 1. Close SQL expression (Close SQL) - used to cut off the rest of the original query so that no error appears.
A different "closer" is used for each database:
- MySQL = /*
- MSSQL = --

Menu 2. Change quotes to an analogue (Change quotes to)
Used to bypass filtering in scripts.

Menu 3. Change space to an analogue (Change space to)
Used to bypass filtering in scripts.
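As an added example (my own code, not part of the tool or this manual), a Python check that a site administrator could run over web-server access logs to recognise the workflow described above: the field-count probes of section 3.1, the USER()/DATABASE()/VERSION() identification of 4.1, the INFORMATION_SCHEMA dump of 6.1, INTO OUTFILE writes (10.1.1.2) and xp_cmdshell (9.1), after undoing the "Close SQL" comment closers and the comment-for-space substitution from 13.1.1. The combined log format, the regexes and the sample lines are assumptions and constructed data.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the stages the manual walks through (assumed regexes, not the tool's).
STAGES = {
    "field-count": re.compile(r"\b(order|group) by \d+\b|\bunion (all )?select\b"),
    "db-ident":    re.compile(r"\b(user|database|version)\(\)"),
    "schema-dump": re.compile(r"\binformation_schema\b"),
    "file-write":  re.compile(r"\binto outfile\b"),
    "os-command":  re.compile(r"\bxp_cmdshell\b"),
}

def normalize(query_string):
    """URL-decode, lower-case, and undo the evasions from section 13.1.1:
    an inline comment standing in for a space, and a trailing /* or -- closer."""
    s = unquote_plus(query_string).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)      # "Change space to" comment variant
    s = re.sub(r"(/\*|--).*$", "", s)     # "Close SQL" terminators
    return re.sub(r"\s+", " ", s).strip()

def classify(log_line):
    """Return the stages whose signature appears in one access-log line.
    Combined log format is assumed: the request sits in "METHOD PATH PROTO"."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    _path, _, qs = m.group(1).partition("?")
    text = normalize(qs)
    return [stage for stage, rx in STAGES.items() if rx.search(text)]

def audit(lines):
    """Map client IP -> set of stages seen; several stages from one IP is the tool's workflow."""
    seen = {}
    for line in lines:
        ip = line.split(" ", 1)[0]
        for stage in classify(line):
            seen.setdefault(ip, set()).add(stage)
    return seen

# Constructed sample log; the probes mirror sections 3.1, 4.1 and 6.1 of the manual.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:00:01 +0000] "GET /vulnscript.php?id=1+ORDER+BY+3/* HTTP/1.0" 200 512',
    '203.0.113.7 - - [01/Jan/2020:10:00:02 +0000] "GET /vulnscript.php?id=1+UNION+SELECT+1,2,3/* HTTP/1.0" 200 640',
    '203.0.113.7 - - [01/Jan/2020:10:00:03 +0000] "GET /vulnscript.php?id=1+UNION+SELECT+1,version(),3/* HTTP/1.0" 200 650',
    '203.0.113.7 - - [01/Jan/2020:10:00:04 +0000] "GET /vulnscript.php?id=1+UNION+SELECT+1,table_name,3+FROM+information_schema.tables/* HTTP/1.0" 200 900',
    '198.51.100.2 - - [01/Jan/2020:10:00:05 +0000] "GET /vulnscript.php?id=2 HTTP/1.0" 200 512',
]
```

Running audit(SAMPLE_LOG) attributes the field-count, db-ident and schema-dump stages to 203.0.113.7 and nothing to 198.51.100.2, which is the pattern worth alerting on.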

Other features:

Main menu.

Double Tools - enlarges the program window; you can arrange the program tabs as you like for convenience, for example any window alongside the terminal or history, or the encoders and decoders.

Default Settings - resets all program settings.

STOP - stops the program.

Utilities section (Tools)

Contains a variety of string encoders and decoders, such as HEX, BASE64, URL-LIKE, PHP CHR.


Your SQLHack.