Havij: A Advanced SQL Injection Tool!

begood · May 29, 2010

We are really liking this tool. For with this tool, you can almost go back to your “point and shoot” days! Havij is a free tool, programmed in Visual Basic that will automate SLQ injections for you! Infact, just to test it out, we tried this on an installation of DVWA and it got us what we wanted!

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. All you need to know is a bit of SQL injection and you are done. You just need to click a button and wait till it finds a exploitable SQL query. Not only that, you can also fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system. Ofcourse most of that is after you have a successful exploit. Not only that, it supports a wide array of databases – MsSQL, MySQL, MSAccess and Oracle! You could also choose to evade IDS detection by simple pre-configured tricks of this tool. You can also try to brute force your way to find the admin directory and yes it does support proxies too!

This is how Havij looks:

Click this bar to view the full image. havij-1.10-snap-shot.gif

These are the current functions that Havij supports as of now:

Supported Databases with injection methods:
a. MsSQL 2000/2005 with error
b. MsSQL 2000/2005 no error (union based)
c. MySQL (union based)
d. MySQL Blind
e. MySQL error based
f. Oracle (union based)
g. MsAccess (union based)
Automatic database detection
Automatic type detection (string or integer)
Automatic keyword detection (finding difference between the positive and negative response)
Trying different injection syntaxes
Proxy support
Real time result
Options for replacing space by /**/,+,… against IDS or filters
Avoid using strings (magic_quotes similar filters bypass)
Bypassing illegal union
Full customizable http headers (like referer and user agent)
Load cookie from site for authentication
Guessing tables and columns in mysql<5 (also in blind) and MsAccess
Fast getting tables and columns for mysql
Multi thread Admin page finder
Multi thread Online MD5 cracker
Getting DBMS Informations
Getting tables, columns and data
Command executation (mssql only)
Reading system files (mysql only)
Insert/update/delete data

As we have already said previously that this is a tool in Visual Basic, this will run only on Windows. Installation is pretty much simple too. We noticed something peculiar about this tool. It installs – columns.txt, admins.txt and tables.txt. Call them teh databases of Havij. You are free to add your stuff to these files. Just take care where you add those things.

Download Havij version 1.10 here.

Havij: A Advanced SQL Injection Tool! ? PenTestIT

Bebe1911 · May 29, 2010

On: Bunisor.. doar ca mai bine faci "de mana"

Off: A mai fost postat, doar ca asta e alta versiune.

THE PRO · June 2, 2010

Dar totusi ce face acest program?

strike · June 2, 2010

Dar totusi ce face acest program?

Dupa ce citesti SQL injection - Wikipedia, the free encyclopedia ai sa intelegi.

Naaraxi · June 5, 2010

On: Bunisor.. doar ca mai bine faci "de mana"

Mai putin de munca , te poti concentra pe alte chestii in timp ce asta lucreaza

Suporta liste de URL-uri [eventual cu parametri pentru fiecare] ?

Edited June 5, 2010 by Naaraxi

Flubber · June 5, 2010

[...] Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. All you need to know is a bit of SQL injection and you are done. You just need to click a button and wait till it finds a exploitable SQL query.

Mai bine spuneau "Havij is an automated SQL Injection tool that helps kinders to find and exploit SQL Injection vulnerabilities on a web page.", aceeasi situatie in care un skiddie da un click si face un deface. La toate programele astea ar trebuii pus un anti-kinders. De ce sa stea lumea sa citeasca ce se intampla s.a.m.d. cand poate sa apese butonul magic si sare in aer lumea!

L-a testat cineva, este folositor pentru situatiile critica atunci cand nu este timp si trebuie ce ceva fast? Eu unul pentru astea le vad bune, nu am sa stau toata ziua sa dau limit 12,1 13,1 14,1 pentru un "dork" ca sa obtin un shell...

Naaraxi · June 5, 2010

Faza cu Auto Detect la Keyword nu prea tine .

Setarile nu sunt salvate , trebuie sa le faci de fiecare data .

Nu suporta liste de URL-uri .

In rest , e util in sensul pe care l-a precizat Flubber .

Daca esti in graba , incerci si alte cai de a intra etc. , programul incearca diverse metode automat .

Totusi , nu cred ca e o idee buna sa te lasi pe mana lui .

Sunt sanse sa nu gaseasca nimic , pe cand manual , ai putea gasi

Sign In

Havij: A Advanced SQL Injection Tool!

Recommended Posts

begood

Link to comment

Share on other sites

Bebe1911

Link to comment

Share on other sites

THE PRO

Link to comment

Share on other sites

strike

Link to comment

Share on other sites

Naaraxi

Link to comment

Share on other sites

Flubber

Link to comment

Share on other sites

Naaraxi

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Pages