Nytro Posted May 9, 2011 Report Posted May 9, 2011 SQL Power injectorIntroductionSQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the normal mode is basically the SQL command that someone will put in the parameter sent to the server.If the aspect of inline SQL injection is powerful in itself, its main strength dwells in the multithreaded automation of the injection. Not only there is a possibility to automate tedious and time consuming queries but you can also modify the query to get only what you want. It is obviously more useful in the blind SQL injection since the other ways to exploit the SQL injection vulnerability is more effusive and much faster when the results are displayed on the web page (union select in a HTML table and generated 500 error for instance).The automation can be realized in two ways: comparing the expected result or by time delay. The first way is generally compared against an error or difference between positive condition with a negative one and the second way will turn out positive if the time delay sent to the server equals to the one parameterized in the application.The main effort done on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice that there is an integrated browser that will display the results of the injection parameterized in a way that any related standards SQL error will be displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the response of the server to make it as talkative to you as possible.Another important part of this application is its power to get all the parameters from the web page you need to test the SQL injection, either by GET or POST method. Like this someone won't need to use several applications or a proxy to intercept the data, all is automated! Not only that, but now there is a Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies).I worked hard on the application usability but I am aware that at first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood it will be quite easy to use afterwards. In order to help a beginner to understand its basic features I created a tutorial that not only will help him out but can also be educative for some advanced SQL injection techniques. Moreover, You will find some great tricks in the FAQ as well and now with the version 1.2 a help file (chm) containing a list of the most useful information for SQL injection.Also, I designed this application the way I was making my own pen testing and how I was using SQL injection. It has been tested successfully many times on real life web sites (legally of course) and as soon as I see something missing I'm adding it. Now of course that it's officially available to the security community I will have to have more rigors and wait to add them in a new version of the software. This process has already started and many more features will come with time.Finally, this application will be free of charge and hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible of any misuses or damage caused by this application.What It's NotThis application if powerful won't find SQL injection vulnerabilities for you nor will find the right syntax if one found. Its main strength is to provide a way to find them more easily and once they are found to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique.Moreover, I didn't intent to make it to be a database pumping application. There are plenty good applications for that purpose. In any cases many pumped data are not relevant and since it takes time to pump it can be a real waste of time. It's better to refine and get what you really want.Lastly, if I added the feature (mini-browser) to have the results in an HTML format it doesn't mean that it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are real complex software that it would be nearly impossible to implement all their features in my application. That's why that you won't be able to use it as a conventional browser even though it has the same look and feel.Features Supported on Windows, Unix and Linux operating systems SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant SSL support Load automatically the parameters from a form or a IFrame on a web page (GET or POST) Detect and browse the framesets Option that auto detects the language of the web site Detect and add cookies used during the Load Page process (Set-Cookie detection) Find automatically the submit page(s) with its method (GET or POST) displayed in a different color Can create/modify/delete loaded string and cookies parameters directly in the Datagrids Single SQL injection Blind SQL injection Comparison of true and false response of the page or results in the cookie Time delay Response of the SQL injection in a customized browser Can view the HTML code source of the returned page in HTML contextual colors and search in it Fine tuning parameters and cookies injection Can parameterize the size of the length and count of the expected result to optimize the time taken by the application to execute the SQL injection Create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed Multithreading (configurable up to 50) Option to replace space by empty comments /**/ against IDS or filter detection Automatically encode special characters before sending them Automatically detect predefined SQL errors in the response page Automatically detect a predefined word or sentence in the response page Real time result Save and load sessions in a XML file Feature that automatically finds the differences between the response page of a positive answer with a negative one Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you Automatic replaying a variable range with a predefined list from a text file Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies) Two integrated tools: Hex and Char encoder and MS SQL @options interpreter Can edit the Referer Can choose a User-Agent (or even create one in the User-Agent XML file) Can configure the application with the settings window Support configurable proxiesDifferences with Other ToolsTo be honest, I didn't study all the other tools features in all their details. The only thing I can say is that if they are great they always lack something important that I need when I'm doing SQL injection.Some application will find the SQL injection for you that sometimes will result in false positive. And others will generically pump the data of the database. Some of those applications got smarter and you can check for what you need when the list of databases has been pumped. Or ask a specific hard coded data, such as the current DB user.But none of them have the ability to specifically choose what you want as far as I know. That ability comes with a cost of course, you need to know some SQL syntax, but I can assure that once someone understands how it works, not much syntax is required.Also, I cannot recall to have seen any application using the time delay feature inserted in the application. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique. A technique that could be really tedious and time consuming, that often results by giving up after long hours of copy pasting the command in the browser when done manually.I don't remember as well to have seen any multithread feature that can be most definitely a really important time saver. Nor the ASCII characters preset feature that can save up to 25% the blind SQL injection. (Please look at the statistics section for some figures)I apologize in advance to those who have made their own application and made it available on the Net that possess those features before I made SQL Power Injector available. Please let me know and I will update this section.Summary of the differences: Web page string and cookie parameters auto detection Fine tuning parameters SQL injection Time delay feature Multithread feature Response results in a customized browser Automated positive and negative condition discovery Blind SQL injection characters preset optimizerScreenshotsYou will find two screen shots demonstrating the two techniques used in the application: Normal and Blind.Screen 1: SQL Power injector with Normal technique Screen 2: SQL Power injector with Blind technique Some Statistic FiguresI didn't use any scientific methods so do not consider those statistics as scientific facts but more as a general idea of what you can expect. Especially that no one controls the flux on the Net and I would be really hard pressed to give any valuable scientific data. Another thing, I didn't make enough tests (10 times for each thread) to have a real statistical sample since the goal of these numbers will be to show approximately what you can expect.Moreover, it will depend also of the size of the data sought. Sometimes a lower number of threads will be more effective than more. In fact, the time taken will be optimized if the length of the value is a divisible number of the number of thread. So let's say we have 24 characters length, 3, 4, 6 and 8 will be faster than any other. As a rule of thumb, the bigger gap of time between any thread is from 1 to 2. As you can see the higher is not always the better. You will see some examples in the following statistics.Even though you can go up to 50 threads, I have discovered that around 10 threads it's starting to have errors and getting slower and slower. So again bigger number of threads is not necessary better. I must warn as well that the higher number of threads is, the higher is the chances to crash the web application (web server or database)I must thank Nathaniel Felsen to have allowed me to test on one of his web server and my wife Elizabeth to have done all the tedious tests for me in her free time.Here are the characteristics of the computer used to make the tests: AMD Athlon ? 64 X2 Dual Core Processor 4200+ GHz 2 GB of RAM Windows XP SP 2 ADSL 1 MB/s Ping round trip average time of 173 msDownload:http://www.sqlpowerinjector.com/download.htm 1 Quote