ARTICLE

SQL Power Injector 1.2 released

Thursday 19 July 2007

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

Features for this release :

- Now support DB2 database
- Can create/edit ASCII characters preset in order to optimize the blind SQL injection number of requests/speed
- Can make the blind SQL injection case insensitive (useful with characters preset)
- New feature that will find the differences between the response page of a positive answer with a negative one
- Created a Firefox Plugin that will launch SQL Power Injector with all the current page context (string parameters and cookies)
- Created an extensive documentation used as a databases "Aide Memoire" that contains information related to SQL injection for each supported DBMS (System tables (with their column names and description), environment and session variables, functions, dangerous stored procs, etc...)
- Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
- Automatic replaying a variable range with a predefined list from a text file
- New management console for Cookies used for the Load Page process
- Detect and add Cookies used during the Load Page process (Set-Cookie detection)
- Improved the User Interface to display contextual information (normal vs blind mode)
- New Datagrid has been added with the Cookies information, which can be injected in the same fashion than the String Parameter
- Improved the accuracy and reliability of the blind SQL injection results (if a character cannot be found it’s replaced by the sun char (¤))
- Can edit the Referer
- View source now displays HTML in colors and can be customized in a XML file
- Can search in the View source
- Can choose an User-Agent from the menu (and even add new ones in the XML file)
- Threads are better managed and it’s now possible to raise it to the number you wish (50 max in the application but can be changed in the source code)
- Can configure the application settings
- Support configurable proxies
- With SQL Server it is possible to use the TOP keyword
- Take in account the different syntax of MySQL 4.1.0 and lower with higher versions in the database list
- Various things redesigned and quality improvement
- Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
- Problems when there is a Form tag inside another one (Bug fix)
- Bug with multi threads with cookies (Bug fix)

SQL Power Injector has been added to SD Tools Watch Process


POSTSCRIPTUM

Download


RELATED ARTICLES

Application Scanner, Security Solutions, SQL Power Injector,

19 July 2007 : SQL Power Injector 1.2 released