SQL Power Injector 1.2 released

by

In: Application Scanner , Security Solutions , SQL Power Injector

19 July 2007

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

Features for this release :

  • Now support DB2 database
  • Can create/edit ASCII characters preset in order to optimize the blind
    SQL injection number of requests/speed
  • Can make the blind SQL injection case insensitive (useful with
    characters preset)
  • New feature that will find the differences between the response page
    of a positive answer with a negative one
  • Created a Firefox Plugin that will launch SQL Power Injector with all
    the current page context (string parameters and cookies)
  • Created an extensive documentation used as a databases "Aide Memoire" that contains information related to SQL injection for each supported DBMS (System tables (with their column names and description), environment and session variables, functions, dangerous stored procs, etc...)
  • Can create a range list that will replace the variable (<<@>>) inside
    a blind SQL injection string and automatically play them for you
  • Automatic replaying a variable range with a predefined list from a
    text file
  • New management console for Cookies used for the Load Page process
  • Detect and add Cookies used during the Load Page process (Set-Cookie detection)
  • Improved the User Interface to display contextual information (normal
    vs blind mode)
  • New Datagrid has been added with the Cookies information, which can be injected in the same fashion than the String Parameter
  • Improved the accuracy and reliability of the blind SQL injection
    results (if a character cannot be found it’s replaced by the sun char (¤))
  • Can edit the Referer
  • View source now displays HTML in colors and can be customized in a XML file
  • Can search in the View source
  • Can choose an User-Agent from the menu (and even add new ones in the XML file)
  • Threads are better managed and it’s now possible to raise it to the
    number you wish (50 max in the application but can be changed in the
    source code)
  • Can configure the application settings
  • Support configurable proxies
  • With SQL Server it is possible to use the TOP keyword
  • Take in account the different syntax of MySQL 4.1.0 and lower with
    higher versions in the database list
  • Various things redesigned and quality improvement
  • Two integrated tools: Hex and Char encoder and MS SQL @options
    interpreter
  • Problems when there is a Form tag inside another one (Bug fix)
  • Bug with multi threads with cookies (Bug fix)

SQL Power Injector has been added to SD Tools Watch Process

Post scriptum

Compliance Mandates

  • Application Scanner :

    PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2


Related Articles

Application Scanner
Security Solutions
SQL Power Injector