‘Blind SQL Injection Brute Forcer’

Summary

Credit:

‘The information has been provided by Sumit Siddharth.
To keep updated with the tool visit the project’s homepage at: http://code.google.com/p/bsqlbf-v2/


Details

‘This tool is a modified version of ‘bsqlbfv1.2-th.pl’. This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. Databases supported:
 * MS-SQL
 * MySQL
 * PostgreSQL
 * Oracle

The tool supports 2 attack modes(-type switch):
Type 0:- Blind SQL Injection based on true and false conditions returned by back-end server
Type 1:- Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.

Usage example:
$./bsqlbf-v2.pl -url http://192.168.1.1/injection_string_post/1.asp?p=1 -method post -match true -database 0 -sql ‘select top 1 name from sysobjects where xtype=’U”

Categories: Tools