SQL injection tools for automated testing. SQL injection is a security exploit in which an attacker injects SQL parameters into a Web form, allowing he or. By submitting your personal information, you agree that Tech. Target and its partners may contact you regarding relevant content, products and special offers. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy. SQL Injection Test Online. Online SQL Injection scanner to test for injectable parameters on a web. The SQLmap tool is a powerful automated sql injection testing tool. SQL injection is not a direct database problem but rather an application issue that indirectly affects your database systems. Then again, no matter how you look at it, its still a database problem in the end. Manual testing for SQL injection used to be the only way to determine if your database was vulnerable. Rooting through returned error messages, adding apostrophes and trying to guess database structure information was a long and arduous process. In fact, it was nearly impossible to do. It also didnt guarantee that youd find all SQL injection vulnerabilities, much less be able to view or extract data. Several automated SQL injection tools are available to carry out attacks. Offering features from front end Web application and database footprinting to vulnerability detection and the actual extraction of database tables, there are plenty of free and commercial hacking tools to choose from. Given the complexity of our information systems and the fact that we dont have unlimited time, using automated tools to find and exploit SQL injection is the only reasonable way to go about doing it. If you have a Web application with a backend database that allows dynamic user input supported by ASP. NET, Java, or similar languages, odds are that its susceptible to SQL injection. In typical ethical hacking fashion, what you can do is perform automated SQL injection attacks against your own systems to identify just what can be compromised from the outside world. No more SELECT this or apostrophe that you can let your tools do the work for you. Testing your own systems for SQL injection vulnerabilities in an automated fashion is a two step process. Heres what you need to do Step 1 Scan for vulnerabilities. First, you must scan your site with a Web application vulnerability scanner to see if any input filtering or other SQL injection specific holes exist. Since Im always in a time crunch and need good reporting capabilities, I like using commercial tools such as Acunetix Web Vulnerability Scanner or Web. Inspect software from Hewlett Packard HP. Both are great at finding SQL injection holes. Researchers found Katyusha Scanner A Fully Automated Telegrambased Powerful SQL Injection Tool. HP also offers a free tool called Scrawlr. Theres also the Perl based SQLi. X tool an open source SQL injection scanner supported by OWASP. An example of SQL injection vulnerabilities discovered by Acunetix Web Vulnerability Scanner is shown in Figure 1. Figure 1. Acunetix Web Vulnerability Scanner click to enlargeStep 2 Begin SQL injection. Once you determine whether or not your target system is vulnerable to SQL injection, your next step is to carry out the SQL injection process and determine just what can be gleaned from the database. My favorite tool for automating the actual SQL injection process is HPs SQL Injector which comes with Web. Inspect. You can also use Absinthe, shown in Figure 2. Figure 2. Absinthe tool for automated SQL injection click to enlargeBoth tools allow you to perform basic and blind SQL injection. As a side note, both types of tests should be performed especially if basic SQL injection doesnt return any results. These tools can query and extract data very quickly in an automated fashion, easily dumping large tables in just a matter of minutes. Other options include a free Web services testing framework from called Foundstone WSDigger from Mc. Afee, Inc. that can generate basic SQL injection attacks against Web services. Theres also Automagic SQL Injector, which you can use to perform automated SQL injection queries against SQL Server based systems. Finally, if you want to get some hands on practice outside of your live systems and learn more about SQL injection and other front end Web application vulnerabilities that can lead to database compromise, I highly recommend you check out Web. Goat and Foundstones Hacme tools. In the end, however, it doesnt matter which tools you use for automating your SQL injection tests as long as youre comfortable with how they work and are getting the expected results. Just do something the bad guys certainly are ABOUT THE AUTHORKevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authoredco authored several books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies Wiley. Hes also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at  kbeaverprinciplelogic. Blind SQL Injection Tool Download in Ruby   file    Mandatory File containing valid HTTP request and. SQL injection pointSQLINJECT. filetmpreq. Mandatory Pattern tolook forwhen query istrue. patterntruestatement   prepend    Mandatory Main payload. prependabcdandabunionselecttruestatementfromtablewherecol3dvalueandsubstrpassword,   append    How toendour payload. Forexample comment out rest of SQL statement. append   schar    Character placed around chars. This character is not used while in hex mode. File containing valid HTTP request used in second order exploitation. Blind mode to use between b generates less requests, moreless a generates less requests by using lt, characters, like l complete bruteforce, equals e complete bruteforce. Use hex to compare instead of characters.    case    Case sensitivity.    ssl    Use SSL.    proxy    Proxy to use. Enable test mode. Do not send request, just show full payload.    special    Include all special characters in enumeration.    start    Start enumeration from specified character. Maximum characters to enumerate. Timeout in waiting for responses. Stop showing each enumerated letter.    comma    Encode comma.    bracket    Add brackets to the end of substring function. Usespace instead of brackets tosplit hex values.    verbose    Show verbose messages.