SQL injection attacks are widely regarded as the most common Web application attack technique, and the security damage they cause is often irreparable. The 10 SQL tools listed below can help administrators detect vulnerabilities in a timely manner.
bSQL Hacker
bSQL Hacker was developed by Portcullis Labs. It is an automatic SQL injection tool (supporting blind SQL injection) designed to perform SQL injection against any database. bSQL Hacker is intended both for experienced injection users and for those who want to automate SQL injection. It automatically attacks Oracle and MySQL databases and automatically extracts database data and schemas.
The Mole
The Mole is an open-source automated SQL injection tool that bypasses IPS/IDS (intrusion prevention systems/intrusion detection systems). By simply providing a URL and a usable keyword, it can detect the injection point and exploit it. The Mole can use the union-based injection technique and injection based on logical (boolean) queries. The Mole's attack range includes SQL Server, MySQL, Postgres, and Oracle databases.
Pangolin
Pangolin is a security tool that helps penetration testers perform SQL injection testing. Pangolin and JSky (a Web application vulnerability scanner and Web application security assessment tool) are products of the NOSEC company. Pangolin has a friendly graphical interface and supports testing against almost all databases (Access, MSSQL, MySQL, Oracle, Informix, DB2, Sybase, PostgreSQL, SQLite). Pangolin can achieve maximum attack test results through a series of very simple operations, and it covers the test steps from the initial detection of the injection point to the final control of the target system. Pangolin is currently the most widely used security software for SQL injection testing in China.
Sqlmap
sqlmap is an automated SQL injection tool. It can perform extensive fingerprinting of the back-end database management system, retrieve the DBMS databases, usernames, tables, and columns, and enumerate the entire DBMS. sqlmap provides the ability to dump database tables and, on MySQL, PostgreSQL, and SQL Server, to download or upload any file and execute arbitrary code.
Havij
Havij is an automated SQL injection tool that helps penetration testers discover and exploit SQL injection vulnerabilities in Web applications. Provided there is an exploitable SQL injection vulnerability, Havij not only exploits SQL queries automatically, it also identifies the back-end database type, retrieves usernames and password hashes, dumps tables and columns, extracts data from the database, and can even access the underlying file system and execute system commands. Havij supports a wide range of database systems, such as MSSQL, MySQL, MS Access, and Oracle. Havij supports parameter configuration to evade IDS, supports proxies, and can scan for back-end login page addresses.
Enema SQLi
Unlike other SQL injection tools, Enema SQLi is not automatic, and using it requires a certain amount of knowledge. Enema SQLi can use user-defined queries and plug-ins to attack SQL Server and MySQL databases. It supports error-based, union-based, and time-based injection attacks.
Sqlninja
Sqlninja is written in Perl and is released under the GPLv2 license. The purpose of Sqlninja is to exploit SQL injection vulnerabilities in Web applications that rely on Microsoft SQL Server as their back end. Its main goal is to provide a remote shell on a vulnerable database server, even in an environment with stringent safeguards. After a SQL injection vulnerability has been discovered, an enterprise administrator, and especially a penetration tester, can use it to automatically take over the database server. There are many other SQL injection tools on the market, but unlike them, Sqlninja does not focus on extracting data; instead it focuses on acquiring an interactive shell on the remote database server and using it as a foothold in the target network.
Sqlsus
Sqlsus is an open-source MySQL injection and takeover tool. It is written in Perl and based on a command-line interface. Sqlsus can retrieve the database structure, inject your own SQL statements, download files from the server, crawl the Web site for writable directories, upload and control a backdoor, clone databases, and so on.
Safe3 SQL Injector
Safe3 SQL Injector is one of the most powerful and easy-to-use penetration testing tools for detecting and exploiting SQL injection vulnerabilities and database servers. Safe3 SQL Injector has the ability to read MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase, SAP MaxDB, and other databases. It also supports writing files to MySQL and SQL Server, and executing arbitrary commands on SQL Server and Oracle. Safe3 SQL Injector also supports error-based, union-based, and time-based injection attacks.
SQL Poizon
The SQL Poizon graphical interface enables users to attack without deep expertise, and the browser built into the SQL Poizon scan and injection tool helps to see the impact of injection attacks. SQL Poizon takes full advantage of search engine "dorks" to scan Internet sites for SQL injection vulnerabilities. (Edited by Li)
(Responsible editor: Lu Guang)