10 Big relational database SQL injection Tools overview

Source: Internet
Author: User
Tags file system mssql mysql injection postgresql sql injection sqlite sybase havij

bSQL Hacker

bSQL Hacker was developed by the Portcullis Lab, bSQL Hacker is an SQL Automatic injection tool (which supports SQL blinds) designed to enable SQL overflow injection of any database. The bSQL hacker are used by people who inject experienced users and those who want to automate SQL injection. bSQL Hacker automatically attacks Oracle and MySQL databases, and automatically extracts database data and schemas.

The Mole

The mole is an Open-source automated SQL injection tool that bypasses the Ips/ids (Intrusion prevention system/intrusion detection system). By simply providing a URL and a usable keyword, it can detect the injection point and exploit it. The mole can use the union injection technology and the logic query based injection technology. The Mole attack range includes SQL Server, MySQL, Postgres, and Oracle databases.


Pangolin is a security tool that helps infiltrate testers into SQL injection (SQL Injeciton) testing. Pangolin and Jsky (Web application vulnerability scanners, Web application security assessment tools) are the products of nosec company. Pangolin has a friendly graphical interface and supports testing in almost all databases (Access, MSSQL, MYSQL, Oracle, Informix, DB2, Sybase, PostgreSQL, Sqlite). Pangolin can achieve maximum attack test results through a series of very simple operations. It gives the test steps from the start of the detection injection to the final control target system. Pangolin is currently the most used security software for SQL injection testing in China.


SQLMAP is an automated SQL injection tool. It is competent to perform an extensive database management system with back-end fingerprints,

Retrieves the DBMS database, usernames, tables, columns, and enumerates the entire DBMS information. SQLMAP provides the ability to dump database tables and MySQL, PostgreSQL, SQL Server servers to download or upload any file and execute arbitrary code.


Havij is an automated SQL injection tool that helps penetrate testers to discover and exploit SQL injection vulnerabilities in Web applications. Havij can not only automatically exploit SQL queries that are available, it also recognizes background database types, user names and passwords to retrieve data, hash, dump tables and columns, extract data from the database, and even access the underlying file system and execute system commands, provided there is an exploitable SQL injection vulnerability. Havij supports a wide range of database systems, such as MsSQL, MySQL, MSAccess and Oracle. Havij support parameter configuration to avoid IDs, support agents, background landing address scanning.

Enema Sqli

Enema SQLI Unlike other SQL injection tools, enema sqli is not automatic, and it requires a certain amount of relevant knowledge to use enema sqli. Enema SQLI can use user-defined queries and plug-ins to attack SQL Server and MySQL databases. Supports injection attacks based on error-based, union-based, and blind time-based.


Sqlninja software is written in Perl and conforms to the GPLV2 standard. The purpose of Sqlninja is to take advantage of SQL injection vulnerabilities in Web applications that rely on Microsoft's SQL Server for back-end support. The main goal is to provide a remote enclosure on a vulnerable database server, even in an environment with stringent safeguards. After a SQL injection vulnerability is discovered, an enterprise administrator, especially a tester penetrating the attack, should use it to automatically take over the database server. There are many other SQL injection vulnerabilities available on the market, but unlike other tools, Sqlninja does not need to extract data, but instead focuses on acquiring an interactive shell on a remote database server and using it as a foothold in the target network.


Sqlsus is an open source MySQL injection and takeover tool, Sqlsus is written in Perl and is based on a command-line interface. Sqlsus can get the database structure, inject your own SQL statements, download files from the server, crawl the Web site writable directories, upload and control the back door, clone databases, and so on.

Safe3 SQL Injector

Safe3 SQL Injector is one of the most powerful and easy-to-use penetration testing tools that can detect and exploit SQL injection vulnerabilities and database server processes. Safe3 SQL Injector has the ability to read databases such as MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase, SAP maxdb, and so on. It also supports writing files to MySQL, SQL Server, and executing arbitrary commands in SQL Server and Oracle. SAFE3 SQL Injector also supports injection attacks based on error-based, union-based, and blind time-based.

SQL Poizon

The SQL Poizon graphical interface enables users to attack without deep expertise, and the SQL Poizon Scan Injection tool built-in browser helps to see the impact of injection attacks. SQL Poizon take full advantage of the search engine "dorks" to scan Internet sites for SQL injection vulnerabilities.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.