Category:OWASP SQLiX Project

Overview
SQLiX, coded in Perl, is able to crawl, find SQL injection vectors, identify the back-end database and grab function call/UDF results (and even execute system commands for MS-SQL). The concepts it uses are different from those used in other SQL injection scanners. SQLiX is able to find normal and blind SQL injection vectors and doesn't need to reverse engineer the original SQL request (it uses only function calls).

Goals
TBD

Download
OWASP SQLiX v1.0 is available for download here.

Features
TBD - Current command line help - TBD

Usage: SQLiX.pl [options]
  -help                                  Show this help

Target specification:
  -url [URL]                             Scan a given URL.
                                         Example: -url="http://target.com/index.php?id=1"
  --post_content [CONTENT]               Add a content to the current [URL] and change the HTTP method to POST
  -file [FILE_NAME]                      Scan a list of URI provided via a flat file.
                                         Example: -file="./crawling"
  -crawl [ROOT_URL]                      Scan a web site from the given root URL.
                                         Example: -crawl="http://target.com/"

Injection vectors:
  -referer                               Use HTTP referer as a potential injection vector.
  -agent                                 Use HTTP User agent as a potential injection vector.
  -cookie [COOKIE]                       Use the cookie as a potential injection vector.
                                         Cookie value has to be specified and the injection area tagged as "--INJECT_HERE--".
                                         Example: -cookie="userID=--INJECT_HERE--"

Injection methods:
  -all                                   Use all the injection methods.
  -method_taggy                          Use MS-SQL "verbose" error messages method.
  -method_error                          Use conditional error messages injection method.
  -method_blind                          Use all blind injection methods.
  -method_blind_integer                  Use integer blind injection method.
  -method_blind_string                   Use string blind injection method.
  -method_blind_statement                Use statement blind injection method.
  -method_blind_comment                  Use MySQL comment blind injection method.

Attack modules:
  -exploit                               Exploit the found injection to extract information.
                                         by default the version of the database will be retrieved
  -function [function]                   Used with exploit to retrieve a given function value.
                                         Example: -function="system_user"
                                         Example: -function="(select password from user_table)"
  -union                                 Analyse target for potential UNION attack [MS-SQL only].

MS-SQL System command injection:
  -cmd [COMMAND]                         System command to be executed.
                                         Example: -cmd="dir c:\\"
  -login [LOGIN]                         MS-SQL login to use if known.
  -password [PASSWORD]                   MS-SQL password to use if known.

Verbosity:
  -v=[n]                                 Verbose mode level
                                         v=0 => no output, only results are displayed at the end
                                         v=2 => realtime display, provide minimum result info
                                         v=5 => debug view [all url,content and headers are displayed]
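
The help above lists the HTTP referer, the User agent and a cookie as injection vectors alongside URL parameters. The following is an added example, not part of SQLiX or of the original page, showing with Python's sqlite3 why those values need the same parameterization as URL input; the table names, handler functions and sample request values are constructed assumptions.

```python
import sqlite3

# Constructed request values: ordinary text that happens to contain a quote.
SAMPLE = {"cookie_user_id": "1001",
          "referer": "http://example.test/o'reilly",
          "agent": "Mozilla/5.0 (Bob's build)"}

def make_db():
    """Fresh in-memory database with one known session (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (user_id TEXT, name TEXT)")
    db.execute("CREATE TABLE hits (user_id TEXT, referer TEXT, agent TEXT)")
    db.execute("INSERT INTO sessions VALUES ('1001', 'alice')")
    return db

def handle_unsafe(db, req):
    # Weak form: cookie and header values are pasted into the SQL text, so
    # the Referer and User-Agent are parsed as SQL just like a URL parameter.
    rows = db.execute("SELECT name FROM sessions WHERE user_id = '%s'"
                      % req["cookie_user_id"]).fetchall()
    db.execute("INSERT INTO hits VALUES ('%s', '%s', '%s')"
               % (req["cookie_user_id"], req["referer"], req["agent"]))
    return [r[0] for r in rows]

def handle_safe(db, req):
    # Hardened form: placeholders keep every request value as data.
    rows = db.execute("SELECT name FROM sessions WHERE user_id = ?",
                      (req["cookie_user_id"],)).fetchall()
    db.execute("INSERT INTO hits VALUES (?, ?, ?)",
               (req["cookie_user_id"], req["referer"], req["agent"]))
    return [r[0] for r in rows]

def sql_error(handler, req):
    """Return the SQLite error text the handler raises for req, or None."""
    try:
        handler(make_db(), req)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

def stored_hits(handler, req):
    """Run the handler once and return what ended up in the hits table."""
    db = make_db()
    handler(db, req)
    return db.execute("SELECT referer, agent FROM hits").fetchall()

if __name__ == "__main__":
    print("unsafe:", sql_error(handle_unsafe, SAMPLE))
    print("safe:  ", sql_error(handle_safe, SAMPLE), stored_hits(handle_safe, SAMPLE))
```

A database error caused by a quote in a header is the condition the error-based methods listed above depend on; with placeholders the same values are stored verbatim and no error is raised.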

Future Development
Currently working on a module able to dump the database schema and the data of the vulnerable database.

News
OWASP SQLiX Project Created! - 09:45, 28 August 2006 (EDT)

While the SQLiX Project has been under development for some time now, it has only recently been donated to OWASP.

The OWASP community would like to thank Cedric Cochin for the generous donation.

Project Contributor
The project is led by Cedric Cochin (cedric.cochin at gmail dot com)

Homepage

Project Sponsors
If you want to help with SQLiX project development, feel free to contact the project leader.