Difference between revisions of "OWASP Backend Security Project Tools"

([http://www.imperva.com/products/scuba.html Scuba])
Line 3: Line 3:
 
The aim of this section is to enumerate and quickly describe the tools used to find and exploit some vulnerabilities concerning database management systems.
 
The aim of this section is to enumerate and quickly describe the tools used to find and exploit some vulnerabilities concerning database management systems.
  
== [http://sqlninja.sourceforge.net SQL Ninja] ==
+
=== Free Tools ===
 +
==== [http://sqlninja.sourceforge.net SQL Ninja] ====
 
SQL Ninja is a tool, written in Perl, which helps a penetration tester to gain a shell on a  system running Microsoft SQL server, exploiting a web application resulted vulnerable to SQL Injection.
 
SQL Ninja is a tool, written in Perl, which helps a penetration tester to gain a shell on a  system running Microsoft SQL server, exploiting a web application resulted vulnerable to SQL Injection.
 
+
==== [http://sqlmap.sourceforge.net SQLMap] ====
== [http://www.sqlpowerinjector.com SQL Power Injector] ==
+
SQL Power Injector is a .Net 1.1 application used to find and exploit SQL Injection vulnerability through a vulnerable web application which uses SQL Server, MySql, Sybase/Adaptive Server and DB2 Database Management Systems as backend. It’s main feature is the support for multithreaded automation of the injection.
+
 
+
== [http://sqlmap.sourceforge.net SQLMap] ==  
+
 
SQLMap is a Python application able to collect information and data, such as databases names, table’s names and contents, and read system files from a MySQL, Oracle, PostgreSQL or Microsoft SQL Server Database Management Systems, exploiting the SQL Injection vulnerability of a vulnerable web application.
 
SQLMap is a Python application able to collect information and data, such as databases names, table’s names and contents, and read system files from a MySQL, Oracle, PostgreSQL or Microsoft SQL Server Database Management Systems, exploiting the SQL Injection vulnerability of a vulnerable web application.
 
+
==== [http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project OWASP SQLiX] ====
== [http://sqltool.itdefence.ru/indexeng.html SQL Injection Tool] ==
+
SQLiX is a tool, written in Perl, able to identify the back-end database, find blind and normal injection and also execute system commands on a Microsoft SQL Server. It was also successfully tested on MySQL and PostgreSQL.
SQL Injection Tool is an application used to exploit SQL Injection vulnerability found in a web application, it’s able to retrieve some useful information and data from a Microsoft SQL server. It also includes a terminal to send raw HTTP requests.
+
==== [http://www.imperva.com/products/scuba.html Scuba] ====
 
+
== [http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html BobCat] ==
+
BobCat is a tool based on “Data Thief” and realized in .NET 2.0. It permits to take full advantage of SQL Injection vulnerability discovered in a web application to steal data, gain a shell or a reverse shell on the database management system machine. It has been tested on MSDE2000.
+
 
+
== [http://www.darknet.org.uk/2007/05/owasp-sqlix-project-sql-injection-scanner OWASP SQLiX] ==  
+
SQLiX is a tool, written in Perl, able to identify the back-end database, find blind and normal injection and also execute system commands on a Microsoft SQL Server. It was also successfully tested on MySQL and PostgreSQL.  
+
 
+
== [http://www.ngssoftware.com NGSQuirrel] ==
+
NGSQuirrel is a tool used to execute vulnerability assessments on database management systems. It’s able to find vulnerabilities and mistaken configuration or policy on SQL Server, Oracle, IBM DB2, Sybase ASE and Informix.
+
 
+
== [http://www.imperva.com/products/scuba.html Scuba] ==  
+
 
Scuba is a Database vulnerability scanner able to find vulnerabilities like unpatched software, unsafe processes and weak password on Oracle, DB2, Microsoft SQL Server and Sybase.
 
Scuba is a Database vulnerability scanner able to find vulnerabilities like unpatched software, unsafe processes and weak password on Oracle, DB2, Microsoft SQL Server and Sybase.
 
+
==== [http://sqid.rubyforge.org/ SQID SQL Injection Digger] ====
== [http://www.appsecinc.com/products/index.shtml AppDetectivePro] ==
+
<Coming soon the description>
+
 
+
== [http://sqid.rubyforge.org/ SQID SQL Injection Digger] ==  
+
 
SQL injection digger is a command line program, written in [http://www.ruby-lang.org/ ruby], that looks for SQL injections and common errors in websites. It can perform the following operations:
 
SQL injection digger is a command line program, written in [http://www.ruby-lang.org/ ruby], that looks for SQL injections and common errors in websites. It can perform the following operations:
 
* Look for SQL injection in a webpage, by looking for links
 
* Look for SQL injection in a webpage, by looking for links
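Review bot: The edit summary names only Scuba, but this hunk regroups every entry under a new "=== Free Tools ===" heading, demotes the tool headings from "==" to "====", and changes the OWASP SQLiX link from the darknet.org.uk post to the owasp.org category page. Describe the reorganisation in the summary so the page history shows why the entries were reordered.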
Line 36: Line 18:
 
* Crawl a website to perform the above listed operations
 
* Crawl a website to perform the above listed operations
 
* Perform a google search for a query and look for SQL injections in the urls found
 
* Perform a google search for a query and look for SQL injections in the urls found
 +
==== [http://www.ictsc.it/site/IT/projects/sqlDumper/sqlDumper.php SqlDumper] ====
 +
Exploiting a SQL injection vulnerability SqlDumper can make dump of any file in the file system. It work only with DBMS MySql.
 +
==== [http://www.sqlpowerinjector.com SQL Power Injector] ====
 +
SQL Power Injector is a .Net 1.1 application used to find and exploit SQL Injection vulnerability through a vulnerable web application which uses SQL Server, MySql, Sybase/Adaptive Server and DB2 Database Management Systems as backend. It’s main feature is the support for multithreaded automation of the injection.
 +
==== [http://www.northern-monkee.co.uk/index.html BobCat] ====
 +
BobCat is a tool based on “Data Thief” and realized in .NET 2.0. It permits to take full advantage of SQL Injection vulnerability discovered in a web application to steal data, gain a shell or a reverse shell on the database management system machine. It has been tested on MSDE2000.
 +
==== [http://sqltool.itdefence.ru/indexeng.html SQL Injection Pentesting Tool] ====
 +
SQL Injection Tool is an application used to exploit SQL Injection vulnerability found in a web application, it’s able to retrieve some useful information and data from a Microsoft SQL server. It also includes a terminal to send raw HTTP requests.
 +
 +
=== Commercial Tools ===
 +
==== [http://www.appsecinc.com/products/index.shtml AppDetectivePro] ====
 +
<Coming soon the description>
 +
==== [http://www.ngssoftware.com NGSQuirrel] ====
 +
NGSQuirrel is a tool used to execute vulnerability assessments on database management systems. It’s able to find vulnerabilities and mistaken configuration or policy on SQL Server, Oracle, IBM DB2, Sybase ASE and Informix.
  
== [http://www.ictsc.it/site/IT/projects/sqlDumper/sqlDumper.php SqlDumper] ==
 
Exploiting a SQL injection vulnerability SqlDumper can make dump of any file in the file system. It work only with DBMS MySql.
 
  
 
== Web Application Vulnerability Scanners ==  
 
== Web Application Vulnerability Scanners ==  
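Review bot: The heading added for sqltool.itdefence.ru reads "SQL Injection Pentesting Tool", while the paragraph under it still opens "SQL Injection Tool is an application"; use one name in both places. The new BobCat heading also links to the site's index.html where the old one linked the project page (/projects/bobcat/bobcat.html), the moved paragraphs carry over "It’s main feature" and "It work only with DBMS MySql", and AppDetectivePro under Commercial Tools is still the "<Coming soon the description>" placeholder.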

Revision as of 08:26, 2 April 2008

Tools

This section lists and briefly describes tools used to find and exploit some vulnerabilities in database management systems.

Free Tools

SQL Ninja

SQL Ninja is a tool, written in Perl, which helps a penetration tester gain a shell on a system running Microsoft SQL Server by exploiting a web application found to be vulnerable to SQL injection.

SQLMap

SQLMap is a Python application able to collect information and data, such as database names, table names and contents, and to read system files from MySQL, Oracle, PostgreSQL or Microsoft SQL Server database management systems by exploiting a SQL injection vulnerability in a web application.

OWASP SQLiX

SQLiX is a tool, written in Perl, able to identify the back-end database, find blind and normal injections, and execute system commands on a Microsoft SQL Server. It has also been successfully tested on MySQL and PostgreSQL.

Scuba

Scuba is a database vulnerability scanner able to find vulnerabilities such as unpatched software, unsafe processes and weak passwords on Oracle, DB2, Microsoft SQL Server and Sybase.

SQID SQL Injection Digger

SQL Injection Digger is a command-line program, written in Ruby, that looks for SQL injections and common errors in websites. It can perform the following operations:

  • Look for SQL injection in a webpage, by looking for links
  • Submit forms in a webpage to look for SQL injection
  • Crawl a website to perform the above listed operations
  • Perform a Google search for a query and look for SQL injections in the URLs found

SqlDumper

By exploiting a SQL injection vulnerability, SqlDumper can dump any file in the file system. It works only with the MySQL DBMS.

SQL Power Injector

SQL Power Injector is a .NET 1.1 application used to find and exploit SQL injection vulnerabilities in web applications that use SQL Server, MySQL, Sybase/Adaptive Server and DB2 database management systems as the back end. Its main feature is support for multithreaded automation of the injection.

BobCat

BobCat is a tool based on “Data Thief” and built on .NET 2.0. It takes full advantage of a SQL injection vulnerability discovered in a web application to steal data or to gain a shell or a reverse shell on the machine running the database management system. It has been tested on MSDE2000.

SQL Injection Pentesting Tool

SQL Injection Tool is an application used to exploit a SQL injection vulnerability found in a web application; it can retrieve some useful information and data from a Microsoft SQL Server. It also includes a terminal for sending raw HTTP requests.

Commercial Tools

AppDetectivePro

<Description coming soon>

NGSQuirrel

NGSQuirrel is a tool used to run vulnerability assessments on database management systems. It can find vulnerabilities and configuration or policy mistakes on SQL Server, Oracle, IBM DB2, Sybase ASE and Informix.


Web Application Vulnerability Scanners

The web application vulnerability scanners listed below are able to discover SQL injection vulnerabilities:

   - Acunetix
   - Appscan
   - Hailstorm
   - Sentinel
   - SQL Injector (SPI Toolkit)