2016-06-03

SQL_Injector Version-2 by incredible

Hello,

I am here with Advanced version of  SQL_Inj3ct0r. In this version I have added few more functionality to the tool. We will see what are these functionality in this post.

Previously released SQL_Inj3ct0r was a simple php script integrated with sqlmap and was able to perform SQL injection by 'get method' only. For details and usage of the previous script, please visit following link :

This version of  SQL_Inj3ct0r is having two more method by which you can exploit you target using SQL injection. 
1. Via Post method
2. Using file.

Download link :
You can download this script "Advanced SQL_Inj3ct0r" from here :

Usage:  
Please refer following screenshot as manual of the script:

1. You will get this modules shown in the screenshot on first access of 'Advanced_injector.php'. You can download sqlmap here. if you already have sqlmap , simply set that's location using "Set" button.


2. If you download the sqlmap, SQL_Inject0r will show the location of sqlmap. Simply type the path in input box as shown and hit  "Set". Refer screenshot below.



3. After setting the location you will be redirected to following main module where you get 4 options ( i.e 'GET Method' , 'POST Method' , 'Inject using file'), for injecting the target via 3 different method and one option for generating a file.

If you want do changes on path/location of sqlmap, You may use "Reset SQLMAP path" button as shown in the screenshot.
for reference :


 4. You may proceed with any of the method out of three in order to inject your target. To know complete exploitation method through 'Inject via get method' you may have a look on previous version of SQL_Inject0r: refer this Link

a) Injecting target using GET Method.
Exploitation 'Level' , 'Risk'  and 'Technique' is also implemented in newer version of Inject0r
you can set any value for 'Level'(from 1 to 5) and Risk( from 1-3). If you don't specify the value, SQL_Inject0r proceed for exploitation with their default values.
For exploitation  technique ( depending on SQL injection type ) you can choose any out of 5.
Following type of SQL injections can be performed using Inject0r:
(i) Union based SQLi
(ii) Error based SQLi
(iii) Boolean based SQLi
(iv) Time based SQLi
(v) Stack query based SQLi

Please refer following screenshot:


b) Injecting target using POST Method.
In this module you have to provide vulnerable URL and POST parameters in input boxes as shown in following screenshot:


After that, set Level and Risk, select your exploitation technique and hit "Exploit" button.


c) Generating a file.
Using this module you can generate a txt file which contains the request header. this file will be used to inject the target through "Inject using file" module.
To generate the file you need to provide a name for file with .txt extension and need the paste the request header in text area,as shown in screenshot below:


 After pasting the request header, hit "Generate File" button. SQL_Inject0r will generate the file with same name you have given, in current working directory. Refer following screenshot:



d) Inject target using file.
In this module you can use the generated file to inject your target. Simply type the filename in text box, set level, risk, technique (if you wish to) and go for "Exploit".
Refer following screenshots:

I am using 'sqli-audi lab' again to demonstrate the usage of the SQL_Inject0r_v2 as I used this for previous Inject0r. From 'Step2' complete exploitation process with be same for all of three the modules.
Full demonstration of the "inject using file" module: 

Step1: Provide DB filename in text box and click on "Exploit" button.



Step 2: You will get the names of all the existing databases. Select the database name you wish and proceed to extract table_name from selected database. Refer screenshot:




Step3: You will get all the tables present on the selected database. Type one of  the table name in input box,of which you want to get the data and click on "Extract Columns" button. Refer screenshot below:



 Step 4: After getting the columns name, you can proceed to dump the data from columns. Type columns name separating them  with comma(,)  to get the data inside the column and click on "Dump_Data".

  
Step 5: Finally, you will get the data inside the columns.
Reference image:



 
So this is the SQL_Inject0r_v2 with some more functionalities.
I hope this description will help you to use the script. :)

Thank you.
Share this post

0 comments

© 2009 Start With Linux | Mannu Linux
Designed by cyb3r.gladiat0r
Posts RSSComments RSS
Back to top