In this post, we are adding few open source SQL injection tools. These tools are powerful and can perform automatic SQL injection attacks against the target applications. I will also add the download link to download the tool and try. I tried my best to list the best and most popular SQL injection tools. Download the different editions of our Time Clock Software, the FREE Edition, the Stand Alone Edition, and the Network Edition.
Script types:portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-sql-injection.nse
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-sql-injection.nse
User Summary
Spiders an HTTP server looking for URLs containing queries vulnerable to an SQLinjection attack. It also extracts forms from found websites and tries to identifyfields that are vulnerable.
The script spiders an HTTP server looking for URLs containing queries. It thenproceeds to combine crafted SQL commands with susceptible URLs in order toobtain errors. The errors are analysed to see if the URL is vulnerable toattack. This uses the most basic form of SQL injection but anything morecomplicated is better suited to a standalone tool.
We may not have access to the target web server's true hostname, which can prevent access tovirtually hosted sites.
See also:
Script Arguments
http-sql-injection.withinhost
only spider URLs within the same host. (default: true)
http-sql-injection.errorstrings
a path to a file containing the error strings to search for (one per line, lines started with # are treated as comments). The default file is nselib/data/http-sql-errors.lst which was taken from fuzzdb project, for more info, see http://code.google.com/p/fuzzdb/. If someone detects some strings in that file causing a lot of false positives, then please report them to [email protected].
http-sql-injection.withindomain
only spider URLs within the same domain. This widens the scope from
withinhost
and can not be used in combination. (default: false)
http-sql-injection.url
the url to start spidering. This is a URL relative to the scanned host eg. /default.html (default: /)
http-sql-injection.maxpagecount
the maximum amount of pages to visit. A negative value disables the limit (default: 20)
slaxml.debug
See the documentation for the slaxml library.httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.Example Usage
Script Output
Requires
Authors:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
portrule
- portrule (host, port)
-
Parameters
- host:
- port:
See also:
SQL injection is one of the most common attacks against web applications. A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.