Hi,

I am looking for a fuzzer to find SQL Injection vulnerabilities. I have used a few, but I am wondering which one you use?

Thanks Ketchup.

I have been using WebScarab and SQLMap so far and I was wondering if they were good. I guess they are!

That depends on your input entirely.   WebScarab works from a text file template of SQL commands and such.  SQLMap has quite a few payloads, including some MSF webshells.   

Would anyone know about a good SQL Injection dictionary? I found an OK one, but I am looking for MySQL, MSSQL and Oracle specific ones...

Also for XSS and XSRF!

Good ones are hard to find...

sqlninja, sqlmap, pangolin, webscarab, paros and drum roll... curl

curl + your own list + your own values.

I was sent an email from my FW admin yesterday: (Chicken Little style... sky is...) "OMG Someone in Brazil is trying SQL injection attacks..." To which I replied: "Alright, so? Any 200's in the logs?" - 200's being what I thought was obvious - HTTP 200's (a-okay). Needless to say, deer + headlights. Maybe my question was wrong. I should have said, did you check the webserver logs. After explaining what 200's I was looking for, I just said send me the logs, I'll take care of it.

Anyhow, point of that rambling is... Timing. Timing is everything. I like to play around with honeypots, IDS', IPS' which means, the odds of someone coming in the front door with a tool (especially with off the shelf variables) is low. When performing ANYTHING web related, the point of view a pentester from my perspective should be: "timing is everything" where - if possible - keep the attack timing so slow you'll be so low key and blend in because you'll be lost in the sauce. Also hping + curl + decoy hosts does wonders to further get you lost in the sauce.

On the other hand, we have the defensive side to this. Personally I love all of these scanners and the users behind them ESPECIALLY if the end point is a *nix box. Simply because most scanners are so damn noisy, it's easy to whip up a shell script, tail the last few lines of access_log, awk out the connection, sort it, find out if N connection tried to connect to say more than 20 pages in less than a minute, if so, block em Think about it... It literally is close to impossible to plop open 30 pages in ONE minute. I don't care what your ctrl+click skills are.

Heh... That reminds me. I was trying to explain to explain this VoIP honeypot I made to someone in government. The goal, figure out what toll-fraudsters are doing, how they're doing it, what they're using, etc... (www.infiltrated.net/arkeos-w-mysql.txt) So I whipped up a quick and dirty shell script to dump data from my honeypot PBX's into a MySQL DB


So while explaining it, I was asked...

GovWrker: "How do you know they weren't legit attempts..."

ArrogantMe: Oh I don't know... 35,787 attempts in 18 minutes 18 seconds... I can see where they re-attempt connections manually 32x a second. A little bit of meth here, some crackrocks there... Maybe you have yourself a drug problem, not a vishing one"