Recommendation for an SQL fuzzer?

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 16, 2010 8:36 am

Recommendation for an SQL fuzzer?

Hi,

I am looking for a fuzzer to find SQL Injection vulnerabilities. I have used a few, but I am wondering which one you use?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Aug 16, 2010 1:51 pm

Re: Recommendation for an SQL fuzzer?

WebScarab has a neat fuzzing capability, as do most proxy tools. W3AF can also do this. I use SQLMap primarily for automated SQL Injection testing. I find it to be very flexible and somewhat accurate.
~~~~~~~~~~~~~~
Ketchup

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 16, 2010 2:14 pm

Re: Recommendation for an SQL fuzzer?

Thanks Ketchup.

I have been using WebScarab and SQLMap so far and I was wondering if they were good. I guess they are!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Aug 16, 2010 2:54 pm

Re: Recommendation for an SQL fuzzer?

I don't have a lot of experience with these tools. They need to be used with care as some checks may drop databases or cause other damage, correct?
The day you stop learning is the day you start becoming obsolete.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Aug 16, 2010 4:25 pm

Re: Recommendation for an SQL fuzzer?

That depends on your input entirely. WebScarab works from a text file template of SQL commands and such. SQLMap has quite a few payloads, including some MSF webshells.
~~~~~~~~~~~~~~
Ketchup

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 16, 2010 5:22 pm

Re: Recommendation for an SQL fuzzer?

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 17, 2010 10:31 am

Re: Recommendation for an SQL fuzzer?

Would anyone know about a good SQL Injection dictionary? I found an OK one, but I am looking for MySQL, MSSQL and Oracle specific ones...

Also for XSS and XSRF!

Good ones are hard to find...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 17, 2010 10:40 am

Re: Recommendation for an SQL fuzzer?

As an update, I finally found Injection dictionaries/wordlists at http://www.edge-security.com/wfuzz.php

The source directory of the WFuzz application contains several dictionaries.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 17, 2010 1:28 pm

Re: Recommendation for an SQL fuzzer?

sqlninja, sqlmap, pangolin, webscarab, paros and drum roll... curl ;)

curl + your own list + your own values.

I was sent an email from my FW admin yesterday: (Chicken Little style... sky is...) "OMG Someone in Brazil is trying SQL injection attacks..." To which I replied: "Alright, so? Any 200's in the logs?" - 200's being what I thought was obvious - HTTP 200's (a-okay). Needless to say, deer + headlights. Maybe my question was wrong. I should have said, did you check the webserver logs. After explaining what 200's I was looking for, I just said send me the logs, I'll take care of it.

Anyhow, point of that rambling is... Timing. Timing is everything. I like to play around with honeypots, IDSs and IPSs, which means the odds of someone coming in the front door with a tool (especially with off-the-shelf variables) are low. When performing ANYTHING web related, the point of view of a pentester, from my perspective, should be: "timing is everything", where, if possible, you keep the attack timing so slow that you'll be low key and blend in, because you'll be lost in the sauce. Also hping + curl + decoy hosts does wonders to further get you lost in the sauce.

On the other hand, we have the defensive side to this. Personally I love all of these scanners and the users behind them, ESPECIALLY if the end point is a *nix box. Simply because most scanners are so damn noisy, it's easy to whip up a shell script: tail the last few lines of access_log, awk out the connection, sort it, find out if N connections tried to hit, say, more than 20 pages in less than a minute, and if so, block 'em ;) Think about it... It literally is close to impossible to plop open 30 pages in ONE minute. I don't care what your ctrl+click skills are.
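A worked version of the two things sil describes in this post, added here as an example; it is not code from the thread or from any of the tools named above. fuzz_param is the "curl + your own list + your own values" loop, with a sleep between requests for the timing point; noisy_ips is the access_log check, hits per client per minute with a count of HTTP 200s beside it. Both function names are invented, the script assumes an Apache/nginx combined-format access log, and the lines produced by sample_log are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers in the spirit of sil's post:
#   fuzz_param  - curl + your own payload list, one request per line, slowly
#   noisy_ips   - tail/awk style check of access_log for scanner-speed clients
# Assumes Apache/nginx "combined" log format. Function names are invented.

# fuzz_param URL PARAM WORDLIST [DELAY]
# One GET per payload; curl does the URL-encoding. Prints "status bytes payload"
# so that a differing status or body size stands out. Needs a reachable target,
# so nothing in this file calls it automatically.
fuzz_param() {
  url=$1; param=$2; wordlist=$3; delay=${4:-5}
  while IFS= read -r payload || [ -n "$payload" ]; do
    [ -n "$payload" ] || continue
    curl -sS -o /dev/null -w '%{http_code} %{size_download} ' \
      --get --data-urlencode "$param=$payload" "$url" </dev/null
    printf '%s\n' "$payload"
    sleep "$delay"   # slow and low: stay under per-minute rate checks
  done < "$wordlist"
}

# noisy_ips [THRESHOLD]   (combined-format log lines on stdin)
# Keys on client IP + minute of the request timestamp, counts hits and how many
# of them got HTTP 200, and prints "ip minute hits 200s" for every pair above
# THRESHOLD (default 20). Pipe the output into your block list of choice.
noisy_ips() {
  awk -v thr="${1:-20}" '
    {
      # $4 is "[17/Aug/2010:13:28:05"; characters 2..18 are the minute
      key = $1 SUBSEP substr($4, 2, 17)
      hits[key]++
      if ($9 == 200) ok[key]++       # the 200s worth looking at
    }
    END {
      for (k in hits) if (hits[k] > thr) {
        split(k, f, SUBSEP)
        print f[1], f[2], hits[k], ok[k] + 0
      }
    }' | sort
}

# sample_log: constructed log lines. 10.0.0.5 fires 30 injection probes in the
# 13:28 minute (every fifth one gets a 200), a browser makes two normal
# requests, and 10.0.0.5 sends one more probe in the next minute.
sample_log() {
  i=0
  while [ "$i" -lt 30 ]; do
    if [ $((i % 5)) -eq 0 ]; then code=200; else code=404; fi
    printf '10.0.0.5 - - [17/Aug/2010:13:28:%02d -0400] "GET /item.php?id=1%%27%%20OR%%201=1 HTTP/1.1" %s 512 "-" "curl/7.21.0"\n' "$i" "$code"
    i=$((i + 1))
  done
  printf '192.0.2.10 - - [17/Aug/2010:13:28:11 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'
  printf '192.0.2.10 - - [17/Aug/2010:13:28:14 -0400] "GET /about.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
  printf '10.0.0.5 - - [17/Aug/2010:13:29:02 -0400] "GET /item.php?id=2 HTTP/1.1" 200 700 "-" "curl/7.21.0"\n'
}

# Demo against the constructed log; on a live box replace sample_log with
#   tail -n 2000 /var/log/apache2/access.log
if [ "${1:-}" = "demo" ]; then
  sample_log | noisy_ips 20
fi
```

Run with `sh script.sh demo` to see the one flagged pair: 10.0.0.5 at 13:28 with 30 hits, 6 of them 200s. The browser at 192.0.2.10 and the lone 13:29 probe stay under the threshold, which is the whole point of a per-minute window: a sqlmap run at default speed trips it in seconds, while fuzz_param with a five-second delay never shows more than twelve hits per minute.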

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Aug 17, 2010 3:26 pm

Re: Recommendation for an SQL fuzzer?

sil wrote: Think about it... It literally is close to impossible to plop open 30 pages in ONE minute. I don't care what your ctrl+click skills are.


Not a fan of Fire Gestures? ;)

Ctrl + Right Click + Drag = Selected links in new tabs. Great for forums, Digg, etc.
The day you stop learning is the day you start becoming obsolete.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 17, 2010 3:55 pm

Re: Recommendation for an SQL fuzzer?

dynamik wrote:
sil wrote: Think about it... It literally is close to impossible to plop open 30 pages in ONE minute. I don't care what your ctrl+click skills are.


Not a fan of Fire Gestures? ;)

Ctrl + Right Click + Drag = Selected links in new tabs. Great for forums, Digg, etc.


Heh... That reminds me. I was trying to explain this VoIP honeypot I made to someone in government. The goal: figure out what toll-fraudsters are doing, how they're doing it, what they're using, etc... (www.infiltrated.net/arkeos-w-mysql.txt) So I whipped up a quick and dirty shell script to dump data from my honeypot PBXs into a MySQL DB

  Code:
mysql> select * from bruteforcers ;
+------------------------------------------+------------+------------+------------+-----------+----------------+----------+
| hostid                                   | start_date | start_time | stop_date  | stop_time | attacker       | attempts |
+------------------------------------------+------------+------------+------------+-----------+----------------+----------+
| e3d8862a1f1457b8722646dbec79d0f4b7e1b2ab | 2010-07-17 | 20:26:08   | 2010-07-17 | 20:44:26  | 220.241.37.123 | 35787    |
+------------------------------------------+------------+------------+------------+-----------+----------------+----------+


So while explaining it, I was asked...

GovWrker: "How do you know they weren't legit attempts..."

ArrogantMe: "Oh I don't know... 35,787 attempts in 18 minutes 18 seconds... I can see where they re-attempt connections manually 32x a second. A little bit of meth here, some crackrocks there... Maybe you have yourself a drug problem, not a vishing one"

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 17, 2010 4:09 pm

Re: Recommendation for an SQL fuzzer?

sil wrote: ArrogantMe: "Oh I don't know... 35,787 attempts in 18 minutes 18 seconds... I can see where they re-attempt connections manually 32x a second. A little bit of meth here, some crackrocks there... Maybe you have yourself a drug problem, not a vishing one"


Hahahaha...!!!  ;D
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
