Recall back in November last year when we published a history of sql injection attacks, and followed that up with a sql injection tutorial. The purpose of these publications is to increase awareness of sql injection and to familiarize users with securing dynamic web applications. For testing and understanding the attack we have an online sql injection test that allows anyone to quickly test a HTTP GET based URL for a sql injection vulnerability.

It is normal to assume that when implementation of security has a cost associated with it; in the form of development time or code fixing, there will be those who hold off until disaster strikes. However it seems that unless that disaster directly affects the organisation, pushing applications out that have been untested or security reviewed continues to be the normal practice.

Hit the link for the full list – SQL Injection Scanners

If you are not familiar with the power of sqlmap head over to the sourceforge site for demo videos and some top notch documentation. Our scanning tools are configured to discover sql injection holes. However the full power of sqlmap allows you move into the exploitation phase and take over a server – an excellent tool for penetration testing and showing management how serious sql injection holes can be. New features include integration with Metasploit.

From the Matrix:
Trinity: Hello Neo.
Neo:How do you know that name
Trinity: I know a lot about you
Neo: Who are you?
Trinity: My name’s Trinity
Neo: Trinity…THE Trinity? The one who hacked the IRS D-Base?
Trinity: That was a long time ago
Neo: Jesus
Trinity: What?
Neo: I just thought…you were a guy
Trinity: Most guys do

To the horror of Latvia’s political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.

The group, calling itself the People’s Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns, from the State Revenue Service
(SRS) after exploiting a security loophole on its website.

One hacker used the name Neo, in apparent tribute to the hero of The Matrix science-fiction films, in which a vast system for enslaving humanity is exposed. He or she claimed that the documents revealed the
extent of official hypocrisy over belt-tightening reforms introduced as Latvia’s economy reeled under the impact of the global economic crisis. “The purpose of the group is to unmask those who gutted the country,”
Neo told the Latvian television current affairs programme Kas Notiek Latvija in an interview posted on its website.

Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers.

Times Online – Latvia in turmoil after hacker exposes establishment salaries

Now would be a good time to check your site try our scanner for a quick check against possible HTTP GET injection. Be sure to enter the full url with the additional parameters that will be tested. Ie: www.mysitetotest.com/listproducts.php?cat=3 or www.examplesite.com/article.asp?id=3. Once you have checked this form don’t forget that form based SQL Injection is also very easy to exploit. For testing form based sql injection attacks try the firefox plugin SQL from Security Compass – SQL Injection – Exploit Me – Firefox Plugin

Several high-profile hacks over the past year including those at Heartland, Hannaford Bros., and 7-11, all have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason — the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most of all reported Web breaches the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

Dark Reading – SQL Injection Demystified

Don’t forget to check out the documentation, it has to be one of the best documented open source tools around! Nice work Bernardo.

Some of the major features implemented in sqlmap include:

* Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems software. sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
* Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched queries support. sqlmap can also test for time based blind SQL injection.
* Extensive back-end database management system software and underlying operating system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it. sqlmap is also able to fingerprint the web server operating system, the web application technology and, in some circumstances, the back-end DBMS operating system.
* Support to retrieve on all four back-end database management system banner, current user, current database, check if the current user is a database administrator, enumerate users, users password hashes, users privileges, databases, tables, columns, dump tables entries, dump whole database management system and run user’s own SQL statement.
* Support to read either text or binary files from the database server underlying file system when the database software is MySQL, PostgreSQL and Microsoft SQL Server.
* Support to execute arbitrary commands on the database server underlying operating system when the database software is MySQL, PostgreSQL via user-defined function injection and Microsoft SQL Server via xp_cmdshell() stored procedure.
* Support to establish an out-of-band stateful connection between the attacker box and the database server underlying operating system via:
o Stand-alone payload stager created by Metasploit and supporting Meterpreter, shell and VNC payloads for both Windows and Linux;
o Microsoft SQL Server 2000 and 2005 sp_replwritetovarbin stored procedure heap-based buffer overflow (MS09-004) exploitation with multi-stage Metasploit payload support;
o SMB reflection attack with UNC path request from the database server to the attacker box by using the Metasploit smb_relay exploit on the attacker box.
* Support for database process’ user privilege escalation via Windows Access Tokens kidnapping on MySQL and Microsoft SQL Server via either Meterpreter’s incognito extension or Churrasco stand-alone executable.

SQL Map 0.7