1

I tested web site application with commercial automated tool.There are some blind sql injection.I want to retest this results .Is there any good method for test blind sql injection with tool or anything else ?

dgn
  • 124
  • 2
  • 4
  • 13
  • What not just manual? – Lucas Kauffman Dec 11 '13 at 10:01
  • In my opinion there are a lot of test case.Manual test takes too much time.For this reason I asked about automated tool – dgn Dec 11 '13 at 10:33
  • What DBMS is your target using? – rook Dec 11 '13 at 17:18
  • How about simply reverting to some form of interface that doesn't require manual escaping? Why would anyone use raw SQL in a web facing application these days? – aaaaaaaaaaaa Dec 11 '13 at 18:24
  • @Rook .Net application dbms mysql. – dgn Dec 11 '13 at 21:18
  • @eBusiness I dont understand can you explain simple? – dgn Dec 11 '13 at 21:19
  • @dgn You typically make SQL injection vulnerabilities in the first place because you generate SQL commands by concatenating strings of commands with strings of data. So use some tool that either does this for you or bypass the need altogether by passing commands and data separately to the database. For .NET you might want to look into ADO.NET. Here is a page with a simple example where the data in the SQL string is substituted with an identifier, which is then replaced with the real data using another command: http://msdn.microsoft.com/en-us/library/dw70f090(v=vs.100).aspx – aaaaaaaaaaaa Dec 11 '13 at 21:36
  • @eBusiness I will check this site. – dgn Dec 12 '13 at 08:40

3 Answers3

2

Apart from manual testing you could first try SQLMap, which is the standard tool for automated SQL exploitation.

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • Can you write sample command for sqlmap for test blind sql injection case?which command can I use retest this case because blind sql injection in viewstate? – dgn Dec 11 '13 at 10:37
  • Seriously you can at least put in some effort. Their whole github page is full of examples... even aside of that you can find tons of info about SQLMap on the internet. Google -> use it. – Lucas Kauffman Dec 11 '13 at 10:39
  • I understand you.I already know sqlmap tool.But case is related to viewstate so I have to find related code with viewstate in sqlmap.Maybe I modified question – dgn Dec 11 '13 at 11:24
1

You can try Havij. It is a free software works fast and stable and gives you a easy to use interface if you dont want to bug with terminal and such.

http://itsecteam.com/products/havij-advanced-sql-injection/

cengizUzun
  • 616
  • 1
  • 4
  • 12
1

These are the tools recommended by OWASP (Open Web Application Security Project)

SQL Power Injector
Absinthe - Automated Blind SQL Injection
SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer in Python
SQLiX - SQL Injection Scanner in Perl
bsqlb - a blind SQL injection tool in Perl

OWASP Blind_SQL_Injection

Harikrishnan
  • 452
  • 1
  • 5
  • 18