[ISR] :: Infobyte Security Research :: release (ISR-sqlget.pl) v1.0.0
-- ISR - Infobyte Security Research
-- | ISR-sqlget v1.0.0 | www.infobyte.com.ar |
..:: DESCRIPTION
ISR-sqlget: It's a blind SQL injection tool developed in Perl.
It lets you get databases schemas and tables rows.
Using a single GET/POST you can access quietly the database structure
and using a single GET/POST you can dump every table row to a csv-like file.
Databases supported:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- Mysql
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- Mckoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)
Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magicquotes: encode every string using db CHR function or similar.
- Convert requests to hexadecimal values
- Avoid non-space replacing for /**/ or (\t) tab
- Avoid non || or + concatenation using db concat function or similar.
- Random user-agent
- Random proxy-server
- Random delay request
Common features:
- Database schemate download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in csv format
Reporting:
- Database structure graphication to create impact executive reports
require Graphviz library (http://www.graphviz.org/)
..DEMO
- Demo features (bypassing IBM ISS Proventia IPS)
http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html
..AUTHOR
Francisco Amato - famato+at+infobyte+dot+com+dot+ar
..:: DOWNLOAD
http://www.infobyte.com.ar/development.html