ocram6616967 Posted October 16, 2012
Hi everybody. I'm using BackTrack and I'd like to ask you what the best program for SQL injection is... thanks :D

Infiltrator Posted October 16, 2012
Check out this link: http://maestro-sec.com/blogs/2008/10/top-15-sql-injection-scanner/

digininja Posted October 16, 2012
Depends what you are injecting into. For a web app I'd say a browser followed by sqlmap; sqlninja wins occasionally, though, but you have to use both to know when to choose one over the other. Into a custom app or something else not web based, you are looking at writing custom scripts.

digip Posted October 16, 2012
Joe has some great talks and info on the subject in general.

ihackforfun Posted October 17, 2012
The group Anonymous is rumored to use the Havij tool a lot (http://www.danbuzzard.net/journal/lulzsec-and-anonymous-script-kiddie-sql-injection.html). sqlmap is a tool taught in most security courses like CEH and SANS 542, so I would start with those as a general rule. If you want to test your own application/website to see if someone could get in easily, then I would start with these also …

digininja Posted October 17, 2012
I've heard Havij is a good tool but usually backdoored in some way, so I personally would not touch it.

ocram6616967 Posted October 17, 2012 (Author)
Thanks guys! To begin and test my own website database I think I'd start with sqlmap... :D

digininja Posted October 17, 2012
Start with a browser and do it by hand, then move on to tools once you know what is going on. You'll learn a lot more that way. I'd also suggest starting testing against DVWA or one of the other known vulnerable apps first; that way you know what you are looking for.

Jason Cooper Posted October 17, 2012
As digininja says, start learning SQL injection by hand. Not only will you understand what the tools are doing for you, but you will also be able to make much better use of the tools and also know when there is no point trying to use the tool at all.
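An added example, not code from any poster in this thread, of what the "do it by hand" advice above is really about: understanding what the database actually receives when user input is pasted into a query. It builds a constructed in-memory SQLite table with one account, then runs the same login check two ways, once by string concatenation and once with bound parameters, and shows why the tautology input that every SQL injection tutorial starts from passes the first check and not the second. The table, the account and the function names are all assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database: one users table with a single account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def render_vulnerable_sql(username, password):
    # This is the string the database engine is asked to parse when the
    # application concatenates input into the query. Looking at this text
    # is exactly what "doing it by hand" teaches: the input is not data
    # here, it is part of the SQL grammar.
    return ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Vulnerable form: input is spliced into the query text.
    return conn.execute(render_vulnerable_sql(username, password)).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Hardened form: placeholders bind the input as values, so whatever the
    # input contains it is compared as a string and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    # Runs both checks with valid credentials, a wrong password, and the
    # classic tautology as the password, and returns the outcomes by name.
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_bad_password": login_vulnerable(conn, "alice", "wrong"),
        # Concatenation turns the WHERE clause into
        #   username = 'alice' AND password = '' OR '1'='1'
        # which is true for every row, so the bad password is accepted.
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "safe_good_creds": login_parameterized(conn, "alice", "correct-horse"),
        "safe_bad_password": login_parameterized(conn, "alice", "wrong"),
        # Bound as a value, the same input is just a password that does
        # not match, so the check fails as it should.
        "safe_tautology": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-18s -> %s" % (name, "accepted" if accepted else "rejected"))
    print(render_vulnerable_sql("alice", "' OR '1'='1"))
```

The point for someone testing their own site, as asked earlier in the thread, is the second pair of functions rather than the first: a tool like sqlmap will report the vulnerable form, but the fix is to make every query look like `login_parameterized`, and printing the rendered query text is the quickest way to see whether a given piece of code does.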
ocram6616967 Posted October 18, 2012 (Author)
OK. Do you know a good tutorial web page where I can learn about SQL injection (by hand)? Thanks :)

digip Posted October 18, 2012
> OK. Do you know a good tutorial web page where I can learn about SQL injection (by hand)? Thanks :)

I posted a link to a video by Joe McCray. He has slides on SlideShare, and also check out SecurityTube for more, but links abound all over the interwebs and plenty of tuts. Even pastebin has many. Just use some google fu; it will take 3 seconds to find some great examples. Also, check out (I think it's called) Mutillidae, from OWASP. At least, I think that's where you can get it. Irongeek has a video demo on it too somewhere. Check his site.

ocram6616967 Posted October 19, 2012 (Author)
> I posted a link to a video by Joe McCray. He has slides on SlideShare, and also check out SecurityTube for more, but links abound all over the interwebs and plenty of tuts. Even pastebin has many. Just use some google fu; it will take 3 seconds to find some great examples. Also, check out (I think it's called) Mutillidae, from OWASP. At least, I think that's where you can get it. Irongeek has a video demo on it too somewhere. Check his site.

OK, thanks for the video Digip!

Demux Posted November 17, 2012
Like others have said, there are a lot of tools out there for learning and practicing exploiting web app vulns. Mutillidae is great, and it comes bundled along with DVWA and a number of other vulnerable services in Metasploitable 2 (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/), which is put out by Rapid7. There are also a number of great security CTF competitions, such as Stripe CTF, that can really help hone your skills. I would also echo digininja's comment that you should do manual testing as much as possible if you really want to learn how it works. Good luck! (Also, sorry for waking a slightly stale thread.)