Best Sql Injection Program

[ocram6616967]

Hi everybody. I'm using backtrack and I would ask to you what is the best program for sql injection... thanks :D

[Infiltrator]

Check out this link, http://maestro-sec.com/blogs/2008/10/top-15-sql-injection-scanner/

[digininja]

Depends what you are injecting into. A web app I'd say a browser followed by sqlmap, sqlninja wins occasionally though but you have to use both to know when to chose one over the other.

Into a custom app or something else not web based you are looking at writing custom scripts.

[digip]

Joe has some great talks and info on the subject in general.

[ihackforfun]

The group anonymous is rumored to use the Havji tool a lot (http://www.danbuzzard.net/journal/lulzsec-and-anonymous-script-kiddie-sql-injection.html), SQLMap is a tool thought in most security courses like CeH and SANS 542 so I would start with those as a general rule. If you want to test your own application/website to see if someone could get in easily then I would start with these also …

[digininja]

I've heard Havji is a good tool but usually backdoored in some way so I personally would not touch it.

[ocram6616967]

Thanks guys! To begin and test my own website database I think I'd start with SQLmap... :D

[digininja]

Start with a browser and do it by hand, then move on to tools once you know what is going on. You'll learn a lot more that way.

I'd also suggest starting testing against DVWA or one of the other known vulnerable apps first, that way you know what you are looking for.

[Jason Cooper]

As digininja says, start learning SQL injection by hand. Not only will you understand what the tools are doing for you, but you will also be able to make much better use of the tools and also when there is no point trying to use the tool at all.

[ocram6616967]

OKK. Do you know a good tutorial web page whereI can learn about SQL Injection (by hand) ? Thanks :)

[digip]

OKK. Do you know a good tutorial web page whereI can learn about SQL Injection (by hand) ? Thanks :)

I posted a link to a video by Joe McCray. He as slides on Slideshare, and also, check out Security Tube for more, but links abound all over the interwebs and plenty of tuts. Even pastebin has many. Just use some google fu, will take 3 seconds to find some great examples.

Also, check out (i think its called) Matiladae, from OWASP. At least, i think thats where you can get it. Iron Geek has a video demo on it too somewhere. Check his site.

[ocram6616967]

I posted a link to a video by Joe McCray. He as slides on Slideshare, and also, check out Security Tube for more, but links abound all over the interwebs and plenty of tuts. Even pastebin has many. Just use some google fu, will take 3 seconds to find some great examples.

Also, check out (i think its called) Matiladae, from OWASP. At least, i think thats where you can get it. Iron Geek has a video demo on it too somewhere. Check his site.

OK, thanks for the video Digip!

[Demux]

Like others have said, there are a lot of tools out there for learning and practicing exploiting web app vulns. Mutilidae is great and it comes bundled along with DVWA and a number of other vulnerable services in Metasploitable 2 (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/) which is put out by Rapid7. There are also a number of great security CTF competitions, such as Stripe CTF that can really help hone your skills. I would also echo Digininja's comment that you should do manual testing as much as possible if you really want to learn how it works. Good luck!

(Also, sorry for waking a slightly stale thread.)