Re: Framework for the aid of exploiting SQL injection

[nummish <nummish () gmail com>]

Absinthe (www.0x90.org/releases/absinthe<http://www.0x90.org/releases/absinthe>)
might do some of what you are describing. It works via blind injection
against MS SQL, Oracle and Postgres it also has the ability to work via
error pages (which is faster) for MS SQL server to a limited extent.

On 11/17/05, Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:
> Hi,
>
> Is there any recommended tool which helps to get databases tables,
> entries, structure, etc, given a particular SQL injection bug in one
> application? I mean, it should *automatically* try different sentences
> to figure out the names of the columns and in general, other useful info
> from the database. Perhaps a PoC of some of NGSSoftware's papers or a
> more elaborated tool... I'd like to hear from you what's the state of
> the art in this very particular web-appsec field (so feel free to talk
> about tools oriented to different database flavours, if you want: SQL
> Server, Oracle, MySQL, Access, etc...).
>
> Thanks.
>
> PD: For God's sake, don't continue feeding non-sense threads like the
> former Netdev's related flamewar. The best thing you can do is to ignore
> them.
>
> --
>
> Saludos,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



--
Bigger 1:23
This address if for mailing list traffic only.
Please direct non-list correspondence to 0x90.org <http://0x90.org>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/