
SQL injection is an injection attack in which the attacker adds malicious SQL statements to a web form input box to gain access to resources or make changes to data.
SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.
This vulnerability can affect any website or web application that uses an SQL-based database. The risk of SQL injection exploits is on the rise because of automated tools.
SQL injection is no longer done manually: many tools do the job automatically, which puts thousands and thousands of websites at risk of SQL injection.
One of these automated tools is jSQL Injection.
jSQL Injection is a free, open-source application written in Java. It is cross-platform, which means it works on multiple operating systems, including Windows, Linux, Mac OS and Solaris.
jSQL Injection is also part of the official penetration testing distribution Kali Linux and it’s included in distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux.
Features of jSQL:
- GET, POST, header, cookie methods
- Normal, error based, blind, time based algorithms
- Automatic best algorithm selection
- Multi-thread control (start/pause/resume/stop)
- Progression bars
- Shows URL calls
- Simple evasion
- Proxy setting
- Distant file reading
- Webshell deposit
- Terminal for webshell commands
- Configuration backup
- Update checker
- Admin page checker
- Brute forcer (md5 mysql…)
- Coder (encode decode base64 hex md5…)
- Supports MySQL
To run a local injection test, save the following PHP code into a file, say ‘kile_get.php’, and move the file to the root folder of your web server:
<?php
// Deliberately vulnerable test target. The mysql_* functions require PHP 5.x (removed in PHP 7).
mysql_connect("localhost", "root", "");
mysql_select_db("my_own_database");
// The request parameter is concatenated into the query unescaped.
$result = mysql_query("SELECT * FROM my_own_table where my_own_field = " . $_GET['lib']) # time based
    or die(mysql_error()); # error based
if (mysql_num_rows($result) !== 0) echo " something "; # blind
while ($row = mysql_fetch_array($result, MYSQL_NUM))
    echo join(',', $row); # normal
?>
Now use this URL to connect and read the local database:
http://127.0.0.1/kile_get.php?lib=
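
The test script above concatenates `$_GET['lib']` into the query text, which is what makes it injectable. The following added example (not part of the original post or of jSQL) puts that weak query beside a hardened one. It assumes PHP 7+ with the pdo_sqlite extension and uses an in-memory SQLite database instead of MySQL so it runs without a server; the function names and sample rows are constructed for illustration.

```php
<?php
// Added example: constructed data, hypothetical function names.
// Assumes PHP 7+ with the pdo_sqlite extension; the page's script uses MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_own_table (my_own_field INTEGER, note TEXT)');
$pdo->exec("INSERT INTO my_own_table VALUES (1, 'row one'), (2, 'row two'), (3, 'row three')");

// Same pattern as the test script: the parameter becomes part of the SQL text.
function lookup_concatenated(PDO $pdo, string $lib): array
{
    $sql = 'SELECT * FROM my_own_table WHERE my_own_field = ' . $lib;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: validate the expected type, then bind the value as data.
function lookup_prepared(PDO $pdo, string $lib): array
{
    $id = filter_var($lib, FILTER_VALIDATE_INT);
    if ($id === false) {
        // Reject early. MySQL would otherwise cast a bound string such as
        // "1abc" to the number 1 and still return a row.
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM my_own_table WHERE my_own_field = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed inputs: one normal value, one that alters the WHERE clause.
$inputs = ['2', '0 OR 1=1'];
foreach ($inputs as $lib) {
    printf("lib=%-10s concatenated: %d row(s)  prepared: %d row(s)\n",
        $lib,
        count(lookup_concatenated($pdo, $lib)),
        count(lookup_prepared($pdo, $lib)));
}
```

With the concatenated query the second input returns every row in the table, while the prepared version returns none because the value never reaches the SQL parser as syntax.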

You can get jSQL from here:
https://github.com/ron190/jsql-injection