jSQL-injection – GUI Java Application for Automatic SQL Database Injection

jSQL-injection - GUI Java Application for Automatic SQL Database Injection

This tool is one of the best SQL-i tools, jsql-injection is java application with grapical user interface to perform automatic SQL injection. If you are a people who running windows computer, don’t worry because this tool is cross platform and also can run correcly on windows computer.

Description

jSQL Injection is a Java application for automatic SQL database injection with multiple injection strategies and also inject webshell and also lightweight application used to find database information from a distant server.

It is freeopen source and cross-platform (Windows, Linux, Mac OS X).

jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in other distributions like Pentest BoxParrot Security OSArchStrike or BlackArch Linux.

Features

  • Automatic injection of 23 kinds of databases: Access, CockroachDB, CUBRID, DB2, Derby, Firebird, H2, Hana, HSQLDB, Informix, Ingres, MaxDB, Mckoi, MySQL, Neo4j, NuoDB, Oracle, PostgreSQL, SQLite, SQL Server, Sybase, Teradata and Vertica
  • Multiple injection strategies: Normal, Error, Blind and Time
  • Multiple injection structures: Standard, Zipped, Dump In One Shot
  • SQL Engine to study and optimize SQL expressions
  • Injection of multiple targets
  • Search for administration pages
  • Creation and vizualisation of Web shell and SQL shell
  • Read and write files on host using injection
  • Bruteforce of password’s hash
  • Encode and decode a string

Installation [jsql-injection-v0.81.jar]

Install Java 8, then download the latest release and double-click on the file jsql-injection-v0.81.jar to launch the software.
You can also type java -jar jsql-injection-v0.81.jar in your terminal to start the program.
If you are using Kali Linux then get the latest release using command sudo apt-get -f install jsql, or make a system full upgrade with apt update then apt full-upgrade.

[Test-bed scripts]

Use the sample scripts to test injection on your local environment. First install a development environment like EasyPHP, then download the test-bed PHP scripts and place them into www/.

<?php
 # http://127.0.0.1/mysql/strategy/get-normal.php?id=0
  
 $link = mysqli_connect('localhost', 'root', '', 'my_database');
  
 $result = $link->query("SELECT col1, col2 FROM my_table where  id=$_GET[id]");
  
 while ($row = $result->fetch_array($result, MYSQLI_NUM))
    echo join(',', $row); 

Screenshots and [video]

jSQL-injection - GUI Java Application for Automatic SQL Database Injection
jSQL-injection - Automatic SQL Database Injection webshell
jSQL-injection - Application for Automatic SQL Database Injection Upload Shell

[Roadmap]

Burp integration, Crawler, Database: Netezza, Full Path Disclosure, Injection strategies: DIOS RoutedQuery OOB, Dictionnary attack, WAF detection.

In progress

Tampering.

Since latest release

Test-bed scripts for php5 and php7 shared on Github, SOAP injection, Fix multi-params injection, Fix adding items to Scan list, Fix translation dialog

Change log

v0.81 Test all parameters including JSON, Parse forms and Csrf tokens, Databases: CockroachDB Mckoi Neo4j NuoDB Hana and Vertica, Translation complete: Russian, Chinese

v0.79 Error Strategies for MySQL and PostgreSQL compatible with Order/Group By, Wider range of Characters Insertion including multibyte %bf

v0.78 SQL Engine, MySQL Error strategy: DOUBLE, Translations: es pt de it nl id, 18 Database flavors including Access

v0.76 Translation: cz, 17 Database flavors including SQLite

v0.75 URI injection point, Source code mavenification, Upgrade to Java 7

v0.73 Authentication: Basic Digest Negotiate NTLM and Kerberos, Database flavor selection

v0.7 Scan multiple URLs, Github Issue reporter, 16 Database flavors including Cubrid Derby H2 HSQLDB MariaDB and Teradata

alpha-v0.6 Speed x2: No more hex encoding, 10 Database flavors including MySQL Oracle SQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb and Sybase, JUnit tests, Log4j, GUI translation

0.5 SQL Shell, File Uploader

0.4 Admin page finder, Bruteforce hashes like MD5 and MySQL, Encode and decode string with methods like Base64, Hex and MD5

0.3 File injection, Web Shell with integrated CLI, Persistence of application parameters, Update checker

0.2 Strategy Time, Multi-thread control: Start Pause Resume and Stop, Log URL calls

0.0-0.1 Method GET POST Header and Cookie, Strategies Normal Error and Blind, Best strategy selection, Progression bars, Simple evasion, Proxy settings, MySQL only

Disclaimer

Attacking web-server is illegal without prior mutual consent. The end user is responsible and obeys all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

fifteen − 12 =