SQL Injection ToyNo, this title is not about to the United Nations web site.

Their hole is still gaped by the way, no matter what the U.N. staffers said so far.
As you may recall, I did offer a little free help to fix their bugs (13 AUG), but I've not been contacted back, notwithstanding some public flattery.
At any rate, since the 5 days "grace time" granted them under the RFPolicy is more than expired (10 days now), you may want to stay tuned for a report about their vulnerabilities -- and, more interesting, about the worrying ways they pretend (or, worse, believe?) to have fixed them -- as soon as I find a few minutes for this.

In the meanwhile, the real reason behind this post: I'm releasing a free web-based tool to help those experimenting and studying SQL injections, called SQL Injection Toy (or just SQL IT).

Even if simple, it exhibits some interesting properties:

  1. Automatic deep URL encoding: all the characters of the injection (even the "safe" ones) get percent-encoded before submission.
  2. Automatic SQL parameters encoding: SQL string parameters specified using
    @paramName

    placeholders are automatically replaced with an equivalent concatenation of ASCII to Character function calls. This kind of transformation resembles the

    String.fromCharCode(88, 83, 83)

    idiom, well known by people familiar with XSS, and has been made compatible with 4 of the most popular RDBMSes (i.e. MySQL, MS SQL Server, MS Access and Oracle).

  3. Anonymity: the tool does not send any data to the server side, aside the unrevealing initial request. More specifically, it doesn't transmit any data you enter in the tool (URL, SQL template, parameters). Obviously, once you submit your SQL injection to its target site, it will be logged there. But even so, tracing the request back to this tool is not easy (see #5 below).
  4. Persistence: as we said, the tool doesn't log anything. It does not use a database of its own nor cookies for storage. Nevertheless, anonymous client side persistence is achieved through JavaScript manipulation of the fragment URI part: every time you modify a parameter in the browser, the URL in your address bar changes in a way that is invisible to the server side, but can be captured in a bookmark. Each bookmark holds the current state of the tool, so you can store your attempts and retrieve them later for further editing and usage.
  5. Low traceability: if you're approaching such a tool, almost certainly you already use privacy helpers like Tor, NoScript and CookieSafe. You're probably blocking your Referer header as well, e.g. with something like RefControl. Nonetheless, our kind SQL Injection Toy does its best to graciously detach itself from your injection submission, by forcing a META Refresh which strips off the Referer HTTP URL and prevents tool's URL from being logged on the target server.

Happy hacking, and please don't hammer too hard on our most beloved worldwide organization ;)

25-AUG Update

In order to satisfy sirdarkcat's RFEs, two new features have been added:

  1. POST requests: you can issue a POST instead of a GET, turning the query string parameters into url-encoded payload.
    If you need both a query string and POST parameters, just use the question mark twice: last question mark delimits the POST parameters.
    For instance, "http://maone.net/test?a=1?b=2" will send "b=2" in the POST body and "http://maone.net/test?a=1" as the request URI.
  2. Injection Placeholder: while the 1st version just appended the injection to the specified base URL, now you can place a
    %SQL%

    placeholder anywhere in the URL and have it replaced with your injection. This obviously adds flexibility, and indirectly allows alternate usages, for instance cookie injection via bookmarklets like

    javascript:document.cookie="language=en%SQL%"

    .

Links

7 Responses to “SQL Injection Toy”

  1. #1 scratchz says:

    hmmm,,, SQLIT

  2. #2 sirdarckcat says:

    Cool!
    The support for several database types is great :P

    I have 1 bug report.

    Any way, it would be cooler if it could generate POST petitions, and a favlet for generating a COOKIE with the exploit :P, something like javascript:void(document.cookie="var=val1");

  3. #3 Davide says:

    source code?

  4. #4 Giorgio says:

    @sirdarkcat:
    aarrgh, the dangers of innerHTML...

    @Davide:
    it's all there (View|Source), no server side stuff involved :P

  5. #5 BlogCadre says:

    SQL Injection tool

    The boys over at haxademix.net never cease to amaze me, this time rolling out a web based and virtually anonymous SQL injection tool (it's FREE to).
    http://evil.hackademix.net/sqlit/
    ** For those of you who do not know what an SQL injection is...

    ...

  6. #6 raaka says:

    simple yet ko0l
    well i have death threat for u bro.. post more

  7. #7 steeL says:

    I hv posted Complete XSS, SQL Injection technique on my site http://steeLit.funpic.de

    My site is not for hacking, i just education ppl how hacking happens & how to defend. :D

Bad Behavior has blocked 2419 access attempts in the last 7 days.