Presentation is loading. Please wait.

Presentation is loading. Please wait.

SQL Power Injector Avadanei AlinBalan Robert. What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration.

Published byLucinda Carter Modified over 9 years ago

Similar presentations

Presentation on theme: "SQL Power Injector Avadanei AlinBalan Robert. What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration."— Presentation transcript:

1 SQL Power Injector Avadanei AlinBalan Robert

2 What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration tester to inject SQL commands on a web page.  Its main strength is its capacity to automate tedious blind SQL injection with several threads.  For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode).  The normal mode is basically the SQL command that someone will put in the parameter sent to the server.

3 How it works ?  The multithreaded automation of the injection gives the possibility to automate tedious and time consuming queries  The query can be modified to get only what you want.  Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.  Firefox plugin that will launch SQL Power Injector ?? – No longer available

4 Multithreaded automation  The automation can be realized in two ways:  comparing the expected result  by time delay  The first way is generally compared against an error or difference between positive condition with a negative one.  The second way will turn out positive if the time delay sent to the server equals to the one parameterized in the application.

5 Features  Supported on Windows, Unix and Linux operating systems  SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant  SSL support  Load automatically the parameters from a form or a IFrame on a web page (GET or POST)  Detect and browse the framesets  Option that auto detects the language of the web site  Detect and add cookies used during the Load Page process (Set-Cookie detection)

6 Features  Find automatically the submit page(s) with its method (GET or POST) displayed in a different color  Can create/modify/delete loaded string and cookies parameters directly in the Datagrids  Single SQL injection  Blind SQL injection  Comparison of true and false response of the page or results in the cookie  Time delay  Response of the SQL injection in a customized browser  Multithreading (configurable up to 50)

7 Demo

8 Differences with Other Tools  Web page string and cookie parameters auto detection  Fine tuning parameters SQL injection  Time delay feature  Multithread feature  Response results in a customized browser  Automated positive and negative condition discovery  Blind SQL injection characters preset optimizer

9 Conclusion  In closing, SQL injection enables you to inject malicious code into strings that are destined for storage in a table or as metadata and test your webpages and databases for security vulnerabilities

Download ppt "SQL Power Injector Avadanei AlinBalan Robert. What is SQL Power Injector ?  A graphical application created in C#.Net 1.1 that helps the penetration."

Similar presentations

PHP I.

PHP I.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Aqua Data Studio. Find the application We are using Aqua Data Studio v11.

Aqua Data Studio. Find the application We are using Aqua Data Studio v11.
Exadata Distinctives Brown Bag New features for tuning Oracle database applications.

Exadata Distinctives Brown Bag New features for tuning Oracle database applications.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
For Removal Info: visit

For Removal Info: visit
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
GreenSQL Yuli Stremovsky /MSN/Gtalk:

GreenSQL Yuli Stremovsky /MSN/Gtalk:
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section 1 09-21-04 PHP and MySQL.

SJSU CS157B Dr. Lee1  2004 Jenny Mitchell Two Useful Tools You Can’t Live Without by Jenny Mitchell SJSU CS157B Section PHP and MySQL.
Web Sites for amateur radio. So You want to make a Web Site? There are several things you need to know about web sites before you start to think about.

Web Sites for amateur radio. So You want to make a Web Site? There are several things you need to know about web sites before you start to think about.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:
Penetration Testing Training Day Capture the Flag Training.

Penetration Testing Training Day Capture the Flag Training.

Similar presentations

Ads by Google