Ad End 1 February 2024
Ad Ends 13 January 2025
ad End 25 April 2025
Ad Ends 20 January 2025
Ad expire at 5 August 2024
banner Expire 25 April 2025
What's new
banner Expire 15 January 2025
banner Expire 20 October 2024
UniCvv
adv exp at 23 August 2024
casino
swipe store
Carding.pw carding forum
BidenCash Shop
Kfc CLub

AUTOMATED BLIND SQL INJECTION ATTACKING TOOLS - HACKING TUT

File_closed07

TRUSTED VERIFIED SELLER
Staff member
Joined
Jun 13, 2020
Messages
7,515
Reaction score
916
Points
212
Awards
2
  • trusted user
  • Rich User
What is Blind SQL Injection:
Some Websites are vulnerable to SQL Injection but the results of injection are not visible to the attacker. In this situation, Blind SQL Injection is used. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.
There are plenty of automated Blind Sql Injection tool available. Here i am introducing one of Tool named as bsqlbf(expanded as Blind Sql Injection Brute Forcer).
This tool is written in Perl and allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections
Supported Database:

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle
The tool supports 8 attack modes(-type switch):-
Type 0: Blind SQL Injection based on true and false conditions returned by back-end server
Type 1: Blind SQL Injection based on true and error(e.g syntax error) returned by back-end server.
Type 2: Blind SQL Injection in “order by” and “group by”.
Type 3: extracting data with SYS privileges (ORACLE dbms_export_extension exploit)
Type 4: is O.S code execution (ORACLE dbms_export_extension exploit)
Type 5: is reading files (ORACLE dbms_export_extension exploit, based on java)
Type 6: is O.S code execution DBMS_REPCAT_RPC.VALIDATE_REMOTE_RC exploit
Type 7: is O.S code execution SYS.KUPP$PROC.CREATE_MASTER_PROCESS(), DBA Privs




-cmd=revshell Type 7 supports meterpreter payload execution, run generator.exe first
Type 8: is O.S code execution DBMS_JAVA_TEST.FUNCALL, with JAVA IO Permissions



-cmd=revshell Type 8 supports meterpreter payload execution, run generator.exe first
For Type 4(O.S code execution) the following methods are supported:
-stype: How you want to execute command:
SType 0 (default) is based on java..will NOT work against XE.
SType 1 is against oracle 9 with plsql_native_make_utility.
SType 2 is against oracle 10 with dbms_scheduler.
 
Ad End 1 February 2024
Top