sqlsus is an open source MySQL injection and takeover tool, written in perl.
Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…
Whenever relevant, sqlsus will mimic a MySQL console output.
sqlsus focuses on speed and efficiency, optimising the available injection space, making the best use (I can think of) of MySQL functions.
It uses stacked subqueries and an powerful blind injection algorithm to maximise the data gathered per web server hit.
Using multithreading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.
If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server.
It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https..
- Both quoted and numeric injections are supported.
- Databases names, tables names, columns names, count(*) per table, privileges… On MySQL > 5, the database structure can be grabbed in one command from within sqlsus.
- Discovery of the exact injection space, going through all possible restrictions (web server, suhosin patch…), to inject as much as possible at once.
- All quoted texts can be translated as their hex equivalent to bypass any quotes filtering (eg: magic_quotes_gpc) (eg : “sqlsus” will become 0x73716c737573).
Sqlsus also supports these types of injection :
- inband (UNION w/ stacked subqueries) : the result of the request will be in the HTML returned by the web server
- blind (boolean-based or time-based) : when you can’t see the result of the request directly
- Support for GET and POST parameters injection vectors.
- Support for HTTP proxy and HTTP simple authentication.
- Support for HTTPS.
- Support for socks proxy.
- Support for cookies.
- Support for binary data retrieving.
Full SQLite backend, storing queries / results as they come, databases structure, key variables. This allows you to recall a command and its cached answer, even in a later re-use of the session.
Possibility to clone a database / table / column, into a local SQLite database, and continue over different sessions.
If you can’t access the information_schema database, or if it doesn’t exist, sqlsus will help you bruteforce the names of the tables and columns.
Possibility to change the current database and still use all the commands transparently.
Auto-detection of the length restriction in place, be it the web server or the layer above (eg: suhosin).
Download SQLSUS from SourceForge