Tuesday, July 5, 2011

Havij: An Advanced SQL Injection Tool!

We really like this tool. With it, you can almost go back to your “point and shoot” days! Havij is a free tool, programmed in Visual Basic, that will automate SQL injections for you! In fact, just to test it out, we tried this on an installation of DVWA and it got us what we wanted!

Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. All you need to know is a bit of SQL injection and you are done. You just need to click a button and wait until it finds an exploitable SQL query. Not only that, you can also fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system. Of course, most of that is after you have a successful exploit. It also supports a wide array of databases – MsSQL, MySQL, MSAccess and Oracle! You could also choose to evade IDS detection with the tool's simple pre-configured tricks. You can also try to brute force your way to find the admin directory and yes, it does support proxies too!

These are the functions that Havij currently supports:

Supported Databases with injection methods:
a. MsSQL 2000/2005 with error
b. MsSQL 2000/2005 no error (union based)
c. MySQL (union based)
d. MySQL Blind
e. MySQL error based
f. Oracle (union based)
g. MsAccess (union based)
Automatic database detection
Automatic type detection (string or integer)
Automatic keyword detection (finding difference between the positive and negative response)
Trying different injection syntaxes
Proxy support
Real time result
Options for replacing space by /**/,+,… against IDS or filters
Avoiding strings (bypass for magic_quotes and similar filters)
Bypassing illegal union
Fully customizable HTTP headers (like referer and user agent)
Load cookie from site for authentication
Guessing tables and columns in mysql<5 (also in blind) and MsAccess
Fast getting tables and columns for mysql
Multi thread Admin page finder
Multi thread Online MD5 cracker
Getting DBMS information
Getting tables, columns and data
Command execution (mssql only)
Reading system files (mysql only)
Insert/update/delete data
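
A defender's view of the space-replacement options in the list above, as an added example that is not part of the original post or of Havij: a Python log check that undoes `/**/`, `+` and URL encoding before matching, so the substitution no longer hides the keywords. The log lines, paths and patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (documentation IPs, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2011:10:00:01 +0000] "GET /item.php?id=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/Jul/2011:10:00:02 +0000] "GET /item.php?id=12/**/UNION/**/SELECT/**/1,2,3 HTTP/1.1" 200 498',
    '203.0.113.9 - - [05/Jul/2011:10:00:03 +0000] "GET /item.php?id=12+and+1=2 HTTP/1.1" 200 120',
    '203.0.113.9 - - [05/Jul/2011:10:00:04 +0000] "GET /item.php?id=12%2F%2A%2A%2Funion%2F%2A%2A%2Fall%2F%2A%2A%2Fselect%2F%2A%2A%2Fnull HTTP/1.1" 200 498',
    '203.0.113.5 - - [05/Jul/2011:10:00:05 +0000] "GET /search.php?q=student+union+events HTTP/1.1" 200 900',
]

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)  # /**/ used in place of a space
# Matched only after normalization, so the separator no longer matters.
SQLI_PATTERNS = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b"),  # union-based extraction
    re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+"),   # true/false response probing
]

def normalize(query):
    """Undo URL encoding and space substitution before pattern matching."""
    text = query
    for _ in range(3):  # bounded loop: handles double URL encoding
        decoded = unquote_plus(text)  # also turns '+' into a space
        if decoded == text:
            break
        text = decoded
    text = INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()

def suspicious_requests(log_lines):
    """Return the log lines whose query string matches after normalization."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = normalize(m.group(1).split("?", 1)[1])
        if any(p.search(query) for p in SQLI_PATTERNS):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("ALERT", hit)
```

Because the tool lets the operator set the user agent and referer, the check keys on the query string rather than on request headers.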

As we said, this tool is written in Visual Basic, so it will run only on Windows. Installation is pretty simple too. We noticed something peculiar about this tool: it installs columns.txt, admins.txt and tables.txt. Call them the databases of Havij. You are free to add your own entries to these files. Just take care where you add them.

Download Havij version 1.10 here
