
[ISR] :: Infobyte Security Research :: release (ISR-sqlget.pl) v1.0.0

To: <pen-test@securityfocus.com>
Subject: [ISR] :: Infobyte Security Research :: release (ISR-sqlget.pl) v1.0.0
From: "Francisco Amato" <famato@infobyte.com.ar>
Date: Tue, 26 Jun 2007 01:43:42 -0300
-- ISR - Infobyte Security Research
-- | ISR-sqlget v1.0.0 | www.infobyte.com.ar |


..:: DESCRIPTION

ISR-sqlget: It's a blind SQL injection tool developed in Perl.
It lets you get database schemas and table rows.
Using a single GET/POST you can quietly access the database structure,
and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

    - IBM DB2
    - Microsoft SQL Server
    - Oracle
    - Postgres
    - MySQL
    - IBM Informix
    - Sybase
    - Hsqldb (www.hsqldb.org)
    - Mimer (www.mimer.com)
    - Pervasive (www.pervasive.com)
    - Virtuoso (virtuoso.openlinksw.com)
    - SQLite
    - Interbase/Yaffil/Firebird (Borland)
    - H2 (http://www.h2database.com)
    - Mckoi (http://mckoi.com/database/)
    - Ingres (http://www.ingres.com)
    - MonetDB (http://www.monetdb.nl)
    - MaxDB (www.mysql.com/products/maxdb/)
    - ThinkSQL (http://www.thinksql.co.uk/)
    - SQLBase (http://www.unify.com)

Evasion features:

    - Full-width/Half-width Unicode encoding
    - Apache non standard CR bypass
    - mod_security bypass
    - Random uppercase request transform
    - PHP Magicquotes: encode every string using db CHR function or similar.
    - Convert requests to hexadecimal values
    - Avoid non-space replacing for /**/ or (\t) tab
    - Avoid non || or + concatenation using db concat function or similar.
    - Random user-agent
    - Random proxy-server
    - Random delay request

Common features:

    - Database schemata download blacklist
    - Cookie array support
    - SSL support
    - Proxy server support
    - Database information dumped in csv format


Reporting:

    - Database structure graphing to create impact executive reports
    (requires the Graphviz library, http://www.graphviz.org/)

..:: DEMO

    -  Demo features (bypassing IBM ISS Proventia IPS)
    http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html

..:: AUTHOR

Francisco Amato - famato+at+infobyte+dot+com+dot+ar

..:: DOWNLOAD

http://www.infobyte.com.ar/development.html
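
A defender's view of several evasion features listed above (full-width Unicode encoding, ``/**/`` or tab in place of spaces, random uppercase, CHR-built strings, hexadecimal values), as an added example that is not part of the original post or of ISR-sqlget: canonicalize each parameter value before matching signatures. The signature set, function names and sample values are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical, deliberately small signature set (assumption, not a real rule set).
SIGNATURES = {
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "chr-built-string": re.compile(r"\b(chr|char)\s*\(\s*\d+\s*\)"),
    "long-hex-literal": re.compile(r"\b0x[0-9a-f]{8,}\b"),
}
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def normalize(value: str) -> str:
    """Canonicalize one raw query-string value before signature matching."""
    value = value.replace("+", " ")
    for _ in range(3):  # bounded loop undoes double percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # NFKC folds full-width ASCII variants (U+FF01..U+FF5E) back to ASCII.
    value = unicodedata.normalize("NFKC", value)
    # /**/ used in place of a space becomes a real space.
    value = SQL_COMMENT.sub(" ", value)
    # Tabs, CR, LF and runs of spaces collapse to one space.
    value = re.sub(r"\s+", " ", value)
    # Case folding cancels random-uppercase transforms.
    return value.casefold().strip()


def inspect(value: str) -> list[str]:
    """Return the names of the signatures that match the normalized value."""
    norm = normalize(value)
    return [name for name, sig in SIGNATURES.items() if sig.search(norm)]


# Constructed sample parameter values, not captured traffic.
SAMPLES = [
    "1%20uNiOn/**/SeLeCt%09name",
    "1 ＵＮＩＯＮ／＊＊／ＳＥＬＥＣＴ 1",
    "x%2520ChR(97)",
    "Student Union selection committee",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {normalize(sample)!r} {inspect(sample)}")
```

The order matters: Unicode folding has to run before comment stripping, otherwise a full-width ``／＊＊／`` is never recognized as a comment.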


