Re: Open Source SQL Inject, XSS, Remote File Include Testing
- From: Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx>
- Date: Thu, 24 May 2007 12:06:02 +0200 (ora solare Europa occidentale)
Hey again pen-testers,
On Mon, 21 May 2007, Marco Ivaldi wrote:
> You shouldn't expect anything too fancy (it's still v0.1 after all;), but it does its job:
I managed to work a bit more on my multi-purpose MSSQL injection script, and now (at version 0.9;) it can be considered a fairly powerful and usable attack tool. You can download it from:
http://www.0xdeadbeef.info/code/mssql-hax0r
Three modes of operation are available:
1) Information Gathering (-m info).
Dump basic information about the MSSQL database (@@version, db_name(),
user_name(), system_user, etc.), database names, tables/views/stored
procedures, columns, data types, keys, and users.
2) Record Dump (-m dump).
Dump N records from the specified columns/table|db..table.
3) Brute Force (-m brute).
Perform a brute force attack against the specified user(s), either
using a password wordlist or testing weak passwords such as the empty
one or password=username.
Cheers,
--
Marco Ivaldi, OPST
Chief Security Officer Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/