[ISR] :: Infobyte Security Research :: release (ISR-sqlget.pl) v1.0.0



-- ISR - Infobyte Security Research
-- | ISR-sqlget v1.0.0 | www.infobyte.com.ar |


..:: DESCRIPTION

ISR-sqlget is a blind SQL injection tool developed in Perl.
It lets you retrieve database schemas and table rows.
With a single GET/POST you can quietly access the database structure,
and with a single GET/POST you can dump every table row to a CSV-like file.

Databases supported:

- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- MySQL
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2 (http://www.h2database.com)
- Mckoi (http://mckoi.com/database/)
- Ingres (http://www.ingres.com)
- MonetDB (http://www.monetdb.nl)
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL (http://www.thinksql.co.uk/)
- SQLBase (http://www.unify.com)

Evasion features:

- Full-width/Half-width Unicode encoding
- Apache non-standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP magic quotes: encodes every string using the database CHR function or similar
- Convert requests to hexadecimal values
- Avoids spaces by replacing them with /**/ or a tab (\t)
- Avoids || or + concatenation by using the database concat function or similar
- Random user-agent
- Random proxy-server
- Random delay request
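
For defenders, the request-encoding items in this list (full-width Unicode, random case, /**/ or tab in place of spaces, CHR-encoded strings) only defeat signatures that match the raw request, so detection should canonicalize first. The sketch below is an added example, not part of ISR-sqlget or Infobyte's code; the function names, signature names and sample requests are assumptions constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

# Signatures are matched only against the canonical form (names are hypothetical).
SIGNATURES = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "chr_encoding": re.compile(r"\bcha?r\s*\(\s*\d+\s*\)"),
}

def canonicalize(raw):
    """Reduce a query string or POST body to one canonical form."""
    s = raw
    for _ in range(3):                          # bounded loop handles double URL-encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = unicodedata.normalize("NFKC", s)        # full-width/half-width forms -> ASCII
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # inline comments used as separators
    s = re.sub(r"\s+", " ", s)                  # tab, CR and other whitespace -> one space
    return s.lower()                            # undo random-case transforms

def matches(raw):
    """Return the names of the signatures that fire on the canonical request."""
    canon = canonicalize(raw)
    return [name for name, sig in SIGNATURES.items() if sig.search(canon)]

# Constructed sample parameters (not captured traffic).
SAMPLES = [
    "id=1/**/UnIoN/**/SeLeCt/**/1",                                   # comments + random case
    "id=1+\uff35\uff2e\uff29\uff2f\uff2e+\uff33\uff25\uff2c\uff25\uff23\uff34+1",  # full-width letters
    "id=1%2509union%2509select%25091",                                # double-encoded tab
    "n=cHr(97)%7C%7CChR(100)",                                        # CHR-encoded string
    "q=student+union+elections",                                      # benign search term
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(matches(sample), "<-", canonicalize(sample))
```

The random user-agent, proxy and delay items are not visible in a single request; those call for correlation across requests and sources rather than normalization.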

Common features:

- Database schema download blacklist
- Cookie array support
- SSL support
- Proxy server support
- Database information dumped in CSV format


Reporting:

- Database structure graphing to create high-impact executive reports
  (requires the Graphviz library, http://www.graphviz.org/)

..:: DEMO

- Demo features (bypassing IBM ISS Proventia IPS)
http://www.infobyte.com.ar/demo/ISR_sqlget_ISS_proventia_bypass.html

..:: AUTHOR

Francisco Amato - famato+at+infobyte+dot+com+dot+ar

..:: DOWNLOAD

http://www.infobyte.com.ar/development.html


