sqlsus is an open source MySQL injection and takeover tool, written in perl. Via a command line interface, you can retrieve the database(s) structure, inject your own sql queries , download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database, and much more.Whenever relevant, sqlsus will mimic a MySQL console output.
- Added time-based blind injection support (added option “blind_sleep”, and renamed “string_to_match” to “blind_string”).
- It is now possible to force sqlsus to exit when it’s hanging (i.e.: retrieving data), by hitting Ctrl-C more than twice.
- Rewrite of “autoconf max_sendable”, so that sqlsus will properly detect which length restriction applies. (removed option “max_sendable”, added options “max_url_length” and “max_inj_length”)
- Uploading a file now sends it into chunks under the length restriction.
- sqlsus now saves variables after each command, so that forcing it to quit (or killing it) will not discard the changes that were made.
- Added a progress bar to inband mode, sqlsus now determines the number of rows to be returned prior to fetching them.
- get db (tables/columns) in inband mode now uses multithreading (like everything else).
- clone now uses count(*) if available (set by “get count” / “get db”), instead of using fetch-ahead.
- sqlsus now prints what configuration options are overridden (when a saved value differs from the configuration file).
You can download sqlsus 0.7.1 here:
sqlsus-0.7.1.tgz
No comments:
Post a Comment