jSQL Injection project has https://github.com/ron190/jsql-injection'>moved, jSQL alpha v0.6 is now available on https://github.com/ron190/jsql-injection/releases'>Github.

Description

jSQL Injection is a lightweight application used to find database information from a distant server.
jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

alpha-v0.6 Speed x 2 (no more hex encoding), 10 db vendors supported: MySQL Oracle MSSQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb Sybase. JUnit tests, log4j, i18n integration and more.

Coming... JUnit tests with Hibernate, Github issues with OAuth, i18n arabic russian chinese integration, database vendors: SQLite Access MSDE MariaDB Derby 4D Cassandra Teradata CUBRID HSQLDB.

Screenshots

https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-database.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-database-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-admin.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-admin-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-file.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-file-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-webshell.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-webshell-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-sqlshell.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-sqlshell-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-upload.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-upload-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-bruteforce.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-bruteforce-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-coder.png'>https://sites.google.com/site/jsqlinjection/home/images/201309272136-screenshot-coder-mini.png' />

https://sites.google.com/site/jsqlinjection/home/images/kali_favicon.png' /> jSQL is part of http://www.kali.org/'>Kali Linux, the official penetration distribution. jSQL is also included in http://www.parrotsec.org/tools/tools-web/'>Parrot Security OS, http://tools.pentestbox.com/'>PentestBox, http://www.blackhat-sec.com/'>Black Hat Sec, https://archassault.org/'>ArchAssault Project, http://www.blackarch.org/'>BlackArch Linux and http://cyborg.ztrela.com/'>Cyborg Hawk Linux.

jSQL Injection change log

v0.5 SQL shell, Uploader.
v0.4 Admin page search, Brute force (md5 mysql...), Decoder (decode encode base64 hex md5...).
v0.3 Distant file reader, Webshell drop, Terminal for webshell commands, Configuration backup, Update checker.
v0.2 Time based algorithm, Multi-thread control (start pause resume stop), Shows URL calls.
v0.1 -
v0.0 Methods GET / POST / header / cookie, Algorithms Normal / Error / Blind, Automatic best algorithm selection, Progression bars, Simple evasion, Proxy setting, Supports MySQL.

+--------------+
| Contributors |
+--------------+
There is a lot of work to do if you want to contribute.
Examples of features to include in next releases:

1. Add support for another database provider like Oracle and SQL Server,
   
2. Support command line execution and batch processing,
   
3. Internationalization i18n in Arabic, Hindi, Chinese, Russian, French, German and Japanese,
   
4. Find vulnerable targets from dork list,
   
5. Create JUnit testing to avoid regressions,
   
6. Improve code design and pattern,
   
7. Enhance injection functionalities like evasion and speed,
   
8. Write documentation: wiki, tutorial, video.

Other upcoming tasks:
+ Upload via temporary table and 'into dumpfile' [inj]
+ Netcat connection (upload server) [dev]
+ Manual injection for advanced users [inj]
+ Controlling all running tasks in same panel [gui]
# Shrink / optimize runnable jar with http://proguard.sourceforge.net'>ProGuard [dev]
# Inlude Strategy Pattern: GET / POST / header / cookie [design]
# Inlude Command Pattern: expand terminal functionalities [design]
# Increase speed (non encoding pass): 50% faster [inj]
# Unit testing with http://junit.org'>JUnit: GET / POST / header / cookie, Normal / Error / Blind / Time [dev]
# Provide Continuous Integration with http://hudson-ci.org'>Hudson / http://jenkins-ci.org'>Jenkins [dev]
# Code Quality improvement with http://www.sonarqube.org/'>SonarQube / http://checkstyle.sourceforge.net/'>Checkstyle passes [dev]
# Compare functionalities with other tools [dev]

Installation

Apart from installing Java, there is no installation. Download the .jar file and voilà.
So, install http://java.com'>java then download http://code.google.com/p/jsql-injection/downloads/list'>the latest jSQL executable and double click on the .jar file to open the main window (or you may type in a terminal: java -jar jsql-injection-v0.5.jar, or right click on file, choose "Open with..." and select "Java(TM) Platform SE binary").

Forum

You can request features and discuss about algorithm, programming and functionality in the https://groups.google.com/forum/?fromgroups#!forum/jsql-injection'>forum.

Injection and local test

Running injection requires the URL of a local or distant server, and the name of parameter to inject.
For a local test, you can save the following PHP code into file 'simulate_get.php' and move it to the root folder of your web server (e.g /www), then use http://127.0.0.1/simulate_get.php?lib= in jSQL, and finally click Connect to read the local database:

<?php


    mysql_connect("localhost", "root", "");


    mysql_select_db("mysql");





    $result = mysql_query("SELECT * FROM user where user = " . $_GET['lib']) # time based


        or die( mysql_error() ); # error based





    if( mysql_num_rows($result) !== 0 ) echo " something "; # blind





    while( $row = mysql_fetch_array($result, MYSQL_NUM) )


        echo join(',',$row); # normal


?>

Programming

Source code can be read and downloaded from the Google Git http://code.google.com/p/jsql-injection/source/browse/src/com/jsql/#jsql%2Fmvc%2Fmodel'>repository.
Tools used during development are w7 jre7 eclipse egit easyphp notepad++ virtualbox googlecode github.

Screenshot: jSQL on Linux, Mac OS X and Solaris

https://sites.google.com/site/jsqlinjection/home/images/201303101445-screenshot-linux.png'>https://sites.google.com/site/jsqlinjection/home/images/201303101445-screenshot-linux-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201303101445-screenshot-mac-os-x.png'>https://sites.google.com/site/jsqlinjection/home/images/201303101445-screenshot-mac-os-x-mini.png' /> https://sites.google.com/site/jsqlinjection/home/images/201303240622-screenshot-solaris.png'>https://sites.google.com/site/jsqlinjection/home/images/201303240622-screenshot-solaris-mini.png' />