General

Both quoted and numeric injections are supported.

All quoted texts can be translated as their hex equivalent to bypass any quotes filtering (eg: magic_quotes_gpc) (eg : "sqlsus" will become 0x73716c737573)

sqlsus also supports these 2 scenarios of injection :

• inband : the result of the request will be in the HTML returned by the web server
• blind : when you can't see the result of the request directly

Support for GET and POST parameters injection vectors.

Support for HTTP proxy and HTTP simple authentication.

Support for HTTPS.

Support for cookies.

Full SQLite backend, storing queries / results as they come, databases structure, key variables. This allows you to recall a command and its cached answer, even in a later re-use of the session.

Possibility to clone a database / table / column, into a local SQLite database, and continue over different sessions.

If you can't access the information_schema database, or if it doesn't exist, sqlsus will help you bruteforce the names of the tables and columns.

Possibility to change the current database and still use all the commands transparently.

Inband

If your query is likely to return more than one row, sqlsus will loop using as many subqueries it can use at a time (per query) without hitting a configurable limit.

Therefore, it can grab dozens, hundreds, thousands of results (depending on the available injection space) in just 1 server hit (yes, one), allowing excessively faster database retrieval in the case of new connection rate restrictions on the remote server.

Databases names, tables names, columns names, count(*) per table, privileges... On MySQL > 5, the database structure can be grabbed in one command from within sqlsus.

Once you have found an inband injection, you need to find the correct number of columns for UNION. sqlsus will do the job for you, identifying the needed number of columns, and which of them are suitable for injection.

To speed things up, multithreading (actually, multi processes) can be used.

Blind

Blind injection is supported, using conditional responses, and multithreading.

The engine has been optimised in speed and server hit :

• keep all the threads busy with micro tasks, whenever it makes sense.
• match each item against a few regular expressions, prior to bruteforcing, to determine the character space to use.

Takeover

If the database user has the FILE privilege, and if you can use quotes in your injection (mandatory for a SELECT INTO OUTFILE), then sqlsus will help you place a php backdoor on the remote system, recursively looking for writable directories.

You can use "download file" from sqlsus shell, to download an arbitrary (world readable) file from the remote server. The file will be stored in the local filesystem, rebuilding the path tree to the file for easier parsing.

sqlsus has the ability to crawl the website at a configurable depth, looking for all the directories it can find, via hypertext links, img links, etc... Then, it tries to upload a tiny php uploader on each candidate directory until it finds one world writable, later used to upload the backdoor itself.

It ships with a PHP backdoor and a controller, to help you execute system commands, PHP commands, and SQL queries as if you were sitting on a normal direct MySQL connection.

License

sqlsus is released under the GPL v2.

Disclaimer

Use it at your own risk.

Just keep in mind that whatever you do with this tool, the author (aka me, not you) won't be held responsible for anything.

Author

Jérémy "sativouf" Ruffet : sativouf <at> gmail -dot- com