BBQSQL, a framework for Blind SQL Injections

Useful for penetration tests


BBQSQL is a blind SQL injection framework written in Python, with also a semi-automatic tool, helpful for create customized SQL injection attacks in penetration testing activities.

Blind SQL injection can be difficult to exploit. When the available automated tools don’t works well, you have to write something custom, and this is time-consuming process: BBQSQL can help you address those issues.

For more information and usage, refer to official documentation on github:

High Level Usage
Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:
– URL
– HTTP Method
– Headers
– Cookies
– Encoding methods
– Redirect behavior
– Files
– HTTP Auth
– Proxies


What is a Blind SQL Injection attack?

https://xkcd.com/327/

From OWASP:

Blind SQL (Structured Query Language) injection is a type of SQL Injection attack that asks the database true or false questions and determines the answer based on the applications response. This attack is often used when the web application is configured to show generic error messages, but has not mitigated the code that is vulnerable to SQL injection.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .


Installation

Simple, with pip:

sudo pip install bbqsql

Alternatively, you can install from source:

git clone https://github.com/Neohapsis/bbqsql.git
cd bbsql
python setup.py install

More information and downloads

https://github.com/Neohapsis/bbqsql/


Comments