Thursday 13 January 2011

Havij: A Advanced SQL Injection Tool

We are really liking this tool. For with this tool, you can almost go back to your “point and shoot” days! Havij is a free tool, programmed in Visual Basic that will automate SQL injections for you! Infact, just to test it out, we tried this on an installation of DVWA and it got us what we wanted!



Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. All you need to know is a bit of SQL injection and you are done. You just need to click a button and wait till it finds a exploitable SQL query. Not only that, you can also fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system. Ofcourse most of that is after you have a successful exploit. Not only that, it supports a wide array of databases – MsSQL, MySQL, MSAccess and Oracle! You could also choose to evade IDS detection by simple pre-configured tricks of this tool. You can also try to brute force your way to find the admin directory and yes it does support proxies too!


These are the current functions that Havij supports as of now:
  • Supported Databases with injection methods:
    a. MsSQL 2000/2005 with error
    b. MsSQL 2000/2005 no error (union based)
    c. MySQL (union based)
    d. MySQL Blind
    e. MySQL error based
    f. Oracle (union based)
    g. MsAccess (union based)
  • Automatic database detection
  • Automatic type detection (string or integer)
  • Automatic keyword detection (finding difference between the positive and negative response)
  • Trying different injection syntaxes
  • Proxy support
  • Real time result
  • Options for replacing space by /**/,+,… against IDS or filters
  • Avoid using strings (magic_quotes similar filters bypass)
  • Bypassing illegal union
  • Full customizable http headers (like referer and user agent)
  • Load cookie from site for authentication
  • Guessing tables and columns in mysql<5 (also in blind) and MsAccess
  • Fast getting tables and columns for mysql
  • Multi thread Admin page finder
  • Multi thread Online MD5 cracker
  • Getting DBMS Informations
  • Getting tables, columns and data
  • Command executation (mssql only)
  • Reading system files (mysql only)
  • Insert/update/delete data


As we have already said previously that this is a tool in Visual Basic, this will run only on Windows. Installation is pretty much simple too. We noticed something peculiar about this tool. It installs – columns.txt, admins.txt and tables.txt. Call them teh databases of Havij. You are free to add your stuff to these files. Just take care where you add those things.


download Havij version 1.10 here.

note:personally my experience with this tool was really good its smoother and faster than reilike sql injector but cant beat manual injections
Posted by at
Labels: , ,

1 comment:

  1. Anonymous15 May 2011 at 05:34

    please explain the steps how to use it

    ReplyDelete

Subscribe to: Post Comments (Atom)