Date: Mon, 6 Apr 2009 02:10:47 +0200
From: sativouf <sativouf@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [tool] sqlsus 0.3 released !

Hi everyone,

A new version of sqlsus has been released and is available at
http://sqlsus.sf.net/
You will find on the website a description of the features, along with
some documentation and flash demos showing how the tool can be used.

sqlsus is a MySQL injection and takeover tool, written in Perl.
Via a command line interface that mimics a mysql console, you can
retrieve the database structure / contents, inject a SQL query,
download files from the web server, upload and control a backdoor, and
much more...
It is designed to maximize the amount of data gathered per web server
hit, making the best use (I can think of) of MySQL functions to
optimize the available injection space.
sqlsus is focused on PHP/MySQL installations, and integrates some neat
features, some of which are really specific to this DBMS.


What's new
==========

- Full SQLite backend, storing queries / results as they come,
database structure, variables... into a local SQLite database.
- Added "clone" command to clone some columns, a table, or the full
database into a local SQLite database.
- "clone" has a resume ability, allowing it to continue across sessions.
- Rewrite of the blind injection engine (A LOT faster now):
   - keep all the threads busy with micro tasks (huge speed improvement)
   - regular expression matching for each item, prior to bruteforcing
(huge drop in the number of hits required)
   - progress meter
- Added cookie support.
- Possibility to change the current database ("use xxxx"), and still
be able to use all the commands transparently
- Better query shortening, allowing even more data to be fetched per server hit.
- Got rid of IPC::Shareable, using socketpair() instead.
- Use of BINARY for inband injections, to avoid collation issues.
- Inband injection is now only contained in subqueries, to allow more
complex SQL injection scenarios.
...

The full CHANGELOG can be found in the tarball or at
http://sqlsus.sf.net/download.html


Download and enjoy :)


- sativouf
