Tuesday, April 6, 2010

SFX-SQLi version

SFX-SQLi (Select For XML SQL injection) is a new SQL injection technique which allows to extract the whole information of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.

This technique is based on the FOR XML clause, which is able to convert the content of a table into a single string, so its contents could be appended to some field injecting a subquery into a vulnerable input of a web applicatio
In addition to a new web application for testing, a new revision of the tool is published with some minor fixes and changes, including new functionality like access to other databases in the same server or support for user defined queries

Download source code and binaries from http://www.kachakil.com

1 comment:

Anonymous said...

hmmm this could be the next big thing in the sqli scene.

btw if dig video tutorials, check out my blog : pinoysecurity.blogspot