Friday, November 5, 2010
SqlInjector v1.0.2 released
BlindSQLInjector is an application that performs completely blind SQL injection. Currently it only supports MS SQL Server. It uses time-based inference to determine true or false conditions to extract data. The key feature is that it uses a binary search mechanism to reduce the character search space, which means it can get each character value within 7 to 8 requests.
This is a fairly major update to SqlInjector (yes, renamed from BlindSqlInjector). The key change is the addition of true/false inference. So if you have SQLi, then it's definitely faster to use true/false inference rather than time. I have also added a video of the new true/false inference in action to the project page.
SqlInjector in action: http://www.woany.co.uk
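
The request arithmetic behind the binary search and the time versus true/false comparison above, as an added example that is not SqlInjector's code: it sends nothing over the network and answers questions from a local in-memory oracle. Reading "7 to 8" as 128 versus 256 candidate character values is an assumption, as are the function names, the sample string and the timings.

```python
def extract_value(oracle, lo, hi):
    """Find the hidden integer in [lo, hi] by asking only 'is it > mid?'.

    Returns (value, questions_asked, yes_answers).
    """
    questions = yes = 0
    while lo < hi:
        mid = (lo + hi) // 2
        questions += 1
        if oracle(mid):      # hidden value is in the upper half
            yes += 1
            lo = mid + 1
        else:                # hidden value is in the lower half (or equals mid)
            hi = mid
    return lo, questions, yes


def recover(secret, hi):
    """Recover a constructed string character by character against a local oracle."""
    out, questions, yes = [], 0, 0
    for ch in secret:
        code = ord(ch)
        value, q, y = extract_value(lambda mid, c=code: c > mid, 0, hi)
        out.append(chr(value))
        questions += q
        yes += y
    return "".join(out), questions, yes


def estimated_seconds(questions, yes, rtt, delay=0.0):
    """Wall-clock estimate: every question costs one round trip; in the
    assumed time-based model each 'yes' additionally costs `delay` seconds."""
    return questions * rtt + yes * delay


if __name__ == "__main__":
    SECRET = "sa_demo"            # constructed sample value
    RTT, DELAY = 0.05, 5.0        # assumed timings, not from the page
    for hi in (127, 255):
        text, q, y = recover(SECRET, hi)
        print(hi + 1, "candidates:", q / len(text), "questions per character")
        print("  true/false:", estimated_seconds(q, y, RTT), "s")
        print("  time-based:", estimated_seconds(q, y, RTT, DELAY), "s")
```

The per-character count is fixed by the size of the candidate range, so the request volume against a single parameter grows linearly with the length of the extracted value, which is the figure to compare against rate limits and per-parameter request baselines.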