Pages: 44 (10834 words) Published: May 23, 2012
Tutorial of SQL Power Injector 1.1

Copyright © 2006 Francois Larouche

Please follow the main schema first and, if you need more details, go to the corresponding numbered step detailed below. Moreover, in two circumstances (8 and 20) you will get drill-down schemas. There you can look at the sub-schema for more details and, as with the main schema, go to the corresponding numbered step for more details.

1. DO YOU WANT TO LOAD A SESSION?
We start the tutorial with this question since you might have already initiated a session before and just want to reuse it. If that is the case, your answer is YES – GO TO STEP 9. If you have never saved any session, your answer is NO – GO TO STEP 2. If you do not want to load any session or wish to start from scratch, your answer is also NO – GO TO STEP 2.

HINT 1
Saving a session can be a real time saver when you want to get back to your tests exactly where you were when you stopped, or when you just want to save the session with different values.

HINT 2
Once the session is saved, it is possible to modify it directly in the XML file. There you can change some values, remove some of them, update a JSESSIONID or even add a new form! Keep in mind that this file could be more useful than just a session repository.

HINT 3
If you are testing a Java web site that keeps its context with a session id, it is possible to update the cookie directly in the XML file. What you need to do is modify the value of SubmitUri in the HtmlForm tag with the current session id. To do so, add a semicolon (;) with the Java session id at the web page name, right before the query string values.
Ex: MyPage.jsp;JSESSIONID=D23TfhU3fdf7884HDSA45hfdGs?Param1=test&Param2=1
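The edit described in Hint 3, scripted as an added example that is not part of the original tutorial or of SQL Power Injector. It assumes SubmitUri is an attribute of each HtmlForm element; the Session root element, the host test.example and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches an existing ";JSESSIONID=..." path parameter (case-insensitive).
_SID = re.compile(r";jsessionid=[^;?#]*", re.IGNORECASE)

def with_session_id(uri, session_id):
    """Return uri with ;JSESSIONID=<id> between the page name and the query string."""
    # Conservative character check so the id cannot alter the URI structure.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", session_id):
        raise ValueError("unexpected characters in session id")
    # Split off the fragment first, then the query string.
    base, frag_sep, frag = uri.partition("#")
    path, q_sep, query = base.partition("?")
    path = _SID.sub("", path)  # drop a stale id if one is present
    return f"{path};JSESSIONID={session_id}{q_sep}{query}{frag_sep}{frag}"

def update_session_xml(xml_text, session_id):
    """Rewrite SubmitUri on every HtmlForm element; returns (new_xml, count)."""
    root = ET.fromstring(xml_text)
    count = 0
    for form in root.iter("HtmlForm"):
        uri = form.get("SubmitUri")  # assumption: SubmitUri is an attribute
        if uri is not None:
            form.set("SubmitUri", with_session_id(uri, session_id))
            count += 1
    return ET.tostring(root, encoding="unicode"), count

# Constructed sample; the layout of a real saved session file may differ.
SAMPLE = """<Session>
  <HtmlForm SubmitUri="http://test.example/MyPage.jsp;JSESSIONID=OLD123?Param1=test&amp;Param2=1" />
  <HtmlForm SubmitUri="http://test.example/Other.jsp" />
</Session>"""

if __name__ == "__main__":
    new_xml, n = update_session_xml(SAMPLE, "D23TfhU3fdf7884HDSA45hfdGs")
    print(n, "form(s) updated")
    print(new_xml)
```
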

NOTE
Remember that even if your session was working at the time you were using it, it might no longer work the next time you load it. Two reasons are possible:
1. The cookie is no longer valid. Either re-inject it (see Step 6 for more details) or, if it’s a Java web site, open the XML file and modify it according to Hint 3.
2. The web site has changed and some or all values are no longer working. Just try to reload the page with the Load button to see what’s happening.

Of course, in order to be able to load a session you need to save it first. To do so, you first need to successfully load a page; from that point you can save it. It does not matter whether or not you have tested the web site for SQL injection yet: as long as you have loaded it, you can save it. You will find the save session option under the File menu:

From there you just need to save it like any normal file you would save under Windows.

• IF YOUR ANSWER IS NO GO TO STEP 2
• IF YOUR ANSWER IS YES GO TO STEP 9

2. TYPE URL IN THE URL PARAMETER TEXTBOX
• Get the URL where you want to see if there are SQL injections, or where you already know there are.
• Copy and paste it into that textbox.

NOTE 1
If http:// or https:// is missing, the application will raise an error. I realized that it’s much clearer that way and that the user should have control over which prefix to use. Please note that SSL is now supported.

NOTE 2
It might happen that you already know there are SQL injections in a web site because you’ve got a positive answer from an automated tool such as Paros. I think it could be a good technique to use an automated tool to do the rough work of analyzing every page and then come back to exploit it with SQL Power Injector, unless of course you don’t want to leave the many traces that those kinds of applications leave.

GO TO STEP 3

3. I WANT TO TEST OR USE POST...