Scanning for SQL injection vulns

savage · #1 11th June 2008, 07:15 AM

I'm coding a new CMS for my site. While I am making every effort to make sure any user inputted data is escaped properly, I'd still like to remain paranoid and scan for vulnerabilities.

Anybody know of good software for doing this? What do the skiddies use when they go hunting online for vulnerable sites?

pete_1967 · #2 11th June 2008, 12:24 PM

sqlmap is one that is specifically designed to find them: http://sqlmap.sourceforge.net/

And BackTrack is an excellent distro for white hat cracking: http://www.remote-exploit.org/backtrack.html

savage · #3 11th June 2008, 07:23 PM

Thanks, I'm playing with sqlmap now, it seems to be exactly what I wanted.

I'll take a look at that distro next weekend, it sounds interesting.

techmum · #4 11th June 2008, 11:42 PM

Wow!

and sqlmap looks perfect for a project here as well

thanks for that link

kevross_33 · #5 12th June 2008, 01:01 PM

http://www.securitycompass.com/exploitme.shtml

Get sqlinject me, a firefox plugin from the security compas site, it opens a nice tool and lets you manually test individual or just launch a ton of sql injection attacks agains all forms on a given page.

savage · #6 14th June 2008, 04:34 PM

Thanks, I've been playing with that two, both do the job I need, thanks again.