Expectations for future version 0.2


ron...@ymail.com

Oct 11, 2012, 2:01:29 PM
to jsql-in...@googlegroups.com
What you should expect in version 0.2 (see the screenshot attached):

- new buttons: start, stop, pause, resume
- timeout of 15 seconds for each request (avoids an unresponsive window)
- stopping a request processes and loads the data it has already found (when possible)
- new tabs: chunk, binary, header
- new method: timebased
- evasion: space to /**/, lower to mixed case (select to sElEcT)
- errorbased multilang message (Duplicate entry '1' for key, Duplicata du champ '1' pour la clef, etc)
- contact information
- smoother graphic design

Note on time/blind: you may encounter character artifacts or failures with those two methods, despite the good results shown by a local test. Time uses a response delay of 5 seconds, and the blind algorithm is tricky to get good results from; however, the Binary tab now shows the progress of these two methods, so you may 'see' when things go bad. You should read the letters SQLi after the first 32 requests, and then the rest of the chunks follow (therefore it begins with 01010011=S, 01010001=Q, 01001100=L, 01101001=i).

I encourage you to give feedback about the tool, advice on design, method and algorithm, or what you expect for further development.
In fact I have no idea if the tool is really used by anyone, I can only read the download count on the website. But what I would really appreciate to know is: is the tool used :)? So feel free to leave a post or a mail.

By the way, the following code in PHP allows you to reproduce injections on your local PC. Simply grab EasyPHP, or any webserver you want, copy and save the code below in a new PHP file, for example simulate_get.php, and change my_own_database, my_own_table, my_own_field to anything already existing in your MySQL server (respectively information_schema, tables, table_name should do it, but best is your own database). Then you should manage to use URL http://127.0.0.1/simulate_get.php?lib= for a local test:

<?php
# Deliberately injectable test page, for local use only.
# Uses the old mysql_* extension (PHP 5.x; removed in PHP 7).
mysql_connect("localhost", "root", "");
mysql_select_db("my_own_database");

$result = mysql_query("SELECT * FROM my_own_table where my_own_field = {$_GET['lib']}") # time based
    or die( mysql_error() ); # error based

if(mysql_num_rows($result)!==0) echo" true "; # blind

while ($row = mysql_fetch_array($result, MYSQL_NUM))
    echo join(',',$row); # normal

Attachment: screenshot.png
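
An added example, not part of the original post and not jSQL's code: a small Python detector for traffic against a page like simulate_get.php. It relies only on signals the post names: the `/**/` and mixed-case evasions, the quoted MySQL error strings, and the 5-second delay. The keyword list, function names and sample records are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Error strings quoted in the post (English and French MySQL locales).
ERROR_MARKERS = ("duplicate entry", "duplicata du champ")
# Keywords chosen for this example; a real rule set would be broader.
SQL_KEYWORDS = re.compile(r"\bunion\s+select\b|\binformation_schema\b")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
DELAY_SECONDS = 5.0  # response delay the post gives for the time-based method


def normalize(value):
    """Undo the two evasions named in the post: /**/ for space, mixed case."""
    text = INLINE_COMMENT.sub(" ", unquote_plus(value))
    return re.sub(r"\s+", " ", text).strip().lower()


def findings(param, body, seconds):
    """Return the reasons one request/response pair looks like injection."""
    hits = []
    if SQL_KEYWORDS.search(normalize(param)):
        hits.append("sql-keywords")
        if not SQL_KEYWORDS.search(unquote_plus(param)):
            hits.append("evasion")  # only matched after normalization
    if any(marker in body.lower() for marker in ERROR_MARKERS):
        hits.append("db-error-leak")
    if seconds >= DELAY_SECONDS:
        hits.append("slow-response")
    return hits


# Constructed samples: (value of ?lib=, response body, response time in s).
SAMPLES = [
    ("1", "3,foo", 0.04),
    ("1%20union%20select%201,2", "1,2", 0.05),
    ("1/**/uNiOn/**/sElEcT/**/1,2", "1,2", 0.05),
    ("1'", "Duplicata du champ '1' pour la clef", 0.03),
    ("1", "", 5.20),
]


def scan(samples=SAMPLES):
    return [findings(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, hits in zip(SAMPLES, scan()):
        print(sample[0], "->", hits or "clean")
```

The "evasion" tag marks requests that a case-sensitive, comment-unaware signature would have missed, which is why normalization has to run before matching.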

ron...@ymail.com

Oct 13, 2012, 2:53:20 PM
to jsql-in...@googlegroups.com
You can download the last version of jSQL Injection at the following page: http://code.google.com/p/jsql-injection/downloads/list

alv....@gmail.com

Oct 15, 2012, 7:02:35 PM
to jsql-in...@googlegroups.com
Good job, the update is pretty fast and nice GUI.

I think there is a bug: it never completes the download. I figure it is from the email side; it always stops at W instead of Z because it downloads alphabetically, and a double table appears.

Try to increase threads or a user-selected threading option.

You have done a good job.

Ron Ron

Oct 16, 2012, 9:47:25 AM
to jsql-in...@googlegroups.com
Thank you for your message,
Could you be more precise about the bug you encountered? Are you testing jSQL Injection locally?
You are mentioning 'email side', 'W' and 'Z', but I don't know where you see those values: in your database? In the tool tabs?
Could you provide screenshots, google dorks, or any other information that explains the problem you are facing?

From: "alv....@gmail.com" <alv....@gmail.com>
To: jsql-in...@googlegroups.com
Sent: Tuesday, October 16, 2012 1:02 AM
Subject: Re: Expectations for future version 0.2
--
You received this message because you are subscribed to the Google Groups "jsql-injection" group.
To post to this group, send email to jsql-in...@googlegroups.com.
To unsubscribe from this group, send email to jsql-injection+unsub...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/jsql-injection/-/5CQxLkT0N-kJ.
For more options, visit https://groups.google.com/groups/opt_out.




alv....@gmail.com

Nov 16, 2012, 2:48:34 AM
to jsql-in...@googlegroups.com, Ron Ron
I have figured it out; it is all running fine. The problem was from one particular domain I was testing.

Add-on suggestions:

1) Ability to bypass firewall for pen testing
2) Provide provision for admin page finder for pen testing
3) Multi-thread with error-based injection
4) Save option

Good luck

jay...@gmail.com

Nov 18, 2012, 12:58:57 PM
to jsql-in...@googlegroups.com

Hey bro, can you post a video tutorial on this software, because most sites I tried give me a timeout?

Thanks

jeffrey...@gmail.com

Jan 30, 2013, 7:11:01 AM
to jsql-in...@googlegroups.com, Ron Ron, alv....@gmail.com

I really want to know how to use this file and what it is used for... and how to get a working proxy server for it... Thanks guys

ron...@ymail.com

Jan 31, 2013, 5:38:02 AM
to jsql-in...@googlegroups.com, Ron Ron, alv....@gmail.com, jeffrey...@gmail.com
First you install Java, then download jsql-injection-v0.2.jar from the jSQL download list, double-click on the file jsql-injection-v0.2.jar and the graphical interface opens. Next you should search the web for more information on the purpose of SQL injection (retrieve information from a distant server); there are many resources, forums and professional security sites on the subject.
For proxy, see other related posts here in this group, or you can find web tutorials on how you can use a proxy.

Alvin John

Dec 12, 2013, 5:41:49 AM
to jsql-in...@googlegroups.com, ron190jSQL .
Hi

Your jSQL is now becoming popular day by day. I am suggesting you add this feature in your next release, which I am sure you are working on this holiday.

Please consider adding WEB SPIDERING / SCANNING SITE FOR SQL INJECTION AND FILE INCLUSION

and also custom adding of payloads by the user.

Thank you Ron for your time
