April news


ron...@ymail.com

Apr 13, 2013, 3:42:49 PM
to jsql-in...@googlegroups.com

I'm currently working on jSQL version 0.4th.

It should include a simpler management list for tabs like File and Webshell. It's a plain basic list, containing items that the user can cut, copy, paste and delete. Dragging and dropping list items is possible, and you can also drop text from outside the list and even from outside the application window. The user can also drop a file from his hard drive to populate the list with his own paths, and export it to a file. Because SIMPLE=GOOD.

A new tab should allow admin page testing. It makes a fast header call to selected pages in concurrent threads, and renders the pages found in new tabs (if HTTP response = 200 OK). I am testing different libraries to clean HTML source code in order to remove web components like input text and buttons, and also to make life easier for the Java component that renders web pages, because unsanitized HTML is rendered as crap (e.g. the Google homepage is really a mess without sanitization). The jsoup library seems OK for that purpose.

I have tested file upload successfully; both plain text and binary file upload work. But for now I haven't figured out how to place components in the 'Upload' tab and which upload method to use. First, I could upload with pure SQL injection: translate the file to hexadecimal (size multiplied by 2) and make one big request to the server, but GET does not support very long data. So in order to use POST, which on the contrary allows very big data, I should create a temporary file containing a complete MySQL connection: provide the MySQL user name and password, and select $_POST into dumpfile [filepath]. I could retrieve the connection information from the database or a source page (e.g. read the file simulate_get.php via the File tab and extract the user's information), but it does not appear simple enough. Then I could use a temporary 'file upload' page in order to send the file as webmasters used to do manually, but it appears to me as one dirty job. The third one I have not tested: create a temporary table on the server, use the GET method to add small hexadecimal chunks to that table, and finally 'select into dumpfile' the data from that table to a file. It's tricky but maybe it's the best one. Actually I can't make my choice between the three.

I added a Help/About dialog window to the previous version, and I gladly note that some stars and recommendations appear sometimes on the project page. Also I see blog posts, forums, tweets, and even videos talking about jSQL, and I find that really supportive.

Can I create an executable for jSQL in order to avoid the installation of Java? The problem is you need Java to run the application. Even if I embed jSQL in a Windows native EXE with tools like launch4j, the user needs a JVM next to jSQL in order to run it, which would make a *ouch* 50 MB jSQL (it might be possible if you build a zip archive containing the jSQL .jar and a JRE directory, but I prefer not to get into that). Also the current cross-platform jSQL would end up as a Windows-only executable, and that's a bigger problem to me. A non-Java executable means no Java at all; basically it means recreating the tool in another language. In the beginning I thought about creating the tool in another one, but Java's advantages override other languages' drawbacks (Java: easy coding + cross-platform + GUI + no compilation vs. other languages: platform dependent, needs compilation by the developer or worse, by the user).

I would someday display a hash on the project page for those who want to check non-repudiation.

Next tests:
+ upload netcat server, display a telnet/netcat client tab (pb: open port, really necessary or POC?)
+ VNC/RDP? (pb: open port, windowless server, really necessary or POC?)
+ file and directory explorer
+ distant table writing
+ right elevation
+ manual injection for advanced users
+ speed increase (non encoding pass): 50% faster
+ controlling all running tasks in a tab
# speed test comparison with other injection tools
# automatic code testing (JUnit)
# wiki pages