Thursday, 27 April 2017


Havij SQL Injection tool


Havij, an automatic SQL Injection tool, is distributed by ITSecTeam, an Iranian security company. The name Havij means “carrot”, which is the tool’s icon.
The tool is designed with a user-friendly GUI that makes it easy for an operator to retrieve the desired data. Such ease of use may be the reason behind the transition from attacks deployed by code-writing hackers to those by non-technical users.
Havij was published during 2010, and since its release, several other automatic SQL Injection tools (such as sqlmap) were introduced. However, Havij is still active and commonly used by both penetration testers and low-level hackers.

Havij traffic is easily identified by its user agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij

Check Point’s IPS protection that detects SQL Injection attempts made with this tool, “Havij Automated SQL Injection tool”, has detected attacks against 30% of the monitored customers in Check Point’s Managed Security Service.
Review of the connections’ details indicates that the majority of the detected attacks included the input 999999.9, usually used to scan a website for an injection vulnerability. Most of the queries had the following structure:
SELECT * FROM table_example WHERE ID = 999999.9
Error messages are not hidden. Therefore, if an error is received, the source knows the website is vulnerable to injection attempts.
Another method used by Havij is “attempting” to convert a value that can’t be converted into an integer. For example, the DB name (usually a string):

SELECT * FROM table_example WHERE ID = CONVERT (int, db_name()) and 1=1

The ensuing error message exposes the DB name:

Conversion failed when converting the nvarchar value ‘BadWebsite’ to data type int.

Havij attempts to extract the table and column names in a similar manner.
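
The indicators described above (the user agent ending in "Havij", the 999999.9 probe value and the CONVERT(int, ...) cast) can be checked against web server access logs. This is an added example, not part of the original article or of Check Point's protection; the combined log format, the sample lines and the assumption that the input arrives in the URL query string are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the article: the "Havij" token closing the user agent,
# the 999999.9 probe value, and CONVERT(int, ...) used to force a cast error.
UA_HAVIJ = re.compile(r"\bHavij\s*$", re.IGNORECASE)
PROBE_VALUE = re.compile(r"(?<![\d.])999999\.9(?!\d)")
CONVERT_INT = re.compile(r"\bconvert\s*\(\s*int\s*,", re.IGNORECASE)
# Assumed input: combined log format (host ident user [time] "request" status size "referer" "ua").
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the sorted indicator names matched by one access log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    # Decode twice so a double-encoded payload (%2528 -> %28 -> "(") is still seen.
    query = unquote_plus(unquote_plus(m.group("target").partition("?")[2]))
    checks = (("havij_user_agent", UA_HAVIJ, m.group("ua")),
              ("probe_999999.9", PROBE_VALUE, query),
              ("convert_int_cast", CONVERT_INT, query))
    return sorted(name for name, rx, text in checks if rx.search(text))

def scan(lines):
    """Return (host, status, indicators) for every line with at least one hit."""
    report = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LOG_LINE.match(line)
            report.append((m.group("host"), int(m.group("status")), hits))
    return report

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2017:10:00:01 +0000] "GET /item.php?id=999999.9 HTTP/1.1" 500 312 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"',
    '198.51.100.7 - - [27/Apr/2017:10:00:05 +0000] '
    '"GET /item.php?id=CONVERT%28int%2Cdb_name%28%29%29+and+1%3D1 HTTP/1.1" 500 287 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2017:10:00:09 +0000] "GET /item.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/Apr/2017:10:00:12 +0000] "GET /cart.php?total=1999999.95 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, status, hits in scan(SAMPLE_LOG):
        print(host, status, ",".join(hits))
```

The second sample line shows why the user agent alone is not enough: the header is trivially changed, while the query patterns still match. A 500 status on a flagged request suggests the application is returning the database error the article describes.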
Once Havij is served with a vulnerable website, it enables the attacker to analyze the site and bring back the DB name, tables’ names and the actual data. Once the schema is received, the attacker can choose the specific columns they would like to obtain (see example below).
