Dissecting the SQL Injection Tools Used By Hackers


Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.  Out of a crowd of around 60 people, only two people were familiar with it.  Though not a scientific, statistically valid survey, the result is spooky.  It’s kind of like going to fight in the mountains of Afghanistan and not knowing what an AK-47 is.

Today’s entry is designed to ensure you know what hackers are throwing at you when they use SQL injection to steal data.  If you’ve wondered why, as the most recent Verizon report shows, the main attack vector is web applications, knowing the SQL injection tools hackers deploy to take data is vital.  Here’s what every security professional should know.

  • Vulnerability scanners:  Vulnerability scanners find an initial SQL injection vulnerability.  However, these tools stop short of actually exploiting the vulnerability.  In other words, they highlight a potential vulnerability but don’t actually extract the data.  From a hacker’s perspective, they provide a list of likely targets. In this group we can find all kinds of vulnerability scanners which include:
    • Acunetix
    • W3af
    • Netsparker
    • Webinspect
    • Appscan
    • Whitehat
    • And the list goes on.
  • SQL injection dumping tools:  Given a potential SQL injection vulnerability, these tools expand the small hole into a major breach and leak all database content. This market is ruled by two main packages: Havij and SQLmap.

For more, here’s a YouTube movie showing both tools:  http://www.youtube.com/watch?v=GOvRAJBbRnk.

Here’s how Havij and SQLmap currently stack up:

  • Code:  Havij is commercial/proprietary; SQLmap is open source.
  • OS support:  Havij runs on Windows; SQLmap runs on every OS running Python.
  • Form:  Havij ships as an installer; SQLmap ships as Python code.
  • UI:  Havij is graphical (GUI); SQLmap is command line.
  • Supported DBs:  Havij supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access and Sybase; SQLmap supports MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB.
  • Last updated:  Havij 22.6.11; SQLmap 29.3.12.
  • Password cracking:  Supported by both.
  • Customizable DB dump:  Supported by both.
  • Execute arbitrary DB commands:  Supported by both.
  • Auxiliary functionality (password cracking, shell upload, remote control etc.):  Supported by both.

Some other considerations:

  • Usability:  Havij and SQLmap share most SQLi features, but Havij seems more accessible to new users: it is a point-and-click Windows GUI application with an installer, a major advantage for the inexperienced user. More advanced users may find SQLmap more powerful, and since it is an open source project it can be more easily extended and modified.
  • Speed:  Some hackers report that SQLmap dumps DBs more slowly than Havij; this may be because Havij is compiled while SQLmap is interpreted (it is written in Python).  On hacker forums, some voice their complaints openly:

[Screenshot: a hacker-forum post complaining about SQLmap’s dumping speed]

But the debate rages on:

[Screenshots: forum replies debating the relative speed of Havij and SQLmap]

What do hackers actually use?  Using our “weather balloon” in cyberspace that tracks automated hacking, we find that Havij is much more common in our data.  Looking at attack data from the past six months, in every month apart from January we’ve seen at least twice as many Havij attacks as SQLmap attacks.

[Figure: monthly counts of Havij and SQLmap attacks over the past six months]

Another interesting difference between the two is that Havij seems to be more widely distributed: during the last half year, we saw 178 different Havij attackers from 48 countries.

In contrast, during the same period we’ve only seen 16 IPs that used SQLmap, from only 9 different countries.  Accordingly, the average attacks-per-attacker ratio is around 90 for Havij and much higher, around 400, for SQLmap.  These are the top ten source countries for each tool:

Havij                 IPs     SQLmap                IPs
USA                   37      Canada                3
Indonesia             12      Netherlands           3
Morocco               10      USA                   3
Germany               7       Bulgaria              2
Egypt                 7       Philippines           1
United Kingdom        7       Germany               1
Russian Federation    6       Israel                1
Vietnam               6       Russian Federation    1
Brazil                5       Argentina             1
Pakistan              5

Apart from being more diverse, the Havij list clearly contains more attackers from developing countries than the SQLmap list.  Why?  Havij is friendlier to inexperienced users, while SQLmap is for pros.  This might explain Havij’s broader use world-wide.
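The per-tool numbers above (attack count, distinct attacker IPs and the attacks-per-attacker ratio) can be reproduced on your own web server logs. The script below is an added example, not code from the post or from either tool’s project: it parses combined-format access log lines, attributes each request to Havij or SQLmap by the name the tool places in its default User-Agent header (an assumption about default behaviour; an operator can change the header, so a match is a strong indicator rather than proof), and computes the same three metrics per tool. The log lines, IP addresses (documentation ranges) and User-Agent strings are constructed for the example.

```python
"""Classify web-server access-log lines by SQL injection tool and compute the
per-tool metrics used in the post: attack count, distinct attacker IPs and the
attacks-per-attacker ratio.  Tool attribution relies on the tool name that
Havij and SQLmap put in their default User-Agent header (an assumption about
default behaviour; the header is operator-controlled, so treat a hit as a
strong indicator, not proof)."""
import re
from collections import defaultdict

# Combined log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings the two tools place in their default User-Agent (assumed defaults).
TOOL_SIGNATURES = {
    "Havij": re.compile(r"havij", re.IGNORECASE),
    "SQLmap": re.compile(r"sqlmap", re.IGNORECASE),
}


def identify_tool(user_agent):
    """Return the tool whose signature appears in the User-Agent, else None."""
    for tool, pattern in TOOL_SIGNATURES.items():
        if pattern.search(user_agent):
            return tool
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tool_metrics(lines):
    """Per tool: number of attacks, distinct source IPs and attacks per attacker."""
    attacks = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of aborting the whole run
        tool = identify_tool(entry["ua"])
        if tool is None:
            continue  # ordinary traffic, not attributed to either tool
        attacks[tool] += 1
        sources[tool].add(entry["ip"])
    return {
        tool: {
            "attacks": attacks[tool],
            "attackers": len(sources[tool]),
            "attacks_per_attacker": attacks[tool] / len(sources[tool]),
        }
        for tool in attacks
    }


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
HAVIJ_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1) Havij"
SQLMAP_UA = "sqlmap/1.0-dev (http://sqlmap.org)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Apr/2012:12:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 500 512 "-" "{HAVIJ_UA}"',
    f'203.0.113.5 - - [10/Apr/2012:12:00:02 +0000] "GET /item.php?id=2 HTTP/1.1" 200 2048 "-" "{HAVIJ_UA}"',
    f'198.51.100.7 - - [10/Apr/2012:12:01:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 2048 "-" "{HAVIJ_UA}"',
    f'192.0.2.9 - - [10/Apr/2012:12:02:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 2048 "-" "{SQLMAP_UA}"',
    f'192.0.2.9 - - [10/Apr/2012:12:02:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 2048 "-" "{SQLMAP_UA}"',
    f'192.0.2.9 - - [10/Apr/2012:12:02:02 +0000] "GET /item.php?id=1 HTTP/1.1" 200 2048 "-" "{SQLMAP_UA}"',
    f'192.0.2.9 - - [10/Apr/2012:12:02:03 +0000] "GET /item.php?id=1 HTTP/1.1" 200 2048 "-" "{SQLMAP_UA}"',
    f'198.51.100.20 - - [10/Apr/2012:12:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "{BROWSER_UA}"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for tool, m in sorted(tool_metrics(SAMPLE_LOG).items()):
        print(f"{tool}: {m['attacks']} attacks from {m['attackers']} IPs "
              f"({m['attacks_per_attacker']:.1f} per attacker)")
```

Run against a real access log by replacing SAMPLE_LOG with the file’s lines; the attacks-per-attacker figure is the same ratio the post reports (around 90 for Havij and around 400 for SQLmap). Because the User-Agent is chosen by the client, a low count is not evidence of absence; pairing this with request-content detection in a WAF or IDS is the stronger control.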

The Havij/SQLmap debate may never get settled.  Either way, every security team trying to protect data from hackers should know both and put in place all the mitigations to stop them.