Dissecting the SQL Injection Tools Used By Hackers

Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.  Out of a crowd of around 60 people, only two people were familiar with it.  Though not a scientific, statistically valid survey, the result is spooky.  It’s kind of like going to fight in the mountains of Afghanistan and not knowing what an AK-47 is.
Today’s entry is designed to ensure you know what hackers are throwing at you in order to steal data when it comes to SQL injections.  If you’ve wondered why, as the most recent Verizon report shows, the main attack vector is web applications, knowing SQL injections tools hackers deploy to take data is vital.  Here’s what every security professional should know.

• Vulnerability scanners:  Vulnerability scanners find an initial SQL injection vulnerability.  However, these tools stop short of actually exploiting the vulnerability.  In other words, they highlight a potential vulnerability but don’t actually extract the data.  From a hacker’s perspective, they provide a list of likely targets. In this group we can find all kinds of vulnerability scanners which include:
  • Acunetix
  • W3af
  • Netsparker
  • Webinspect
  • Appscan
  • Whitehat
  • And the list goes on.
• SQL injection dumping tools:  Given a potentially SQL injection vulnerability, these tools expand the small hole to a major breach to leak all database content. This market is ruled by two main packages:
  • Havij – http://itsecteam.com/en/projects/project1.htm
  • SQLmap – http://sqlmap.sourceforge.net/
  • There are some other much smaller “players” (e.g., SSDP or Absinthe).  Considering there are two main players, we’ll focus on Havij and SQLmap.

For more, here’s a YouTube movie showing both tools:  http://www.youtube.com/watch?v=GOvRAJBbRnk.
To date, here’s how Havij and SQLmap currently stack up:

Some other considerations:

• Usability:  So Havij and SQLmap have very common SQLi features but Havij seems more accessible to new users – it is a point and click windows GUI application with installer which is a major advantage to the inexperienced user. However, more advanced user may find SQLmap more powerful and can be more easily extended and modified  – since it’s an open source project.
• Speed:  Some hackers report that SQLmap is dumping DBs more slowly than Havij – this may be due to the fact the Havij is compiled and SQLmap is interpreted (it is written in python code).  On hacker forums, some show their complaints openly:

But the debate rages on:


What do hackers actually use?  Using our “weather balloon” in cyberspace that tracks automated hacking we find that the use of Havij is much more common in our data.  Looking at attack data from the past six months, apart from January, in each month we’ve seen at least twice as much Havij attacks than SQLmap attacks.

Another interesting difference between the two is that Havij seems to be more widely distributed- During the last half a year, we had 178 different Havij attackers from 48 countries.
In contrast, during the same period we’ve only seen 16 IPs that used SQLmap, from only 9 different countries.  Accordingly, the average attacks per attacker ratio is around 90 for Havij and much higher, around 400 for SQLmap.  These are the top ten source countries for each tool:

Apart from being more diverse, it is quite evident from this list that there are more attackers from developing countries that use Havij than SQLmap.  Why?  Havij is friendlier to inexperienced users, while SQLmap is for pros. This might explain Havij’s broader use world-wide.
The Havij/SQLmap debate may never get settled.  Either way, every security team trying to protect data from hackers should know both and put in place all the mitigations to stop them.