
SQL Power Injector tools

Product Information

Introduction

SQL Power Injector is an application created in .Net 1.1 that helps the penetration tester to find and exploit SQL injections on a web page.

For now it is SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal mode). Indeed, the Normal mode is basically the SQL command that someone puts in the parameter sent to the server.


If inline SQL injection is powerful in itself, the application's main strength lies in the multithreaded automation of the injection. Not only is it possible to automate tedious and time-consuming queries, but you can also modify the query to get only what you want. This is obviously most useful for blind SQL injection, since the other ways to exploit a SQL injection vulnerability are more talkative and much faster when the results are displayed on the web page (a union select in an HTML table or a generated 500 error, for instance).

The automation can be done in two ways: by comparing the expected result or by time delay. The first way generally compares the response of a positive condition against an error or against the response of a negative condition; the second way turns out positive if the time delay observed from the server equals the one parameterized in the application.
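To make the comparison mode concrete from the defender's side, here is an added Python example (it is not code from SQL Power Injector or its author). It builds a constructed SQLite table, queries it once through the injectable string-concatenation pattern and once through a bound parameter, and then applies the positive/negative comparison described above to both. The function and table names are assumptions for the demo.

```python
import sqlite3

# Constructed demo data (not from the page): a tiny user table such as a
# login or profile page might query by username.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, secret TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def user_exists_vulnerable(conn, name):
    # The injectable pattern: the parameter is spliced into the SQL text, so
    # anything after a quote in `name` becomes part of the WHERE clause.
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0] > 0

def user_exists_safe(conn, name):
    # The hardened form: a bound parameter is always treated as a literal
    # string, so an appended condition is never evaluated by the engine.
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0

def responses_differ(lookup, conn, base_value):
    """The positive/negative comparison the page describes: send the same
    value with an always-true and an always-false condition appended and
    report whether the application's answer changes between the two."""
    positive = base_value + "' AND '1'='1"
    negative = base_value + "' AND '1'='2"
    return lookup(conn, positive) != lookup(conn, negative)

if __name__ == "__main__":
    db = build_db()
    print("vulnerable lookup leaks a condition oracle:",
          responses_differ(user_exists_vulnerable, db, "alice"))   # True
    print("parameterized lookup leaks nothing:",
          responses_differ(user_exists_safe, db, "alice"))         # False
```

The only difference between the two lookups is how the parameter reaches the engine, and that difference is the whole oracle: with the bound parameter both probes search for a literal username that does not exist, so the positive and negative responses are identical and there is nothing to compare. The time-delay mode depends on the same mistake, since a delay function can only be reached if the input is parsed as SQL (SQLite has no such function, so that mode is not shown here).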

The main effort on this application was to make it as painless as possible to find and exploit a SQL injection vulnerability without using any browser. That is why you will notice an integrated browser that displays the results of the injection, parameterized so that any standard SQL error is displayed without the rest of the page. Of course, like many other features of this application, there are ways to parameterize the server's response to make it as talkative as possible.

Another important part of this application is its ability to get all the parameters from the web page you need to test for SQL injection, by either the GET or POST method. This way you won't need several applications or a proxy to intercept the data; it is all automated! Not only that, there is now a Firefox plugin that will launch SQL Power Injector with all the information of the current web page and its session context (parameters and cookies).

I worked hard on the application's usability, but I am aware that on first use it's not too obvious. I'm pretty confident that once the few things you need to comprehend are understood, it will be quite easy to use afterwards. To help a beginner understand its basic features I created a tutorial that not only helps them out but can also be educational on some advanced SQL injection techniques. Moreover, you will find some great tricks in the FAQ as well, and now with version 1.2 a help file (chm) containing a list of the most useful information for SQL injection.

Also, I designed this application around the way I do my own pen testing and how I use SQL injection. It has been tested successfully many times on real-life web sites (legally, of course), and as soon as I see something missing I add it. Now that it is officially available to the security community I will have to be more rigorous and wait to add new features in a new version of the software. This process has already started and many more features will come with time.

Finally, this application will be free of charge and will hopefully be used to help in security assessments made by security professionals or to further the knowledge of the techniques used. Obviously I will not be held responsible for any misuse or damage caused by this application.

What It’s Not

This application, powerful as it is, won't find SQL injection vulnerabilities for you, nor will it find the right syntax once one is found. Its main strength is to provide a way to find them more easily and, once they are found, to automate the exploitation so that you won't need to make every single injection by hand when the only way to inject is the blind technique.

Moreover, I didn't intend it to be a database pumping application. There are plenty of good applications for that purpose. In any case, much of the pumped data is not relevant, and since pumping takes time it can be a real waste of time. It's better to refine and get what you really want.

Lastly, the fact that I added the feature (mini-browser) to have the results in HTML format doesn't mean it has all the features of a professional browser. Internet Explorer and Mozilla, to mention a few, are really complex software, and it would be nearly impossible to implement all their features in my application. That's why you won't be able to use it as a conventional browser even though it has the same look and feel.


  • Supported on Windows, Unix and Linux operating systems
  • SQL Server, Oracle, MySQL, Sybase/Adaptive Server and DB2 compliant
  • SSL support
  • Load automatically the parameters from a form or an IFrame on a web page (GET or POST)
  • Detect and browse the framesets
  • Option that auto detects the language of the web site
  • Detect and add cookies used during the Load Page process (Set-Cookie detection)
  • Find automatically the submit page(s) with its method (GET or POST) displayed in a different color
  • Can create/modify/delete loaded string and cookies parameters directly in the Datagrids
  • Single SQL injection
  • Blind SQL injection
    • Comparison of true and false response of the page or results in the cookie
    • Time delay
  • Response of the SQL injection in a customized browser
  • Can view the HTML code source of the returned page in HTML contextual colors and search in it
  • Fine tuning parameters and cookies injection
  • Can parameterize the length and count of the expected result to optimize the time taken by the application to execute the SQL injection
  • Create/edit ASCII character presets in order to optimize the number of requests/speed of the blind SQL injection
  • Multithreading (configurable up to 50)
  • Option to replace spaces by empty comments /**/ against IDS or filter detection
  • Automatically encode special characters before sending them
  • Automatically detect predefined SQL errors in the response page
  • Automatically detect a predefined word or sentence in the response page
  • Real time result
  • Save and load sessions in an XML file
  • Feature that automatically finds the differences between the response page of a positive answer and a negative one
  • Can create a range list that will replace the variable (<<@>>) inside a blind SQL injection string and automatically play them for you
  • Automatically replay a variable range with a predefined list from a text file
  • Firefox plugin that will launch SQL Power Injector with all the information of the current webpage with its session context (parameters and cookies)
  • Two integrated tools: Hex and Char encoder and MS SQL @options interpreter
  • Can edit the Referer
  • Can choose a User-Agent (or even create one in the User-Agent XML file)
  • Can configure the application with the settings window
  • Supports configurable proxies
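Several items in this list describe what the tool sends (time-delay probes, positive/negative condition pairs, spaces replaced by /**/ to get past IDS or filter detection, many threads at once), and each of those is also something a defender can look for in web server logs. The following added Python example, which is not code from SQL Power Injector, runs a small detector over constructed Common Log Format lines: it URL-decodes the query string, replaces inline comments with a space so that /**/ no longer hides keyword boundaries, and then matches the normalized text against a few signatures. The log lines, addresses and paths are constructed for the demo.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Common Log Format (not from the page).
# The third and fourth lines use the /**/ trick the feature list mentions.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:01 +0000] "GET /item.asp?id=5 HTTP/1.1" 200 2311
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /item.asp?id=5'%20AND%201=1-- HTTP/1.1" 200 2311
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /item.asp?id=5'/**/AND/**/1=2-- HTTP/1.1" 200 1044
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /item.asp?id=5;WAITFOR/**/DELAY/**/'0:0:3'-- HTTP/1.1" 200 2311
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /search.asp?q=blue+shoes HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) (?P<size>\d+)'
)

# Signatures for the two blind techniques the page describes plus the
# union-select case it mentions; all are matched against normalized text.
SIGNATURES = {
    "time-delay": re.compile(r"\b(waitfor\s+delay|sleep\s*\(|pg_sleep\s*\(|benchmark\s*\()"),
    "boolean-condition": re.compile(r"'\s*(and|or)\s+'?\w+'?\s*=\s*'?\w+'?"),
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b"),
}

def normalize(query):
    """URL-decode, replace inline comments with a space (so /**/ cannot hide
    keyword boundaries), collapse whitespace and lower-case the result."""
    text = unquote_plus(query)
    text = re.sub(r"/\*.*?\*/", " ", text)
    text = re.sub(r"\s+", " ", text)
    return text.lower().strip()

def classify(line):
    """Parse one log line and return the signatures its query string hits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = path.partition("?")[2]
    hits = [name for name, rx in SIGNATURES.items() if rx.search(normalize(query))]
    return {"ip": m.group("ip"), "path": path, "hits": hits}

def scan(log_text):
    """Return only the records that hit at least one signature."""
    findings = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings

def hits_per_client(findings):
    """Automated, multithreaded probing shows up as bursts from one address."""
    return Counter(rec["ip"] for rec in findings)

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["hits"], rec["path"])
    print(hits_per_client(scan(SAMPLE_LOG)))
```

The comment-stripping step is the part that matters most here: a filter that matches on "AND 1=2" against the raw request never sees that string when it arrives as AND/**/1=2, while the normalized form matches both. Counting hits per client address is a cheap way to surface the burst pattern that a multithreaded run produces, and response-time outliers (the 3-second delay in the fourth line) are the complementary signal for the time-delay technique when the web server logs request duration.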

Differences with Other Tools

To be honest, I didn't study all the other tools' features in every detail. The only thing I can say is that, even if they are great, they always lack something important that I need when I'm doing SQL injection.

Some applications will find the SQL injection for you, which sometimes results in false positives. Others will generically pump the data of the database. Some of those applications got smarter and let you check for what you need once the list of databases has been pumped, or ask for a specific hard-coded piece of data, such as the current DB user.

But none of them, as far as I know, has the ability to specifically choose what you want. That ability comes at a cost, of course: you need to know some SQL syntax, but I can assure you that once someone understands how it works, not much syntax is required.

Also, I cannot recall having seen any application with the time delay feature built in. Many SQL injection vulnerabilities are impossible to exploit unless you use that technique, a technique that can be really tedious and time consuming when done manually and often ends in giving up after long hours of copy-pasting the command into the browser.

I also don't remember having seen any multithread feature, which can most definitely be a really important time saver, nor the ASCII character preset feature that can save up to 25% of the requests of a blind SQL injection. (Please look at the statistics section for some figures.)

I apologize in advance to those who made their own application available on the Net with those features before I made SQL Power Injector available. Please let me know and I will update this section.

Summary of the differences:

  • Web page string and cookie parameters auto detection
  • Fine tuning parameters SQL injection
  • Time delay feature
  • Multithread feature
  • Response results in a customized browser
  • Automated positive and negative condition discovery
  • Blind SQL injection characters preset optimizer


You will find two screenshots demonstrating the two techniques used in the application: Normal and Blind.


Screen 1: SQL Power Injector with the Normal technique

Screen 2: SQL Power Injector with the Blind technique

Some Statistic Figures

I didn't use any scientific method, so do not consider these statistics as scientific facts but rather as a general idea of what you can expect, especially since no one controls the traffic on the Net and I would be really hard pressed to give any valuable scientific data. Another thing: I didn't make enough tests (10 runs for each thread count) to have a real statistical sample, since the goal of these numbers is only to show approximately what you can expect.

Moreover, it will also depend on the size of the data sought. Sometimes a lower number of threads will be more effective than a higher one. In fact, the time taken is optimal when the length of the value is divisible by the number of threads. So if we have a 24-character value, 3, 4, 6 and 8 threads will be faster than any other count. As a rule of thumb, the biggest gap in time between any two thread counts is between 1 and 2. As you can see, higher is not always better. You will see some examples in the following statistics.

Even though you can go up to 50 threads, I have discovered that around 10 threads it starts to produce errors and gets slower and slower. So again, a bigger number of threads is not necessarily better. I must warn as well that the higher the number of threads, the higher the chance of crashing the web application (web server or database).

I must thank Nathaniel Felsen for having allowed me to test on one of his web servers.

Here are the characteristics of the computer used to make the tests:

  • AMD Athlon™ 64 X2 Dual Core Processor 4200+ GHz
  • 2 GB of RAM
  • Windows XP SP 2
  • ADSL 1 MB/s
  • Ping round trip average time of 173 ms

With positive answer option

6 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~36 s 0 ms | 61 | ~26 s 193 ms | 43 |
| 2 | ~20 s 314 ms | 61 | ~15 s 561 ms | 43 |
| 3 | ~20 s 883 ms | 61 | ~15 s 755 ms | 43 |
| 4 | ~22 s 705 ms | 70 | ~17 s 540 ms | 49 |
| 5 | ~22 s 14 ms | 61 | ~17 s 171 ms | 43 |
| 6 | ~19 s 878 ms | 61 | ~15 s 227 ms | 43 |

11 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~1 m 1 s 910 ms | 106 | ~47 s 840 ms | 80 |
| 2 | ~35 s 492 ms | 106 | ~26 s 350 ms | 80 |
| 3 | ~35 s 157 ms | 106 | ~28 s 220 ms | 80 |
| 4 | ~33 s 638 ms | 106 | ~26 s 607 ms | 80 |
| 5 | ~35 s 280 ms | 106 | ~26 s 403 ms | 80 |
| 6 | ~32 s 426 ms | 106 | ~26 s 983 ms | 80 |
| 7 | ~35 s 162 ms | 115 | ~28 s 858 ms | 86 |
| 8 | ~40 s 590 ms | 106 | ~28 s 972 ms | 80 |

23 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~2 m 4 s 37 ms | 214 | ~1 m 45 s 905 ms | 175 |
| 2 | ~1 m 6 s 57 ms | 214 | ~57 s 552 ms | 175 |
| 3 | ~1 m 6 s 418 ms | 214 | ~56 s 714 ms | 175 |
| 4 | ~1 m 3 s 759 ms | 214 | ~54 s 575 ms | 175 |
| 5 | ~1 m 3 s 57 ms | 214 | ~53 s 743 ms | 175 |
| 6 | ~1 m 2 s 995 ms | 214 | ~53 s 750 ms | 175 |
| 7 | ~1 m 7 s 870 ms | 214 | ~59 s 178 ms | 175 |
| 8 | ~1 m 3 s 285 ms | 214 | ~52 s 938 ms | 175 |

187 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~16 m 42 s 991 ms | 1692 | ~13 m 16 s 31 ms | 1303 |
| 2 | ~8 m 32 s 604 ms | 1692 | ~6 m 34 s 562 ms | 1303 |
| 3 | ~8 m 24 s 751 ms | 1692 | ~6 m 41 s 286 ms | 1303 |
| 4 | ~8 m 9 s 943 ms | 1692 | ~6 m 25 s 358 ms | 1303 |
| 5 | ~8 m 10 s 97 ms | 1692 | ~6 m 35 s 30 ms | 1303 |
| 6 | ~8 m 12 s 256 ms | 1692 | ~6 m 24 s 839 ms | 1303 |
| 7 | ~8 m 14 s 811 ms | 1692 | ~6 m 25 s 531 ms | 1303 |
| 8 | ~8 m 13 s 168 ms | 1692 | ~6 m 28 s 909 ms | 1303 |

With time delay of 3 seconds

6 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~2 m 3 s 337 ms | 62 | ~1 m 40 s 941 ms | 44 |
| 2 | ~1 m 17 s 114 ms | 62 | ~1 m 7 s 308 ms | 44 |
| 3 | ~1 m 16 s 273 ms | 62 | ~1 m 4 s 770 ms | 44 |
| 4 | ~1 m 22 s 970 ms | 71 | ~1 m 8 s 701 ms | 50 |
| 5 | ~1 m 17 s 349 ms | 62 | ~1 m 4 s 448 ms | 44 |
| 6 | ~1 m 13 s 998 ms | 62 | ~1 m 1 s 981 ms | 44 |

11 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~3 m 27 s 825 ms | 107 | ~2 m 42 s 829 ms | 80 |
| 2 | ~1 m 54 s 687 ms | 107 | ~1 m 36 s 265 ms | 80 |
| 3 | ~1 m 56 s 737 ms | 107 | ~1 m 32 s 425 ms | 80 |
| 4 | ~1 m 51 s 883 ms | 107 | ~1 m 29 s 994 ms | 80 |
| 5 | ~2 m 4 s 263 ms | 107 | ~1 m 38 s 55 ms | 80 |
| 6 | ~1 m 54 s 239 ms | 107 | ~1 m 38 s 112 ms | 80 |
| 7 | ~2 m 2 s 25 ms | 116 | ~1 m 41 s 341 ms | 80 |
| 8 | ~2 m 19 s 62 ms | 107 | ~1 m 57 s 104 ms | 80 |

23 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~7 m 4 s 531 ms | 215 | ~6 m 11 s 70 ms | 176 |
| 2 | ~3 m 42 s 679 ms | 215 | ~3 m 31 s 982 ms | 176 |
| 3 | ~3 m 41 s 82 ms | 215 | ~3 m 23 s 911 ms | 176 |
| 4 | ~3 m 41 s 791 ms | 215 | ~3 m 22 s 364 ms | 176 |
| 5 | ~3 m 43 s 176 ms | 215 | ~3 m 17 s 817 ms | 176 |
| 6 | ~3 m 38 s 604 ms | 215 | ~3 m 22 s 348 ms | 176 |
| 7 | ~3 m 58 s 906 ms | 215 | ~3 m 41 s 586 ms | 176 |
| 8 | ~3 m 38 s 255 ms | 215 | ~3 m 13 s 52 ms | 176 |

187 characters

| Number of threads | Full set: time taken | Full set: number of requests | Optimized: time taken | Optimized: number of requests |
| --- | --- | --- | --- | --- |
| 1 | ~59 m 19 s 88 ms | 1692 | ~44 m 2 s 421 ms | 1296 |
| 2 | ~30 m 50 s 515 ms | 1692 | ~22 m 36 s 765 ms | 1296 |
| 3 | ~30 m 27 s 572 ms | 1692 | ~22 m 43 s 10 ms | 1296 |
| 4 | ~30 m 10 s 437 ms | 1692 | ~21 m 56 s 114 ms | 1296 |
| 5 | ~29 m 48 s 328 ms | 1692 | ~31 m 57 s 703 ms | 1296 |
| 6 | ~29 m 41 s 322 ms | 1692 | ~22 m 7 s 432 ms | 1296 |
| 7 | ~29 m 26 s 499 ms | 1693 | ~22 m 484 ms | 1296 |
| 8 | ~30 m 17 s 641 ms | 1692 | ~22 m 17 s 234 ms | 1296 |
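The two claims made before these tables (that the speed-up is largely captured going from 1 to 2 threads, and that a value length divisible by the thread count avoids wasted capacity) can be checked against the figures themselves. The following added Python example, which is not code from SQL Power Injector, parses the "~1 m 6 s 57 ms" style cells from the 23-character positive-answer table above, computes the speed-up relative to a single thread, the percentage of requests saved by the optimized character preset, and the number of idle worker slots a given length/thread combination leaves in its last pass. The rows embedded in the code are copied from the tables; the idle-slot model is my own reading of the author's divisibility remark, not a description of the tool's scheduler.

```python
import math
import re

# Full-set times copied from the "With positive answer option, 23 characters"
# table above, keyed by thread count.
FULLSET_23 = {
    1: "~2 m 4 s 37 ms", 2: "~1 m 6 s 57 ms", 3: "~1 m 6 s 418 ms",
    4: "~1 m 3 s 759 ms", 5: "~1 m 3 s 57 ms", 6: "~1 m 2 s 995 ms",
    7: "~1 m 7 s 870 ms", 8: "~1 m 3 s 285 ms",
}
# Single-thread request counts (full set, optimized) from the same tables,
# keyed by value length in characters.
REQUESTS = {6: (61, 43), 11: (106, 80), 23: (214, 175), 187: (1692, 1303)}

UNIT_MS = {"m": 60_000, "s": 1_000, "ms": 1}

def parse_duration(text):
    """Turn a cell such as '~1 m 6 s 57 ms' into a millisecond count."""
    total = 0
    for value, unit in re.findall(r"(\d+)\s*(ms|m|s)\b", text):
        total += int(value) * UNIT_MS[unit]
    return total

def rounds(length, threads):
    """Passes needed when one character is assigned to each worker per pass
    (assumed model of the author's 'divisible' remark)."""
    return math.ceil(length / threads)

def idle_slots(length, threads):
    """Worker slots left empty in the final pass; zero when length is
    divisible by the thread count, which is the author's optimal case."""
    return rounds(length, threads) * threads - length

def speedups(times):
    """Speed-up of each thread count relative to one thread, to 2 decimals."""
    base = parse_duration(times[1])
    return {t: round(base / parse_duration(v), 2) for t, v in times.items()}

def request_saving_pct(fullset, optimized):
    """Percentage of requests the optimized character preset saved."""
    return round(100 * (fullset - optimized) / fullset, 1)

if __name__ == "__main__":
    print("speed-up vs 1 thread (23 chars):", speedups(FULLSET_23))
    for length, (full, opt) in REQUESTS.items():
        print(f"{length} chars: preset saves {request_saving_pct(full, opt)}% of requests")
    for t in range(1, 9):
        print(f"24 chars over {t} threads: {rounds(24, t)} passes, {idle_slots(24, t)} idle slots")
```

On the 23-character run the speed-up is 1.88x at two threads and still only 1.96x at eight, which is the plateau the author describes; the preset saves between roughly 18% and 30% of the requests across the four lengths, consistent with the "up to 25%" figure given earlier, and for a 24-character value only the thread counts the author lists (3, 4, 6, 8, plus 1 and 2) leave no idle slot in the final pass.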


In this section you will be able to download the installation file, the documentation and the source code of all versions of SQL Power Injector.

Current version

Version 1.2

| | Info | Size (Kb) |
| --- | --- | --- |
| Software | Installation file MSI | 5,860 |
| Source code | Source code in C# and .Net 1.1 | 2,280 |
| Documentation | Same document as the one of the tutorial and Databases "Aide Memoire" Help file (chm) | 2,075 |
| Plugin Firefox | XPI Plugin Installation file | 20 |

Previous versions

Version 1.1.1

| | Info | Size (Kb) |
| --- | --- | --- |
| Software | Installation file MSI | 3,906 |
| Source code | Source code in C# and .Net 1.1 | 2,440 |
| Documentation | Same document as the one of the tutorial and version 1.1 | 2,513 |

Version 1.1

| | Info | Size (Kb) |
| --- | --- | --- |
| Software | Installation file MSI | 4,460 |
| Source code | Source code in C# and .Net 1.1 | 2,438 |
| Documentation | Same document as the one of the tutorial | 2,513 |

Version 1.0

| | Info | Size (Kb) |
| --- | --- | --- |
| Software | Installation file MSI | 3,893 |
| Source code | Source code in C# and .Net 1.1 | 1,871 |
| Documentation | Same document as the one of the tutorial | 1,936 |
