April 03, 2012
 Dissecting the SQL Injection Tools Used By Hackers

Recently, during a presentation to a group of security professionals, an impromptu poll was taken asking attendees whether they were familiar with Havij, a SQL injection tool used heavily in the hacking community.  Out of a crowd of around 60 people, only two people were familiar with it.  Though not a scientific, statistically valid survey, the result is spooky.  It’s kind of like going to fight in the mountains of Afghanistan and not knowing what an AK-47 is.

Today’s entry is designed to ensure you know what hackers are throwing at you in order to steal data when it comes to SQL injection.  If you’ve wondered why, as the most recent Verizon report shows, the main attack vector is web applications, knowing the SQL injection tools hackers deploy to take data is vital.  Here’s what every security professional should know.

  • Vulnerability scanners:  Vulnerability scanners find an initial SQL injection vulnerability.  However, these tools stop short of actually exploiting the vulnerability.  In other words, they highlight a potential vulnerability but don’t actually extract the data.  From a hacker’s perspective, they provide a list of likely targets.  This group includes all kinds of vulnerability scanners, such as:
    • Acunetix
    • w3af
    • Netsparker
    • WebInspect
    • AppScan
    • WhiteHat
    • And the list goes on. 
  • SQL injection dumping tools:  Given a potential SQL injection vulnerability, these tools expand the small hole into a major breach that leaks the entire database content.  This market is ruled by two main packages:
    • Havij
    • SQLmap

For more, here’s a YouTube movie showing both tools:  http://www.youtube.com/watch?v=GOvRAJBbRnk.

To date, here’s how Havij and SQLmap currently stack up:

|                               | Havij                                                                        | SQLmap                                                                                                        |
|-------------------------------|------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|
| Code                          | Commercial/Proprietary                                                       | Open source                                                                                                   |
| OS support                    | Windows                                                                      | Every OS running Python                                                                                       |
| Form                          | Installer                                                                    | Python code                                                                                                   |
| UI                            | Graphic (GUI)                                                                | Command line                                                                                                  |
| Supported DBs                 | MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, Sybase   | MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase, SAP MaxDB      |
| Last updated                  | 22.6.11                                                                      | 29.3.12                                                                                                       |
| Password cracking             | Supported                                                                    | Supported                                                                                                     |
| Customizable DB dump          | Supported                                                                    | Supported                                                                                                     |
| Execute arbitrary DB commands | Supported                                                                    | Supported                                                                                                     |
| Auxiliary functionality (password cracking, shell upload, remote control etc.) | Supported                                                   | Supported                                                                                                     |

Some other considerations:

  • Usability:  Havij and SQLmap share most common SQLi features, but Havij seems more accessible to new users: it is a point-and-click Windows GUI application with an installer, which is a major advantage to the inexperienced user.  However, more advanced users may find SQLmap more powerful, and it can be more easily extended and modified since it is an open source project.
  • Speed:  Some hackers report that SQLmap dumps DBs more slowly than Havij.  This may be because Havij is compiled while SQLmap is interpreted (it is written in Python).  On hacker forums, some voice their complaints openly:

  [Forum screenshots: Sqltools1, Sqltools2]

But the debate rages on:

[Forum screenshots: Sqltools3, Sqltools4]

What do hackers actually use?  Using our “weather balloon” in cyberspace that tracks automated hacking, we find that Havij is much more common in our data.  Looking at attack data from the past six months, in every month apart from January we’ve seen at least twice as many Havij attacks as SQLmap attacks.

[Chart (Sqltools5): Havij vs. SQLmap attacks per month over the past six months]

Another interesting difference between the two is that Havij seems to be more widely distributed: during the last half year, we saw 178 different Havij attackers from 48 countries.

In contrast, during the same period we’ve only seen 16 IPs that used SQLmap, from only 9 different countries.  Accordingly, the average attacks-per-attacker ratio is around 90 for Havij and much higher, around 400, for SQLmap.  These are the top ten source countries for each tool:

| Havij              | IPs | sqlmap             | IPs |
|--------------------|-----|--------------------|-----|
| USA                | 37  | Canada             | 3   |
| Indonesia          | 12  | Netherlands        | 3   |
| Morocco            | 10  | USA                | 3   |
| Germany            | 7   | Bulgaria           | 2   |
| Egypt              | 7   | Philippines        | 1   |
| United Kingdom     | 7   | Germany            | 1   |
| Russian Federation | 6   | Israel             | 1   |
| Vietnam            | 6   | Russian Federation | 1   |
| Brazil             | 5   | Argentina          | 1   |
| Pakistan           | 5   |                    |     |

Apart from being more diverse, the Havij list quite evidently contains more attackers from developing countries than the SQLmap list.  Why?  Havij is friendlier to inexperienced users, while SQLmap is for pros.  This might explain Havij’s broader use worldwide.
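The per-tool statistics above (attack counts, distinct attacker IPs, attacks per attacker and the source-country ranking) can be reproduced by a defender on their own web server access logs.  The following is an added example written for this post, not Imperva’s “weather balloon” or either tool’s own code.  It assumes the Apache/nginx combined log format, attributes requests to a tool by the default User-Agent tokens that unmodified copies of Havij and SQLmap send (an operator can change them, so a request with no token is only counted, as “unknown”, when its decoded query string carries generic injection indicators), and uses constructed log lines plus a constructed IP-to-country dictionary standing in for a GeoIP database.

```python
"""Attribute SQL injection attempts in an access log to the tool that produced
them and compute per-tool statistics. Added example; log lines and the
IP-to-country table below are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Default User-Agent tokens the tools send when left unmodified (assumption:
# the operator did not change them; a missing token therefore proves nothing).
TOOL_SIGNATURES = {
    "Havij": re.compile(r"\bHavij\b", re.IGNORECASE),
    "sqlmap": re.compile(r"\bsqlmap/", re.IGNORECASE),
}

# Coarse injection indicators, checked against the URL-decoded query string so
# that an attempt whose tool hides its token is still counted (as "unknown").
SQLI_INDICATORS = re.compile(
    r"(\bunion\b.{0,20}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|'\s*or\b|--|/\*)",
    re.IGNORECASE,
)

# Apache/nginx "combined" log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed lookup standing in for a GeoIP database (RFC 5737 test addresses).
GEO = {
    "203.0.113.5": "Indonesia",
    "203.0.113.8": "Morocco",
    "198.51.100.7": "Canada",
    "203.0.113.77": "Brazil",
    "192.0.2.9": "USA",
}

# Constructed sample log: two Havij sources, one sqlmap source, one unattributed
# injection attempt and one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2012:10:00:01 +0000] "GET /product.php?id=1%27+UNION+SELECT+1,2,3-- HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Havij)"
203.0.113.5 - - [12/Mar/2012:10:00:02 +0000] "GET /product.php?id=1%27+UNION+SELECT+1,version(),3-- HTTP/1.1" 200 530 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Havij)"
203.0.113.8 - - [12/Mar/2012:11:14:40 +0000] "GET /news.php?id=7%27+AND+1=1-- HTTP/1.1" 200 640 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Havij)"
198.51.100.7 - - [12/Mar/2012:12:30:00 +0000] "GET /product.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [12/Mar/2012:12:30:06 +0000] "GET /product.php?id=1%20AND%201=2 HTTP/1.1" 200 300 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.7 - - [12/Mar/2012:12:30:07 +0000] "GET /product.php?id=-1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL-- HTTP/1.1" 200 700 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.77 - - [12/Mar/2012:13:00:00 +0000] "GET /item.php?id=2%27%20OR%201=1-- HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
192.0.2.9 - - [12/Mar/2012:13:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
"""


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return 'Havij', 'sqlmap', 'unknown' (injection indicators but no tool
    token) or None when the request shows nothing injection-like."""
    for tool, signature in TOOL_SIGNATURES.items():
        if signature.search(entry["ua"]):
            return tool
    if SQLI_INDICATORS.search(unquote_plus(entry["path"])):
        return "unknown"
    return None


def summarize(log_text, geo):
    """Per tool: attack count, distinct attacker IPs, attacks per attacker and
    source countries ranked by number of IPs (the shape of the tables above)."""
    attacks = Counter()
    attackers = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than guess
        tool = classify(entry)
        if tool is None:
            continue  # benign traffic is not counted
        attacks[tool] += 1
        attackers[tool].add(entry["ip"])
    report = {}
    for tool, count in attacks.items():
        ips = attackers[tool]
        countries = Counter(geo.get(ip, "unknown") for ip in ips)
        report[tool] = {
            "attacks": count,
            "attackers": len(ips),
            "attacks_per_attacker": count / len(ips),
            "top_countries": countries.most_common(),
        }
    return report


if __name__ == "__main__":
    for tool, stats in summarize(SAMPLE_LOG, GEO).items():
        print(tool, stats)
```

On the constructed sample this attributes three requests from two IPs to Havij (1.5 attacks per attacker), three requests from a single IP to sqlmap (3.0 per attacker) and one request to an unknown tool, while the plain page view is not counted at all.  Run against a real log, the per-attacker ratio is the figure the post quotes (around 90 for Havij versus around 400 for SQLmap), and the country ranking is only as good as the GeoIP source substituted for the dictionary.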

The Havij/SQLmap debate may never get settled.  Either way, every security team trying to protect data from hackers should know both and put in place all the mitigations to stop them.


Comments

Havij is a freely available desktop application and not a scanning service. Therefore, a list of Havij IP addresses doesn't exist. However, using reputation services such as Imperva's THR IP addresses reputation can help in detecting scanners' attacks.

How would I go about finding which IPs Havij is actually using? I figure it'd make sense to get that list and include it in our firewall. I've tried searching all over to no avail.
