BlindSQLInjector

Info

BlindSQLInjector is an application for performing completely blind SQL injection. It currently supports only MS SQL Server. It uses time-based inference to distinguish true from false conditions and extract data. Its key feature is a binary search mechanism that reduces the character search space, so each character value can be determined within 7 to 8 requests.
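From the defender's side, the behaviour described above leaves a recognisable trace in web server logs: one client sends many requests to the same endpoint, and the response times fall into two tight clusters separated by the configured wait. The Python sketch below is an added example, not part of BlindSQLInjector; the record layout, the thresholds (including 14 requests, two characters' worth at 7 each) and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (client, path, response_seconds). Not real traffic.
_SUSPECT = [0.09, 5.08, 0.11, 5.12, 5.10, 0.08, 0.10, 5.09,
            0.12, 5.11, 0.09, 0.10, 5.07, 5.13, 0.11, 0.08]
_BENIGN = [0.10, 0.12, 0.09, 0.11, 0.10, 3.40, 0.13, 0.09,
           0.10, 0.12, 0.11, 0.10, 0.09, 0.14, 0.10, 0.11]
SAMPLE = ([("203.0.113.7", "/item", s) for s in _SUSPECT]
          + [("198.51.100.20", "/item", s) for s in _BENIGN]
          + [("198.51.100.21", "/item", s) for s in (0.10, 5.20, 0.09)])


def split_at_largest_gap(latencies):
    """Sort latencies and cut at the widest gap: returns (gap, fast, slow)."""
    xs = sorted(latencies)
    gap, i = max((xs[j + 1] - xs[j], j) for j in range(len(xs) - 1))
    return gap, xs[:i + 1], xs[i + 1:]


def flag_timing_inference(records, min_requests=14, min_gap=2.0,
                          max_spread=0.5, min_cluster=3):
    """Flag (client, path) pairs whose latencies look like a yes/no timing channel.

    Assumed thresholds: at least min_requests requests, two latency clusters
    at least min_gap seconds apart, and a slow cluster no wider than
    max_spread (a fixed injected delay is tight; organic slowness scatters).
    """
    groups = defaultdict(list)
    for client, path, secs in records:
        groups[(client, path)].append(secs)
    findings = []
    for (client, path), lat in sorted(groups.items()):
        if len(lat) < max(min_requests, 2):
            continue  # too few requests to judge
        gap, fast, slow = split_at_largest_gap(lat)
        tight = slow[-1] - slow[0] <= max_spread
        if gap >= min_gap and tight and min(len(fast), len(slow)) >= min_cluster:
            delay = sum(slow) / len(slow) - sum(fast) / len(fast)
            findings.append({"client": client, "path": path,
                             "requests": len(lat), "slow": len(slow),
                             "delay_estimate": round(delay, 2)})
    return findings


if __name__ == "__main__":
    for finding in flag_timing_inference(SAMPLE):
        print(finding)
```

Because the tool's wait timing is configurable, `min_gap` should be set relative to the endpoint's normal latency rather than to a fixed number of seconds.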

Features

  • Binary search for faster character identification
  • Validation on each item of data identified
  • Completely blind injection using time-based inference
  • Full ASCII character set support
  • Supports MS SQL Server
  • Extracts database name, current user, server version, table names, column names, column data types, column lengths
  • Configurable space encoding (can change at runtime)
  • Configurable wait timing (can change at runtime)
  • Tree view display of enumerated data
  • Full resume support, so you can stop the processing, close the app then restart and it won’t repeat requests for data already retrieved
  • Proxy support
  • Authentication support (Basic, Digest, Negotiate, NTLM, X509)
  • Data extraction
  • Data export

Screenshots

Request Tab

Schema Tab

Log Tab

 
