Havij ----- Version 1.16 Pro Advanced SQL Injection Tool Disclaimer ---------- We are NOT responsible for any damage or illegal actions caused by the use of this program. Use on your own risk! What's New? ----------- -Webknight WAF bypass added. -Bypassing mod_security made better -Unicode support added -A new method for tables/columns extraction in mssql -Continuing previous tables/columns extraction made available -Custom replacement added to the settings -Default injection value added to the settings (when using %Inject_Here%) -Table and column prefix added for blind injections -Custom table and column list added. -Custom time out added. -A new md5 cracker site added -bugfix: a bug releating to SELECT command -bugfix: finding string column -bugfix: getting multi column data in mssql -bugfix: finding mysql column count -bugfix: wrong syntax in injection string type in MsAccess -bugfix: false positive results was removed -bugfix: data extraction in url-encoded pages -bugfix: loading saved projects -bugfix: some errors in data extraction in mssql fixed. -bugfix: a bug in MsAccess when guessing tables and columns -bugfix: a bug when using proxy -bugfix: enabling remote desktop bug in windows server 2008 (thanks to pegasus315) -bugfix: false positive in finding columns count -bugfix: when mssql error based method failed -bugfix: a bug in saving data -bugfix: Oracle and PostgreSQL detection Features -------- 1. Supported Databases with injection methods: a. MsSQL 2000/2005/2008 with error b. MsSQL 2000/2005/2008 no error union based c. MsSQL Blind (Pro version only) d. MsSQL time based (Pro version only) e. MySQL union based f. MySQL Blind g. MySQL error based h. MySQL time based i. Oracle union based j. Oracle error based k. PostgreSQL union based (Pro version only) l. MsAccess union based m. MsAccess Blind (Pro version only) n. Sybase (ASE) o. Sybase (ASE) Blind (Pro version only) 2. HTTPS Support (Pro version only) 3. Proxy support 4. Automatic database detection 5. Automatic type detection (string or integer) 6. Automatic keyword detection (finding difference between the positive and negative response) 7. Trying different injection syntaxes 8. Options for replacing space by /**/,+,... against IDS or filters 9. Avoid using strings (magic_quotes similar filters bypass) 10. Manual injection syntax support 11. Manual queries with result (Pro version only) 12. Bypassing illegal union 13. Full customizable headers (like referer,user agent and ...) 14. Load cookie from site for authentication 15. Basic and Digest authentication 16. Injecting url rewrite pages (Pro version only) 17. bypassing mod_security web application firewall and similar firewalls (Pro version only) 18. bypassing WebKnight web application firewall and similar firewalls (Pro version only) 19. Real time result 20. Guessing tables and columns in mysql<5 (also in blind) and MsAccess 21. Fast getting tables and columns for mysql 22. continuing previous tables/columns extraction session (Pro version only) 23. Executing SQL commands on Oracle 24. Custom keyword replacement in inejctions (Pro version only) 25. Getting one row in one request (all in one request) (Pro version only) 26. Dumping data into file (Pro version only) 27. Saving data as XML format (Pro version only) 28. View every injection request sent by program (Pro version only) 29. Enabling xp_cmdshell and remote desktop (Pro version only) 30. Multiple tables/column extraction methods (Pro version only) 31. Multi thread Admin page finder 32. Multi thread Online MD5 cracker 33. Getting DBMS Informations 34. Getting tables, columns and data 35. Command executation (mssql only) 36. Reading system files (mysql only) 37. insert/update/delete data 38. Unicode support How to use ---------- This tool is for exploiting SQL Injection bugs in web application. For using this tool you should know a little about SQL Injections. Enter target url and select method then click Analyze. Note: Try to url be valid input that returns a normal page not a 404 or error page. [size=18]Due to the nature of the crack this program will not run sandboxed or in a virtual machine. Be sure to run as admin.[/size] ENJOY!