JSQL Injection Tool (JSQL) is another SQL injection tool available in Kali Linux. It has a graphical user interface (GUI) and automates SQL injection attacks, making it a useful tool for penetration testers to discover vulnerabilities in web applications. Like SQLMap, JSQL helps identify SQL injection flaws and interact with databases to retrieve sensitive data.
Installation
sudo apt-get install jsql
Using JSQL
- Target URL: Enter the URL of the web application you want to test for SQL injection vulnerabilities in the Target field.
- Methods: Choose the HTTP request method (GET, POST, Cookie, User-Agent, etc.) you want to use for injection testing.
- Injection: JSQL will automatically detect the SQL injection point by testing various injection techniques.
- Injection Methods Supported: JSQL can use different SQL injection techniques, such as:
- Error-based
- Blind (Time-based and Boolean)
- Union-based
- Out-of-band techniques
- Database Type Detection: JSQL can automatically detect the type of database management system in use, such as:
- MySQL
- PostgreSQL
- Oracle
- MSSQL
- SQLite
- Retrieving Information: After detecting a vulnerability, JSQL can retrieve various types of data:
- Databases: It will list available databases.
- Tables: You can enumerate tables within a selected database.
- Columns: Once you choose a table, you can enumerate its columns.
- Data Dump: Extract the data from the selected table and columns.
Additional Features:
- SQL Injection Testing for Multiple Parameters: JSQL can scan multiple input fields at once for vulnerabilities.
- Proxy Settings: You can configure JSQL to use a proxy to capture traffic or evade detection.
- Tamper Scripts: These help bypass Web Application Firewalls (WAFs) by modifying SQL payloads.
- Brute Force: JSQL can brute force authentication and extract data.
- Automated SQL Injection: JSQL automates the entire SQL injection process, making it easier for users to identify and exploit vulnerabilities quickly.
Example: Testing a Vulnerable URL
- Launch JSQL and enter the vulnerable URL (e.g., http://example.com/index.php?id=1) in the Target field.
- Select the method (typically GET) and click Inject to start testing for SQL injection.
- Once the tool finds a vulnerability, it will display a list of databases and tables that can be queried.
Using JSQL with Burp Suite:
- If you’re capturing traffic with Burp Suite, you can export the traffic and import it into JSQL for SQL injection testing.
- Export the intercepted request from Burp as a text file, and in JSQL, use the Load option to import the request for analysis.
Exporting Results:
JSQL allows you to export the results of your testing, including information about databases, tables, and data, for reporting purposes.
Key Points for Ethical Use
- Legal and Ethical Testing: Always ensure that you have explicit permission to test a website or system. Unauthorized testing is illegal and unethical.
- Documentation: Keep detailed records of vulnerabilities found for later reporting and remediation.
JSQL Injection Tool is a user-friendly and powerful tool that simplifies the process of detecting and exploiting SQL injection vulnerabilities, especially for users who prefer a graphical interface over command-line tools.