By: Darcy Kempa
January 8, 2021
Pentesting with the SQLi Dumper v8 Tool
By: Darcy Kempa
January 8, 2021
Individuals interested in performing penetration testing on Structured Query Language (SQL) databases should look at SQLi Dumper. This is an excellent automatic SQL injection tool that scans web applications for SQL injection vulnerabilities. It can be downloaded through the https://sqli-dumper.com/ website. Use/download with caution. The website also provides SQLi Dumper tutorials and other pertinent information.
This overview aims to support legal and authorized activities undertaken to improve the security of SQL databases. It does not promote SQLi Dumper as a "hacking" tool or to be used in illegal or unauthorized activities.
As SQL became more popular in database design and management, so did its popularity with hackers. A central repository (database) containing personally identifiable information (PII), credit card data, and other information was still a tempting target for hackers. A business can use SQLi Dumper as part of its cybersecurity program to prevent SQL Injection attacks.
This tool uses a 6-phase process to provide the requested information. Each phase, in turn, has several steps, and all are easy to understand.
- Phase 1. Collect dorks.
- Phase 2. Use a Proxy or VPN.
- Phase 3. Insert dorks and start the scanner.
- Phase 4. Click SQL Injection and start the exploiter.
- Phase 5. Select URLs for searching.
- Phase 6. Dump and save the data.
Dorks are search criteria selected by the user. There are three categories located within the SQLi Dumper Dork Generator. The user can select dorks from Names/Keywords, Page Format, and Page Type.
The Names/Keywords category focuses on the names of pages and/or keywords to search. The name of a page can be seen in the browser address bar. Examples of this are "home" and "new products." On the other hand, keywords refer to the specific content within a page like "jacket" or "social security number." Page Format refers to the type of scripting language used to create the web page and file extensions. Examples are “.asp”, “.html”, “.php” as well as “.jsf” and “.raw”. This category helps refine the type of page for the search.
Page Type is used to provide specific query information based on a value category. Entries in this category can be used to identify a specific product (IDProduct=), a cart item (cartID=), or other assigned values and/or categories located within a database.
After the dorks are specified, they are then saved to a file for further use.
The rest of the steps are easy to understand and follow. The dorks file is inserted into the SQLi Dumper white box. The user then selects a specific search engine or engines to use to gather the results. The next step is to click the Start Scanner button. After that, the user selects the SQL Injection option and then clicks on the Start Exploiter button. At this point, the user just waits for the results.
In the event of any confusion, there are pictures and diagrams available on the website. There are several tutorials available on YouTube.
The scan results are viewed in one of five category tabs: URL's Queue, Exploitables, Injectables, Non-Injectables, and Trash Collector. The Injectables tab is of particular interest because the information presented includes the URL and the Method but may also include SQL Version and User information. The Method refers to a specific vulnerability while the User information may show an email address. Both are valuable for further exploitation attempts.
The results are displayed in rows and columns. The user can click on the specific row, bringing up a pop-up window with more information. This allows the user to select specific URLs for further searching or for saving the scan results.
Overall, SQLi Dumper is a robust penetration testing tool. The variety of dorks available helps the pen-tester target specific pages and information. The ease of use and the straightforward design make SQLi Dumper a solid option for the novice and expert alike. Anyone involved in cybersecurity should take a look at this powerful tool.
Pertinent Training Options.
Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing. The following links are provided for your consideration.