Home 0P3N Blog Pentesting with the SQLi Dumper v8 Tool
Ready to Start Your Career?
Create Free Account
Babak Esmaeilis profile image
By: Babak Esmaeili
August 23, 2016

Pentesting with the SQLi Dumper v8 Tool

By: Babak Esmaeili
August 23, 2016
Babak Esmaeilis profile image
By: Babak Esmaeili
August 23, 2016
SQLi Dumper v8 is an excellent, advanced, automatic SQL injection tool for testing links that may contain SQL injection problems in Windows. Download link: https://userscloud.com/gn4q6dozavla

A good  tutorial by the Anon Angel team: http://anonangelteam.blogspot.co.uk/2015/04/how-to-use-sqli-dumper-v80-powerful.html

This tool is more powerful than the famous Havij SQL injection and has many features including:

  • Supports Multi. Online search engine (to find the trajects)
  • Automated exploiting and analyzing from a URL list-Automated search for data in a bulk URL list
  • Automated analyzer for injections points using URL, POST, Cookies, UserLogin or UserPassword
  • Dumper supports dumping data with multi-threading (databases/tables/columns/fetching data)
  • Exploiter supports up to 100x threads
  • Analyzer and Dumper supports up to 50x threads
  • Advanced WAF bypass methods
  • Advanced custom query box
  • Dumper can dump large amounts of data, with greats control of delay each request (multi-threading)
  • Easy switch vulnerabilities to vulnerabilities
  • Supports proxies list
  • GeoIP database
  • Internal database
  • Trash System
  • Admin login finder
  • Hash online cracker
  • Reverse IP
  • Standalone .exe (no install).

The SQL Injection Methods that are supported include:

- MySQL
- Union (Integer / String)
- Error (Integer / String)

** Error Methods:
- Double Query
- XPATH - ExtractValue
- XPATH - UpdateXML
- Brute Forcing
- Blind
- Load File
- Load File Scanner

** Illegal Mix Of Collations:
- UnHexHex()
- Binary()
- Cast As Char
- Compress(Uncompress())
- Convert Using utf8
- Convert Using latin1
- Aes_decrypt(aes_encrypt())
- MS SQL
- Union (Integer / String)
- Error (Integer / String)

** Illegal Mix Of Collations:
- SQL_Latin1;
- Cast As Char.
- Oracle
- Union (Integer / String)
- Error (Integer / String)

** Error Methods:
- GET_HOST_ADDRESS
- DRITHSX.SN
- GET;APPINGXPATH.

** Illegal Mix Of Collations:
- Cast As Char.

** Suports TOP N Types:
- ROWUM
- RANK()
- DESE_RANK()

** Analizer detects also:
- MS Access
- PostgredSQL
- Sybase


I wanted to use its dork scanner feature for a specific website, not a random search. But, how?

Use this dork in a dork scanner:

.aspx? & site:samplesite.com
.php?  & site:samplesite.com
.asp?  & site:samplesite.com
.pl?   & site:samplesite.com
.jsp?  & site:samplesite.com


And, it simply fetches the links and automatically scans for SQL injection in those links.
Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry