SQLol: An Intentionally Vulnerable SQL Injection Web Application!

by Mayuresh on January 9, 2012

in Open Source, Penetration Testing

When you think of a vulnerable web application, the first name that comes to mind is the Damn Vulnerable Web App (DVWA), closely followed by Jarlsberg (aka Gruyere), BodgeIT, Vicnum, etc. These are all great frameworks, but when you want to concentrate only on SQL injection vulnerabilities, there is now an option – SQLol.

SQLol is a configurable SQL injection testbed. It lets you exploit SQL injection flaws, and it also gives you a large amount of control over how the flaw manifests. The author, while thinking about the different data-extraction techniques available through SQL injection, found that no existing vulnerability framework covered the full range of them; in particular, the author had never come across one that includes SQL injection in a DELETE query. SQLol was born with this aim in mind, built specifically for SQL injection flaws. It can be useful both to those who know nothing about SQL injection and to those who already know a bit. SQLol also comes with a set of challenges, each with pre-configured settings, that walk you through performing some flavor of SQL injection.

Options provided by SQLol:

  • Type of query (SELECT, DELETE, INSERT, UPDATE, and custom)
  • Location within query (String/Int in WHERE clause, column name, ORDER BY clause, etc.)
  • Type and level of sanitization (Single quotes [remove, escape, double], keyword blacklist [three levels of difficulty], etc.)
  • Level of query output (No rows, One row, All rows)
  • Verbosity of error messages (No errors, Generic errors, Verbose errors)
  • Visibility of query
  • Injection string entry point
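The options above describe independent knobs, and the reason they matter is that the injection location decides which sanitization helps at all. The following Python script is an added example written for this post, not SQLol's own code: it is a hypothetical miniature of the testbed, with a constructed `users` table in an in-memory SQLite database and stand-ins for three of the single-quote options (none, remove, double). It shows a string injection point that quote-doubling defeats, an integer and an ORDER BY injection point that quote sanitization cannot touch, a boolean condition read back through row ordering, injection into a DELETE query, and the parameterized fix.

```python
import sqlite3

# Constructed sample data (not SQLol's schema). realname is deliberately in the
# reverse alphabetical order of username, so the order of the result set reveals
# which column the database sorted on.
SAMPLE_USERS = [
    (1, "alice", "Zoe", 0),
    (2, "bob", "Yusuf", 0),
    (3, "carol", "Xena", 1),
]


def fresh_db():
    """Return an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, realname TEXT, isadmin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def sanitize(value, mode):
    """Hypothetical stand-ins for SQLol's single-quote options: none, remove, double."""
    if mode == "none":
        return value
    if mode == "remove":
        return value.replace("'", "")
    if mode == "double":
        return value.replace("'", "''")  # SQL-standard quoting, which SQLite honors
    raise ValueError("unknown sanitization mode: %s" % mode)


def lookup_by_username(conn, username, mode="none"):
    """String injection point: the value sits inside quotes in the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '%s'" % sanitize(username, mode)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id(conn, user_id, mode="none"):
    """Integer injection point: no quotes, so quote sanitization never applies."""
    sql = "SELECT username FROM users WHERE id = %s" % sanitize(user_id, mode)
    return [row[0] for row in conn.execute(sql)]


def list_users_ordered(conn, column):
    """ORDER BY injection point: a bare identifier, again outside any quotes."""
    sql = "SELECT username FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]


def delete_user(conn, username, mode="none"):
    """Injection into a DELETE query; returns the number of rows left afterwards."""
    sql = "DELETE FROM users WHERE username = '%s'" % sanitize(username, mode)
    conn.execute(sql)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def delete_user_safe(conn, username):
    """The fix: a bound parameter keeps the value out of the SQL text entirely."""
    conn.execute("DELETE FROM users WHERE username = ?", (username,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def admin_probe(target):
    """A boolean condition smuggled into ORDER BY: if the subquery is true the
    rows come back sorted by username, otherwise by realname, so the attacker
    learns the answer from the order alone (blind extraction via ORDER BY)."""
    return (
        "CASE WHEN (SELECT isadmin FROM users WHERE username = '%s') = 1 "
        "THEN username ELSE realname END" % target
    )


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_by_username(db, "' OR '1'='1"))              # every row
    print(lookup_by_username(db, "' OR '1'='1", "double"))    # no row
    print(lookup_by_id(db, "1 OR 1=1", "double"))             # every row, doubling is useless here
    print(list_users_ordered(db, admin_probe("carol")))       # username order: carol is admin
    print(list_users_ordered(db, admin_probe("alice")))       # realname order: alice is not
    print(delete_user(fresh_db(), "nobody' OR '1'='1"))       # 0 rows left
    print(delete_user_safe(fresh_db(), "nobody' OR '1'='1"))  # 3 rows left
```

The "remove" and "double" modes both stop the quoted-string payloads, but neither changes the integer or ORDER BY results, which is exactly the point of SQLol's "location within query" option: sanitization that is correct for one location is irrelevant for another, and only the bound parameter in `delete_user_safe` is safe regardless of the payload.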

Using SQLol is also quite simple. Just upload the open source SQLol PHP files to your web server and access them via a web browser. Edit the configuration file /includes/database.config.php to point to your database server, then run the resetbutton.php script to create and populate the SQLol database, and start using it from the browser!

SQLol requirements:

  • PHP 5.x
  • Web server
  • Database server (MySQL, PostgreSQL and SQLite have been tested, others may work)
  • ADODB library (included)

As always, do not install this vulnerable application on unprotected, network-facing servers. Our take: if you are a beginner, SQLol will help you a lot, as every challenge page carries helpful hints.

Download SQLol:

https://github.com/SpiderLabs/SQLol/downloads

