Description

jSQL Injection is a lightweight application used to find database information from a server.

It's free, open source and cross-platform for Windows, Linux and Mac and it works with Java from version 11 to 17.

jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux.

Features

• Automatic injection of 33 database engines: Access, Altibase, C-treeACE, CockroachDB, CUBRID, DB2, Derby, Exasol, Firebird, FrontBase, H2, Hana, HSQLDB, Informix, Ingres, InterSystems-IRIS, MaxDB, Mckoi, MemSQL, MimerSQL, MonetDB, MySQL, Neo4j, Netezza, NuoDB, Oracle, PostgreSQL, Presto, SQLite, SQL Server, Sybase, Teradata and Vertica
• Multiple injection strategies: Normal, Error, Blind and Time
• Various injection processes: Default, Zip, Dios
• Database fingerprint: Basic error, Order By error, Boolean single query
• Script sandboxes for SQL and tampering
• List to inject multiple targets
• Read and write files using injection
• Create and display Web shell and SQL shell
• Bruteforce password hash
• Search for admin pages
• Hash, encode and decode text
• Authenticate using Basic, Digest, NTLM and Kerberos
• Proxy connection on HTTP, SOCKS4 and SOCKS5

Installation [jsql-injection-v0.85.jar]

Install Java 11 or up to 17, then download the latest release and double-click on the file jsql-injection-v0.85.jar to launch the software.

You can also type java -jar jsql-injection-v0.85.jar in your terminal to start the program.

If you are using Kali Linux then get the latest release using command sudo apt-get -f install jsql, or make a system full upgrade with apt update then apt full-upgrade.

To run older version on Java 16+ use java --illegal-access=warn --add-exports java.base/sun.net.www.protocol.http=ALL-UNNAMED -jar jsql-injection-v0.84.jar.

Continuous integration

This software is developed using open source libraries like Spring, Spock and Hibernate and is tested using continuous integration platform Github Actions.

Non regression tests are run against dockerized and in memory databases and GUI is tested on VNC screen on the CI platforms, then quality checks are stored on code quality platforms.

flowchart TB
    id022(JUnit Tests)
    subgraph jSQL
    id01(Injection Model)
    id02(GUI)
    end
    id0(Spring APIs)
    subgraph Docker
    direction TB
    id1[(MySQL)]   
    id2[(Postgres)]   
    id3[(...)]      
    end
    subgraph Memory
    direction TB
    id5[(H2)]    
    id8[(SQLite)]
    id6[(...)]      
    end
    id0 --> Docker & Memory
    id01 --> id0
    id022 --> id01 & id02   
    click id01 "https://github.com/ron190/jsql-injection/tree/master/model/src/main/java/com/jsql/model" _blank
    click id02 "https://github.com/ron190/jsql-injection/tree/master/view/src/main/java/com/jsql" _blank
    click id0 "https://github.com/ron190/jsql-injection/tree/master/model/src/test/java/spring" _blank 

[Test-bed scripts for Spring]

See test scripts used for CI integration.

[Test-bed scripts for PHP]

Use the sample PHP scripts to test injection on your local environment. First install a development environment like EasyPHP, then download the test-bed PHP scripts and move them into www/.

<?php
# http://127.0.0.1/mysql/strategy/get-normal.php?id=0

$link = mysqli_connect('localhost', 'root', '', 'my_database');

$result = $link->query("SELECT col1, col2 FROM my_table where id=$_GET[id]");

while ($row = $result->fetch_array($result, MYSQLI_NUM))
    echo join(',', $row);

Screenshots

[Roadmap]

- New manager: create auth token for Basic, Digest, Negotiate, NTLM
- Full Path Disclosure
- WAF fingerprinting
- Inject user defined query
- Inject range of rows
- Routed query strategy
- Connect to Digest/Kerberos API with HttpClient
- Replace Docker with Kubernetes
- Database fingerprinting: Boolean single query

In progress

- Implement DNS/HTTP out-of-band algorithm
- Inject each Cookie parameters
- Rows custom load

Since latest release

- Testing Oracle DNS/HTTP out-of-band
- Testing PostgreSQL DNS out-of-band
- Testing Websocket Basic/STOMP
- Testing GraphQL
- Testing Kerberos

Change log

v0.84-85 Upgrade to Java 11, compatible up to Java 17

v0.83 Modes Zip and Dios, Insertion char and db fingerprinting, 33 dbs including Altibase C-treeACE Exasol FrontBase InterSystems-IRIS MemSQL MimerSQL MonetDB Netezza and Presto

v0.82 Tampering options, Refactoring for Cloud and multithreading

v0.81 Test all parameters including JSON, Parse forms and Csrf tokens, 23 dbs including CockroachDB Mckoi Neo4j NuoDB Hana and Vertica, Translation complete: Russian, Chinese

v0.79 Error Strategies for MySQL and PostgreSQL compatible with Order/Group By, Wider range of Characters Insertion including multibyte %bf

v0.78 SQL Engine, MySQL Error strategy: DOUBLE, Translations: es pt de it nl id, 18 Database flavors including Access

v0.76 Translation: cz, 17 dbs including SQLite

v0.75 URI injection point, Source code mavenification, Upgrade to Java 7

v0.73 Authentication: Basic Digest Negotiate NTLM and Kerberos, Database flavor selection

v0.7 Scan multiple URLs, Github Issue reporter, 16 dbs including Cubrid Derby H2 HSQLDB MariaDB and Teradata

alpha-v0.6 Speed x2: No more hex encoding, 10 dbs including Oracle SQLServer PostgreSQL DB2 Firebird Informix Ingres MaxDb and Sybase, JUnit tests, Log4j, GUI translation

0.5 SQL Shell, File Uploader

0.4 Admin page finder, Bruteforce hashes like MD5 and MySQL, Encode and decode string with methods like Base64, Hex and MD5

0.3 File injection, Web Shell with integrated CLI, Persistence of application parameters, Update checker

0.2 Strategy Time, Multi-thread control: Start Pause Resume and Stop, Log URL calls

0.0-0.1 Method GET POST Header and Cookie, Strategies Normal Error and Blind, Best strategy selection, Progression bars, Simple evasion, Proxy settings, MySQL only

Disclaimer

Attacking web-server is illegal without prior mutual consent. The end user is responsible and obeys all applicable laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program.