View full version: Released SQLsus 0.2


Fugitif
23.03.2009, 19:20
SQLsus 0.2 - MySQL Injection & Takeover Tool

sqlsus is an open source MySQL injection and takeover tool, written in Perl.

Via a command line interface that mimics a mysql console, you can retrieve the database structure, inject a SQL query, download files from the web server, upload and control a backdoor, and much more...

It is designed to maximize the amount of data gathered per web server hit, making the best use (I can think of) of MySQL functions to optimize the available injection space.

sqlsus is focused on PHP/MySQL installations, and integrates some neat features, some of them being really specific to this DBMS.

I have lots of ideas for sqlsus improvements, all I need is time, and feedback :)

It is not and won't ever be a SQL injection scanner; it starts its job on the next step.


Demo Video:

MySQL 4, quotes allowed, FILE privilege, sighted injection. (http://sqlsus.sourceforge.net/demo/takeover.html)

MySQL 5, no quotes allowed, sighted injection. (http://sqlsus.sourceforge.net/demo/sighted.html)

Download:

http://sqlsus.sourceforge.net/download.html

it's my
15.08.2009, 12:50
Newly released version 0.4: http://sourceforge.net/projects/sqlsus/files/sqlsus/0.4/sqlsus-0.4.tgz/download