Skip to main content

SQL Injection Tools

Sqlninja ( )
Supports only Microsoft SQL Server.

sqlmap ( )
Full support: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.
Partial support for: Microsoft Access, DB2, Informix, Sybase and Interbase.

Pangolin 3.2.3 free edition ( )
Your web applications using Access,DB2,Informix,Microsoft SQL Server 2000,Microsoft SQL Server 2005,Microsoft SQL Server 2008,MySQL,Oracle,PostgreSQL,Sqlite3,Sybase.
Features: Auto-analyzing keyword, HTTPS support, Pre-Login, Bypass firewall setting, Injection Digger, Data dumper, etc.

Havij v1.14 Advanced SQL Injection – free version ( )
SQL Power Injector ( )
Supports: Microsoft SQL Server, Oracle, MySQL, Sybase / Adaptive Server and DB2.

SQLIer 0.8.2b  ( )
SQLIer takes an SQL Injection vulnerable URL and attempts to determine all the necessary information to build and exploit an SQL Injection hole by itself, requiring no user interaction at all (unless it can’t guess the table/field names correctly). By doing so, SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. This script also does not use quotes in the exploit to operate, meaning it will work for a wider range of sites.

bsqlbf-v2 ( )
Supports: MySQL, Oracle, PostgreSQL and Microsoft SQL Server.

Marathon Tool ( )
Supports: MySQL, Oracle, Microsoft SQL Server and Microsoft Access.

Absinthe ( http://www.0×…inthe/index.php )
Supports: Microsoft SQL Server, MSDE, Oracle, and Postgres.

pysqlin (…source/checkout )
Implemented: Oracle, MySQL and Microsoft SQL Server.

BSQL Hacker ( http://labs.portcull…on/bsql-hacker/ )
Implemented: Oracle and Microsoft SQL Server.
Available experimental support for MySQL.

SQL Injection digger (SQLID) is a command line program that looks for SQL injections and common errors in websites. It can perform the follwing operations: look for SQL injection in a web pages and test submit forms for possible SQL injection vulnerabilities

WITOOL ( http://witool.sourceforge.nSQL, Oracle, Microsoft SQL Server and Microsoft )
Implemented: Oracle and Microsoft SQL Server.

sqlus ( )
Supports only MySQL. ( )
Supports only MySQL.

mySQLenum ( http://sourceforge.n…ects/mysqlenum/ )
Supports only MySQL.

Supports only Microsoft SQL Server.

FJ-Injector Framework (
FG-Injector is a free open source framework designed to help find SQL injection vulnerabilities in web applications. It includes a proxy feature for intercepting and modifying HTTP requests, and an interface for automating SQL injection exploitation

SFX-SQLi ( )
Supports only Microsoft SQL Server.

DarkMySQL ( )
Supports only MySQL.

ProMSiD Premium ( http://forum.web-def…02&postcount=15 )
Supports only MySQL.

Acunetix WVS  (
Automatically checks your web applications for SQL Injection, XSS & other web vulnerabilities.

yInjector (…-softwares/id10 )
Supports only MySQL.

Bobcat SQL Injection Tool ( http://www.northern-…pub/bobcat.html )

Safe3 Sql Injector (
Supports: http, https website, Basic, Digest, NTLM http authentications,GET, Post, Cookie sql injection.
Databases: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
SQL injection techniques: blind, error-based, UNION query and force guess.

ExploitMyUnion ( http://sourceforge.n…exploitmyunion/ )
Laudanum ( http://sourceforge.n…jects/laudanum/ )

Hexjector ( http://sourceforge.n…ects/hexjector/ )

WebRaider ( )
Supports only Microsoft SQL Server.  Designed to execute commands on the server (reverse shell).

Toolza 1.0 ( )
SQL injection supported DB: Mysql, Mssql, Sybase, Postgresql, Access, Oracle, Firebird / Interbase

SCRT Mini-MySqlat0r (
A multi-platform application used to audit web sites in order to discover and exploit SQL injection vulnerabilities. It is written in Java and is used through a user-friendly GUI that contains three distinct modules” (Crawler, Tester & Exploiter).

post on comments other sql injection tools that u know