BBQSQL

BBQSQL Package Description

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

• URL
• HTTP Method
• Headers
• Cookies
• Encoding methods
• Redirect behavior
• Files
• HTTP Auth
• Proxies

Then specify where the injection is going and what syntax we are injecting.

Tools included in the bbqsql package

bbqsql – SQL Injection Exploitation Tool

The Blind SQL Injection Exploitation Tool.

bbqsql Usage Example

root@kali:~# bbqsql
    _______   _______    ______    ______    ______   __      
   |       \ |       \  /      \  /      \  /      \ |  \      
   | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$      
   | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$      
   | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$      
   | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$      
   | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____
   | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \
    \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$
                     \$$$                \$$$

                   _.(-)._
                .'         '.
               / 'or '1'='1  \
               |'-...___...-'|
                \    '='    /
                 `'._____.'`
                  /   |   \
                 /.--'|'--.\
              []/'-.__|__.-'\[]
                      |
                     []

    BBQSQL injection toolkit (bbqsql)        
    Lead Development: Ben Toews(mastahyeti)        
    Development: Scott Behrens(arbit)        
    Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)    
    SET is located at: http://www.secmaniac.com(SET)    
    Version: 1.0              
   
    The 5 S's of BBQ:
    Sauce, Spice, Smoke, Sizzle, and SQLi
   


 Select from the menu:

   1) Setup HTTP Parameters
   2) Setup BBQSQL Options
   3) Export Config
   4) Import Config
   5) Run Exploit
   6) Help, Credits, and About

  99) Exit the bbqsql injection toolkit

bbqsql>