
Can I get an introduction?
Sure. squeeza was released as part of SensePost's BlackHat USA 2007 talk on timing and related attacks.
A local copy of the paper is available, as is a copy of the slides.
squeeza is a tool that helps exploit SQL injection vulnerabilities in broken web applications. Its functionality is split into creating data on the database (by executing commands, copying in files, issuing new SQL queries) and extracting that data through various channels (DNS, timing, HTTP error messages).
Currently, it supports the following databases:
squeeza is *not* a tool for *finding* injection points. That recipe generally starts with 1 x analyst.
squeeza is distributed under the GNU General Public License.
Check out the README.
Download squeeza ver 0.21