Havij is a tool that automates SQL injections (blind SQL, SQL errors, UNION) to reverse-engineer a database and gather relevant data on a server. Following databases are handled by version 1.12:
- MsSQL 2000/2005 (error, blind, UNION)
- MySQL (error, blind, UNION)
- Oracle (UNION)
- PostgreSQL (UNION)
- MsAccess (blind, UNION)
A free (with limited functionalities) version is available.
Installation is available here: http://www.itsecteam.com/files/havij/Havij1.12Free.rar. All you need to do is to uncompress and install.
- Target: Enter the URL corresponding to the target. This URL should include the parameter(s) that will be used for the injections.
- Keyword: Leave blank to auto detect.
- Syntax: Leave blank to auto detect.
- Database: Select database type if you know it. Else, the tool will guess.
- Method: GET or POST (see FORM METHOD in the source code of your target)
- Type: Leave blank to auto detect.
- Analyze: Click on that button to initialize basic injections and to access the other tabs.
- Load: Enables to load a previously saved session.
- Save: Enables to save a session.
This tab gives information about installed version.
Once target has been analyzed, server information are displayed on this tab.
- Stop: Stops current job (if any running)
- Get DBs: Gets database name (necessary for gathering tables, columns, data)
- Get Tables: Displays list of tables in the database
- Get Columns: Displays list of columns for selected table(s)
- Get Data: Displays data of selected columns
- Save Tables: Enables to save list of tables in a file
- Save Data: Enables to save data in a file
It enables to query the database directly.