An SQL injection attack is perhaps still the worst enemy of a corporation. Simply put, it allows a malicious person, entity, “codebot” or even a nation to draw information out of a corporation’s or government’s databases and use it for nefarious ends.
Is the cure for these sorts of attacks simply the use of automated scans using commercial products?
One has to dig further once a “vulnerability” is discovered.
To be clear, code/SQL injection attacks are still one of the most common methods for hackers to get into your system.
There is a pretty good write-up on tools to use after the initial “click” that help automate what might otherwise be manual testing. However, manual testing is still a part of the process. The security industry should not get lazy and think that automated tests are all that is needed.
Back to the “pretty good write-up”. In my experience (and we all have our own experiences with testing) the following list needs to be re-ordered to list the following tools first:
1. SQLMap – hands down the best tool I have used after working with scores of tools.
2. Havij – very effective. It costs some coin but it is worth the cost.
3. Pangolin – beware the malware downloads and the false positives but this product does a great job.
The others are good but nothing I have found compares to the top three here, especially SQLMap. You’ll need to use a command line interface and read some documentation but imagine injecting a site based on cookies, headers, GET, POST, etc. requests. Then getting usernames, passwords, privileges, network access, etc.
And then gaining shell access to the computer and traversing through the network?
This is possible with SQL Injection and SQLMap.
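The point above that cookies, headers, GET and POST values are all injection points has a defensive consequence: every request-derived value has to be bound as a query parameter, not only form fields. The following is an added example, not code from the original post; the table, the `token` field and the request dictionary are constructed for illustration, and it uses Python's built-in `sqlite3` module.

```python
import sqlite3

SOURCES = ("cookies", "headers", "get", "post")  # where a request value can come from

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    db.executemany("INSERT INTO users (name, token) VALUES (?, ?)",
                   [("alice", "tok-alice-111"), ("bob", "tok-bob-222")])
    return db

def request_with(source, value):
    """Build a constructed request whose 'token' field arrives via one source."""
    req = {s: {} for s in SOURCES}
    req[source]["token"] = value
    return req

def lookup_vulnerable(db, req, source):
    # BEFORE: the request value is pasted into the SQL text, so it is parsed as SQL.
    token = req[source].get("token", "")
    sql = "SELECT name FROM users WHERE token = '" + token + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, req, source):
    # AFTER: the value is bound as a parameter and is only ever compared as data.
    token = req[source].get("token", "")
    sql = "SELECT name FROM users WHERE token = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (token,))]

def compare(value):
    """Run both lookups for the same value arriving through every source."""
    db = make_db()
    return {s: (lookup_vulnerable(db, request_with(s, value), s),
                lookup_safe(db, request_with(s, value), s)) for s in SOURCES}

if __name__ == "__main__":
    tampered = "x' OR '1'='1"  # constructed textbook tautology
    for source, (before, after) in compare(tampered).items():
        print(f"{source:8} concatenated={before} parameterized={after}")
```

The concatenated lookup returns every user for the tampered value regardless of which part of the request carried it, while the parameterized lookup returns nothing, which is why a review that only checks form fields leaves cookie and header handling exposed.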