Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.
- Supported Databases with injection methods:
- MsSQL 2000/2005 with error
- MsSQL 2000/2005 no error (union based)
- MySQL (union based)
- MySQL Blind
- MySQL error based
- Oracle (union based)
- MsAccess (union based)
- Automatic database detection
- Automatic type detection (string or integer)
- Automatic keyword detection (finding difference between the positive and negative response)
- Trying different injection syntaxes
- Proxy support
- Real time result
- Options for replacing space by /**/,+,… against IDS or filters
- Avoid using strings (magic_quotes similar filters bypass)
- Bypassing illegal union
- Full customizable http headers (like referer and user agent)
- Load cookie from site for authentication
- Guessing tables and columns in mysql<5 (also in blind) and MsAccess
- Fast getting tables and columns for mysql
- Multi thread Admin page finder
- Multi thread Online MD5 cracker
- Getting DBMS Informations
- Getting tables, columns and data
- Command executation (mssql only)
- Reading system files (mysql only)
- insert/update/delete data
How to use
This tool is for exploiting SQL Injection bugs in web application.
For using this tool you should know a little about SQL Injections.
Enter target url and select http method then click Analyze.
Note: Try to url be valid input that returns a normal page not a 404 or error page.
This program is free software. I hope it be useful for you.
This software is provided “as is” without warranties.
Feel free to share and distribute it anywhere but please keep the files original!
We are NOT responsible for any damage or illegal actions caused by the use of this program. Use on your own risk!
Version 1.10 2010/05/22
-Runtime error on canceling analyze fixed.
-Bug in finding mssql’s database when COLLATE is not supported fixed.
-A bug in getting mssql tables fixed.
-Html encoding bug when saving data fixed.
-A few other changes.
Version 1.09 2010/05/06
-Software’s window made resizeable.
-Adding and removing nodes to tables tree view list enabled by right click.
-All data bases will be shown in the tree view list.
-Start row in data extraction can be changed now.
-A bug in bypassing illegal union when getting tables and columns in mysql fixed.
-Saving and loading current injection job enabled.
-Start column added to settings
-Blind injection character set added to settings
-MsSQL injection syntax changed.
-Tables and columns brute forcing in mysql 4 blind added.
-Better injection in mssql
-Get data made better in mysql injection
-Find keyword works better now
-Mysql detection from error added.
-A bug in getting current db in mysql fixed.
-Positive pattern replaced with keyword.
-Manual keyword specification.
-Tables and Columns list improved.
Version 1.08 2010/02/13
-MySQL Blind Injection added.
-Auto injection type detection added.
-Try different injection syntaxes becase an option.
-Following redirections became an option.
-Admin list, Table list and Column list improved.
Version 1.07 2009/12/08
-finding column count and string column in mssql no error when type was string fixed.
-some bugs in analyze method for mysql fixed.
-manual syntax available for mysql and mssql no error
-Online MD5 cracker added.
Version 1.06 2009/10/09
-finding string column in mysql made better.
-bug in find admin when file list was huge (oveflow error!) fixed.
-bug in delete/update/insert when database was not default fixed.
-retry bug in find admin fixed.
-‘load cookie’ added to settings.
Version 1.05 Not Released
-find admin added.
-filter made available for mssql
-a bug fixed (blind detection when target is not vulnerable and injection type is string)
-MsAccess database added
-finding columns count and string column in mysql made better.
Version 1.04 Not Released
-filter added to get data
-data list changed
-updating data enabled
-delete row added
-insert new row added
-bug in guessing columns in mysql fixed.
-bug with null strings when ‘avoid using strings’ was on fixed.
-bug in getting data in mysql when type is string fixed.
-injection method changed for mysql.
-bug in guessing tables and columns in mysql<5 fixed.
-program displays injection syntax after analyze.
-‘user agent’ added to settings.
Version 1.03 2009/08/19
-bug in getting info fixed when collate not allowed in mssql
-analyzing method changed for mysql data bases.
-finding db server made better.
-injection with different syntaxes added.
-data base server detection is now both automated and user selective.
-injection of string type for double quotation mark added.
-bugs in cmdshell fixed.
-command executation enabled for mssql no error.
-some little bugs fixed.
Version 1.02 2009/08/08
-access privilege detection added when getting data
-string type added.
-an error in getting http response code fixed.
-a bug in finding columns fixed.
-command executation added.
-‘do not find column count in mssql with error’ added to settings.
-html encode bug in mssql with error fixed.
-another try for finding columns count added.
-logging made better.
-guessing tables and columns in MySQL<5 added.
-a bug in getting tables fixed.
-some other little changes.
Version 1.01 2009/07/25
-post method added.
-program finds count of tables or columns before getting tables and columns.
-‘Replace space with’ added to the settings.
-‘Additional http headers’ added to the settings.
-positive pattern checking algorithm made better.
-stop on erros added.
-a second method added for finding DB server type.
-mssql no error data base added.
-new look (command buttons changed into menus)
-a little problem in getting mysql’s tables data was fixed.
-save option added.
-a bug in data base ‘mssql with error’ when getting tables and columns with ‘avoid using strings’ option fixed.
-some other little changes.