SFX-SQLi (Select For XML SQL injection)

WWW.KACHAKIL.COM

What is SFX-SQLi?

SFX-SQLi (Select For XML SQL injection) is a new SQL injection technique which makes it possible to extract the entire contents of a Microsoft SQL Server 2005/2008 database extremely quickly and efficiently.

This technique is based on the FOR XML clause, which can serialize the contents of a whole table into a single string. That string can then be appended to a field the application already returns, by injecting a subquery through a vulnerable input of a web application.
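As an added example (not part of the original page or the SFX-SQLi tool), the following Python check scans web access logs for requests whose query string carries a FOR XML clause, which is the distinctive element of this technique. The log lines are constructed for the example, the Combined-log layout and the two URL-decoding rounds are assumptions, and the scanner only normalizes the encodings SQL Server itself ignores (URL-encoding, inline comments, whitespace runs).

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed sample lines in Combined-log style (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2010:10:00:01 +0000] "GET /product.aspx?id=42 HTTP/1.1" 200 1832
203.0.113.9 - - [28/Mar/2010:10:00:07 +0000] "GET /product.aspx?id=42;select+*+from+t+for+xml+raw-- HTTP/1.1" 200 9812
203.0.113.9 - - [28/Mar/2010:10:00:09 +0000] "GET /product.aspx?id=42;select+*+from+t+FOR/**/XML%2520AUTO-- HTTP/1.1" 200 9830
203.0.113.7 - - [28/Mar/2010:10:00:12 +0000] "GET /search.aspx?q=for+xml+export HTTP/1.1" 200 2210
"""

# Request line is the quoted field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
# FOR XML is only valid with one of its four modes, so requiring the mode
# keeps ordinary text such as "for xml export" from triggering the rule.
FOR_XML_RE = re.compile(r'\bfor\s+xml\s+(?:raw|auto|path|explicit)\b', re.I)


def normalize(value: str, rounds: int = 2) -> str:
    """Undo what SQL Server's parser ignores: URL-encoding (up to `rounds`
    layers), inline /* */ comments and runs of whitespace; then lowercase."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = COMMENT_RE.sub(' ', value)
    return re.sub(r'\s+', ' ', value).lower()


def find_for_xml_requests(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_query_string) for every request whose
    query string contains a FOR XML clause."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match or '?' not in match.group(1):
            continue
        query = normalize(match.group(1).split('?', 1)[1])
        if FOR_XML_RE.search(query):
            hits.append((lineno, query))
    return hits


if __name__ == "__main__":
    for lineno, query in find_for_xml_requests(SAMPLE_LOG):
        print(f"line {lineno}: {query}")
```

Lines 2 and 3 are flagged (the second despite the comment and double encoding); line 4 is not, because no FOR XML mode follows the keywords.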

Paper in PDF format: SFX-SQLi Paper. Detailed description of how the technique works and its fundamentals.

Proof of concept: SFX-SQLi Tool

To demonstrate the power of this technique in practice, there is a tool that implements it. The tool, together with its source code, can be downloaded from here, exclusively for academic purposes.

UPDATE (28/03/2010): In addition to a new web application for testing, a new revision of the tool is published with some minor fixes and changes, including new functionality such as access to other databases on the same server and support for user-defined queries:

Download the tool: SFX-SQLi Tool (binaries). A tool which automates the process (requires Microsoft .NET Framework 2.0) - v1.1
Download the source code: SFX-SQLi Tool (source code). Source code of the tool (available in VB.NET for Visual Studio 2008) - v1.1
Download an example of a vulnerable web application: WebVulnerableSql (ASP.NET). Vulnerable web application sample for testing (includes executable and source code)

WARNING: Your use of this software indicates your acceptance of this license agreement. You are not allowed to modify the software. You are not allowed to use the software for commercial purposes. The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the author be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Contact the author

If you have any questions, suggestions or proposals related to this matter, feel free to contact me via e-mail:

Daniel Kachakil (dani@kachakil.com)

© 2009 · Daniel Kachakil - Contents under a Creative Commons License

Last updated: 28/03/2010