jSQL Injection alternatives

The sqlmap is a well-known tool with an amazing number of GitHub stars (10,000+). It is used by many security professionals around the world to test the security of both web applications and the database that stores the data.

NoSQLMap is designed to audit database, as well to automate injection attacks. It can exploit configuration weaknesses in NoSQL databases and web applications using NoSQL.

Albatar has the focus on the situations where tools like sqlmap need to be adjusted to make an exploit work. It is written in Python and unlike sqlmap, it does not detect SQL injection vulnerabilities.

This tool has limited documentation. For that reason, the review is limited at this time.

Acra is a database encryption proxy that provides encryption and data leakage prevention to applications. It provides selective encryption, access control, database and data leak prevention, and even intrusion detection capabilities. It is focused on developers and supports most popular programming languages such as Go, PHP, Python, Ruby.

Typically this type of tool would be used as an additional defense layer to prevent injection attacks from reaching the database.

SQLMate is a tool to perform security assessments and vulnerability of web applications. It can discover admin panels of websites, which might be a way to break into a web application. It also has the option for dorking, which means it can find possible vulnerable targets to a particular attack.

The tool has a plugin-based architecture for enumeration purposes of Oracle installations.

• Sid enumeration
• Passwords tests (common & dictionary)
• Enumerate Oracle version
• Enumerate account roles
• Enumerate account privileges
• Enumerate account hashes
• Enumerate audit information
• Enumerate password policies
• Enumerate database links

Evilredis tool is an offensive security program for pentesting Redis databases. It can scan the target and perform different actions, like shutting down a Redis instance.

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications. There are many remotely exploitable vulnerabilities for web applications and their front-end components. Yasuo helps to make it easier to scan for the weaknesses like remote code execution (RCE), SQL injections, and file inclusions.

This tool performs an assessment by running actual queries against the database engine or reading the configuration file for particular settings. The tool helps with finding any issues and possible improvements.

This tool is typically used by developers and system administrators to protect their database against common database attacks. One of them is the SQL injection attack, that tries to bypass checks, resulting in data leakage. By using this tool, another level of security defense is implemented.

Arachni is framework written in Ruby with focus on evaluating the security of web applications. Typical users include security professionals and system administrators.

The tooling is free and open source. Besides Linux, it also runs on macOS and Microsoft Windows.

Commix is short for COMMand Injection eXploiter.

The tool uses RBAC (Role Based Access Control) with different levels of access. Jackhammer uses several tools to do dynamic and static code analysis (e.g. for Java, Ruby, Python, and Nodejs). It checks also for vulnerabilities in libraries. Due to its modular architecture, it can use several scanners out of the box, with options to add your own.

The Jackhammer project was initially added to GitHub on the 8th of May, 2017.

Databases typically store sensitive data or data that is important for the company. This data needs to be protected in different ways, like who has access, what level, and how it is stored. Mongoaudit helps to audit several technical aspects of running a MongoDB instance and get it properly secured.

0d1n is useful to perform brute-force login attempts for authentication forms. It can discover useful directory names by using a predefined list of paths. With options to use a random proxy per request and load CSRF tokens, it is a tool that can be used in different type of assignments.

Leviathan is a security tool to provide a wide range of services including service discovery, brute force, SQL injection detection, and exploit capabilities. The primary reason to use this tool is to do massive scans on many systems at once. For example to include a huge network range, country-wide scan, or even full internet scan.

The pybelt toolkit may be useful during a pentest to simplify the process of scanning. It includes options like port scanning, dork checking, cracking and verification of hashes, and scanning for SQL injections.

Tulpar is a vulnerability scanner that can be used to test new or existing web applications. In the former case, it could be helpful to test a new project before it is deployed into production. This could be done by the developer or a security professional. If some web application is already in production, then it might be a good tool to perform regular testing on known vulnerabilities. In this case, it is typically a pentester or security specialist that does the testing.

With WPSeku a WordPress installation can be tested for the presence of security issues. Some examples are cross-site scripting (XSS), sql injection, and local file inclusion. The tool also tests for the presence of default configuration files. These files may reveal version numbers, used themes and plugins.