Havij 1.17 Pro – SQL Injection Tool


Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system.

What makes Havij different from similar tools is its injection methods. The success rate is more than 95% at injecting vulnerable targets using Havij.


The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.

Havij 1.17 released

We are glad to finally announce the long-awaited release of version 1.17 of Havij Advanced SQL Injection tool.

This version is equipped with enhanced stealth and evasion techniques (including the new randomized signature generator) which allow covert attacks with support for circumvention of many major web application firewalls.

The new Write File feature allows you to create an arbitrary file on the server if the database user has the required permissions. Last but not least is the Dump All feature, which relieves you of the burden of having to retrieve and save each table individually; using Dump All, you can retrieve all the [accessible] databases on the server and save them with a single action.

All the new features and changes introduced in this release are listed below:

• Dump all
• New bypass method for MySQL using parentheses
• Write file feature added for MSSQL and MySQL.
• Loading HTML form inputs
• Random signature generator
• Saving data in CSV format
• Advanced evasion tab in the settings
• Injection tab in settings
• ‘Non-existent injection value’ can now be changed by user (the default value is 999999.9)
• ‘Comment mark’ can be changed by user (the default value is --)
• Disabling/enabling of logging
• Bugfix: adding manual database in tables tree view
• Bugfix: finding string columns in PostgreSQL
• Bugfix: MS Access blind string type data extraction
• Bugfix: MSSQL blind auto detection when error-based method fails
• Bugfix: all database blind methods fail on retry
• Bugfix: guessing columns/tables in MySQL time-based injection
• Bugfix: crashing when dumping into file
• Bugfix: loading project injection type (Integer or String)
• Bugfix: HTTPS multi-threading bug
• Bugfix: command execution in MSSQL 2005

And apart from the changes to the software and the new features, the licensing options for the software have also undergone changes. As of version 1.16 of the software, the evaluation/free edition is no longer available.

However, you may still download older releases of the software which came with an evaluation edition. We cannot, nevertheless, guarantee the quality of the old evaluation editions as many bugfixes and features have been effected since then.
