Havij 1.

14 User Manual

IT Security Research & Penetration Testing Team

http://ItSecTeam.com

Author:

r3dm0v3
What’s new?

Features

Installation
 What is Havij?
 What is SQL Injection?
 Who should use Havij?
 Installing Havij
 Uninstalling Havij
 Registering Havij
 Check for update

Getting Started
 Fast starting with Havij
 Saving and loading the project
 Getting Info
 Data base and tables data Extraction
o Data extraction
o Filtering data
o Changing data extraction start row
o Using Group_Concat
o Extracting data of one row at once
o Saving data
o Updating data
o Deleting data
o Inserting data
 Reading files
 Executing system commands on target
 Query
 Finding admin login page
 Cracking MD5 hashes
Manual Injection
 Choosing Database
 Choosing Variable Type
 Defining Keyword
 Defining Syntax
 Defining Syntax for Blind injections
 Choosing Method
 Injecting into Forms (POST Method)

Settings
 Basic Settings
o Using proxy
o Replacing Space character
o Showing Injections
o Injecting URL rewrite pages
 Advanced Settings
o Authentication is needed for injection
o Defining character set to use in blind injections
o Changing Headers
o Avoid using strings
o Bypass illegal union
o Try different syntaxes in union injection
o Follow redirections
o Column count
o Do not find columns count in MsSQL with error
o Bypass mod_security
o Time based method delay
What’s new?
 Sybase (ASE) database added.
 Sybase (ASE) Blind database added.
 Time based method for MsSQL added.
 Time based method for MySQL added.
 mod_security bypass added.
 Pause button added.
 Basic authentication added
 Digest authentication added.
 Post Data field added
 bugs related with dot character in database name fixed
 Syntax over writing when defined by user in blind injections fixed.
 mssql database detection from error when using JDBC driver corrected.
 Time out bug in md5 cracker fixed.
 Default value bug fixed
 string encode bug fixed in PostgreSQL
 Injecting URL rewrite pages added.
 injecting into any part of http request like Cookie, User-Agent, Referer, etc made
available
 A bug in finding string column fixed. (specially for MySQL)
 Finding columns count in mysql when input value is non effective added.
 Window resize bug in custom DPI setting fixed.
 Some bugs in finding row count fixed.
 Getting database name in mssql error based when injection type is guessed integer
but it is string fixed.
Features
item Free Pro
version version
1. Supported Databases with injec on methods:
MsSQL 2000/2005 with error
MsSQL 2000/2005 no error union based
MsSQL Blind
MsSQL time based
MySQL union based
MySQL Blind
MySQL error based
MySQL time based
Oracle union based
Oracle error based
PostgreSQL union based
MsAccess union based
MsAccess Blind
Sybase (ASE)
Sybase (ASE) Blind
2. HTTPS Support
3. Proxy support
4. Automa c database detec on
5. Automa c type detec on (string or integer)
6. Automa c keyword detec on (finding difference between the posi ve
and negative response)
7. Trying different injec on syntaxes
8. Options for replacing space by /**/,+,... against IDS or filters
9. Avoid using strings (magic_quotes similar filters bypass)
10. Manual injec on syntax support
11. Manual queries with result
12. Bypassing illegal union
13. Full customizable http headers (like referer,user agent and ...)
14. Load cookie from site for authen ca on
15. Http Basic and Digest authentication
16. Injecting URL rewrite pages
17. Bypassing mod_security web application firewall and similar firewalls
18. Real time result
19. Guessing tables and columns in mysql<5 (also in blind) and MsAccess
20. Fast getting tables and columns for mysql
21. Executing SQL query in Oracle database
22. Getting one row in one request (all in one request)
23. Dumping data into file
24. Saving data as XML format
25. View every injection request sent by program
26. Enabling xp_cmdshell and remote desktop
27. Multi thread Admin page finder
28. Multi thread Online MD5 cracker
29. Getting DBMS Informations
30. Getting tables, columns and data
31. Command executation (mssql only)
32. Reading system files (mysql only)
33. insert/update/delete data
Installation
What is Havij?
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit
SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software user can
perform back-end database fingerprint, retrieve DBMS users and password hashes, dump
tables and columns, fetching data from the database, running SQL statements and even
accessing the underlying file system and executing commands on the operating system.
The power of Havij that makes it different from similar tools is its injection methods. The
success rate is more than 95% at injec ng vulnerable targets using Havij.
The user friendly GUI (Graphical User Interface) of Havij and automated settings and
detections makes it easy to use for everyone even amateur users.

What is SQL Injection?

SQL Injection is common web application vulnerability due to insufficient validation on user
inputs. An attacker can inject some SQL commands into the original query written by the
developer to change the result to what he/she wants and execute his/her commands. This
work (injecting SQL commands) is called Exploitation that can cause sensitive data
disclosure, changing data, deleting data or even whole system compromise!

Who should use Havij?

All security professionals, Web administrators, web application developers, penetration
testers, everyone who wants to test his/her sites security and all hack and security
researchers can use Havij.

Installing Havij
Requirements for installing Havij:

 Windows operating system

 Havij setup file
 Internet Explorer 5.5 or above
 8MB free space on hard disk

Make sure that you have downloaded the setup file from ItSecTeam.com or somewhere else
that you trust.

For starting the installation run the setup file. Below window should be displayed.
Click on ‘Next’ to continue the installation and below window will be shown.
At the above window you should specify where you want to install Havij. You can use the
default path and click on ‘Next’ to go to next step.

You should enter the Start Menu folder that will be created for program at the above
screen. Click on ‘Next’ after doing it.
If you would like to create a shortcut for the Havij on your desktop check the ‘Create a
desktop icon’ checkbox. With clicking on ‘Next’ button following information about the
install should be shown.
Click on ‘Install’ to start the installation.

After the installation finished, following window will be shown.

If you would like to run Havij after installation, check ‘Launch Havij’ checkbox and click
‘Finish’ button.
Havij installation successfully finished.

For running Havij you can click on Havij icon in Start Menu folder or run it from desktop
shortcut.

Important: Havij needs accessing to the internet for injecting the targets. If you use firewall
software, give the required permissions to the Havij.
The above steps are same in all versions.

Uninstalling Havij
For uninstalling Havij go to Control Panel and open ‘Add or Remove Programs’ then find
Havij in list.
Click on ‘Remove’ to uninstall begins. The uninstall program will ask you that are you sure
you want to uninstall it or not, click on ‘Yes’. Havij removal process will proceed
automatically and at last the following message will be shown.

The above steps are same in all versions.

Registering the software

Before you can register the software you should buy a license. For purchase detail contact
[email protected]
After receiving the license follow these steps to register.

1- Connect to the internet

2- In about window click on ‘Register’

3- In ‘Name’ text box enter the name that your license is registered to.
4- In ‘File’ text box browse the license file.
Important: both name and license file will be send to you after purchase.
5- Now click on ‘Register’ and wait until license validation process completes. The
following message should be shown if everything is correct.
Important: if you use firewall, make sure that Havij has enough permission to access the
internet. If you had problem with registering, turn off your firewall and repeat all steps.

Important: using one license at two or more different machines will make the license
expired!
Check for update
In about window click on ‘Check for update’ to program automatically check for new
updates. If there be no updates the following message will be shown.

If there is a new version available, this message will be displayed.

If you would like to download the new version, click on ‘Yes’ button.
Getting Started
Fast starting with Havij
You don’t need so much technical information for using Havij however it has a lot of settings
for professional users. To start using Havij you just need a vulnerable URL to SQL Injection
bug.

How to find a vulnerable web site? You can use web vulnerability scanner programs and
available tools for finding SQL Injection vulnerabilities and also you can use Google. It
doesn’t matter if you are not sure that page is vulnerable or not, Havij will check it. You can
use Havij to check security of your own website.

Why should the target address be like ‘http://www.target.com/index.php?id=123’? Because

the vulnerable page must have at least one input that Havij could inject into in.
Save and loading the project
For increasing your speed in testing targets you can save them after analyze and injecting,
so you won’t need to analyze them again for further use.

To save the project after analyze, click on ‘Save’ button below the ‘Analyze’ and select a file.

For loading a project and continuing it click on ‘Load’ button near the ‘Save’ button and load
the saved project.
Getting Info
After analyzing finished, if the target is vulnerable, the ‘Info’ button on the top menu will be
activated. You can use this option to get some info like database username, current
database, server name and more. To do this click on ‘Info’ then click on ‘Get’ extracted info
will be shown in the text box. You can save this info by clicking on ‘Save’ button.
Data base and tables data Extraction
Data extraction
Using the ‘Tables’ button on the top menu you can find server’s database and tables. Click
on ‘Tables’ to display the data extraction window. On the left window databases and tables
will be shown and on the right window extracted data. After analyzing, target’s default
database is selected in the left window, to get all databases click on ‘Get DBs’.

Important: the current database user may doesn’t have enough privileged to access other
databases.
To view tables, check one or more database from the left list and click on ‘Get Tables’.
Tables will be listed under the databases.

To get columns first choose one or more tables and then click on ‘Get Columns’.
To get data from tables select some columns (check their checkbox) and then click on ‘Get
Data’.
Filtering the data
Sometimes you’re looking for a specific data in database, in these cases you can use filter to
find what you want faster.

To set a filter on data extraction click on arrow near the ‘Get Data’ button and select ‘Filter’
from the opened menu. Now enter your condition and click on ‘Get Data’ to get all data that
fit your condition.
For example if you want to get the record that its ‘Username’ column is ‘Admin’ enter the
following condition as filter:

Username=’Admin’

To remove filter leave it empty.

Changing Data extraction start row

The ‘Get Data’ extracts data from first row to the last row by default. If you want to change
the start row click on arrow near the ‘Get Data’ and select ‘Start Row’ then enter the
number of data extraction start row. Now click ‘Get Data’ to start data extraction. At any
time you can click on ‘Stop’ to stop data extraction.

Using Group_Concat
This option is below the database and tables list. If it is activated it means that you can use
Group_Concat function in MySQL database to extract all tables and databases in one
request.

Important: if there are so many tables or columns, Havij may not be able to extract all of
them using Group_Concat option. The following message will be displayed in this case.

To get tables or databases normally uncheck this Group_Concat and retry.

Extracting data of one row at once
Using ‘All in one request’ op on below the extracted data window you can get 1 row data of
all columns you selected in one request.

Important: if selected columns are too much, Havij may not be able to extract all data using
this method. To get data normally uncheck ‘All in one request’ and retry.

Saving Data
For saving tables in html format click on ‘Save Tables’ and for saving data click on ‘Save
Data’.

If you would like to save data in XML format click on arrow near the ‘Get Data’ and select
‘Save as XML’ then select a file to save. Now click on ‘Get Data’, extracted data won’t be
displayed in form and will be saved directly in XML file. This is good for getting so much
data.

If you would like to dump data like MySQL, click on arrow near ‘Get Data’ and select ‘Dump
into File’ then click ‘Get Data’ then extracted data won’t be displayed and will be directly in
file. This is good for getting so much data.

Updating data
For updating data double click on it and enter new data then press Enter key.

Deleting data
To delete a row right click on it and select ‘Delete Row’.
Inserting Data
To insert a new record right click on a row and select ‘Insert Row’.

Important: it’s not possible to update, insert or delete data in MySQL with PHP. It is shown
in below table for other data bases and languages.

SQL Server MySQL PostgreSQL Oracle MsAccess

ASP Yes ? ? ? No
ASP.NET Yes ? ? ? No
PHP Yes No Yes ? No
JAVA ? No ? No No
ColdFusion Yes ? ? ? No

Reading Files
If the database is MySQL after analyze ‘Read Files’ will be activated and you can read files on
MySQL server using it. To do this just enter the file address and click ‘Read’

Important: if the file does not exist or the current database user doesn’t have enough
privilege to access the file, nothing will be displayed.
Executing system commands on target
When target’s database is Microsoft SQL Server, ‘CMD Shell’ option will be activated and
you can execute system commands on SQL server.

Enter your command and click ‘Execute’. The result will be displayed if the command was
executed.

Important: for executing commands database user must have enough privilege.
Query
By using ‘Query’ on top menu you can run your own query on target’s database.

Important: SQL queries should not return more than one row.
Finding admin login page
By using ‘Find Admin’ you can find any site’s login page. Click on ‘Find Admin’, enter the site
address in ‘Path to search’ and click ‘Start’ to find available login pages for that site. Found
pages will be shown in list. You can right click on them and select ‘Open URL’ to open them
in your browser.
Cracking MD5 Hashes
Havij has an online MD5 cracker. Click on ‘MD5’ on top menu and enter the hash you want
to crack into ‘MD5 hash’ field and click ‘Start’. Havij will look for hash in several sites in multi
thread mode and displays the result.
Manual Injection
Havij has manual injection settings that let the user to set them manually and use Havij
advantages in injecting targets vulnerable to SQL Injection bug. By default all of these
setting are set to ‘Auto Detect’ and Havij does everything needed. These settings are
Keyword, Syntax, Database and Type (variable type). You can set one or all of these settings
manually and start injecting.

Choosing Database
If you’re sure what the target’s database server is, you can select it from ‘Database’ list on the top of
main program window. Havij supports following databases and injection methods.

 MsSQL with error: Microsoft SQL Server injection using error based method
 MsSQL no error: Microsoft SQL Server injection using union
 MsSQL Blind: Microsoft SQL Server injection using blind method
 MySQL unknown ver: MySQL injection using union
 MySQL Blind: MySQL injection using blind method
 MySQL error based: MySQL injection using error based method
 Oracle: Oracle injection using union method
 PostgreSQL: PostgreSQL injection using union method
 MsAccess: Microsoft Access injection using union method
 MsAccess Blind: Microsoft Access injection using blind method

Choosing Variable Type

Variable type is type of the input variable that Havij injects into it that can be integer or
string. Integer type is variable that will be used directly in SQL query but string type will be
used between quotation marks (‘ or “).

Defining Keyword
Keyword is a word that indicates true response. True response is the response that page
returns to a SQL injection that returns some rows. The false response is the response page
returns to an injection that cause the query to return no row. Keyword is a word from the
html source code of true response page.
For finding keyword you can use following injections.

h p://site.com/index.php?id=52 and 1=1 that returns true response for integer variables

h p://site.com/index.php?id=52 and 1=0 that returns false esponse

r for integer variables

And

h p://site.com/index.php?id=52’ and ‘x’=’x that returns true response for string variables

h p://site.com/index.php?id=52’ and ‘x’=’y that returns false response for string variables

Keyword should exist in true response and shouldn’t exist in false response. For example if
you can see ‘Hello’ word in true response and couldn’t see in false response (in html source
code), ‘Hello’ is a good keyword to use.

Defining Syntax
In some targets because of specific SQL queries or conditions Havij can’t inject
automatically. In these cases you can still inject with Havij using manual syntax.

For example assume that you can inject into a target and see the SQL server version using
the following injection.

http://site.com/index.php?id=-52 union all select 1,2,@@version,3—

To set syntax in Havij enter the following address as ‘Target’:

h p://site.com/index.php?id=52

And then check ‘Syntax’ checkbox and enter the following in textbox as ‘Syntax’:

-52 union all select 1,2,%String_Col%,3—

Important: we replaced @@version that will be returned in page with %String_Col%

Important: %String_Col% is case sensitive.

Now click on ‘Analyze’ to start injection.

Defining Syntax for Blind injections

In blind injections none of selected data by query won’t be returned in vulnerable page, so
it’s not possible to extract data by union injection. In most of cases we can see two different
response by various injections, one which indicates true response (SQL query with injection
returns at least one row) and the other indicates false response (SQL query with injection
returns no row). Please read ‘Defining Keyword’ for more.

For example assume that following injection returns true response in some page:

h p://site.com/index.php?id=52 and 1=1

Enter following URL as target:

h p://site.com/index.php?id=52

And enter the following expression as syntax:

52 and %True_Expression%

Important: %True_Expression% is case sensitive.

If the variable type is string and you can see true response by the following injection:

h p://site.com/index.php?id=52’ and ‘x’=’x

Enter following URL as target:

h p://site.com/index.php?id=52

And enter this as syntax:

52’ and %True_Expression and ‘x’=’x

Important: if you set manual syntax, it’s better to set keyword manually too (especially in
blind injections).

Choosing Method
Method is the http method that Havij uses to send injection to target. All links in html pages
use GET method and most of forms use POST method. GET method is selected by default. If
you found injection in a form, you should use POST method.

Injecting into Forms (POST Method)

For example if you saw the following form in a page and you would like to inject into it with
Havij, follow these steps:
1- Select POST method
2- View the source code of the page.

3- Look for <form> tag in the page source code.

4- Enter the action value (login.php) after the URL like this:

http://site.com/login.php

5- In Post Data field enter the input parameters in the following format:

pass=&submit=Login&name=whatever

Important: the last parameter (name) will be injected. If you would like to inject into
‘pass’ parameter, you can write it and the end or define it as below:

pass=%Inject_Here%&submit=Login&name=whatever

6- Click on ‘Analyze’ to start injection.

Settings
By using ‘Settings’ from the top menu you can change some settings of Havij.

Important: for settings to take effect after analyze and while doing injections, you should
click on ‘Apply’ button in ‘Settings’ window otherwise new settings will take effect with
clicking on ‘Analyze’.

Basic Settings
Using Proxy
For hiding your IP while injecting a target you can use proxy. In settings window check
‘Proxy’ checkbox and enter your proxy server address and port.

Replacing Space character

For bypassing some filters that block injection requests you can replace space character with
+,/**/,… . This won’t change the injection result but can bypass weak filters.

To do this click on ‘Replace space with’ on settings to check it and select or enter what you
want to be replaced with space character in injections.
Showing Injections
Havij can display all injection that it does and you can open them in your browser to see the
result.

Click on ‘Show Requests’ in settings window to check it. All injections will be shown in log
window.

Injecting URL rewrite pages

Sometimes you can see URLs without any input parameter. In this URLs input parameters
are set using URL rewrite option (if exists). You define injection point using %Inject_Here%
tag in your target. For example if you had a URL like this:

h p://somewhere.com/news/1077/index.html

And 1077 is the vulnerable variable, you should enter the following URL as target:

http://somewhere.com/news/%Inject_Here%/index.html

Important: %Inject_Here% is case sensitive

Advanced Settings
Authentication is needed for injection!
In some cases you need to login into site to access the vulnerable web page. Havij can inject
these kinds of targets too.

Havij supports for three type of authen ca ons:- 1h p Basic authen ca on

- http
2 Digest
authen ca on- 3http form authentication

Http Basic authentication

If the target uses Basic authentication, Havij will detect it and ask you for username and
password.

Just enter your username and password and click ok.

You can do this manually by clicking on ‘Authentication’ in settings.

Http Digest authentication

This is same as Basic authentication

Http form authentication

This is when you have to login through a form in website

Just follow these steps for authentication:

1- Enter vulnerable web page address as ‘Target’.

2- Go to settings and check ‘Additional http headers’ checkbox and click on ‘Load
Cookie’.
3- In new window you can see the web page as you see it in your browser (IE), now
login into the site.
 4- Click ‘Add’.

5- Click on ‘Analyze’ to start injection.

Defining character set to use in blind injections

In blind injections Havij finds each character of data by binary trial and error method.
Characters range that Havij uses can be changed. In settings set your character ascii range as
‘Blind injection character ascii set’

Changing Headers
All injections that Havij does are sent using http protocol. This protocol has a lot of headers
that you can set them manually for example one of common headers is User-Agent that
indicates user browsers.

In settings click on ‘Additional http headers’ to check it and enter any header you want.

To set the ‘User-Agent’ click on it and select one from the menu.
Avoid using strings
If this option is checked Havij will encode all string (literals between quotation marks)
automatically. This can bypass filters like ‘magic_quotes’. It’s recommended to use this
option.

Bypass illegal union

This option is for solving different table languages problem in injections with union method.
It’s recommended to use this option.

Try different syntaxes in union injections

If this option is checked, Havij will try to find columns count with different syntaxes (normal
and with parentheses) in union injections.

Follow redirections
If this option is checked, Havij will search for injection result in redirected page (if server
redirects to another page).

Column count
You can set minimum and maximum number of selected columns that Havij tries to find in
union injections.

Do not find columns count in MsSQL with error

If this option is checked, Havij won’t try to find columns count when database server and
injection method is Microsoft SQL Server with error based method. It’s recommended to
use this option.

Bypass mod_security
This is for bypassing mod_security web application firewall and similar firewalls. This option
will be used automatically by the software, you can also set it manually.

Time based method delay

This option defines milliseconds delay for time based injection methods. If it is set to ‘Auto’
Havij will automatically use the best suitable delay.