Havij is a Security Tool which is used to test website security, Havij last version was 17.2 after that they don’t update it and the official website has been closed permanently, but we have their last version tool which we are going to share with you.
Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.
The distinctive power of Havij that differentiates it from similar tools lies in its unique methods of injection. The success rate of attack on vulnerable targets using Havij is above 95%.
The user-friendly GUI (Graphical User Interface) of Havij and its automated configuration and heuristic detections make it easy to use for everyone even amateurs
Havij SQL Injection Software Features
It can take advantage of a vulnerable web application. back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.
- Complete HTTPS support
- Various updates are available
- Added MS SQL blind
- Blind MSAccess (in commercial version only)
- Easily accessible user manual
- Additional dumping data file feature
- XML format comes with the tool for data storage
- User can remove the log
- The default settings can be changed at any time
- Repair methods are available to cover up the weaknesses of the website
- Keyword testing is also available
- Error fixing feature
Here are Steps of How to use Havij
1First, download Havij from here and install it. Then open it and enter the vulnerable page URL in the target column
2 Set the database option to ‘auto detect‘ and hit analyze. This should show you the current database name as shown below.
3 Click on the “info” tab. This will show you information about the victim’s system. We can see information like Host IP address, web server version, etc.
4 Click on the “Tables” tab.
5 Click on “Get DBs” option. This will list all the databases as shown below.
6. To get tables in a specific database, select the database and click on “Get Tables”. This will list all the tables present in the selected database. I selected the base “shunya” here.
7. We can see that there is on table ‘users’ in our database ‘shunya’ .To get columns, select the table ‘ users’ and click on “Get Columns”.
8. This will list all the columns in the table. We can see that we have five columns in the table ‘users’.all the columns. It’s time to dump the values of columns. Select the columns whose data we want to dump and click on “Get data”. Here I selected all the columns.
9. We got all the data including usernames and passwords. But passwords seem to be encrypted. No problem. Click on the password hashes and copy them. Then click on “MD5″ tab and paste the password. Click on “Start”. Havij automatically decrypts the password for us. Decrypt all passwords in a similar manner.
10. Click on “Find admin”. This option finds the admin page of the website automatically. When it finds the admin page, you can try the username and passwords to get access to the website. Hope this was helpful.