Hexjector is an Opensource,Multi-Platform PHP script to automate site pentest for SQL Injection Vulnerabilties.

Hexjector Version 1.0.7.3SE (5/6/2010)

Changes Made from previous release :
-Special Edition
-Disclaimer added.
-Hexjector Official Documentation for Win32 released.
-MySQL Injection v5 Full Database Enumeration (There was a few bugs in past releases
that is fixed in this version and Data Retrieved is checked one by one.).
-Persistent XSS is patched by filtering the $url2.
(For the Patch, you can find it at Exploitdb or email me if it has still not
posted at exploitdb)
-Html Dump temporary removed due to 0day Vulnerablity found by me.
-Video regarding 0day Exploit is made and uploaded at youtube.
-Non-Persistent XSS is patched.
-Another Non-persistent XSS is patched (Hexdumper).
-Yet Another Non-persistent XSS is patched (Hexafind).
-Every input is filtered to prevent XSS.
-cURL is modified to reduce HTTP Request Time Usage.
-Type of Injection(Numeric,String Based) added.
-Changes in Query according to Numeric or String Based Detection is added.
-Total Queries Generated for Information_schema,phpmyadmin and mysql is 359.
-Error in Hexdumper fixed. (wafdetect($dumpstr))
-Filenames had been modifed to make it more professional.
-Error in Column Count is patched.
-Coalesce() is added.
-Error on conditional matching is fixed. ($str_col=true)
-Now I will focus on MySQL Injection v4.
-MySQL Injection v4 is temporary disabled as I never refined the code since made
and it is kind of buggy.
-You may notice some performance slow down.(Reason is located at the below).
-Problem on if there is too many columns ,only partial of the data will be
extracted is patched.
-Interface changed to aid users in finding the data wanted(Data are in bold).
-SiXSS Added.
-Custom Header is added.
-Server Information is added.
-Connect4.php editted to make it more error-proof.
-Processes of Hexafind,Hexoutfile and Hexdumpfile has been changed to
make it more real-time.
-Hexoutfile(Into OutFile) added.
-New File Created : hexoutfile.php
-Hexdumpfile(Into DumpFile) added .
-New File Created : hexdumpfile.php
-Load_File added.
-New File Created : hexloader.php
-Custom Back Parameter added.
-Update Check Module is added.
-Version Comment added.
-Operating System Detection added.
-Operating System Architecture Detection added.
-Temporary Directory Retrieval Added.

-New File added : HexacURL.php
-HexacURL is a cURL based webbrowser with Header Enumeration to ease Professional Pentesters
to solve the sql query problems.
-Non-persistent XSS is expected if the site has XSS.It is more or less like a browser
so this is normal.
-Testers can use it to find the unique parameter input it in Custom Parameter
of Hexjector so Hexjector can execute.
-Custom Whitespace added.
-To Hexadecimal added.
-Url_encode added.
-Url_decode added.

Download Link :
Windows :
[sourceforge.net]

Unix :
[sourceforge.net]

Mac :
[sourceforge.net]



I would like some feedbacks and ideas on what to improve.

Hexjector is an Opensource,Cross Platform PHP script to automate site
Pentest for SQL Injection Vulnerabilties.


Version 1.0.7.4 (3/7/2010)

Hexjector v1.0.7.4
-WAF_Detector v1.0.2
-HexacURL v1.0.1
-Hexafind v1.0.1
-Error_Check v1.0.2
-Hexdumper v1.0.1
-HexaCurD v1.0.0
-Hexdumpfile v1.0.0
-Hexoutfile v1.0.0
-Hexloader v1.0.0
-HexDorker v1.0.1

-MsAccess SQL Injection is not added yet, it will be added in the next version.
-MySQL Injection v4 is back !
-WebPanel is Added.
-Every additional tool is separated to enable users to know the progress of the
additional tools.
-Index.php is made to convenient users in using tools of Hexjector.
-Refined the code to reduce wastage of HTTP Requests.
-Every file that specialized in Connection will have a prefix "Con_".
-Waf_Detector.php is removed.
-Waf_Detector is integrated into each Connection.
-Every File with Waf_Detector have a postfix "_WD" to ease users & developers
to identify it.
-Wafdetect on MySQL Injection v4 is disabled by default as it may hinder the process.
(Enabled back by integrating connection with wafdetect)
-wafdetect is removed as wafdetect is integrated into each Connection.
-Coalesce() is removed.
-Problem on Webservers not using apache is fixed. (Apache_request_headers() )
-Error_reporting is enabled. (Previously disabled due to my fault)
-Background of Hexjector is changed.
-Hexjector Wordpress Blog opened (http://sourceforge.net/hexjector/wordpress)
-Personal Wordpress Blog opened.
-Wallpaper Gallery opened.
-Users can see Wallpapers submitted at the Gallery.
-Filename error fixed as Filename is case-sensitive in Unix.
-Auto-Update Check is done.
-Union All select in Information.php is changed to Union distinct select.
-HexacURL and HexDorker is separated from main

A New Tool had been made.
-HexaCurD.php is made.
-HexaCurD is an additional tool to aid users to retrieve the Current Directory
of a particular table in MsAccess SQL Injection.

A New Tool had been made.
-HexDorker.php is made.
-HexDorker is a Tool to search for sites by using Google Dork and check the sites
for SQL Injection Vulnerabilities.

Download Link:

Win32 :
http://sourceforge.net/projects/hexjector/files/Hexjector%20(Win32)/Hexjector%20v1.0.7.4.zip/download

Unix :
http://sourceforge.net/projects/hexjector/files/Hexjector%20(Unix)/Hexjector%20v1.0.7.4.tar/download

Mac :
http://sourceforge.net/projects/hexjector/files/Hexjector%20(Mac)/Hexjector%20v1.0.7.4.tar/download