The Mole is an automatic SQL Injection exploitation tool. Only by providing a vulnerable URL and a valid string on the site it can detect the vulnerability and exploit it, either by using the union technique or a boolean query based technique.
- Support for Mysql, Postgres, SQL Server and Oracle.
- Automatic SQL injection exploitation using union technique.
- Automatic blind SQL injection exploitation.
- Exploits SQL Injections in GET/POST/Cookie parameters.
- Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Exploits SQL Injections that return binary data.
- Powerful command interpreter to simplify its usage.
How To Use The Mole
./mole.py -u 'http://192.168.0.142/vulnerable/sqli.php?id=1' -n 'admin'
By default, the last parameter on the URL is used as the vulnerable parameter. If you want to specify another parameter as the vulnerable one, you can use the “-p” command line argument, or use the “injectable_field” command.
For Windows Users
Windows users shoud be aware that when using the “-u” command line argument, the “&” characters have to be escaped manually using the “^” character. Therefore, if the URL has two parameters, it should look like this:
mole.exe -u http://192.168.0.142/vulnerable/sqli.php?param=1^&id=1 -n 'admin'
You can also set the URL by using the “url” command, so you can paste the URL without quoting it. The needle can also be set using the “needle” command.
The Mole Tutorial