{ "id": "81a43979-dd41-459a-aa3d-71c1e45afe5e", "created_at": "2026-04-06T00:06:10.930009Z", "updated_at": "2026-04-10T03:32:41.125171Z", "deleted_at": null, "sha1_hash": "de401c2fb22d4ebfdcfb2b6719bacd6ab0e13475", "title": "Analysis of the Havij SQL Injection tool", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 52737, "plain_text": "Analysis of the Havij SQL Injection tool\r\nBy bferrite\r\nPublished: 2015-05-14 · Archived: 2026-04-05 12:56:10 UTC\r\nHavij, an automatic SQL Injection tool, is distributed by ITSecTeam, an Iranian security company. The name\r\nHavij means “carrot”, which is the tool’s icon.\r\nThe tool is designed with a user-friendly GUI that makes it easy for an operator to retrieve the desired data. Such\r\nease of use may be the reason behind the transition from attacks deployed by code-writing hackers to those by\r\nnon-technical users.\r\nHavij was published during 2010, and since its, release several other automatic SQL Injection tools (such as\r\nsqlmap) were introduced. However, Havij is still active and commonly used by both penetration testers and low\r\nlevel hackers.\r\nHavij traffic is easily identified by its user agent:\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij\r\nCheck Point’s IPS protection which detects SQL Injection attempts using this tool, “Havij Automated SQL\r\nInjection tool”, has detected attacks toward 30% of the monitored customers in Chek Point’s Managed Security\r\nService.\r\nReview of the connections’ details indicates that the majority of the detected attacks included the input 999999.9,\r\nusually used to scan a website for an injection vulnerability. Most of the queries had the following structure:\r\nSELECT * FROM table_example WHERE ID = 999999.9\r\nError messages are not hidden. Therefore, if an error is received, the source knows the website is vulnerable to\r\ninjection attempts.\r\nAnother method used by Havij is “attempting” to convert something to integer values which can’t be converted.\r\nFor example, the DB name (usually a string):\r\nSELECT * FROM table_example WHERE ID = CONVERT (int, db_name()) and 1=1\r\nThe ensuing error message exposes the DB name:\r\nConversion failed when converting the nvarchar value ‘BadWebsite’ to data type int.\r\nHavij attempts to extract the tables and columns names in a similar manner\r\nOnce Havij is served with a vulnerable website, it enables the attacker to analyze the site and bring back the DB\r\nname, tables’ names and the actual data. Once the schema is received, the attacker can choose the specific\r\ncolumns they would like to obtain (see example below).\r\nhttps://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/\r\nPage 1 of 2\n\nAs Havij scans for several SQLi vulnerabilities, it is detected by other IPS protections as well. This gives us\r\nanother clue on what the scanning tool looks for, namely:\r\nSQL Servers MySQL Vendor-specific SQL Injection\r\nSQL Servers Time-based SQL Injection\r\nSQL Servers Stack Query SQL Injection\r\nSQL Servers SQL Injection Evasion Techniques\r\nSQL Servers UNION Query-based SQL Injection\r\nBased on the attacks detected against Managed Service customers, it seems the majority of the attacks originated\r\nfrom IP addresses registered in the United States, as seen in the graph below.\r\nThe easy-to-operate program, together with the free version and quick analysis, makes Havij one of the most\r\ncommon tools for automated SQL Injection and vulnerability assessments.\r\nTools such as Havij are changing the landscape of cyber attacks, as attackers no longer require the resources once\r\nneeded to deploy attacks. This may also mean that not all attacks will necessarily carry information disclosure or\r\ndamage – they sometimes only serve to pass a boring afternoon for a high-school kid, playing with a cool tool\r\nthey found online.\r\nSource: https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/\r\nhttps://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE", "ETDA" ], "references": [ "https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/" ], "report_names": [ "analysis-havij-sql-injection-tool" ], "threat_actors": [ { "id": "9663cdbf-646e-4579-881a-a8ebc3aabf63", "created_at": "2023-01-06T13:46:38.360862Z", "updated_at": "2026-04-10T02:00:02.942852Z", "deleted_at": null, "main_name": "Cutting Kitten", "aliases": [ "ITsecTeam" ], "source_name": "MISPGALAXY:Cutting Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775433970, "ts_updated_at": 1775791961, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/de401c2fb22d4ebfdcfb2b6719bacd6ab0e13475.pdf", "text": "https://archive.orkl.eu/de401c2fb22d4ebfdcfb2b6719bacd6ab0e13475.txt", "img": "https://archive.orkl.eu/de401c2fb22d4ebfdcfb2b6719bacd6ab0e13475.jpg" } }