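Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities in web applications. Besides automatically discovering exploitable SQL queries, Havij can identify the back-end database type, retrieve usernames and password hashes, dump tables and columns, extract data from the database, and even access the underlying file system and execute system commands, provided of course that an exploitable SQL injection vulnerability exists. Havij supports a wide range of database systems, such as MsSQL, MySQL, MSAccess and Oracle. It also supports configurable parameters for evading IDS, proxy support, and scanning for admin login pages. Havij has now been updated to v1.15; the main changes in the new version are as follows: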
 Webknight WAF bypass added.
 Bypassing mod_security made better
 Unicode support added
 A new method for tables/columns extraction in mssql
 Continuing previous tables/columns extraction made available
 Custom replacement added to the settings
 Default injection value added to the settings (when using %Inject_Here%)
 Table and column prefix added for blind injections
 Custom table and column list added.
 Custom time out added.
 A new md5 cracker site added
 Bugfix: a bug relating to SELECT command
 Bugfix: finding string column
 Bugfix: getting multi column data in mssql
 Bugfix: finding mysql column count
 Bugfix: wrong syntax in injection string type in MsAccess
 Bugfix: false positive results were removed
 Bugfix: data extraction in url-encoded pages
 Bugfix: loading saved projects
 Bugfix: some errors in data extraction in mssql fixed.
 Bugfix: a bug in MsAccess when guessing tables and columns
 Bugfix: a bug when using proxy
 Bugfix: enabling remote desktop bug in windows server 2008 (thanks to pegasus315)
 Bugfix: false positive in finding columns count
 Bugfix: when mssql error based method failed
 Bugfix: a bug in saving data
 Bugfix: Oracle and PostgreSQL detection
Tool download: http://itsecteam.com/en/projects/project1.htm