Updated Brute Force Search Tool

  • Comments posted to this topic are about the item Updated Brute Force Search Tool

  • First error - Search Value is defined as a string.

    It should be SQL_VARIANT.

    Apart from preventing likely errors caused by mismatch in formatting, it will also eliminate necessity of the second parameter @SearchType.

    SQL_VAPIANT_PROPERTY of @SearchValue will give you the data type of the value you're looking for.

    And I did not analyse the code thoroughly, but it seems quite defenceless against SQL injections.

    Code for TallyGenerator

  • Thanks for your comments, this is not a production script, nor is it designed for anything other than internal use.  It only supports text, date and number searches so i didn't see a huge need to use a SQL_Variant type.  Sql injections are not an issue as this should not be used in a production environment.  If that is your intent i would suggest finding a different script as this returns table and column structures via the sql it returns from matches it has found, which would be a perfect tool for a nefarious person to help sql inject your application.  So i see your points but dont see any reason to adjust the script for either cases.  Just know that this is a tool for internal use and know that a text search requires a string, dates require a date, and numbers require a number, and it should work fine.

  • Hi Jhon,
    I fonded very usefull you solution
    I think there is only just one error in the fuzzy match = 'ends' becouse you save in resultsql ''''+@SearchValue+'%''' instead of '''%'+@SearchValue+''''
    I did my personalizations for my use:
    1. CONCAT did problem to me, I use SSMS 2016, I don't know why, I replaced with a simple +
    2. I put it under transaction + rollback, to evoid to save on db
    3. easy way: I reduced bit parameters in input, I manage them comparing ltrim(rtrim(isnull(@...List,''))) = '' to have less error case to manage
    4. I added a Schema manager, with include & exclude metods like table management
    5. I renamed @IncludeTableList ==> @IncludeOnlyTableList, just renamed to immediate maining

    So it is perfect for me ... by now 😉

  • Ah good spot on the ends with results query, didnt notice my mess up there. at least it wasnt an issue with the query that does the search just the returned query.  For those of you who need that fixed, just replace line 295 with following text


    as for CONCAT not working for you, wonder if your database compatibility is set to an older version of sql maybe, should work fine in sql 2016 as long as the compatibility level is 2012 or higher.

    Glad it could help you out, and also that you were able to modify for your usage. 

    Thanks a bunch


Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply