2010.05.25 19:24

sqlninja - a SQL Server injection & takeover tool

Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB Server authentication mode)
  • Bruteforce of the 'sa' password
  • Privilege escalation to 'sa'
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of executables
  • Reverse scan in order to look for a port that can be used for a reverse shell
  • Direct and reverse shell, both TCP and UDP
  • DNS tunneled pseudoshell, when no ports are available for a bindshell
  • Metasploit wrapping, when you want to use Meterpreter or even want to get GUI access on the remote DB server
  • OS privilege escalation on the remote DB server using token kidnapping
  • All of the above can be done with obfuscated SQL code, in order to confuse IDS/IPS systems
As you probably have figured out, sqlninja does not look for SQL injection vulnerabilities. Again, there are already several tools that perform that task already, like BurpSuite.

For the latest release and two flash demos, check out the address http://sqlninja.sourceforge.net/. The demos refer to a previous version but are still perfectly good to get a better understanding of the tool.

Read this manual carefully (yes, I mean all of it), as it will explain you what it is all about and how to make your way through all sqlninja options. Yes, I know that it's terribly long and boring, but since sqlninja has a plethora of options to play with (and no shiny green buttons), try to read the whole thing: it will help you to get the most of the tool and will save you a lot of time later.

## Demo ##

출처 : http://sqlninja.sourceforge.net/

Trackback 1 Comment 0