Sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.
There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does:
- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB Server authentication mode)
- Bruteforce of the 'sa' password
- Privilege escalation to 'sa'
- Creation of a custom xp_cmdshell if the original one has been disabled
- Upload of executables
- Reverse scan in order to look for a port that can be used for a reverse shell
- Direct and reverse shell, both TCP and UDP
- DNS tunneled pseudoshell, when no ports are available for a bindshell
- Metasploit wrapping, when you want to use Meterpreter or even want to get GUI access on the remote DB server
- OS privilege escalation on the remote DB server using token kidnapping
- All of the above can be done with obfuscated SQL code, in order to confuse IDS/IPS systems
For the latest release and two flash demos, check out the address http://sqlninja.sourceforge.net/. The demos refer to a previous version but are still perfectly good to get a better understanding of the tool.
Read this manual carefully (yes, I mean all of it), as it will explain you what it is all about and how to make your way through all sqlninja options. Yes, I know that it's terribly long and boring, but since sqlninja has a plethora of options to play with (and no shiny green buttons), try to read the whole thing: it will help you to get the most of the tool and will save you a lot of time later.
## Demo ##
출처 : http://sqlninja.sourceforge.net/