In this blog I will show you a pretty sweet tool called SQL Ninja in the Metasploit Framework. There are a lot of SQL injection tools out there, but this one is my favorite because instead of extracting the actual data it focuses on getting an interactive shell on the remote DB server and using it as a foothold against the target network. So let’s go ahead and dive into the wonders of SQL Ninja.
First, all of the information SQL Ninja needs is stored in a config file, which by default is called sqlninja.conf. All you need to do is open the configuration file with Nano, Kate or whatever your favorite Linux text editor is. (See below.)
As you can see from the screenshot above, I have pointed out the important parts of the config file for basic SQL injection. The first arrow is the actual host address, i.e. www.domain.com; this can also be the IP address of the server.
The second arrow is the port we will try to exploit on; 443 is the default for SQL, so just leave it as 443. Make all the changes needed to the config file and save it.
Now type “cd /pentest/database/sqlninja” (without quotes) and hit enter; this takes you into the SQL Ninja tool’s directory. After that type “./sqlninja -f config.conf -m m” (without quotes); this parses the config file into SQL Ninja and also starts up a Metasploit module at the same time.
After you do this it’s going to take a while, because SQL Ninja is actually pushing SQL queries through the initial SQL injection. It has to go through several queries, wait for the responses from the SQL server and then check those results. I would advise grabbing a rum and coke while you wait :) When it’s done you will get a screen like the one below:
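The query-pushing behaviour described above leaves a trace on the defender’s side: one client sending a burst of injection-shaped requests to the same page over a short period. The following script is an added example, not code from the original post or from SQL Ninja; it assumes Apache combined access-log format and works over constructed sample lines embedded below.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:14:02:01 +0000] "GET /products.asp?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:14:02:03 +0000] "GET /products.asp?id=1;WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:14:02:09 +0000] "GET /products.asp?id=1;exec%20master..xp_cmdshell%20'dir'-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:14:02:15 +0000] "GET /products.asp?id=1;IF%20(ASCII(SUBSTRING(@@version,1,1))>77)%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
# Widely used signatures for MSSQL stacked-query and time-based blind injection.
INJECTION_RE = re.compile(r";\s*(?:exec|waitfor|declare|if|select)\b|xp_cmdshell|waitfor\s+delay", re.IGNORECASE)


def parse_line(line):
    """Return (ip, timestamp, path, decoded query) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, url, _status = m.groups()
    path, _, query = url.partition("?")
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, unquote(query)


def suspicious_requests(log_text):
    """Yield (ip, timestamp, path) for each request whose decoded query string matches a signature."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and INJECTION_RE.search(parsed[3]):
            yield parsed[0], parsed[1], parsed[2]


def flag_bursts(log_text, threshold=3, window_seconds=60):
    """Return {(ip, path): n} for clients sending n >= threshold matching requests to one page within a sliding window."""
    hits = defaultdict(list)
    for ip, ts, path in suspicious_requests(log_text):
        hits[(ip, path)].append(ts)
    alerts = {}
    for key, times in hits.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale timestamps
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts
```

On the sample above, `flag_bursts(SAMPLE_LOG)` flags only the client hammering /products.asp with three stacked-query requests in twelve seconds; the benign request from the other address is ignored.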
This has created a local shell on the SQL box. From here you can use your Metasploit meterpreter session, which is pretty awesome, because a SQL server is usually a high-maintenance server, so it’s likely the admin has logged in recently. We can do something like a hashdump or grab the tokens off the local SQL server. Once we have the hashes of all the accounts (Admin included), we can use the hash to pivot from the SQL server into the domain controller. This technique is known as “Pass The Hash” and works if the admin uses the same password for all his logins to Windows servers.
Final note: the best lab for this is a virtual environment; I like to use VMware Workstation to run all the different boxes needed for the demos.