SqlNinja 0.2.6 is Now Available


Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv3. There are a lot of other SQL injection tools out there but sqlninja, instead of extracting the data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network.

 Here’s what it does:
  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if 'sa' password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
  • Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
  • Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Do you have questions, comments, or suggestions? Feel free to post a comment! 





Subscribe to Saint Andrew's Paradise
Liked this post?

Subscribe to "Saint Andrew's Paradise" and get all new tricks, tools and regular updates to your inbox!

    




Share your views...

1 Respones to "SqlNinja 0.2.6 is Now Available"

Anonymous said...
November 13, 2011 at 12:02 AM

UPDATE UR BLOG WE ARE WAITING...........................

Post a Comment

 

About Me

Saint Andrew is a computer science student. Saint Andrew is a founder of the blog Saint Andrew's Hacking Paradise.

His mission and the aim of this blog is to make the reader aware of the existing threats and describe them in comprehensible way.

"Saint Andrew's Hacking Paradise" is a place to Learn, Understand and Explore the facts of computer technology.

You are always welcome to contact us to suggest ideas, tips, or to ask questions.

© 2011 Saint Andrew's Hacking Paradise

This blog run on iThesis Theme & hosted by Blogger