begood Posted May 10, 2010

Hello security enthusiasts,

It's been 2 years, but a new version of sqlninja is out at Sourceforge!

Introduction
============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide interactive access to the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at the address http://sqlninja.sourceforge.net

What's new
==========

# Proxy support (it was about time!)
# No more 64k bytes limit in upload mode
# Upload mode is also massively faster
# Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
# Other minor improvements

What's not so new
=================

# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
# Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
# Privilege escalation to sysadmin group if 'sa' password has been found
# Creation of a custom xp_cmdshell if the original one has been removed
# Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
# Evasion techniques to confuse a few IDS/IPS/WAF
# Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

Happy hacking!

-- Full Disclosure: sqlninja 0.2.5 released!
yakuZza22 Posted May 22, 2010

Good... very good. Congratulations!