begood

sqlninja 0.2.5 released!


Hello security enthusiasts,

It's been 2 years, but a new version of sqlninja is out at Sourceforge!

Introduction
============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide interactive access to the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB server when a SQL Injection vulnerability has been discovered. It is written in Perl, it is released under the GPLv2 and so far has been successfully tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at the address http://sqlninja.sourceforge.net

What's new
==========

# Proxy support (it was about time!)
# No more 64k bytes limit in upload mode
# Upload mode is also massively faster
# Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
# Other minor improvements

What's not so new
=================

# Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
# Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
# Privilege escalation to sysadmin group if 'sa' password has been found
# Creation of a custom xp_cmdshell if the original one has been removed
# Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
# TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
# Evasion techniques to confuse a few IDS/IPS/WAF
# Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

Happy hacking!

--

Full Disclosure: sqlninja 0.2.5 released!

icesurfer
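The fingerprint step in the announcement above enumerates five facts about the back-end server (version, the login running the queries, its privileges, whether xp_cmdshell is enabled, and the authentication mode). The T-SQL below is an added defender-side self-check, not part of the announcement or of sqlninja itself: run it as the login the web application uses, and it reports exactly what an injection through that application would be able to learn, so the DBA can see where to tighten things (a non-sysadmin application login, xp_cmdshell left disabled, Windows-only authentication so there is no 'sa' password to bruteforce). The query against sys.sql_logins is an assumption about your permissions: it only shows the sa row if the login holds VIEW ANY DEFINITION.

```sql
-- Added self-check (not sqlninja code). Run as the web application's SQL login.

-- 1. Server version: what an attacker would fingerprint first.
SELECT @@VERSION AS server_version;

-- 2. Which login actually performs the application's queries.
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user;

-- 3. Privileges: 1 means the application login is a member of sysadmin,
--    which is the situation the tool's escalation features aim for.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 4. xp_cmdshell availability: value_in_use 0 = disabled (the default since SQL Server 2005).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 5. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
--    Mixed mode is what makes a dictionary/incremental 'sa' password attack possible.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 6. (Assumption: requires VIEW ANY DEFINITION.) Is the built-in sa login disabled?
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = 'sa';
```

Expected healthy output for an application login is a non-sysadmin login name, is_sysadmin = 0, xp_cmdshell value_in_use = 0, and windows_auth_only = 1 (or, if mixed mode is unavoidable, sa shown as is_disabled = 1).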
