Penetration TestingSSH

SQLNINJA Vulnerability Analysis

SQLNINJA  Vulnerability Analysis

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.


[email protected]:~# sqlninja -h
Unknown option: h
Usage: /usr/bin/sqlninja
-m <mode> : Required. Available modes are:
t/test – test whether the injection is working
f/fingerprint – fingerprint user, xp_cmdshell and more
b/bruteforce – bruteforce sa account
e/escalation – add user to sysadmin server role
x/resurrectxp – try to recreate xp_cmdshell
u/upload – upload a .scr file
s/dirshell – start a direct shell
k/backscan – look for an open outbound port
r/revshell – start a reverse shell
d/dnstunnel – attempt a dns tunneled shell
i/icmpshell – start a reverse ICMP shell
c/sqlcmd – issue a ‘blind’ OS command
m/metasploit – wrapper to Metasploit stagers
-f <file> : configuration file (default: sqlninja.conf)
-p <password> : sa password
-w <wordlist> : wordlist to use in bruteforce mode (dictionary method
-g : generate debug script and exit (only valid in upload mode)
-v : verbose output
-d <mode> : activate debug
1 – print each injected command
2 – print each raw HTTP request
3 – print each raw HTTP response
all – all of the above
…see sqlninja-howto.html for details


Connect to the target in test mode (-m t) with the specified config file (-f /root/sqlninja.conf):

[email protected]:~# sqlninja -m t -f /root/sqlninja.conf
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <[email protected]>
[+] Parsing /root/sqlninja.conf…
[+] Target is:
[+] Trying to inject a ‘waitfor delay’….


Related Articles

Back to top button