Monday, November 7, 2011

Sqlninja v.0.2.6 Released

Sqlninja's goal is to exploit SQL injection vulnerabilities in web applications that use Microsoft SQL Server as the back end. There are a lot of other SQL injection tools out there, but sqlninja, instead of extracting data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does:
  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB Server authentication mode)
  • Bruteforce of the 'sa' password
  • Privilege escalation to 'sa'
  • Creation of a custom xp_cmdshell if the original one has been disabled
  • Upload of executables
  • Reverse scan in order to look for a port that can be used for a reverse shell
  • Direct and reverse shell, both TCP and UDP
  • DNS tunneled pseudoshell, when no ports are available for a bindshell
  • ICMP tunneled shell, if the target DBMS can communicate via ICMP Echo with the attacking machine
  • Metasploit wrapping, when you want to use Meterpreter or even want to get GUI access on the remote DB server
  • OS privilege escalation on the remote DB server using token kidnapping or through CVE-2010-0232
  • All of the above can be done with obfuscated SQL code, in order to confuse IDS/IPS systems 
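The first items on that list (fingerprinting the login and its privileges, xp_cmdshell availability, the authentication mode, and the 'sa' password bruteforce) all depend on server settings that the DBA controls. As an added example, not part of this post or of the sqlninja project, the T-SQL below checks those same properties from the defender's side; run it as the web application's own SQL login, in the database it uses. Each row whose finding starts with RISK is a setting that would give an injection more reach than the application needs. Column names and the RISK/ok labels are this example's own choices; the catalog views, functions and SERVERPROPERTY names are standard SQL Server.

```sql
-- Added example (not from the sqlninja page or project): a self-audit of the
-- settings sqlninja fingerprints, run as the application's own SQL login.

-- 1. Which login the application really runs as, and whether it is sysadmin.
--    An injection inherits this login, so sysadmin here means 'sa'-level access
--    with no escalation step needed.
SELECT 'app login'   AS item,
       SUSER_SNAME() AS value,
       CASE WHEN IS_SRVROLEMEMBER('sysadmin') = 1
            THEN 'RISK: application login is sysadmin'
            ELSE 'ok' END AS finding;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means OS commands are one query away.
SELECT 'xp_cmdshell'                      AS item,
       CAST(value_in_use AS varchar(10)) AS value,
       CASE WHEN value_in_use = 1
            THEN 'RISK: xp_cmdshell enabled'
            ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Authentication mode. Mixed mode is what makes the 'sa' password guessable
--    through the application's connection; Windows-only removes that path.
SELECT 'auth mode' AS item,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 1
            THEN 'Windows only' ELSE 'Mixed' END AS value,
       CASE WHEN CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) = 0
            THEN 'RISK: mixed mode, sa reachable by password'
            ELSE 'ok' END AS finding;

-- 4. Is the built-in sa login (principal_id 1, even if renamed) still enabled?
SELECT 'sa login' AS item,
       name       AS value,
       CASE WHEN is_disabled = 0
            THEN 'RISK: built-in sa login enabled'
            ELSE 'ok' END AS finding
FROM sys.server_principals
WHERE principal_id = 1;

-- 5. Patch level, for comparison against the OS/DBMS advisories the tool
--    relies on (e.g. the CVE-2010-0232 escalation mentioned above).
SELECT 'version' AS item,
       CAST(SERVERPROPERTY('ProductVersion') AS varchar(32)) AS value,
       'informational' AS finding;
```

If the sys.configurations or sys.server_principals rows come back empty, the login lacks the metadata permission to see them, which is itself the answer you want for an application account: it cannot enumerate the server, and neither can an injection riding it.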
