SQLNinja – Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
-m <mode> : Required. Available modes are: t/test - test whether the injection is working f/fingerprint - fingerprint user, xp_cmdshell and more b/bruteforce - bruteforce sa account e/escalation - add user to sysadmin server role x/resurrectxp - try to recreate xp_cmdshell u/upload - upload a .scr file s/dirshell - start a direct shell k/backscan - look for an open outbound port r/revshell - start a reverse shell d/dnstunnel - attempt a dns tunneled shell i/icmpshell - start a reverse ICMP shell c/sqlcmd - issue a 'blind' OS command m/metasploit - wrapper to Metasploit stagers -f <file> : configuration file (default: sqlninja.conf) -p <password> : sa password -w <wordlist> : wordlist to use in bruteforce mode (dictionary method only) -g : generate debug script and exit (only valid in upload mode) -v : verbose output -d <mode> : activate debug 1 - print each injected command 2 - print each raw HTTP request 3 - print each raw HTTP response all - all of the above ...see sqlninja-howto.html for details
Two Beautiful Examples Provided By them are :
A demo of all basic features:
How to configure the tool
How to fingerprint the remote server
How to bruteforce the ‘sa’ password
How to upload executables and obtain a shell