
herakty

sqlninja, a SQL Server injection & takeover tool (integrated with MSF)


Allows a remote reverse shell, enabling xp_cmdshell, brute-forcing SA, etc.

Use wmap or the w3af framework to find the vulnerability (note that in these cases it is not done by relying on known vulns... even an unknown site is analysed and everything is detected (it doesn't stand a chance)), or just a trained eye: browsing a site is enough for the eye to tell us something :smoke: :thumbsup:

Introduction

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. Have a look at the flash demo and then feel free to download it.

It is released under the GPLv2 and it has been featured on SecurityHack's Top 15 Free SQL Injection Scanners, which is a good result for something that started as a small script written on-the-fly during a pen-test :)

Features

The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:

    * Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)

    * Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)

    * Privilege escalation to sysadmin group if 'sa' password has been found

    * Creation of a custom xp_cmdshell if the original one has been removed

    * Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)

    * TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell

    * Direct and reverse bindshell, both TCP and UDP

    * DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

    * Evasion techniques to confuse a few IDS/IPS/WAF

    * Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection

Platforms supported

Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

    * Linux

    * FreeBSD

    * Mac OS X

Sqlninja does not run on Windows and I am not planning a port in the near future.

http://sqlninja.sourceforge.net/

Demos:

A demo of all basic features:

    * How to configure the tool

    * How to fingerprint the remote server

    * How to bruteforce the 'sa' password

    * How to upload executables and obtain a shell

Demo1: Configuration, fingerprint, SA brute force, restoring xp_cmdshell (MS SQL), uploading NetCat and reverse shell (gets through firewalls)

http://sqlninja.sourceforge.net/sqlninjademo1.html

GUI access demo

A demo of the integration of sqlninja and metasploit, showing how to start from a simple SQL Injection to finally obtain a full GUI access on the remote DB server. Yes, while the other demo should be watched first, this happens to be the coolest one.

Demo2: integration with MSF meterpreter :D

http://sqlninja.sourceforge.net/sqlninjademo2.html

teckV
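A defender-side audit of the server conditions the feature list above depends on (xp_cmdshell availability, authentication mode, the state of the 'sa' login and the privileges of the login the web application uses). This is an added example, not part of the original post or of sqlninja; the login name web_app is a placeholder, and the script assumes it is run by a sysadmin.

```sql
-- Added audit script (not part of sqlninja): reports the conditions that the
-- fingerprint / takeover steps listed above rely on. Run it as a sysadmin.
-- Placeholder: replace 'web_app' with the login your web application uses.
DECLARE @app_login sysname = N'web_app';

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means OS commands can be run
--    from T-SQL by anyone with the right to execute the procedure.
SELECT 'xp_cmdshell enabled' AS finding, value_in_use AS value
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Authentication mode: 0 = mixed mode (SQL logins such as 'sa' exist and
--    can be password-guessed), 1 = Windows authentication only.
SELECT 'Windows-auth only' AS finding,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS value;

-- 3. State of the built-in 'sa' login; its sid stays 0x01 even if renamed,
--    so match on the sid rather than the name.
SELECT 'sa login' AS finding, name, is_disabled,
       is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. Is the web application's login a member of sysadmin? It should not be:
--    an injection through a sysadmin login needs no privilege escalation.
SELECT 'app login is sysadmin' AS finding,
       IS_SRVROLEMEMBER('sysadmin', @app_login) AS value;

-- 5. All server roles granted to the application login, for review.
SELECT 'app login role' AS finding, r.name AS role_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @app_login;

-- 6. Remediation for finding 1 (uncomment once the results are reviewed):
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Each result set is one finding; a `1` in findings 1 or 4, or a `0` in finding 2, is a condition worth fixing before an injection in the web application is ever found.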
