Update SQL Ninja v-0.2.999-alpha1

What's new:
This alpha of the new release adds a shiny new data extraction method. It uses WAITFOR-based (time-based blind) injection, which is slow, and DNS tunnels, which are fast. It is still extremely experimental, so don’t expect it to be very stable yet. However, it might already be stable enough to help you in your next penetration test.
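As an added defender-side example (not sqlninja code and not part of the original post), the two extraction channels named above each leave a recognisable trace: a time-based probe carries T-SQL `WAITFOR DELAY` in the request, and DNS tunnelling produces query names with long encoded labels. The log lines, hostnames and length threshold below are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access log lines (not from the page). The second one
# carries a URL-encoded WAITFOR DELAY payload of the kind time-based extraction relies on.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jun/2012:10:00:01] "GET /item.asp?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2012:10:00:02] "GET /item.asp?id=42%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 512',
]

# Constructed DNS query log lines: a normal lookup and one whose first label is a
# long run of hex digits, which is what tunnelled data tends to look like on the wire.
DNS_LOG = [
    "query: www.example.com A",
    "query: 4a6f686e2c2073612c20312e2e2e.attacker-controlled.example A",
]

# T-SQL delay primitive used by time-based blind injection; case-insensitive, whitespace tolerant.
WAITFOR_RE = re.compile(r"waitfor\s+delay\s+'?\d", re.IGNORECASE)


def is_time_based_probe(log_line: str) -> bool:
    """True if the request URL, after percent-decoding, contains a WAITFOR DELAY payload."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return False
    return WAITFOR_RE.search(unquote_plus(m.group(1))) is not None


def looks_like_dns_tunnel(qname: str, min_hex_label: int = 20) -> bool:
    """Heuristic: flag a query name containing a label that is long and made only of hex digits.

    Some CDN or cloud hostnames also use hex labels, so treat hits as leads, not verdicts.
    """
    for label in qname.rstrip(".").split("."):
        if len(label) >= min_hex_label and re.fullmatch(r"[0-9a-fA-F]+", label):
            return True
    return False


def scan(access_lines, dns_lines):
    """Return (flagged access lines, flagged DNS lines) for a batch of log lines."""
    http_hits = [line for line in access_lines if is_time_based_probe(line)]
    dns_hits = [line for line in dns_lines if looks_like_dns_tunnel(line.split()[1])]
    return http_hits, dns_hits


if __name__ == "__main__":
    for hit in scan(ACCESS_LOG, DNS_LOG):
        print(hit)
```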


Sqlninja is an exploitation tool to be used against web apps based on MS SQL Server that are vulnerable to SQL injection attacks, in order to get a shell or extract data even in very hostile conditions.

Features

The full documentation can be found in the tarball and also here, but here’s a list of what the Ninja does:

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
  • Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
  • Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Platforms supported
Sqlninja is written in Perl and should run on any UNIX-based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
  • Linux
  • FreeBSD
  • Mac OS X

Download: sqlninja-0.2.999-alpha1.tgz (613.3 kB)
Resources: http://sqlninja.sourceforge.net
Our previous post: http://seclist.us/2012/05/sqlninja-v-0-2-6-bunga-bunga-edition-released.html