sqlninja logo

...a SQL Server injection & takeover tool

Common answers to common e-mails

  • So, why you changed your mind and added a data extraction module?

    Short answer:

    Because the alternative was to let sqlninja die.

    Long answer:

    Sqlninja evolved as a byproduct of my old days as a full-time penetration tester between 2005 and 2009: every time I needed some functionality that I could not find in existing tools, I would hack it up on the spot and later add it to the tool. Since several tools with data extraction features were already available, the result was a piece of software designed uniquely for interactive OS-level access.

    Fast forward to early 2011. While testing a password management appliance, I found a SQL Injection (remember, kids: security products are rarely secure products too). The client wanted me to extract some data but existing tools were all failing, so I coded up a very rudimentary but effective waitfor-based data extraction module. Client was happy (well, to a certain extent, since they had paid a lot of money for that product), and I forgot about the whole thing: by that time I was not a full-time pen-tester anymore, and I was finding SQL Injection a declining area of research anyway; not much space for anything apart from simple weaponization, and a class of bugs doomed to disappear with the increasing adoption of modern web development frameworks and static analyzers.

    Fast forward to present day (late 2012). My impression is that SQL Injection flaws are decreasing, but slower than I would have guessed 2 or 3 years ago, and they keep making the news. However, SQL Server 2000 installations have become extremely rare, which means that sqlninja's OS-level capabilities are now fully dependent on the target webapp running queries with administrative privileges (no more 'sa' password bruteforcing, sorry), significantly reducing the tool's reach in today's web ecosystem. I thought that either I was going to add some new functionality to overcome this major limitation, or I had no choice but watching this little old project of mine die a slow death, even with so many vulnerable apps still around. And since I had that old code from 2011 still available, why not polishing it a bit, and re-using the DNS tunnel code to throw some DNS-based data extraction capabilities on the top? Finally, when a fellow hacker (nico) volunteered to help with the effort, I could not use my laziness as an excuse anymore.

  • How can I help?

    All help is greatly appreciated. Just download the tool and have lots of fun with it, using it in your penetration tests. If you find bugs or have ideas for possible improvements, feel free to send us your thoughts. If you feel brave, experiment with the 0.2.999-alpha, which features a brand-new data extraction module, and look for bugs! :).

  • Will you support Windows?

    It would be nice, but we won't. The reason is that a Windows version would require a considerable amount of time to develop and maintain. Sqlninja is targeted to professional penetration testers, who are very likely to have access to a Unix-like box in their job.

  • Can I integrate sqlninja with a security tool I am developing?

    Sure! Just keep in mind that sqlninja is released under the GPL, which means that any derivative work must be distributed without further restrictions on the rights granted by the GPL itself. If this constitutes a problem, feel free to contact us so we can find a solution (e.g.: a dual-licensing scheme).

  • Will you support other Database technologies?

    Unlikely. We prefer to work on a tool that does one thing, and does it reasonably well. Plus, we are lazy. :)

  • Woot! Sqlninja saved my day during a pen-test!

    Awesome! We are always happy to hear success stories! However, if that made your boss earn $$$ in new engagements, tell him to consider a donation to the open source community (not necessarily to this project). Hackers worldwide are always in need of support to pay their bills and buy their booze.

  • Help! I can't get sqlninja to work!

    Sqlninja is not trivial to setup, we know, but that's the price to pay for a tool that is quite flexible and that gives a reasonable chance of success in a real-world attack scenario. We are happy to help, where possible, but please first make sure you have read the documentation carefully.

  • Could you help me hacking <add some site here>?

    No. But thanks for a good laugh.