THANKS!!
It appears that sqlninja made it into the SecTools.Org Top 125 Security Tools list! It's great to see it up there together with all those really amazing projects. And not bad at all for a tool that was born by pure chance and that really boils down to a single Perl script coded mostly while drunk :)
Many thanks to all the people out there who voted for it!
News
Sqlninja 0.2.6 "bunga bunga edition" is available! I have been extremely lazy in the last few months or so, and the new job is not really helping me in finding time and motivation to work much on this little old pet project of mine. However, the new version is finally ready! It is basically an official release with all the new features that have been in the SVN for a while (most of them for almost 1 year, ouch). More specifically:
- ICMP-based shell (thanks Nico!)
- CVE-2010-0232 support to escalate the sqlservr.exe process to SYSTEM (greetz Tavis!)
- Header-based injection support
As for the reasons behind the "bunga bunga edition", see the FAQ.
Introduction
Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
Have a look at the flash demo and then feel free to download.
It is released under the GPLv3.
Features
The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:
- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
- Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
- Privilege escalation to sysadmin group if 'sa' password has been found
- Creation of a custom xp_cmdshell if the original one has been removed
- Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
- TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
- DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
- Evasion techniques to confuse a few IDS/IPS/WAF
- Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
- Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
- Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM
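The DNS-tunneled pseudo-shell listed above relies on the DB server resolving attacker-chosen hostnames; on the defender's side that traffic shows up as many long, high-entropy names under a single zone. The detector below is an added example (not sqlninja's code, which lives in the tarball) run over a constructed resolver log in an assumed `<client_ip> <queried_name>` format; the hex encoding is also an assumption, used only to give the sample its shape.

```python
import math
from collections import defaultdict

def shannon_entropy(s: str) -> float:
    """Bits per character of the string s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str, depth: int = 2):
    """Split 'a.b.example.net' into ('example.net', 'a.b').
    A fixed two-label zone cut is a simplification; use a public-suffix list in practice."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])

def dns_tunnel_suspects(lines, min_unique=10, min_avg_len=20, min_entropy=2.5):
    """Return {(client, zone): stats} for client/zone pairs whose subdomain labels
    look like encoded data: many distinct, long, high-entropy names under one zone."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        zone, sub = split_name(qname)
        if sub:
            seen[(client, zone)].add(sub)
    flagged = {}
    for key, subs in seen.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[key] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged

# --- constructed sample log (format assumed: "<client_ip> <queried_name>") ---
BENIGN = ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com", "10.0.0.5 cdn.example.com",
          "10.0.0.5 static.example.com", "10.0.0.5 api.example.com", "10.0.0.5 example.com"]
# Mimic data-over-DNS: hex-encode some constructed command output and split it into labels.
OUTPUT = (b"Volume in drive C has no label. Volume Serial Number is ABCD-EF01. "
          b"Directory of C:\\inetpub\\wwwroot: web.config global.asax default.aspx bin "
          b"styles images scripts App_Data Two file(s), four dir(s), plenty of bytes free.")
HEXED = OUTPUT.hex()
TUNNEL = [f"10.0.0.5 {HEXED[i:i + 30]}.tun.example.net" for i in range(0, len(HEXED), 30)]
SAMPLE_LOG = BENIGN + TUNNEL

if __name__ == "__main__":
    for (client, zone), st in dns_tunnel_suspects(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: {st}")
```

The thresholds are starting points; tune them against your own resolver's baseline so that CDN and anti-spam lookups (which also use long labels) do not drown out the signal.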
Platforms supported
Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:
- Linux
- FreeBSD
- Mac OS X
Sqlninja does not run on Windows and I am not planning a port in the near future.
Contact
icesurfer
bio: I break things for a living
email: r00t .at. northernfortress .dot. net
PGP: 0xE1B44C50
Twitter: http://twitter.com/icesurfer
