sqlninja 0.2.1-r1 - SQL Injection Tool for MS-SQL

Sqlninja is a tool targeted at exploiting SQL Injection vulnerabilities in a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It is meant to be used by penetration testers to help automate the process of taking over a DB server once a SQL Injection vulnerability has been discovered.

It is written in Perl and so far has been successfully tested on:

Linux
FreeBSD
Mac OS X

Features
Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if 'sa' password has been found
Creation of a custom xp_cmdshell if the original one has been removed
Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New
A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution!)
Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack on the 'sa' account can succeed or not
Documentation is now in HTML format, which should make things much easier for new users
Several bugfixes and minor improvements
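As an added example (not from this post or the sqlninja project), the following T-SQL lets a DBA check an instance for the same conditions that the fingerprinting and authentication-mode detection features above look for, and applies the usual hardening. It assumes SQL Server 2005 or later (for sys.configurations and sys.sql_logins) and a sysadmin login to run it.

```sql
-- Audit the conditions an injection tool fingerprints: product version,
-- authentication mode, xp_cmdshell state, the 'sa' login and the privilege
-- level of the login the web application uses.
SELECT
    SERVERPROPERTY('ProductVersion') AS product_version,
    CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
        WHEN 1 THEN 'Windows-only'
        ELSE 'Mixed (SQL logins such as sa are exposed to password guessing)'
    END AS auth_mode,
    (SELECT CAST(value_in_use AS int)
       FROM sys.configurations
      WHERE name = 'xp_cmdshell') AS xp_cmdshell_enabled,      -- 1 = enabled
    (SELECT is_disabled
       FROM sys.sql_logins
      WHERE name = 'sa') AS sa_is_disabled,                    -- 1 = disabled
    SUSER_SNAME() AS current_login,
    IS_SRVROLEMEMBER('sysadmin') AS current_login_is_sysadmin; -- 1 = sysadmin

-- A "custom xp_cmdshell" registered after the original was removed shows up
-- as an extended stored procedure in master that Microsoft did not ship.
SELECT name, create_date
  FROM master.sys.all_objects
 WHERE type = 'X' AND is_ms_shipped = 0;

-- Hardening: disable xp_cmdshell and the 'sa' login. The web application's
-- login should be a low-privilege SQL or Windows login, not a sysadmin.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;
```

The second query returning any row is worth investigating, since legitimate deployments rarely register their own extended stored procedures.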
You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.

