April 10, 2014
Sqlninja 0.2.6
Features:
>> Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
>> Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental).
>> Creation of a custom xp_cmdshell if the original one has been removed
>> Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed).
>> TCP/UDP portscan from the target SQL Server to the attacking machine, in order
to find a port that is allowed by the firewall of the target network
and use it for a reverse shell.
>> Direct and reverse bindshell, both TCP and UDP
>> ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse
shell but the DB can ping your box. >> DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for
a direct/reverse shell, but the DB server can resolve external hostnames
(check the documentation for details about how this works). >> Evasion techniques to confuse a few IDS/IPS/WAF.
>> Integration with Metasploit3, to obtain a graphical access to the remote DB
server through a VNC server injection.
Download
