Opened 9 years ago

Closed 3 years ago

Last modified 3 years ago

#31901 closed submission (fixed)

add SQlNinja to the ports tree

Reported by: fyodor.vassiley@…
Owned by: macports-tickets@…
Priority: Low
Milestone:
Component: ports
Version:
Keywords:
Cc: cooljeanius (Eric Gallager)
Port: sqlninja



Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. Have a look at the flash demo and then feel free to download. It is released under the GPLv3.

Features

The full documentation can be found in the tarball and also here, but here's a list of what the Ninja does:

- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
- Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
- Privilege escalation to sysadmin group if 'sa' password has been found
- Creation of a custom xp_cmdshell if the original one has been removed
- Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
- TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
- DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
- Evasion techniques to confuse a few IDS/IPS/WAF
- Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
- Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
- Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

Attachments (1)

Portfile (3.0 KB) - added by jul_bsd@… 7 years ago.


Change History (6)

comment:1 Changed 8 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:2 Changed 7 years ago by jul_bsd@…

Here is a Portfile for stable and -devel. It depends on updating p5-net-rawip to 0.25 (the 0.2 in the tree doesn't compile).

If you are bragging about CEH and pentest, you should probably be able to do the Portfile yourself. It's not that difficult and there is good documentation (incomplete for a few things, but the essentials are here).

Changed 7 years ago by jul_bsd@…

Attachment: Portfile added

comment:3 Changed 3 years ago by jmroot (Joshua Root)

Port: sqlninja added; SQlNinja removed
Type: request → submission
Version: 2.0.3

comment:4 Changed 3 years ago by jmroot (Joshua Root)

Resolution: fixed
Status: new → closed

In 1f457101c82f01b2dcd58c45e1e2503a6c77cb4a/macports-ports (master):

New port: sqlninja

Closes: #31901

comment:5 Changed 3 years ago by mf2k (Frank Schima)

Keywords: CEHv7 SQlNinja sql injection pentest removed