sqlninja 0.1.0alpha released

From: A.R. (r00t@northernfortress.net)
Date: Fri Jun 23 2006 - 19:33:29 EDT


Hello fellow pen-testers,

A first version of sqlninja has been released at the address
http://sqlninja.sourceforge.net

sqlninja is a little toy that was coded during a couple of
pen-tests we did lately, and it is aimed at exploiting SQL Injection
vulnerabilities in web applications that use Microsoft SQL Server as
their back-end.
It borrows some ideas from similar tools like bobcat, but it is more
focused on providing a remote shell even with paranoid firewall
settings.
It is written in Perl and runs on UNIX-like boxes.

Here's a list of what it does so far:
- Upload of nc.exe (or any other executable) using the good ol' debug
script trick
- TCP/UDP portscan from the target SQL Server to the attacking machine,
in order to find a port that is allowed by the firewall of the target
network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a
direct/reverse shell, but the DB server can resolve external hostnames

Since this is an alpha version and it was originally meant to be just a
quick & dirty toy for a pentest, there are lots of bugs waiting to be
found and fixed, so go ahead and download it! :)

More tunneling options (e.g. HTTP, SMTP, ...) will be added in the
future, together with tunnel encryption, but I hope you will find the
tool helpful already.

Enjoy!

-- icesurfer

-- 
Show me a man who lives alone and has a perpetually clean kitchen, and 8
times out of 9 I'll show you a man with detestable spiritual qualities.
-- Charles Bukowski