Surely most of you know it sqlmap as the most common sql injection vulnerability tool in web applications. P.day from sqlmap, in this article we will get to know one more, sqlninja, one . tool written in Perl specialized in finding sql injection vulnerabilities in web applications that use Microsoft SQL Server as a backend.
Its main purpose is to provide the attacker with remote access to the vulnerable base even when the general environment in which the base is located is hostile. Can be used by penetration testers and security analysts who want to check for sql injection vulnerabilities.
What is SQL injection?
SQL injection is a technique hacking where the attacker, through his modification URL or some other character input field of the web application can insert SQL commands directly into the database. This results in overriding application security techniques and as a result the attacker can extract data from the entire database, modify it and even delete it.
It is one of the oldest and most dangerous attacks on web applications. The organization OWASP (Open Web Application Security Project) ranks injection threats at number one on the list of Top 10 Web Application Security Threats (OWASP Top 10).
How to use it
Sqlninja is available for Unix operating systems that have a Perl interpreter. This means that the platforms that can support it are the following:
Sqlninja is not currently supported by operating systems Windows. It will
find pre-installed Linux distro for penetration testing, Kali Linux.
Linux Ubuntu & Debian
Install Perm modules
To install Perm modules open a terminal and run the following:
perl -MCPAN -e "install Net :: RawIP" perl -MCPAN -e "install Net :: Pcap" perl -MCPAN -e "install Net :: PcapUtils" perl -MCPAN -e "install Net :: Packet" perl - MCPAN -e "install Net :: DNS" perl -MCPAN -e "install IO :: Socket :: SSL"
To download and extract the sqlninja folder, open a terminal and run the following:
wget https://sourceforge.net/projects/sqlninja/files/sqlninja/sqlninja-0.2.999-alpha1.tgz tar zxvf sqlninja-0.2.999-alpha1.tgz cd sqlninja-0.2.999-alpha1.tgz
How to use it
Let's now look at some of the options we have using sqlninja.
Initially we can see all the possible options we have running sqlninja in a terminal:
root @ horse: ~ # sqlninja Sqlninja rel. 0.2.6-r1 Copyright (C) 2006-2011 icesurfer <firstname.lastname@example.org> Usage: / usr / bin / sqlninja -m <mode>: Required. Available modes are: t / test - test whether the injection is working f / fingerprint - fingerprint user, xp_cmdshell and more b / bruteforce - bruteforce sa account e / escalation - add user to sysadmin server role x / resurrectxp - try to recreate xp_cmdshell u / upload - upload a .scr file s / dirshell - start a direct shell k / backscan - look for an open outbound port r / revshell - start a reverse shell d / dnstunnel - attempt a dns tunneled shell i / icmpshell - start a reverse ICMP shell c / sqlcmd - issue a 'blind' OS command m / metasploit - wrapper to Metasploit stagers -f <file>: configuration file (default: sqlninja.conf) -p <password>: how much password -w <wordlist>: wordlist to use in bruteforce mode (dictionary method only) -g: generate debug script and exit (only valid in upload mode) -v: verbose output -d <mode>: activate debug 1 - print each injected command 2 - print each raw HTTP request 3 - print each raw HTTP response all - see above ... see sqlninja-howto.html for details
The behavior of sqlninja is controlled through the sqlninja.conf configuration file, with which we can direct the tool to the target, how it is attacked, and how to use other management parameters. These may be the following:
- -m <attackmode>: controls the attack mode by telling sqlninja what to do. Possible parameter values can be:
- test tanks
- -v: verbose output
- -f <configuration file>: specifies the configuration file to use.
- -p <'sa' password>: used in escalation mode to add the existing database user to the sysadmin group. In other modes it is used to enable the user to run queries as an administrator.
- -w <wordlist>: list of possible passwords for bruteforce mode
- -d <debug mode>: activates debug mode in case of troubleshooting. Possible values are:
- 1: print out any inject command
- 2: print each HTTP request to the target
- 3: print out each HTTP response from the target
- All: all of the above
A config file may look like the following:
How did you like it; Expect impressions.