Sqlninja's main goal is to provide remote access to a vulnerable database server, even in a very secure environment. It can also be used by penetration testers to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.
Features available:
- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
- Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
- Privilege Escalation to sysadmin group if 'sa' password has been found
- Creation of a custom xp_cmdshell if the original one has been removed
- Upload of netcat (or any other executable) using only normal HTTP requests (no FTP / TFTP needed)
- TCP / UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- ICMP-tunneled shell, when no TCP / UDP ports are available for a direct / reverse shell but the DB can ping your box
- DNS-tunneled pseudo-shell, when no TCP / UDP ports are available for a direct / reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
- Evasion techniques to confuse a few IDS / IPS / WAF
- Integration with Metasploit3, to obtain graphical access to the remote DB server through a VNC server injection
- Integration with churrasco.exe, to escalate privileges to SYSTEM on W2k3 via token kidnapping
- Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM
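Two of the features above, the 'sa' password brute force and the re-enabling of xp_cmdshell, leave recognisable traces in SQL Server logging. The following is an added detection example, not part of sqlninja or of this page: it scans constructed ERRORLOG-style and audit-style lines for repeated failed 'sa' logins from one client and for statements that enable, register or call the command shell. The sample lines, the simplified audit line layout and the signature list are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines, not real telemetry. Logon lines follow SQL Server ERRORLOG wording;
# Audit lines are a simplified stand-in for statement text a SQL Audit / Extended Events session captures.
SAMPLE_LOG = """\
2024-05-01 10:00:01.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:01.35 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:01.60 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:00:02.02 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:03:15.00 Logon  Login succeeded for user 'webapp'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2024-05-01 10:04:20.00 Audit  [CLIENT: 203.0.113.7] [USER: sa] EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
2024-05-01 10:04:21.00 Audit  [CLIENT: 203.0.113.7] [USER: sa] EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
2024-05-01 10:04:25.00 Audit  [CLIENT: 203.0.113.7] [USER: sa] EXEC master..xp_cmdshell 'whoami'
2024-05-01 10:05:00.00 Audit  [CLIENT: 10.0.0.12] [USER: webapp] SELECT name FROM sys.tables
"""

FAILED_LOGIN = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
AUDIT_STMT = re.compile(r"\[CLIENT: (?P<client>[^\]]+)\] \[USER: (?P<user>[^\]]+)\] (?P<stmt>.+)$")

# Signatures chosen for this example, ordered so the more specific label wins:
# enabling the shell via sp_configure, registering an extended procedure, or calling xp_cmdshell.
SUSPICIOUS = [
    ("xp_cmdshell enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("extended procedure registered", re.compile(r"\bsp_addextendedproc\b", re.I)),
    ("xp_cmdshell invoked", re.compile(r"\bxp_cmdshell\b", re.I)),
]

def detect_sa_bruteforce(lines, threshold=3):
    """Map client address -> number of failed 'sa' logins, for clients at or above threshold."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m and m.group("user") == "sa":
            counts[m.group("client")] += 1
    return {client: n for client, n in counts.items() if n >= threshold}

def detect_cmdshell_activity(lines):
    """List (client, user, label) for each audited statement matching a SUSPICIOUS signature."""
    hits = []
    for line in lines:
        m = AUDIT_STMT.search(line)
        if not m:
            continue
        for label, pattern in SUSPICIOUS:
            if pattern.search(m.group("stmt")):
                hits.append((m.group("client"), m.group("user"), label))
                break
    return hits
```

On the sample, the same client that fails the 'sa' login four times is the one that enables and then calls xp_cmdshell, which is the sequence worth correlating in an alert.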
Sqlninja is written in Perl, so what is needed is to install Perl and the following modules, if they are not there by default:
* NetPacket
* Net-pcap
* Net-DNS
* Net-RawIP
* IO-Socket-SSL
You will also need at least Metasploit Framework 3 on your computer to use the Metasploit attack mode, and a VNC client if you use the VNC payload.
If something goes wrong, enabling verbose output (-v option) and / or debugging (-d) should provide some clues. Sqlninja has been tested on a Gentoo system, but it has also been tried on the following operating systems:
- Linux
- FreeBSD
- Mac OS X
Check out the video demo below: