[MacPorts] #31901: add SQlNinja to the ports tree

MacPorts noreply at macports.org
Fri Nov 4 10:13:58 PDT 2011


#31901: add SQlNinja to the ports tree
--------------------------------------------------+-------------------------
 Reporter:  fyodor.vassiley@…                     |       Owner:  macports-tickets@…                   
     Type:  request                               |      Status:  new                                  
 Priority:  Low                                   |   Milestone:                                       
Component:  ports                                 |     Version:  2.0.3                                
 Keywords:  CEHv7 SQlNinja sql injection pentest  |        Port:  SQlNinja                             
--------------------------------------------------+-------------------------
 http://sqlninja.sourceforge.net/

 Introduction

 Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI
 access on the DB? Take a few new SQL Injection tricks, add a couple of
 remote shots in the registry to disable Data Execution Prevention, mix
 with a little Perl that automatically generates a debug script, put all
 this in a shaker with a Metasploit wrapper, shake well and you have just
 one of the attack modules of sqlninja!
 Sqlninja is a tool targeted at exploiting SQL Injection vulnerabilities on a
 web application that uses Microsoft SQL Server as its back-end.
 Its main goal is to provide remote access to the vulnerable DB server,
 even in a very hostile environment. It should be used by penetration
 testers to help and automate the process of taking over a DB Server when a
 SQL Injection vulnerability has been discovered.
 Have a look at the flash demo and then feel free to download. It is
 released under the GPLv3.

 Features

 The full documentation can be found in the tarball and also here, but
 here's a list of what the Ninja does:

     Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
     Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
     Privilege escalation to sysadmin group if 'sa' password has been found
     Creation of a custom xp_cmdshell if the original one has been removed
     Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
     TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
     Direct and reverse bindshell, both TCP and UDP
     ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box
     DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
     Evasion techniques to confuse a few IDS/IPS/WAF
     Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
     Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping
     Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM

-- 
Ticket URL: <https://trac.macports.org/ticket/31901>
MacPorts <http://www.macports.org/>
Ports system for Mac OS