Comments on: sqlninja 0.2.3 released – Advanced Automated SQL Injection Tool for MS-SQL http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/ Ethical Hacking, Penetration Testing & Computer Security Tue, 14 Feb 2012 00:17:07 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Navin http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123292 Navin Sat, 07 Jun 2008 06:30:29 +0000 http://www.darknet.org.uk/?p=863#comment-123292 razta's right but I feel tht this tool is both a boon and a bane. N00bs getting their hands on tools like this increases risk to SQL servers. BTW "Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja!" Nice play of words!! razta’s right but I feel tht this tool is both a boon and a bane. N00bs getting their hands on tools like this increases risk to SQL servers.

BTW “Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja!”

Nice play of words!!

]]> By: Jinesh Doshi http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123264 Jinesh Doshi Wed, 04 Jun 2008 07:54:04 +0000 http://www.darknet.org.uk/?p=863#comment-123264 @ Jeremy Richards Hey Thank you so much. It just didnt click to me :(. @ Jeremy Richards

Hey Thank you so much. It just didnt click to me :(.

]]> By: Jeremy Richards http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123262 Jeremy Richards Tue, 03 Jun 2008 20:03:23 +0000 http://www.darknet.org.uk/?p=863#comment-123262 Jinesh, you'll notice the following in the post above: "Sqlninja is a tool written in PERL to..." Perl binaries for windows can be found: perl.com/download.csp#win32 sqlmap.py is also a great tool and written in python. Python binaries for windows can be found: python.org/ftp/python/2.5.2/python-2.5.2.msi Jinesh,

you’ll notice the following in the post above: “Sqlninja is a tool written in PERL to…”

Perl binaries for windows can be found:
perl.com/download.csp#win32

sqlmap.py is also a great tool and written in python. Python binaries for windows can be found:
python.org/ftp/python/2.5.2/python-2.5.2.msi

]]> By: Nico http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123254 Nico Mon, 02 Jun 2008 14:20:53 +0000 http://www.darknet.org.uk/?p=863#comment-123254 This IS a great tool for IT pros. Have you heard of any loopholes it finds if the SQL statements are not concatenated and the input fields are escaped properly? This IS a great tool for IT pros. Have you heard of any loopholes it finds if the SQL statements are not concatenated and the input fields are escaped properly?

]]> By: Jinesh Doshi http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123251 Jinesh Doshi Mon, 02 Jun 2008 08:20:46 +0000 http://www.darknet.org.uk/?p=863#comment-123251 Why are these tools not available on windows?? So even some dumb heads like me can do a little show off :). Why are these tools not available on windows?? So even some dumb heads like me can do a little show off :).

]]> By: razta http://www.darknet.org.uk/2008/05/sqlninja-023-released-advanced-automated-sql-injection-tool-for-ms-sql/#comment-123231 razta Fri, 30 May 2008 18:29:04 +0000 http://www.darknet.org.uk/?p=863#comment-123231 Great tool! Sorry for the double post, again! There should be an edit button, could use cookies to do this. In the newest version they have integrated it with metasploit and VNC, you can now have access to the SQL server with a complete GUI! Wait till script kiddies get a hold of this! Hopefully admins will now start to think about security when coding. My SQL injection skills are minimal, so it will definitely come in use (when im legally testing my own SQL server). Great tool!

Sorry for the double post, again! There should be an edit button, could use cookies to do this.

In the newest version they have integrated it with metasploit and VNC, you can now have access to the SQL server with a complete GUI! Wait till script kiddies get a hold of this! Hopefully admins will now start to think about security when coding.

My SQL injection skills are minimal, so it will definitely come in use (when im legally testing my own SQL server).

]]>