sqlninja is a little toy that has been coded during a couple of pen-tests done lately and it is aimed to exploit SQL Injection vulnerabilities on web applications that use Microsoft SQL Server as their back-end.
It borrows some ideas from similar tools like bobcat, but it is more targeted in providing a remote shell even with paranoid firewall settings.
It is written in perl and runs on UNIX-like boxes.
Here’s a list of what it does so far:
- Upload of nc.exe (or any other executable) using the good ol’ debug script trick
- TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
- Direct and reverse bindshell, both TCP and UDP
- DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
Being an alpha version and since it was originally supposed to be just a quick&dirty toy for a pentest, there are lots of bugs waiting to be found and fixed so go ahead and download it ! :)
More tunneling options (e.g.: HTTP, SMTP, …) will be added in the future together.
You can read more and download sqlninja here: