sqlninja 0.2.1-r1 – SQL Injection Tool for MS-SQL Released for Download

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X


  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New

  • A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
  • Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ‘sa’ account can succeed or not
  • Documentation is now in HTML format, which should make things much easier for new users
  • Several bugfixes and minor improvements

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.

Posted in: Database Hacking, Hacking Tools

, , , , , , ,

Latest Posts:

SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.
DeepSound - Audio Steganography Tool DeepSound – Audio Steganography Tool
DeepSound is an audio steganography tool and audio converter that hides secret data into audio files, the application also enables you to extract from files.
2019 High Severity Vulnerabilities What are the MOST Critical Web Vulnerabilities in 2019?
So what is wild on the web this year? Need to know about the most critical web vulnerabilities in 2019 to protect your organization?
GoBuster - Directory/File & DNS Busting Tool in Go GoBuster – Directory/File & DNS Busting Tool in Go
GoBuster is a tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (inc. wildcards) - a directory/file & DNS busting tool.
BDFProxy - Patch Binaries via MITM - BackdoorFactory + mitmProxy BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy
BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy enabling on the fly patching of binary downloads
Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.

4 Responses to sqlninja 0.2.1-r1 – SQL Injection Tool for MS-SQL Released for Download

  1. CG November 20, 2007 at 3:56 pm #

    we’ve been playing with this tool alot at LSO, its really pretty handy. it was also enumerate the account name if it isnt sa, which is handy, you can then throw passwords at the right username.

    very functional with mssql2000 somewhat less with 2005 but thats the nature of the beast

  2. dirty November 21, 2007 at 1:14 am #

    I havent tested it yet but some colleagues of mine have. Its been out for sometime so I need to get my a$$ in the lab…why is there always so much work around the holidays……ughhhhhh

  3. Goodpeople November 23, 2007 at 7:33 pm #

    Yeah, I wish I had some more time on my hands as well. I always thought that sql-injections are the most fun to play with….

  4. Sir Henry December 14, 2007 at 6:11 pm #

    It appears that we all suffer from the same lack of time to do all the fun things like test these applications.


    What exactly is your role? Are you a sec eng?