SQL Ninja Hacking Tool

Tuesday, May 27, 2008 by Mistlee






05.27.08

SQL Ninja Hacking Tool

By Dan Morrill

There is a certain amount of respect earned when someone makes a hacking tool that not only does what it is supposed to do, but does it elegantly as well. While this tool is aimed at professional pen testers, this is one tool that should be in everyone's information security toolbox.

SQL Ninja is a SQL injection hacking tool that provides a multi-step process for getting into an SQL server back end. It only runs on Linux and Apple operating systems, so those looking for a Windows-based tool will not find one here. Get a VM and learn Linux; most of the best hacking tools live on Linux.

There is a demo of the tool planned that shows off how to use this tool as part of a multi-staged attack that in the end provides the attacker with GUI access to your systems. The good part is that while this tool is mainly used for Windows SQL servers, there are some modifications you can make that will allow it to work for just about any database out there on the market.

You can see a handy Flash video of the tool in action here.

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is released under the GPLv2 and it has been featured on SecurityHack's Top 15 Free SQL Injection Scanners, which is a good result for something that started as a small script written on-the-fly during a pen-test :)

Source: SQL Ninja


This is not an easy tool to set up, but once you have it set up, its potential becomes immediately apparent when you run it against your own servers. You might not want to know that there are issues, because many of them will be difficult to fix, but you really do want to know that there are issues. It might cause some long weekends, and much hate and discontent in the IT shop today, but you really want to know about these kinds of issues.

The idea is to keep the databases safe, so it is worth downloading the tool, and aiming it at some of the databases in your office to see what comes up. Plan on spending a few hours getting the tool to work, but once you have it working, it is so worth it.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
-- SQLProNews is an iEntry, Inc. publication --