I have another tutorial for you guys. I thought I would make this one before I edited my last one.
Sqlninja is a program used to take over MSSQL websites. To do so, it comes with a variety of tools to gain permissions that will eventually lead up to a takeover. It's a very handy tool. There is only one problem though, it involves brute forcing the password, which quite frankly, almost never works. Usually people these days understand having a strong password is not optional, so in most cases it won't work. Unless of course they didn't change their "sa" password.
To get started you'll need a victim. I suggest your own website, unless you want to break the law. In whichc case, use VPN one click or freeusvpn.com They are both strong and fast servers.
To find a victim, you must first know advanced SQL injection. So you can use a waitfordelay command to find if they use a MSSQL database. I am not going to get into that because even if I did explain the WAITFOR Delay command you would get lost in the config file. All I can say is, find a victim, and set up the config file accordingly.
After you have a victim, a vulnerable page, and the config file set up. We can get started.
You will first fingerprint the website. This means to find out how much power you have over the site. Basically, what you can an can't do. You do this by typing:
./sqlninja -m fingerprint
Here is a screenshot of the fingerprint:
Now I will be covering a worst case seneraio. This is when the xp_cmdshell isn't working and you are not "sa," or the admin.
Now since we have a lot to deal with, let's start with a brute force of the "sa" password to gain more rights on the site. Simply type this in:
sqlninja -m bruteforce -f (the path to the word list)
This will probably take 30 mins to bruteforce considering you have an ok word list. During which time, you will most likely be praying to the dear lord the idiot running the site has no numbers in his password, or capitals. Now if you get a success, that means your word list worked. Now let's say the password was:
Then all our commands will end in a "-p password"
Now after we have the password let's run a simple reactivate of the xp_cmdshell. Type in
./sqlninja -m x -p password
No most likely it will not work, but in some cases it might say this: