I have another tutorial for you guys. I thought I would make this one before I edited my last one.
Sqlninja is a program used to take over MSSQL-backed websites. To do so, it comes with a variety of tools for gaining permissions that eventually lead up to a takeover. It's a very handy tool. There is only one problem though: it involves brute forcing the password, which quite frankly almost never works. Usually people these days understand that having a strong password is not optional, so in most cases it won't work. Unless, of course, they didn't change their "sa" password.
To get started you'll need a victim. I suggest your own website, unless you want to break the law. In which case, use VPN one click or freeusvpn.com. They are both strong and fast servers.
To find a victim, you must first know advanced SQL injection, so you can use a WAITFOR DELAY command to find out if they use an MSSQL database. I am not going to get into that, because even if I did explain the WAITFOR DELAY command you would get lost in the config file. All I can say is: find a victim, and set up the config file accordingly.
After you have a victim, a vulnerable page, and the config file set up, we can get started.
You will first fingerprint the website. This means finding out how much power you have over the site; basically, what you can and can't do. You do this by typing:
./sqlninja -m fingerprint
Here is a screenshot of the fingerprint:
Now I will be covering a worst case scenario. This is when xp_cmdshell isn't working and you are not "sa," the admin.
Now since we have a lot to deal with, let's start with a brute force of the "sa" password to gain more rights on the site. Simply type this in:
sqlninja -m bruteforce -f (the path to the word list)
This will probably take 30 mins to brute force, assuming you have an OK word list. During that time, you will most likely be praying to the dear lord that the idiot running the site has no numbers or capitals in his password. Now, if you get a success, that means your word list worked. Let's say the password was:
password
Then all our commands will end in "-p password".
Now that we have the password, let's run a simple reactivation of xp_cmdshell. Type in:
./sqlninja -m x -p password
Now, most likely it will not work, but in some cases it might say this:
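From the other side of the fence, both steps above leave obvious traces in the SQL Server ERRORLOG: the bruteforce module produces a burst of "Login failed for user 'sa'" entries from one client, and switching xp_cmdshell back on writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line. The script below is an added example (not part of this tutorial and not sqlninja's code) that reads ERRORLOG text and flags both patterns; the log lines are constructed samples in the format SQL Server writes, and the threshold of 5 failures in 60 seconds is an assumption you would tune for your own server.

```python
"""Flag two sqlninja-style events in a SQL Server ERRORLOG:
  1. a burst of failed logins for one user from one client (bruteforce mode)
  2. xp_cmdshell being enabled through sp_configure (the reactivation step)
Sample log lines are constructed; detection thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (format follows what SQL Server writes).
SAMPLE_LOG = """\
2024-03-01 09:00:00.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:00:00.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:00.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:00.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:00.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:00:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-03-01 09:05:12.00 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
2024-03-01 09:07:41.00 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# "<date> <time> Logon   Login failed for user '<name>'. ... [CLIENT: <addr>]"
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+ \S+) +Logon +Login failed for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)
# "<date> <time> spidNN   Configuration option 'xp_cmdshell' changed from 0 to 1 ..."
XP_CMDSHELL_ON = re.compile(
    r"^(?P<ts>\S+ \S+) +\S+ +Configuration option 'xp_cmdshell' changed from 0 to 1"
)


def parse_ts(text):
    """ERRORLOG timestamps look like 2024-03-01 09:00:00.10 (fractional seconds)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect(log_text, threshold=5, window_seconds=60):
    """Return a list of findings, in log order.

    threshold/window_seconds: assumed tuning values, not SQL Server defaults.
    A (user, client) pair is reported once, when it first reaches `threshold`
    failed logins inside a sliding window of `window_seconds`."""
    findings = []
    recent = defaultdict(deque)  # (user, client) -> timestamps still in window
    alerted = set()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            key = (m["user"], m["client"])
            ts = parse_ts(m["ts"])
            window = recent[key]
            window.append(ts)
            # Drop failures that fell out of the sliding window.
            while window and ts - window[0] > timedelta(seconds=window_seconds):
                window.popleft()
            if len(window) >= threshold and key not in alerted:
                alerted.add(key)
                findings.append({
                    "type": "login_bruteforce",
                    "user": key[0],
                    "client": key[1],
                    "count": len(window),
                    "first": window[0],
                    "last": ts,
                })
            continue
        m = XP_CMDSHELL_ON.match(line)
        if m:
            findings.append({"type": "xp_cmdshell_enabled", "time": parse_ts(m["ts"])})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The single failure for "reportuser" never reaches the threshold, so only the "sa" burst and the xp_cmdshell change are reported. The xp_cmdshell line is written whenever sp_configure flips that option, so even a legitimate change is worth a ticket; if it shows up minutes after a login burst from the same client, the two findings together tell the whole story of this tutorial from the server's point of view.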