There is a certain amount of respect earned when someone makes a hacking tool that not only does what it is supposed to do, but does it elegantly as well. While this tool is aimed at professional pen testers, this is one tool that should be in everyone’s information security toolbox.
SQL Ninja is a SQL injection hacking tool, that provides a multi-step process to getting into an SQL server back end. It only runs on Linux and Apple operating systems, so for those looking for a Windows based tool, you will not find that here. Get a VM and learn linux, most of the best hacking tools live on linux.
There is a demo of the tool planned that shows off how to use this tool as part of a multi-staged attack that in the end provides the attacker with GUI access to your systems. The good part is that while this tool is mainly used for Windows SQL servers, there are some modifications you can make that will allow it to work for just about any database out there on the market.
You can see a handy flash video of the tool in action here.
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
It is released under the GPLv2 and it has been featured on SecurityHack’s Top 15 Free SQL Injection Scanners, which is a good result for something that started as a small script written on-the-fly during a pen-test 🙂 Source: SQL Ninja
This is not an easy tool to set up, but once you have it set up, the potential of something like this becomes immediately apparent when you run it against your own servers. You might not want to know that there are issues because many of them will be difficult to fix, but you really do want to know that there are issues. Might cause some long weekends, and much hate and discontent in the IT Shop today, but you really want to know about these kinds of issues.
The idea is to keep the databases safe, so it is worth downloading the tool, and aiming it at some of the databases in your office to see what comes up. Plan on spending a few hours getting the tool to work, but once you have it working, it is so worth it.