Version 0.2.5

 Upload mode is not limited to files of 64k bytes anymore
 Uploading files is also *massively* faster
 Proxy support (it was ***ing time!)
 Support for token kidnapping (thanks Cesar!)
 Lots of other minor improvements

Features

 Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
 Bruteforce of ’sa’ password (in 2 flavors: dictionary-based and incremental)
 Privilege escalation to sysadmin group if ’sa’ password has been found
 Creation of a custom xp_cmdshell if the original one has been removed
 Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
 TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
 Direct and reverse bindshell, both TCP and UDP
 DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
 Evasion techniques to confuse a few IDS/IPS/WAF
 Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
 Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping

Platforms supported

Sqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:

 Linux
 FreeBSD
 Mac OS X

• Read the User Manual

More information: here