Tuesday, June 14, 2011

mssql-hax0r v0.9 – Multi-purpose MS-SQL injection script

1:37 AM  expert  No comments

mssql-hax0r v0.9 is a Multi-purpose MS-SQL injection attack tool for advanced Microsoft SQL Server exploitation. Three modes of operation are currently available: info (Information Gathering), dump (Record Dump), and brute ( Brute Force).
You may need to tweak the code a bit to make it fit your needs (i.e. modifying the injection string and/or the language used by the RDBMS).
TODO (v1.0):

  • fix italian language support (test platform needed)
  • info mode: add logins target (master..sysxlogins) [name,dbname,password]
  • brute mode: automatic login grabbing feature?
  • info mode: add sys target (xtype=’S')?
  • info mode: implement better types/keys dumping
  • add a command execution mode via master..xp_cmdshell?
  • add a privileged testing mode for post-auth vulnerabilities.
It’s a fairly early version, I’ve been watching it since v0.1 – it’s a little more polished now but it’s still definitely a tool for more advanced users.
I’m sure some of you will find it useful.

Grab it here:
mssql-hax0r

Posted in:

0 comments:

Post a Comment