################################### # SQLNINJA CONFIGURATION FILE # ################################### # WARNING 1: options are case sensitive # WARNING 2: don't forget to URL-encode, when needed. This applies to: # - page # - stringstart # - stringend # see sqlninja-howto.html for more information and examples # Host (required) host = x.x.x.x # Port (optional, default: 80) # port = 80 # Use SSL (yes/no/auto. Default: auto) # ssl = yes # Method to use (optional, default: GET) method = GET # Vulnerable page (e.g.: /dir/target.asp) page = /dir/target.asp # Start of the exploit string. It must include the vulnerable parameter # and the character sequence that allows us to start injecting commands. In # general this means, at least: # - an apostrophe (if the parameter is a string) # - a semicolon (to end the original query) # It must also include everything necessary to properly close the original # query, like an appropriate number of closing brackets. Don't forget # to URL-encode, where needed (e.g. spaces) # For instance, if we consider the following TSQL command: # exec master..xp_cmdshell 'dir c:\' # and the string to inject is the following: # aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:' # this parameter should look like this: # stringstart = aaa=1&bbb=x'; stringstart = param=a'; # If you need to add some more parameters after the vulnerable one, put # them here (don't forget the leading "&" sign). This option can also be # used when commenting the rest of the original query does not work and you # need to add some SQL code instead. If this is the case, you need to set # "appendcomment" option to "no". Don't forget the leading "&" sign and # to URL-encode, where needed. # e.g.: stringend = ¶m3=aaa stringend = # Local host: your IP address (for backscan and revshell modes) lhost = 192.168.1.1 # Interface to sniff when in backscan mode device = eth0 # Evasion techniques to be used. Possible choices are: # 1 - Query hex-encoding # 2 - Comments as separators # 3 - Random case # 4 - Random URI encoding # All techniques can be combined, so the following is legal: # evasion = 1234 # However, keep in mind that using too many techniques at once leads to very # long queries, that might create problems when using GET. Default: no evasion # evasion = 12 # Path to metasploit executable. Only needed if msfpayload and # msfcli are not already in the path msfpath = /dir1/dir2/framework-3.1 # Additional headers to include into the request. E.g.: # Host: www.test.com # Connection: close # Cookie: ASPSESSIONID=xxxxxxxxxxxxxxxxxxxx # Authorization: Basic yyyyyyyyyyyyyyyyyyyyy # Important: Do not remove "--headers_start--" and "--headers_end--" --headers_start-- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Firefox/1.0.8 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.7,it;q=0.3 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Content-Type: application/x-www-form-urlencoded Connection: close --headers_end-- # Domain to use for dnstunnel mode domain = sqlninja.net # tcpdump filter (optional) # filter = src host x.x.x.x # Backscan timeout after web request conclusion (Default: 5 secs) # timeout = 5 # Maximum hostname length for DNS tunnel (Max: 250 - Default: 250) # hostnamelength = 250 # IP address to return to DNS queries (default: 10.255.255.254) # resolvedip = 10.255.255.254 # Name of the procedure to use/create to launch commands. Default is # "xp_cmdshell". If set to "NULL", openrowset+sp_oacreate will be used # for each command # xp_name = xp_cmdshell # Time value for the WAITFOR during inference attack of fingerprint and # bruteforce mode. A higher value makes things slower but will yeld more # precise results against slow targets. # Min: 3 seconds. Max: 59 seconds. Default: 5 seconds blindtime = 5 # If the remote server returns a custom error page instead of a standard # HTTP error code (e.g. 500 Server Error), it is wise to set this value to # some string that is present in such a page. This will help sqlninja in # figuring out if things seem to be wrong # errorstring = "an error has occurred" # By default, sqlninja appends two hyphens to the injected query in order # to comment out any spurious SQL code. This is good and works in # approximately 99% of the cases. However, you might want to change this # behavior in some very specific scenarios. Change this setting only if you # really know what you are doing, # Possible values: yes/no # appendcomment = yes