sqlninja is a popular tool used to test SQL injection vulnerabilities in Microsoft SQL servers. Databases are an integral part of web apps hence, even a single flaw in it can lead to mass compromising of information. Let us see how sqlninja can be used for database penetration testing.
To launch SQL ninja, browse to Applications | Kali Linux | Web applications | Database Exploitation | sqlninja.
To launch SQL ninja, browse to Applications | Kali Linux | Web applications | Database Exploitation | sqlninja.
This will launch the terminal window with sqlninja parameters. The important parameter to look for is either the mode parameter or the –m parameter:
The –m parameter specifies the type of operation we want to perform over the target database. Let us pass a basic command and analyze the output:
root@kali:~#sqlninja –m test Sqlninja rel. 0.2.3-r1 Copyright (C) 2006-2008 icesurfer [-] sqlninja.conf does not exist. You want to create it now ? [y/n]
This will prompt you to set up your configuration file (sqlninja.conf). You can pass the respective values and create the config file. Once you are through with it, you are ready to perform database penetration testing.
The Websploit framework Websploit is an open source framework designed for vulnerability analysis and penetration testing of web applications. It is very much similar to Metasploit and incorporates many of its plugins to add functionalities.
To launch Websploit, browse to Applications | Kali Linux | Web Applications | Web Application Fuzzers | Websploit.
We can begin by updating the framework. Passing the update command at the terminal will begin the updating process as follows:
wsf>update [*]Updating Websploit framework, Please Wait…
Once the update is over, you can check out the available modules by passing the following command:
wsf>show modules
Let us launch a simple directory scanner module against www.target.com as follows:
wsf>use web/dir_scanner wsf:Dir_Scanner>show options wsf:Dir_Scanner>set TARGET www.target.com wsf:Dir_Scanner>run
To launch a brute force attack against a password file, you can pass the following command:
root@kali:~#john pwd
root@kali:~#john pwd
Here pwd is the name of the password file.
To retrieve the cracked password, pass the following command:
root@kali:~#john –show pwd
You can also provide a wordlist of stored passwords:
root@kali:~#john --wordlist=password.lst --rules pwd
Attacking the database using sqlninja on Linux
4/
5
Oleh
Arycurve
1 komentar:
Tulis komentarthanks for this web
Replyhttp://budakkampungsitu.blogspot.com
Silahkan Berkomentar dengan Sopan, relevan dan Jangan Spam