From: Marco Ivaldi (raptor@mediaservice.net)
Date: Thu May 24 2007 - 06:06:02 EDT
Hey again pen-testers,
On Mon, 21 May 2007, Marco Ivaldi wrote:
> You shouldn't expect anything too fancy (it's still v0.1 after all;), but it
> does its job:
I managed to work a bit more on my multi-purpose MSSQL injection script,
and now (at version 0.9;) it can be considered a fairly powerful and
usable attack tool. You can download it from:
http://www.0xdeadbeef.info/code/mssql-hax0r
Three modes of operation are available:
1) Information Gathering (-m info).
Dump basic information about the MSSQL database (@@version, db_name(),
user_name(), system_user, etc.), database names, tables/views/stored
procedures, columns, data types, keys, and users.
2) Record Dump (-m dump).
Dump N records from the specified columns/table|db..table
3) Brute Force (-m brute)
Perform a brute force attack against the specified user(s), either
using a password wordlist or testing weak passwords such as the empty
one or password=username.
Cheers,
-- 
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division
@ Mediaservice.net Srl
http://mediaservice.net/