Posted Nov 10, 2010 21:40 UTC (Wed) by ballombe (subscriber, #9523)
You do not feel tempted to use it on your own servers to check whether they can be subverted?
Fedora rejects SQLninja
Posted Nov 11, 2010 7:40 UTC (Thu) by codefisher (guest, #64993)
About to download it now for that very purpose, see if I can break into my own server. If it turns out I can, I am going to be changing settings till it will no longer work.
Fedora rejects SQLninja
Posted Nov 11, 2010 9:15 UTC (Thu) by dlang (✭ supporter ✭, #313)
this is exactly the wrong way to provide security. you are looking to fix the symptom instead of fixing the underlying problem.
once the tool no longer works, you may or may not have actually fixed the real problem, all that you know is that this particular tool no longer works.
if you have a problem with SQL injection, you don't need a 'takeover' tool to show you that, you just need a fuzzing tool and watch your database logs for strange errors.
if you do have a SQL injection vulnerability, what you need to do is go back and look at your application design and how you are doing input validation and how you are interacting with the database (sanitization of database query parameters, switching to prepared statements, etc) and fix the problem at a conceptual level, that way you not only defend against this particular tool, you also defend against the entire class of tools that send you bogus input in the hope that it breaks you.
If you have this in place and a fuzzing tool still shows problems, then you have a bug in your input validation code, which means it's time to go back and really review the code, not just twist knobs until you don't see the breakage anymore.
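The check described in the comment above (send malformed input, watch for database errors, then switch to prepared statements), as an added example that is not part of the original thread. It assumes an in-memory SQLite database standing in for the real one; the table, the function names and the fuzz inputs are constructed for illustration.

```python
import sqlite3

# Constructed fuzz inputs: ordinary names mixed with quote characters and
# other punctuation that a form field might receive.
FUZZ_INPUTS = ["alice", "o'brien", "'", "it's", "100%", "a\\b", "ü'ñ", '"quoted"']


def make_db():
    """Fresh in-memory database with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("o'brien", "ob@example.org")],
    )
    return db


def lookup_concat(db, name):
    # Before: the input is pasted into the SQL text, so it becomes part of
    # the statement the database parses.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_prepared(db, name):
    # After: the statement text is fixed; the input is bound as a value only.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def fuzz(lookup):
    """Run every fuzz input through `lookup` and return (input, error) pairs
    for each input that made the database raise an error."""
    db = make_db()
    errors = []
    for value in FUZZ_INPUTS:
        try:
            lookup(db, value)
        except sqlite3.Error as exc:
            errors.append((value, str(exc)))
    return errors


if __name__ == "__main__":
    for label, fn in (("concatenated", lookup_concat), ("prepared", lookup_prepared)):
        found = fuzz(fn)
        print(f"{label}: {len(found)} database errors")
        for value, message in found:
            print(f"  {value!r}: {message}")
```

Every input containing a single quote produces a parse error in the concatenated version, which is the kind of strange database error the comment says to watch for; the prepared version produces none and can also look up the legitimate name `o'brien`.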
Fedora rejects SQLninja
Posted Nov 11, 2010 16:21 UTC (Thu) by gidoca (subscriber, #62438)
You are right /if/ you know that you have a SQL injection. However, if you're not sure, you might just introduce one and see if you can break in using sqlninja. After all, being able to get full access to a server by exploiting a SQL injection is pretty serious. If you can, IMHO you better do something about it, even if you don't currently vulnerable to SQL injections. Like, for instance, move away from MS SQL Server (which seems to be the only SQL server sqlninja supports).
Fedora rejects SQLninja
Posted Nov 11, 2010 16:23 UTC (Thu) by gidoca (subscriber, #62438)
I meant to say: "...even if your software isn't vulnerable to..."
Fedora rejects SQLninja
Posted Nov 12, 2010 19:22 UTC (Fri) by till (subscriber, #50712)
The takeover tool comes in handy to demonstrate to developers how bad SQL injections can be. If they see how easily one can be used to gain full access on a system, they will more likely be more cautious in the future.
Fedora rejects SQLninja
Posted Nov 11, 2010 13:16 UTC (Thu) by Trou.fr (subscriber, #26289)
Believe it or not, some people out there get their systems audited, and pentesters actually do break into systems legally. Most penetration tools are actually written by people trying to do their job more efficiently.