Metasploit and SQL injection
Published on Jan. 17, 2011 by SECFORCE
SECFORCE has released a set of scripts for enhancing Metasploit functionality exploiting SQL injection vulnerabilities. This is particularly useful in two scenarios:
- When an attacker achieves command execution on a database via SQL injection, but he wants all the functionality offered by Metasploit.
- The attacker identifies that the back-end SQL server is vulnerable to MS_09004 but has no credentials or direct access to the database.
The scripts can be retrieved from the Metasploit repository.
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mssql/mssql_payload_sqli.rb
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
You may also be interested in...
Printers can be used to conduct network scans and can aid an attacker to perform a stealth network scan or bypass network access controls
See more
Cisco information disclosure vulnerability leveraging supposedly removed legacy functionality
See more
