SQLninja denial

Mike McGrath mmcgrath at redhat.com
Mon Nov 15 15:45:22 UTC 2010

On Mon, 15 Nov 2010, Eric "Sparks" Christensen wrote:

> 2010/11/15 Máirín Duffy <duffy at fedoraproject.org>:
> > On Sun, 2010-11-14 at 18:05 -0800, David Wagner wrote:
> >> The minutes also suggest confusion about penetration
> >> testing tools in general.
> >
> > What confusion did you see?
> >
> >> I saw in the minutes the objection that
> >> SQLninja is advertised as 'get root on remote systems'.  Are the board
> >> members aware that many penetration testing tools can be used to get
> >> root on remote systems, and it is precisely for this reason that they
> >> are useful for (legal, lawful, authorized) penetration testing?
> >
> > It may not have been clear from the minutes, but it's pretty safe to say
> > the board members are & were aware of this.
> >
> >>   Are the
> >> board members aware that legal penetration testing can, and sometimes
> >> does, include getting root on remote systems?
> >
> > Do you use SQLninja for penetration testing? Had you heard of it before?
> > What penetration testing tools do you use? Is the language they use to
> > explain & advertise their tools similar to that used for SQLninja? How
> > do you find out about penetration testing tools? How many of the ones
> > you use are GPL?
> So the problem is that it can be used to hack into a system and isn't
> passive like Nessus (is this really passive?), nmap, telnet (the
> client), airsnort, and wireshark, just to name a few?

Actually nessus has a non-passive mode as well.  I think there's some key
differences here that people are ignoring because it's convenient for them
to do so.

I should be clear about this.  I do think banning sqlninja is an
overreaction, but this isn't as clear cut as I think many of us want it to
be.  Nessus does have destructive scans but sends up warnings as a part of
using those scans.  Looking at the sqlninja demo, you have to be clear
about one thing, sqlninja is not a scanner / detection tool.  It's a
takeover tool.  It's designed as a takeover tool, the website targets
people wanting to use takeover tools and the demo shows you how to get
shell access to a remote machine and then ends the demo with:

"happy hacking ... :) :) :)..." [1]

Comparing sqlninja to telnet, nmap, wireshark is a pretty big leap in
logic in my opinion.  Is this partially a marketing issue?  Yes, I think
absolutely.  If the website were written differently and the authors of the
tool had not been so reckless in creating the tool, we wouldn't be
having this conversation, but all of that stuff matters to a jury of
non-technical people who have no reference point to know what telnet, nmap
or wireshark even are.

IMHO: Tools like this are easy to misuse and as such should be created
respectfully.  This tool was not.


[1] http://sqlninja.sourceforge.net/sqlninjademo1.html