adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1e4527d8338b4f431cdc8011c052d3744e29d7ed
metasploit-gs/modules/auxiliary/admin/mssql/mssql_enum.rb
T
cgranleese-r7 a4b14d8b64 Runs Rubocop to fix layout in modules
2025-06-20 15:18:01 +01:00

918 lines
29 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Report
include Msf::OptionalSession::MSSQL
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft SQL Server Configuration Enumerator',
'Description' => %q{
This module will perform a series of configuration audits and
security checks against a Microsoft SQL Server database. For this
module to work, valid administrative user credentials must be
supplied.
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
end
# rubocop:disable Metrics/MethodLength
def run
print_status('Running MS SQL Server Enumeration...')
if session
set_mssql_session(session.client)
else
unless mssql_login_datastore
print_error('Login was unsuccessful. Check your credentials.')
disconnect
return
end
end
# Get Version
print_status('Version:')
ver = mssql_query('select @@version')
sqlversion = ver[:rows].join
sqlversion.each_line do |row|
print "[*]\t#{row}"
end
vernum = sqlversion.gsub("\n", ' ').scan(/SQL Server\s*(200\d)/m)
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { version: sqlversion }
)
#---------------------------------------------------------
# Check Configuration Parameters and check what is enabled
print_status('Configuration Parameters:')
if vernum.join != '2000'
query = 'SELECT name, CAST(value_in_use AS INT) from sys.configurations'
ver = mssql_query(query)[:rows]
sysconfig = {}
ver.each do |l|
sysconfig[l[0].strip] = l[1].to_i
end
else
# enable advanced options
mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]
query = 'EXECUTE sp_configure'
ver = mssql_query(query)[:rows]
ver.class
sysconfig = {}
ver.each do |l|
sysconfig[l[0].strip] = l[3].to_i
end
end
#-------------------------------------------------------
# checking for C2 Audit Mode
if sysconfig['c2 audit mode'] == 1
print_status("\tC2 Audit Mode is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { c2_audit_mode: 'Enabled' }
)
else
print_status("\tC2 Audit Mode is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { c2_audit_mode: 'Disabled' }
)
end
#-------------------------------------------------------
# check if xp_cmdshell is enabled
if vernum.join != '2000'
if sysconfig['xp_cmdshell'] == 1
print_status("\txp_cmdshell is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { xp_cmdshell: 'Enabled' }
)
else
print_status("\txp_cmdshell is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { xp_cmdshell: 'Disabled' }
)
end
else
xpspexist = mssql_query("select sysobjects.name from sysobjects where name = \'xp_cmdshell\'")[:rows]
if !xpspexist.nil?
print_status("\txp_cmdshell is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { xp_cmdshell: 'Enabled' }
)
else
print_status("\txp_cmdshell is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { xp_cmdshell: 'Disabled' }
)
end
end
#-------------------------------------------------------
# check if remote access is enabled
if sysconfig['remote access'] == 1
print_status("\tremote access is Enabled")
else
print_status("\tremote access is Not Enabled")
end
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { remote_access: 'Enabled' }
)
#-------------------------------------------------------
# check if updates are allowed
if sysconfig['allow updates'] == 1
print_status("\tallow updates is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { allow_updates: 'Enabled' }
)
else
print_status("\tallow updates is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { allow_updates: 'Disabled' }
)
end
#-------------------------------------------------------
# check if Mail stored procedures are enabled
if vernum.join != '2000'
if sysconfig['Database Mail XPs'] == 1
print_status("\tDatabase Mail XPs is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { database_mail_xps: 'Enabled' }
)
else
print_status("\tDatabase Mail XPs is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { database_mail_xps: 'Disabled' }
)
end
else
mailexist = mssql_query("select sysobjects.name from sysobjects where name like \'%mail%\'")[:rows]
if !mailexist.nil?
print_status("\tDatabase Mail XPs is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { database_mail_xps: 'Enabled' }
)
else
print_status("\tDatabase Mail XPs is Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { database_mail_xps: 'Disabled' }
)
end
end
#-------------------------------------------------------
# check if OLE stored procedures are enabled
if vernum.join != '2000'
if sysconfig['Ole Automation Procedures'] == 1
print_status("\tOle Automation Procedures are Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { ole_automation_procedures: 'Enabled' }
)
else
print_status("\tOle Automation Procedures are Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { ole_automation_procedures: 'Disabled' }
)
end
else
oleexist = mssql_query("select sysobjects.name from sysobjects where name like \'%sp_OA%\'")[:rows]
if !oleexist.nil?
print_status("\tOle Automation Procedures is Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { ole_automation_procedures: 'Enabled' }
)
else
print_status("\tOle Automation Procedures are Not Enabled")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { ole_automation_procedures: 'Disabled' }
)
end
end
#-------------------------------------------------------
# Get list of Databases on System
print_status('Databases on the server:')
dbs = mssql_query('select name from master..sysdatabases')[:rows].flatten
if !dbs.nil?
dbs.each do |dbn|
print_status("\tDatabase name:#{dbn.strip}")
print_status("\tDatabase Files for #{dbn.strip}:")
if vernum.join != '2000'
db_ind_files = mssql_query("select filename from #{dbn.strip}.sys.sysfiles")[:rows]
if !db_ind_files.nil?
db_ind_files.each do |fn|
print_status("\t\t#{fn.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: {
database: dbn.strip, file: fn.join
}
)
end
end
else
db_ind_files = mssql_query("select filename from #{dbn.strip}..sysfiles")[:rows]
if !db_ind_files.nil?
db_ind_files.each do |fn|
print_status("\t\t#{fn.join.strip}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: {
database: dbn.strip,
file: fn.join
}
)
end
end
end
end
end
#-------------------------------------------------------
# Get list of syslogins on System
print_status('System Logins on this Server:')
if vernum.join != '2000'
syslogins = mssql_query('select loginname from master.sys.syslogins')[:rows]
else
syslogins = mssql_query('select loginname from master..syslogins')[:rows]
end
if !syslogins.nil?
syslogins.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { database_master_user: acc.join }
)
end
else
print_error("\tCould not enumerate System Logins!")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { logons: 'Could not enumerate System Logins' }
)
end
#-------------------------------------------------------
# Get list of disabled accounts on System
if vernum.join != '2000'
print_status('Disabled Accounts:')
disabledsyslogins = mssql_query('select name from master.sys.server_principals where is_disabled = 1')[:rows]
if !disabledsyslogins.nil?
disabledsyslogins.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { disabled_user: acc.join }
)
end
else
print_status("\tNo Disabled Logins Found")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { disabled_user: 'No Disabled Logins Found' }
)
end
end
#-------------------------------------------------------
# Get list of accounts for which password policy does not apply on System
if vernum.join != '2000'
print_status('No Accounts Policy is set for:')
nopolicysyslogins = mssql_query('select name from master.sys.sql_logins where is_policy_checked = 0')[:rows]
if !nopolicysyslogins.nil?
nopolicysyslogins.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { none_policy_checked_user: acc.join }
)
end
else
print_status("\tAll System Accounts have the Windows Account Policy Applied to them.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { none_policy_checked_user: 'All System Accounts have the Windows Account Policy Applied to them' }
)
end
end
#-------------------------------------------------------
# Get list of accounts for which password expiration is not checked
if vernum.join != '2000'
print_status('Password Expiration is not checked for:')
passexsyslogins = mssql_query('select name from master.sys.sql_logins where is_expiration_checked = 0')[:rows]
if !passexsyslogins.nil?
passexsyslogins.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { none_password_expiration_user: acc.join }
)
end
else
print_status("\tAll System Accounts are checked for Password Expiration.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { none_password_expiration_user: 'All System Accounts are checked for Password Expiration' }
)
end
end
#-------------------------------------------------------
# Get list of sysadmin logins on System
print_status('System Admin Logins on this Server:')
if vernum.join != '2000'
sysadmins = mssql_query('select name from master.sys.syslogins where sysadmin = 1')[:rows]
else
sysadmins = mssql_query('select name from master..syslogins where sysadmin = 1')[:rows]
end
if !sysadmins.nil?
sysadmins.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { sysdba: acc.join }
)
end
else
print_error("\tCould not enumerate sysadmin accounts!")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { sysdba: 'Could not enumerate sysadmin accounts' }
)
end
#-------------------------------------------------------
# Get list of Windows logins on System
print_status('Windows Logins on this Server:')
if vernum.join != '2000'
winusers = mssql_query('select name from master.sys.syslogins where isntuser = 1')[:rows]
else
winusers = mssql_query('select name from master..syslogins where isntuser = 1')[:rows]
end
if !winusers.nil?
winusers.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { windows_logins: acc.join }
)
end
else
print_status("\tNo Windows logins found!")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { windows_logins: 'No Windows logins found' }
)
end
#-------------------------------------------------------
# Get list of windows groups that can logins on the System
print_status('Windows Groups that can logins on this Server:')
if vernum.join != '2000'
wingroups = mssql_query('select name from master.sys.syslogins where isntgroup = 1')[:rows]
else
wingroups = mssql_query('select name from master..syslogins where isntgroup = 1')[:rows]
end
if !wingroups.nil?
wingroups.each do |acc|
print_status("\t#{acc.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { windows_groups: acc.join }
)
end
else
print_status("\tNo Windows Groups where found with permission to login to system.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { windows_groups: 'No Windows Groups where found with permission to login to system' }
)
end
#-------------------------------------------------------
# Check for local accounts with same username as password
sameasuser = []
if vernum.join != '2000'
sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]
else
sameasuser = mssql_query("SELECT name FROM master.dbo.syslogins WHERE PWDCOMPARE\(name, password\) = 1")[:rows]
end
print_status('Accounts with Username and Password being the same:')
if !sameasuser.nil?
sameasuser.each do |up|
print_status("\t#{up.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: {
username: up.join,
password: up.join
}
)
end
else
print_status("\tNo Account with its password being the same as its username was found.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { credentials: 'No Account with its password being the same as its username was found' }
)
end
#-------------------------------------------------------
# Check for local accounts with empty password
blankpass = []
if vernum.join != '2000'
blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]
else
blankpass = mssql_query('SELECT name FROM master.dbo.syslogins WHERE password IS NULL AND isntname = 0')[:rows]
end
print_status('Accounts with empty password:')
if !blankpass.nil?
blankpass.each do |up|
print_status("\t#{up.join}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: {
username: up.join,
password: 'EMPTY'
}
)
end
else
print_status("\tNo Accounts with empty passwords where found.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { credentials: 'No Accounts with empty passwords where found' }
)
end
#-------------------------------------------------------
# Check for dangerous stored procedures
dangeroussp = [
'sp_createorphan',
'sp_droporphans',
'sp_execute_external_script',
'sp_getschemalock',
'sp_prepexec',
'sp_prepexecrpc',
'sp_refreshview',
'sp_releaseschemalock',
'sp_replpostschema',
'sp_replsendtoqueue',
'sp_replsetsyncstatus',
'sp_replwritetovarbin',
'sp_resyncexecute',
'sp_resyncexecutesql',
'sp_resyncprepare',
'sp_resyncuniquetable',
'sp_unprepare',
'sp_xml_preparedocument',
'sp_xml_removedocument',
'sp_fulltext_getdata',
'sp_getbindtoken',
'sp_replcmds',
'sp_replcounters',
'sp_repldone',
'sp_replflush',
'sp_replincrementlsn',
'sp_replpostcmd',
'sp_replsetoriginator',
'sp_replstatus',
'sp_repltrans',
'sp_replupdateschema',
'sp_reset_connection',
'sp_sdidebug',
'xp_availablemedia',
'xp_check_query_results',
'xp_cleanupwebtask',
'xp_cmdshell',
'xp_convertwebtask',
'xp_deletemail',
'xp_dirtree',
'xp_displayparamstmt',
'xp_dropwebtask',
'xp_dsninfo',
'xp_enum_activescriptengines',
'xp_enum_oledb_providers',
'xp_enumcodepages',
'xp_enumdsn',
'xp_enumerrorlogs',
'xp_enumgroups',
'xp_enumqueuedtasks',
'xp_eventlog',
'xp_execresultset',
'xp_fileexist',
'xp_findnextmsg',
'xp_fixeddrives',
'xp_get_mapi_default_profile',
'xp_get_mapi_profiles',
'xp_get_tape_devices',
'xp_getfiledetails',
'xp_getnetname',
'xp_grantlogin',
'xp_initcolvs',
'xp_intersectbitmaps',
'xp_logevent',
'xp_loginconfig',
'xp_logininfo',
'xp_makewebtask',
'xp_mergexpusage',
'xp_monitorsignal',
'xp_msver any user',
'xp_msx_enlist',
'xp_ntsec_enumdomains',
'xp_ntsec_enumgroups',
'xp_ntsec_enumusers',
'xp_oledbinfo',
'xp_perfend',
'xp_perfmonitor',
'xp_perfsample',
'xp_perfstart',
'xp_printstatements',
'xp_prop_oledb_provider',
'xp_proxiedmetadata',
'xp_qv',
'xp_readerrorlog',
'xp_readmail',
'xp_readwebtask',
'xp_regaddmultistring',
'xp_regdeletekey',
'xp_regdeletevalue',
'xp_regenumvalues',
'xp_regread',
'xp_regremovemultistring',
'xp_regwrite',
'xp_repl_encrypt',
'xp_revokelogin',
'xp_runwebtask',
'xp_schedulersignal',
'xp_sendmail',
'xp_servicecontrol',
'xp_showcolv',
'xp_showlineage',
'xp_snmp_getstate',
'xp_snmp_raisetrap',
'xp_sprintf any user', # huh?
'xp_sqlagent_enum_jobs',
'xp_sqlagent_is_starting',
'xp_sqlagent_monitor',
'xp_sqlagent_notify',
'xp_sqlinventory',
'xp_sqlmaint',
'xp_sqlregister',
'xp_sqltrace',
'xp_startmail',
'xp_stopmail',
'xp_subdirs',
'xp_terminate_process',
'xp_test_mapi_profile',
'xp_trace_addnewqueue',
'xp_trace_deletequeuedefinition',
'xp_trace_destroyqueue',
'xp_trace_enumqueuedefname',
'xp_trace_enumqueuehandles',
'xp_trace_eventclassrequired',
'xp_trace_flushqueryhistory',
'xp_trace_generate_event',
'xp_trace_getappfilter',
'xp_trace_getconnectionidfilter',
'xp_trace_getcpufilter',
'xp_trace_getdbidfilter',
'xp_trace_getdurationfilter',
'xp_trace_geteventfilter',
'xp_trace_geteventnames',
'xp_trace_getevents',
'xp_trace_gethostfilter',
'xp_trace_gethpidfilter',
'xp_trace_getindidfilter',
'xp_trace_getntdmfilter',
'xp_trace_getntnmfilter',
'xp_trace_getobjidfilter',
'xp_trace_getqueueautostart',
'xp_trace_getqueuecreateinfo',
'xp_trace_getqueuedestination',
'xp_trace_getqueueproperties',
'xp_trace_getreadfilter',
'xp_trace_getserverfilter',
'xp_trace_getseverityfilter',
'xp_trace_getspidfilter',
'xp_trace_getsysobjectsfilter',
'xp_trace_gettextfilter',
'xp_trace_getuserfilter',
'xp_trace_getwritefilter',
'xp_trace_loadqueuedefinition',
'xp_trace_opentracefile',
'xp_trace_pausequeue',
'xp_trace_restartqueue',
'xp_trace_savequeuedefinition',
'xp_trace_setappfilter',
'xp_trace_setconnectionidfilter',
'xp_trace_setcpufilter',
'xp_trace_setdbidfilter',
'xp_trace_setdurationfilter',
'xp_trace_seteventclassrequired',
'xp_trace_seteventfilter',
'xp_trace_sethostfilter',
'xp_trace_sethpidfilter',
'xp_trace_setindidfilter',
'xp_trace_setntdmfilter',
'xp_trace_setntnmfilter',
'xp_trace_setobjidfilter',
'xp_trace_setqueryhistory',
'xp_trace_setqueueautostart',
'xp_trace_setqueuecreateinfo',
'xp_trace_setqueuedestination',
'xp_trace_setreadfilter',
'xp_trace_setserverfilter',
'xp_trace_setseverityfilter',
'xp_trace_setspidfilter',
'xp_trace_setsysobjectsfilter',
'xp_trace_settextfilter',
'xp_trace_setuserfilter',
'xp_trace_setwritefilter',
'xp_trace_startconsumer',
'xp_unc_to_drive',
'xp_updatecolvbm',
'xp_updateFTSSQLAccount',
'xp_updatelineage',
'xp_varbintohexstr',
'xp_writesqlinfo',
'xp_MSplatform',
'xp_MSnt2000',
'xp_MSLocalSystem',
'xp_IsNTAdmin',
'xp_mapdown_bitmap'
]
query = <<~EOS
SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P')
AND SYSOBJECTS.ID = SYSPROTECTS.ID
EOS
fountsp = mssql_query(query)[:rows]
if !fountsp.nil?
fountsp.flatten!
print_status('Stored Procedures with Public Execute Permission found:')
fountsp.each do |strp|
next unless dangeroussp.include?(strp.strip)
print_status("\t#{strp.strip}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { stored_procedures_with_public_execute_permission: strp.strip }
)
end
else
print_status("\tNo Dangerous Stored Procedure found with Public Execute.")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { stored_procedures_with_public_execute_permission: 'No Dangerous Stored Procedure found with Public Execute' }
)
end
#-------------------------------------------------------
# Enumerate Instances
instances = []
if vernum.join != '2000'
querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
instance_res = mssql_query(querykey)[:rows]
if !instance_res.nil?
instance_res.each do |i|
instances << i[0]
end
end
else
querykey = "exec xp_regread \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\', \'InstalledInstances\'"
instance_res = mssql_query(querykey)[:rows]
if !instance_res.nil?
instance_res.each do |i|
instances << i[1]
end
end
end
print_status('Instances found on this server:')
instancenames = []
if !instances.nil?
instances.each do |i|
print_status("\t#{i}")
instancenames << i.strip
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { instance_name: i }
)
end
else
print_status('No instances found, possible permission problem')
end
#---------------------------------------------------------
# Enumerate under what accounts the instance services are running under
print_status('Default Server Instance SQL Server Service is running under the privilege of:')
privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
if !privdflt.nil?
privdflt.each do |priv|
print_status("\t#{priv[1]}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: { default_instance_sql_server: priv[1] }
)
end
else
print_status("\txp_regread might be disabled in this system")
end
#------------------------------------------------------------
if instancenames.length > 1
instancenames.each do |i|
next unless i.strip != 'MSSQLSERVER'
privinst = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
if !privinst.nil?
print_status("Instance #{i} SQL Server Service is running under the privilege of:")
privinst.each do |p|
print_status("\t#{p[1]}")
report_note(
host: mssql_client.peerhost,
proto: 'TCP',
port: mssql_client.peerport,
type: 'MSSQL_ENUM',
data: {
instance_sql_server: i,
port: p[1]
}
)
end
else
print_status("\tCould not enumerate credentials for Instance.")
end
end
end
disconnect
end
# rubocop:enable Metrics/MethodLength
end
Reference in New Issue View Git Blame Copy Permalink