Module: Msf::Exploit::Remote::MSSQL
- Includes:
- Exploit::Remote::NTLM::Client, Kerberos::ServiceAuthenticator::Options, Kerberos::Ticket::Storage, MSSQL_COMMANDS, Tcp, Udp
- Defined in:
- lib/msf/core/exploit/remote/mssql.rb
Instance Attribute Summary
- #mssql_client ⇒ Object
  Returns the value of attribute mssql_client.
Attributes included from Tcp
Attributes included from Udp
Instance Method Summary
- #initialize(info = {}) ⇒ Object
  Creates an instance of a MSSQL exploit module.
- #mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object
  This method connects to the server over TCP and attempts to authenticate with the supplied username and password. The global socket is used and left connected after authentication.
- #mssql_login_datastore(db = nil) ⇒ Object
- #mssql_parse_done(data, info) ⇒ Object
  Parse a “done” TDS token.
- #mssql_parse_env(data, info) ⇒ Object
  Parse an “environment change” TDS token.
- #mssql_parse_error(data, info) ⇒ Object
  Parse an “error” TDS token.
- #mssql_parse_info(data, info) ⇒ Object
  Parse an “information” TDS token.
- #mssql_parse_reply(data, info) ⇒ Object
- #mssql_parse_ret(data, info) ⇒ Object
  Parse a “ret” TDS token.
- #mssql_parse_tds_reply(data, info) ⇒ Object
  Parse a TDS reply.
- #mssql_parse_tds_row(data, info) ⇒ Object
  Parse a single row of a TDS reply.
- #mssql_ping(timeout = 5) ⇒ Object
  This method sends a UDP query packet to the server and parses out the reply packet into a hash.
- #mssql_ping_parse(data) ⇒ Object
  Parse a 'ping' response and format as a hash.
- #mssql_prelogin(enc_error = false) ⇒ Object
  This method sends a prelogin packet and checks whether encryption is off.
- #mssql_print_reply(info) ⇒ Object
  Nicely print the results of a SQL query.
- #mssql_query(sqla, doprint = false, opts = {}) ⇒ Object
  Issue a SQL query using the TDS protocol.
- #mssql_send_recv(req, timeout = 15, check_status = true) ⇒ Object
- #mssql_tds_encrypt(pass) ⇒ Object
  Encrypt a password according to the TDS protocol (encode).
- #mssql_upload_exec(exe, debug = false) ⇒ Object
  Upload and execute a Windows binary through MSSQL queries.
- #mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object
- #powershell_upload_exec(exe, debug = false) ⇒ Object
  Upload and execute a Windows binary through MSSQL queries and Powershell.
- #set_session(client) ⇒ Object
Methods included from Kerberos::ServiceAuthenticator::Options
Methods included from Kerberos::Ticket::Storage
#kerberos_storage_options, #kerberos_ticket_storage, store_ccache
Methods included from Tcp
#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version
Methods included from Udp
#chost, #cleanup, #connect_udp, #cport, #deregister_udp_options, #disconnect_udp, #handler, #lhost, #lport, #rhost, #rport
Methods included from MSSQL_COMMANDS
#mssql_2k5_password_hashes, #mssql_2k_password_hashes, #mssql_current_user_escalation, #mssql_db_names, #mssql_enumerate_servername, #mssql_is_sysadmin, #mssql_rdp_enable, #mssql_rebuild_xpcmdshell, #mssql_sa_escalation, #mssql_sql_info, #mssql_sql_xpcmdshell_disable_2000, #mssql_xpcmdshell_disable, #mssql_xpcmdshell_enable, #mssql_xpcmdshell_enable_2000
Instance Attribute Details
#mssql_client ⇒ Object
Returns the value of attribute mssql_client.
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 20

    def mssql_client
      @mssql_client
    end
Instance Method Details
#initialize(info = {}) ⇒ Object
Creates an instance of a MSSQL exploit module.
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 25

    def initialize(info = {})
      super

      # Register the options that all MSSQL exploits may make use of.
      register_options(
        [
          Opt::RHOST,
          Opt::RPORT(1433),
          OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
          OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
          OptBool.new('USE_WINDOWS_AUTHENT', [ true, 'Use windows authentication (requires DOMAIN option set)', false]),
          # OptBool.new('TDSENCRYPTION', [ true, 'Use TLS/SSL for TDS data "Force Encryption"', false]), - TODO: support TDS Encryption
        ], Msf::Exploit::Remote::MSSQL)

      register_advanced_options(
        [
          OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
            File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
          ]),
          OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'], aliases: ['MssqlDomain']),
          *kerberos_storage_options(protocol: 'Mssql'),
          *kerberos_auth_options(protocol: 'Mssql', auth_methods: Msf::Exploit::Remote::AuthOption::MSSQL_OPTIONS),
        ], Msf::Exploit::Remote::MSSQL)

      register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
      register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
    end
#mssql_login(user = 'sa', pass = '', db = '', domain_name = '') ⇒ Object
This method connects to the server over TCP and attempts to authenticate with the supplied username and password. The global socket is used and left connected after authentication.

    # File 'lib/msf/core/exploit/remote/mssql.rb', line 194

    def mssql_login(user='sa', pass='', db='', domain_name='')
      # Lazily create the Rex MSSQL client against the configured RHOST/RPORT
      @mssql_client ||= Rex::Proto::MSSQL::Client.new(self, framework, datastore['RHOST'], datastore['RPORT'])
      result = @mssql_client.mssql_login(user, pass, db, domain_name)
      # Track the client's socket so the framework can clean it up with the module
      add_socket(@mssql_client.sock) if @mssql_client.sock && !sockets.include?(@mssql_client.sock)
      result
    end
#mssql_login_datastore(db = nil) ⇒ Object
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 201

    def mssql_login_datastore(db=nil)
      mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db || datastore['DATABASE'] || '', datastore['MssqlDomain'] || '')
    end
#mssql_parse_done(data, info) ⇒ Object
Parse a “done” TDS token
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 139

    def mssql_parse_done(data, info)
      @mssql_client.mssql_parse_done(data, info)
    end
#mssql_parse_env(data, info) ⇒ Object
Parse an “environment change” TDS token
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 153

    def mssql_parse_env(data, info)
      @mssql_client.mssql_parse_env(data, info)
    end
#mssql_parse_error(data, info) ⇒ Object
Parse an “error” TDS token
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 146

    def mssql_parse_error(data, info)
      @mssql_client.mssql_parse_error(data, info)
    end
#mssql_parse_info(data, info) ⇒ Object
Parse an “information” TDS token
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 160

    def mssql_parse_info(data, info)
      @mssql_client.mssql_parse_info(data, info)
    end
#mssql_parse_reply(data, info) ⇒ Object
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 118

    def mssql_parse_reply(data, info)
      @mssql_client.mssql_parse_reply(data, info)
    end
#mssql_parse_ret(data, info) ⇒ Object
Parse a “ret” TDS token
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 132

    def mssql_parse_ret(data, info)
      @mssql_client.mssql_parse_ret(data, info)
    end
#mssql_parse_tds_reply(data, info) ⇒ Object
Parse a TDS reply

    # File 'lib/msf/core/exploit/remote/mssql.rb', line 114

    def mssql_parse_tds_reply(data, info)
      @mssql_client.mssql_parse_tds_reply(data, info)
    end
#mssql_parse_tds_row(data, info) ⇒ Object
Parse a single row of a TDS reply
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 125

    def mssql_parse_tds_row(data, info)
      @mssql_client.mssql_parse_tds_row(data, info)
    end
#mssql_ping(timeout = 5) ⇒ Object
This method sends a UDP query packet to the server and parses out the reply packet into a hash
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 60

    def mssql_ping(timeout=5)
      data = { }

      # SQL Server Browser listens on UDP/1434 and answers a one-byte 0x02 request with an instance list
      ping_sock = Rex::Socket::Udp.create(
        'PeerHost'  => rhost,
        'PeerPort'  => 1434,
        'Context'   => {
          'Msf'        => framework,
          'MsfExploit' => self,
        })

      ping_sock.put("\x02")
      resp, _saddr, _sport = ping_sock.recvfrom(65535, timeout)
      ping_sock.close

      return data if not resp
      return data if resp.length == 0

      return mssql_ping_parse(resp)
    end
#mssql_ping_parse(data) ⇒ Object
Parse a 'ping' response and format as a hash
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 85

    def mssql_ping_parse(data)
      res = []
      var = nil
      # Skip the SSRP header by locating the first key of the first instance
      idx = data.index('ServerName')
      return res if not idx
      sdata = data[idx, (data.length - 1)]

      # Instances are separated by ';;'; each instance is a flat key;value;key;value list
      instances = sdata.split(';;')
      instances.each do |instance|
        rinst = {}
        instance.split(';').each do |d|
          if (not var)
            var = d
          else
            if (var.length > 0)
              rinst[var] = d
              var = nil
            end
          end
        end
        res << rinst
      end

      return res
    end
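The following is an added example, not code from the Metasploit page or the Rex library: a stand-alone Ruby parser for the SQL Server Browser (SSRP) reply that mssql_ping receives on UDP/1434. Unlike mssql_ping_parse, which skips the framing by searching for 'ServerName', it checks the type byte (0x05) and the little-endian 16-bit payload length first, so a truncated datagram is rejected rather than yielding a half-parsed instance. The sample reply, the host name HOST1 and the helper names (ssrp_parse_reply, ssrp_tcp_listeners) are constructed for this example; the defender-side use is an inventory of which instances advertise a TCP listener, which is the evidence needed when deciding whether the Browser service should be reachable at all.

```ruby
# Added example (not Metasploit code): parse an SSRP server response with framing checks.

# Constructed sample reply: two instances on one host (not captured from a real server).
SAMPLE_PAYLOAD = 'ServerName;HOST1;InstanceName;MSSQLSERVER;IsClustered;No;Version;15.0.2000.5;tcp;1433;;' \
                 'ServerName;HOST1;InstanceName;SQLEXPRESS;IsClustered;No;Version;15.0.2000.5;' \
                 'np;\\\\HOST1\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;'
# SSRP server response: type byte 0x05, then a little-endian 16-bit payload length.
SAMPLE_REPLY = [0x05, SAMPLE_PAYLOAD.bytesize].pack('Cv') + SAMPLE_PAYLOAD

# Parse one SSRP reply into an array of { 'key' => 'value' } hashes, one per instance.
def ssrp_parse_reply(data)
  raise ArgumentError, 'reply too short' if data.nil? || data.bytesize < 3

  type, len = data.unpack('Cv')
  raise ArgumentError, format('unexpected response type 0x%02x', type) unless type == 0x05

  payload = data.byteslice(3, len).force_encoding('UTF-8')
  # Failure mode handled here: a datagram shorter than its declared length.
  raise ArgumentError, 'truncated reply' if payload.bytesize < len

  # Instances are separated by ';;'; each instance is a flat key;value;key;value list.
  payload.split(';;').map do |instance|
    fields = instance.split(';')
    next if fields.empty?
    # Drop a dangling key with no value instead of raising on an odd field count.
    fields.each_slice(2).select { |pair| pair.size == 2 }.to_h
  end.compact
end

# Inventory helper: instance name => TCP port for every instance that advertises 'tcp'.
def ssrp_tcp_listeners(instances)
  instances.each_with_object({}) do |inst, acc|
    next unless inst['tcp']
    acc[inst['InstanceName']] = Integer(inst['tcp'])
  end
end

if __FILE__ == $PROGRAM_NAME
  instances = ssrp_parse_reply(SAMPLE_REPLY)
  instances.each { |i| puts i.inspect }
  puts "tcp listeners: #{ssrp_tcp_listeners(instances).inspect}"
end
```

Run it directly to print both parsed instances; only MSSQLSERVER appears in the listener inventory, because the SQLEXPRESS entry in the sample advertises a named pipe rather than a TCP port.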
#mssql_prelogin(enc_error = false) ⇒ Object
This method sends a prelogin packet and checks whether encryption is off

    # File 'lib/msf/core/exploit/remote/mssql.rb', line 185

    def mssql_prelogin(enc_error=false)
      @mssql_client.mssql_prelogin(enc_error)
    end
#mssql_print_reply(info) ⇒ Object
Nicely print the results of a SQL query
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 214

    def mssql_print_reply(info)
      @mssql_client.mssql_print_reply(info)
    end
#mssql_query(sqla, doprint = false, opts = {}) ⇒ Object
Issue a SQL query using the TDS protocol
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 207

    def mssql_query(sqla, doprint=false, opts={})
      @mssql_client.query(sqla, doprint, opts)
    end
#mssql_send_recv(req, timeout = 15, check_status = true) ⇒ Object
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 218

    def mssql_send_recv(req, timeout=15, check_status = true)
      @mssql_client.mssql_send_recv(req, timeout, check_status)
    end
#mssql_tds_encrypt(pass) ⇒ Object
Encrypt a password according to the TDS protocol (encode)
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 225

    def mssql_tds_encrypt(pass)
      # Convert to unicode, swap 4 bits both ways, xor with 0xa5
      Rex::Text.to_unicode(pass).unpack('C*').map {|c| (((c & 0x0f) << 4) + ((c & 0xf0) >> 4)) ^ 0xa5 }.pack("C*")
    end
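Added example, not code from the Metasploit page or the Rex library: a stand-alone re-implementation of the encoding above together with its inverse, using String#encode in place of Rex::Text.to_unicode. It shows what the "(encode)" in the description means in practice: the transform is a keyless nibble swap followed by XOR 0xA5 on each byte of the UTF-16LE password, so it round-trips exactly and offers no confidentiality on its own; protecting the LOGIN7 packet on the wire is the job of TDS encryption (TLS), which the mixin's commented-out TDSENCRYPTION option marks as not yet supported. The helper names and the sample password are constructed for this example.

```ruby
# Added example (not Metasploit code): TDS7 password encoding and its inverse.

# Encode a password the way the TDS7 LOGIN7 packet expects. Mirrors the page's
# mssql_tds_encrypt: UTF-16LE bytes, swap the two nibbles of each byte, XOR with 0xA5.
# (The page adds the nibbles; OR is identical here because the two halves never overlap.)
def tds7_encode_password(pass)
  pass.encode('UTF-16LE').b.unpack('C*').map { |c|
    (((c & 0x0f) << 4) | ((c & 0xf0) >> 4)) ^ 0xa5
  }.pack('C*')
end

# Inverse: undo the XOR first, swap the nibbles back, then decode the UTF-16LE bytes.
# There is no key material anywhere in this transform, which is the security point.
def tds7_decode_password(bytes)
  raw = bytes.unpack('C*').map { |c|
    x = c ^ 0xa5
    ((x & 0x0f) << 4) | ((x & 0xf0) >> 4)
  }.pack('C*')
  raw.force_encoding('UTF-16LE').encode('UTF-8')
end

# Hex rendering for readable output.
def hex(bytes)
  bytes.unpack1('H*')
end

if __FILE__ == $PROGRAM_NAME
  sample = 'Passw0rd' # constructed sample value
  enc = tds7_encode_password(sample)
  puts "encoded:       #{hex(enc)}"
  puts "round-trip ok: #{tds7_decode_password(enc) == sample}"
end
```

Worked by hand for the first character: 'P' is 0x50 0x00 in UTF-16LE; swapping nibbles gives 0x05 0x00, and XOR 0xA5 gives 0xA0 0xA5, which is what the test below checks.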
#mssql_upload_exec(exe, debug = false) ⇒ Object
Upload and execute a Windows binary through MSSQL queries
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 171

    def mssql_upload_exec(exe, debug=false)
      @mssql_client.mssql_upload_exec(exe, debug)
    end
#mssql_xpcmdshell(cmd, doprint = false, opts = {}) ⇒ Object
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 164

    def mssql_xpcmdshell(cmd, doprint=false, opts={})
      @mssql_client.mssql_xpcmdshell(cmd, doprint, opts)
    end
#powershell_upload_exec(exe, debug = false) ⇒ Object
Upload and execute a Windows binary through MSSQL queries and Powershell
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 178

    def powershell_upload_exec(exe, debug=false)
      @mssql_client.powershell_upload_exec(exe, debug)
    end
#set_session(client) ⇒ Object
    # File 'lib/msf/core/exploit/remote/mssql.rb', line 51

    def set_session(client)
      # Reuse an already-authenticated MSSQL client instead of opening a new connection
      print_status("Using existing session #{session.sid}")
      @mssql_client = client
    end