
Commit 91aeef0

committed
added startrid and endrid
1 parent 46dca23 commit 91aeef0


1 file changed

+9
-6
lines changed

1 file changed

+9
-6
lines changed

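--- a/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
@@ -33,12 +33,13 @@ def initialize(info = {})
 
 register_options(
 [
-OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 3000])
+OptInt.new('STARTRID', [true, 'RID to start fuzzing at.', 500]),
+OptInt.new('ENDRID', [true, 'RID to stop fuzzing at.', 3000])
 ], self.class)
 end
 
 def run
-print_status("#{peer} - Grabbing the server and domain name...")
+print_status("#{peer} - Grabbing the SQL Server name and domain...")
 db_server_name = get_server_name
 if db_server_name.nil?
 print_error("#{peer} - Unable to grab the server name")
@@ -71,7 +72,8 @@ def run
 end
 
 # Get a list of windows users, groups, and computer accounts using SUSER_NAME()
-print_status("#{peer} - Brute forcing #{datastore['FuzzNum']} RIDs through the SQL Server, be patient...")
+total_rids = datastore['ENDRID'] - datastore['STARTRID']
+print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
 domain_users = get_win_domain_users(windows_domain_sid)
 if domain_users.nil?
 print_error("#{peer} - Sorry, no Windows domain accounts were found, or DC could not be contacted.")
@@ -173,10 +175,11 @@ def get_win_domain_users(domain_sid)
 windows_logins = []
 
 # Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
-(500..datastore['FuzzNum']).each do |principal_id|
-
+(datastore['STARTRID']..datastore['ENDRID']).each do |principal_id|
+total_rids = datastore['ENDRID'] - datastore['STARTRID']
+rid_diff = (datastore['ENDRID'] - (datastore['ENDRID'] - principal_id)) - datastore['STARTRID']
 if principal_id % 100 == 0
-print_status("#{peer} - Querying SID #{principal_id} of #{datastore['FuzzNum']}")
+print_status("#{peer} - #{rid_diff} of #{total_rids } RID queries complete")
 end
 
 user_sid = build_user_sid(domain_sid, principal_id)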
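Review bot: In the `get_win_domain_users` hunk, `rid_diff` is built from a double subtraction that cancels out algebraically to `principal_id - datastore['STARTRID']`, and `total_rids` is loop-invariant yet recomputed on every iteration of the `each`; hoist `total_rids = datastore['ENDRID'] - datastore['STARTRID']` above the loop, use `rid_diff = principal_id - datastore['STARTRID']` inside it, and drop the stray space in `#{total_rids }`. Both this hunk and the one in `run` report `ENDRID - STARTRID` as the RID count, but the inclusive range `(datastore['STARTRID']..datastore['ENDRID'])` queries one more than that, so the "Brute forcing N RIDs" and "N of M RID queries complete" messages undercount by one. Nothing in the commit rejects `ENDRID < STARTRID`, which leaves the range empty, prints a negative count in `run`, and returns an empty list with no diagnostic; a guard in `run` before the brute-force status line, `print_error("#{peer} - ENDRID must not be less than STARTRID")` followed by `return` when `datastore['ENDRID'] < datastore['STARTRID']`, would surface the misconfiguration instead. The bodies of `run` and `get_win_domain_users` both continue outside their hunks.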
