Beispiel #1
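        /// <summary>
        /// Audits the instance for database-role memberships held in databases that
        /// are marked trustworthy and owned by a sysadmin, and records one
        /// <c>DbOwner</c> finding in <c>spExecuteAs</c> for every matching membership row.
        /// </summary>
        /// <remarks>
        /// The principals checked are the current login, every principal name returned in
        /// <c>serverRoles</c> after the base query (filtered to the current login), and
        /// the literal "Public". A finding is only raised when both the trustworthy flag
        /// and the sysadmin-owner flag are set, because that combination is what lets a
        /// member of the role escalate to sysadmin.
        /// </remarks>
        /// <returns>Always <c>true</c>; no failure path is visible in this method.</returns>
        internal override bool Query()
        {
            // Resolve the login this session is actually running as.
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            i.Query();
            var info = i.GetResults();

            List <string> principals = new List <string>();

            // The base query fills serverRoles for the current login only.
            SetPrincipalNameFilter(info.Currentlogin);
            base.Query();
            foreach (var s in serverRoles)
            {
                principals.Add(s.PrincipalName);
            }
            principals.Add(info.Currentlogin);
            principals.Add("Public");

            SQLDatabaseRoleMember roleMember = new SQLDatabaseRoleMember(credentials);

            roleMember.SetRolePrincipalNameFilter(role);
            roleMember.SetInstance(instance);
            SQLDatabase database = new SQLDatabase(credentials);

            database.SetInstance(instance);
            // NOTE(review): database.Query() is never called in this method, so the loop
            // below relies on GetResults() populating itself - confirm against SQLDatabase.

            foreach (var principal in principals)
            {
                roleMember.SetPrincipalNameFilter(principal);
                foreach (var db in database.GetResults())
                {
                    // Both conditions are required: TRUSTWORTHY alone, or a sysadmin owner
                    // alone, is not reported by this check.
                    if (db.is_trustworthy_on && (bool)db.OwnerIsSysadmin)
                    {
                        roleMember.SetDatabase(db.DatabaseName);
                        roleMember.Query();
                        foreach (var r in roleMember.GetResults())
                        {
                            // NOTE(review): the Remediation text only covers removing the
                            // role membership. The finding also goes away if the database
                            // is no longer trustworthy (ALTER DATABASE ... SET TRUSTWORTHY OFF)
                            // or is owned by a non-sysadmin login; consider reporting that too.
                            // NOTE(review): Details states "This is exploitable." while
                            // IsExploitable is "Unknown" - the two fields disagree.
                            var s = new DbOwner
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                Vulnerability = string.Format("Database Role - {0}", role),
                                Description   = string.Format("The login has the {0} role in one or more databases.  This may allow the login to escalate privileges to sysadmin if the affected databases are trusted and owned by a sysadmin.", role),
                                Remediation   = string.Format("If the permission is not required remove it.  Permissions are granted with a command like: EXEC sp_addrolemember \'{0}\', \'MyDbUser\', and can be removed with a command like:  EXEC sp_droprolemember \'{0}\', \'MyDbUser\'", role),
                                Severity      = "Medium",
                                IsVulnerable  = "Yes",
                                IsExploitable = "Unknown",
                                Exploited     = "No",
                                ExploitCmd    = "",
                                Reference     = @"https://msdn.microsoft.com/en-us/library/ms189121.aspx, https://msdn.microsoft.com/en-us/library/ms187861.aspx",
                                // Fixed: the original formatted the SQLDatabase query object
                                // here, so the report did not name the affected database.
                                Details       = string.Format("The {0} database is set as trustworthy and is owned by a sysadmin. This is exploitable.", db.DatabaseName)
                            };
                            spExecuteAs.Add(s);
                        }
                    }
                }
            }
            return(true);
        }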
Beispiel #2
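        /// <summary>
        /// Reports whether the caller is privileged enough to proceed: either the
        /// sysadmin check succeeds, or the current Windows account appears in msdb as a
        /// member of one of the role names held in <c>roles</c>.
        /// </summary>
        /// <remarks>
        /// The account is compared case-insensitively. The original upper-cased only the
        /// principal name read from the server, so an account whose
        /// <c>Environment.UserName</c> contained lower-case letters could never match and
        /// the check wrongly reported "not privileged".
        /// NOTE(review): the comparison uses the Windows identity of this process, not the
        /// login carried in <c>credentials</c>; with SQL authentication the two can differ -
        /// confirm which identity is intended.
        /// </remarks>
        /// <returns><c>true</c> when a privilege is found, otherwise <c>false</c>.</returns>
        protected bool _CheckPrivilege()
        {
            // A sysadmin needs no role lookup.
            if (SQLSysadminCheck.Query(instance, computerName, credentials))
            {
                return(true);
            }

            // DOMAIN\user of the process; the value does not change while looping.
            string currentUser = Environment.UserDomainName + "\\" + Environment.UserName;

            SQLDatabaseRoleMember sDRM = new SQLDatabaseRoleMember(credentials);
            sDRM.SetComputerName(computerName);
            sDRM.SetInstance(instance);
            sDRM.SetDatabase("msdb");
            sDRM.Query();
            foreach (var row in sDRM.GetResults())
            {
#if DEBUG
                Console.WriteLine(row.RolePrincipalName);
#endif
                if (!roles.Contains(row.RolePrincipalName))
                {
                    continue;
                }
#if DEBUG
                Console.WriteLine(row.PrincipalName + "\t" + currentUser);
#endif
                // Ordinal, case-insensitive: Windows account names are not case-sensitive,
                // and this avoids culture-dependent upper-casing.
                if (string.Equals(row.PrincipalName.ToString(), currentUser, StringComparison.OrdinalIgnoreCase))
                {
                    return(true);
                }
            }

            return(false);
        }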