internal override bool Query()
{
SQLServerInfo i = new SQLServerInfo(credentials);
i.SetInstance(instance);
i.Query();
var info = i.GetResults();
List <string> principals = new List <string>();
SetPrincipalNameFilter(info.Currentlogin);
base.Query();
foreach (var s in serverRoles)
{
principals.Add(s.PrincipalName);
}
principals.Add(info.Currentlogin);
principals.Add("Public");
SQLDatabaseRoleMember roleMember = new SQLDatabaseRoleMember(credentials);
roleMember.SetRolePrincipalNameFilter(role);
roleMember.SetInstance(instance);
SQLDatabase database = new SQLDatabase(credentials);
database.SetInstance(instance);
foreach (var principal in principals)
{
roleMember.SetPrincipalNameFilter(principal);
foreach (var db in database.GetResults())
{
if (db.is_trustworthy_on && (bool)db.OwnerIsSysadmin)
{
roleMember.SetDatabase(db.DatabaseName);
roleMember.Query();
foreach (var r in roleMember.GetResults())
{
var s = new DbOwner
{
ComputerName = computerName,
Instance = instance,
Vulnerability = string.Format("Database Role - {0}", role),
Description = string.Format("The login has the {0} role in one or more databases. This may allow the login to escalate privileges to sysadmin if the affected databases are trusted and owned by a sysadmin.", role),
Remediation = string.Format("If the permission is not required remove it. Permissions are granted with a command like: EXEC sp_addrolemember \'{0}\', \'MyDbUser\', and can be removed with a command like: EXEC sp_droprolemember \'{0}\', \'MyDbUser\'", role),
Severity = "Medium",
IsVulnerable = "Yes",
IsExploitable = "Unknown",
Exploited = "No",
ExploitCmd = "",
Reference = @"https://msdn.microsoft.com/en-us/library/ms189121.aspx, https://msdn.microsoft.com/en-us/library/ms187861.aspx",
Details = string.Format("The {0} database is set as trustworthy and is owned by a sysadmin. This is exploitable.", database)
};
spExecuteAs.Add(s);
}
}
}
}
return(true);
}
protected bool _CheckPrivilege()
{
if (!SQLSysadminCheck.Query(instance, computerName, credentials))
{
SQLDatabaseRoleMember sDRM = new SQLDatabaseRoleMember(credentials);
sDRM.SetComputerName(computerName);
sDRM.SetInstance(instance);
sDRM.SetDatabase("msdb");
sDRM.Query();
foreach (var row in sDRM.GetResults())
{
#if DEBUG
Console.WriteLine(row.RolePrincipalName);
#endif
if (roles.Contains(row.RolePrincipalName))
{
#if DEBUG
Console.WriteLine(row.PrincipalName + "\t" + Environment.UserDomainName + "\\" + Environment.UserName);
#endif
if (row.PrincipalName.ToString().ToUpper() == Environment.UserDomainName + "\\" + Environment.UserName)
{
return(true);
}
}
}
}
else
{
return(true);
}
return(false);
}
