internal override bool Query()
{
base.Query();
SQLDatabasePriv priv = new SQLDatabasePriv(credentials);
foreach (var p in procedures)
{
priv.SetInstance(instance);
priv.SetDatabase(p.DatabaseName);
priv.Query();
foreach (var d in priv.GetResults())
{
var s = new Trustworthy
{
ComputerName = computerName,
Instance = instance,
Vulnerability = "Excessive Privilege - Auto Execute Stored Procedure",
Description = "A stored procedured is configured for automatic execution and has explicit permissions assigned. This may allow non sysadmin logins to execute queries as sa when the SQL Server service is restarted.",
Remediation = "Ensure that non sysadmin logins do not have privileges to ALTER stored procedures configured with the is_auto_executed settting set to 1.",
Severity = "Low",
IsVulnerable = "Yes",
IsExploitable = "No",
Exploited = "No",
ExploitCmd = "There is not exploit available at this time.",
Reference = @"https://msdn.microsoft.com/en-us/library/ms187861.aspx",
Details = string.Format("{0} has {1} {2} on {3}", d.PrincipalName, d.StateDescription, d.PermissionName, d.DatabaseName + "." + p.SchemaName + "." + p.ProcedureName)
};
trustworthies.Add(s);
}
}
return(true);
}
internal override bool Query()
{
SQLServerInfo i = new SQLServerInfo(credentials);
i.SetInstance(instance);
i.Query();
var info = i.GetResults();
SQLDatabase db = new SQLDatabase(credentials);
db.EnableHasAccessFilter();
db.Query();
SQLDatabasePriv priv = new SQLDatabasePriv(credentials);
priv.SetInstance(instance);
priv.SetPermissionNameFilter("CREATE PROCEDURE");
var dbPrivs = new List <SQLDatabasePriv.DatabasePrivilege>();
foreach (var d in db.GetResults())
{
priv.SetDatabase(d.DatabaseName);
priv.Query();
foreach (var pr in priv.GetResults())
{
dbPrivs.Add(pr);
}
}
List <string> principals = new List <string>();
SetPrincipalNameFilter(info.Currentlogin);
base.Query();
foreach (var s in serverRoles)
{
principals.Add(s.PrincipalName);
}
principals.Add(info.Currentlogin);
principals.Add("Public");
priv.SetPermissionNameFilter("ALTER");
priv.SetPermissionTypeFilter("SCHEMA");
foreach (string principal in principals)
{
priv.SetPrincipalNameFilter(principal);
foreach (var dbp in dbPrivs)
{
priv.SetDatabase(dbp.DatabaseName);
priv.Query();
foreach (var asPriv in priv.GetResults())
{
if (dbp.PrincipalName.Contains(principal))
{
var s = new XpDirTree
{
ComputerName = computerName,
Instance = instance,
Vulnerability = "Permission - CREATE PROCEDURE",
Description = "The login has privileges to create stored procedures in one or more databases. This may allow the login to escalate privileges within the database.",
Remediation = "If the permission is not required remove it. Permissions are granted with a command like: GRANT CREATE PROCEDURE TO user, and can be removed with a command like: REVOKE CREATE PROCEDURE TO user",
Severity = "Medium",
IsVulnerable = "Yes",
IsExploitable = "Unknown",
Exploited = "No",
ExploitCmd = "No exploit is currently available that will allow the current user to become a sysadmin.",
Reference = @"https://msdn.microsoft.com/en-us/library/ms187926.aspx?f=255&MSPPError=-2147217396",
Details = string.Format("The {0} principal has EXECUTE privileges on the {1} procedure in the master database.", principal, xp)
};
spExecuteAs.Add(s);
}
}
}
}
return(true);
}
internal override bool Query()
{
SQLServerInfo i = new SQLServerInfo(credentials);
i.SetInstance(instance);
i.Query();
var info = i.GetResults();
List <string> principals = new List <string>();
SetPrincipalNameFilter(info.Currentlogin);
base.Query();
foreach (var s in serverRoles)
{
principals.Add(s.PrincipalName);
}
principals.Add(info.Currentlogin);
principals.Add("Public");
SQLDatabasePriv p = new SQLDatabasePriv(credentials);
p.SetInstance(instance);
p.SetDatabase("master");
p.SetPermissionNameFilter("EXECUTE");
p.Query();
var dirTree = new List <SQLDatabasePriv.DatabasePrivilege>();
foreach (var priv in p.GetResults())
{
if (!string.IsNullOrEmpty(priv.ObjectName) && priv.ObjectName.Contains(xp) && priv.StateDescription.Contains("grant"))
{
dirTree.Add(priv);
}
}
foreach (var r in dirTree)
{
if (r.PrincipalName.Contains("public") || principals.Contains(r.PrincipalName))
{
var s = new XpDirTree
{
ComputerName = computerName,
Instance = instance,
Vulnerability = string.Format("Excessive Privilege - Execute {0}", xp),
Description = string.Format("{0} is a native extended stored procedure that can be executed by members of the Public role by default in SQL Server 2000-2014. {0} can be used to force the SQL Server service account to authenticate to a remote attacker. The service account password hash can then be captured + cracked or relayed to gain unauthorized access to systems. This also means {0} can be used to escalate a lower privileged user to sysadmin when a machine or managed account isnt being used. Thats because the SQL Server service account is a member of the sysadmin role in SQL Server 2000-2014, by default.", xp),
Remediation = string.Format("Remove EXECUTE privileges on the {0} procedure for non administrative logins and roles. Example command: REVOKE EXECUTE ON {0} to Public.", xp),
Severity = "Medium",
IsVulnerable = "Yes",
IsExploitable = "Unknown",
Exploited = "No",
ExploitCmd = "Crack the password hash offline or relay it to another system.",
Reference = @"https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/",
Details = string.Format("The {0} principal has EXECUTE privileges on the {1} procedure in the master database.", r.PrincipalName, xp)
};
spExecuteAs.Add(s);
}
}
return(true);
}
