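/// <summary>
/// Looks for databases in which the current login (directly, through one of its server
/// roles, or through public) holds CREATE PROCEDURE and also holds ALTER on a schema,
/// and records one finding per matching ALTER-on-schema grant in <c>spExecuteAs</c>.
/// </summary>
/// <returns>Always <c>true</c>; findings are reported through <c>spExecuteAs</c>.</returns>
internal override bool Query()
{
    // Resolve which login we are running as.
    var serverInfo = new SQLServerInfo(credentials);
    serverInfo.SetInstance(instance);
    serverInfo.Query();
    var info = serverInfo.GetResults();

    // Databases the login can actually reach.
    // NOTE(review): unlike the other helpers, this one is not pointed at `instance`
    // before querying — confirm SQLDatabase resolves the intended instance by itself.
    var accessibleDbs = new SQLDatabase(credentials);
    accessibleDbs.EnableHasAccessFilter();
    accessibleDbs.Query();

    // First pass: every CREATE PROCEDURE grant across the accessible databases.
    // No principal filter is applied here; matching against principals happens below.
    var privQuery = new SQLDatabasePriv(credentials);
    privQuery.SetInstance(instance);
    privQuery.SetPermissionNameFilter("CREATE PROCEDURE");
    var createProcGrants = new List<SQLDatabasePriv.DatabasePrivilege>();
    foreach (var database in accessibleDbs.GetResults())
    {
        privQuery.SetDatabase(database.DatabaseName);
        privQuery.Query();
        createProcGrants.AddRange(privQuery.GetResults());
    }

    // Principals the current login acts as: its server roles, itself, and public.
    SetPrincipalNameFilter(info.Currentlogin);
    base.Query();
    var principals = new List<string>();
    foreach (var role in serverRoles)
    {
        principals.Add(role.PrincipalName);
    }
    principals.Add(info.Currentlogin);
    principals.Add("Public");

    // Second pass: ALTER on a SCHEMA, held by one of those principals, in a database
    // where the same principal already has CREATE PROCEDURE.
    privQuery.SetPermissionNameFilter("ALTER");
    privQuery.SetPermissionTypeFilter("SCHEMA");
    foreach (var principal in principals)
    {
        privQuery.SetPrincipalNameFilter(principal);
        foreach (var grant in createProcGrants)
        {
            // Match case-insensitively: the fixed database role is reported as "public",
            // while the list above carries "Public". Skip before querying so a database
            // is only queried when the principal check can succeed.
            if (string.IsNullOrEmpty(grant.PrincipalName)
                || grant.PrincipalName.IndexOf(principal, StringComparison.OrdinalIgnoreCase) < 0)
            {
                continue;
            }

            privQuery.SetDatabase(grant.DatabaseName);
            privQuery.Query();
            foreach (var alterSchemaGrant in privQuery.GetResults())
            {
                var finding = new XpDirTree
                {
                    ComputerName = computerName,
                    Instance = instance,
                    Vulnerability = "Permission - CREATE PROCEDURE",
                    Description = "The login has privileges to create stored procedures in one or more databases. This may allow the login to escalate privileges within the database.",
                    Remediation = @"If the permission is not required remove it. 
Permissions are granted with a command like: GRANT CREATE PROCEDURE TO user, and can be removed with a command like: REVOKE CREATE PROCEDURE TO user",
                    Severity = "Medium",
                    IsVulnerable = "Yes",
                    IsExploitable = "Unknown",
                    Exploited = "No",
                    ExploitCmd = "No exploit is currently available that will allow the current user to become a sysadmin.",
                    Reference = @"https://msdn.microsoft.com/en-us/library/ms187926.aspx?f=255&MSPPError=-2147217396",
                    // The previous text described an EXECUTE grant on an extended procedure in
                    // master (copied from the xp check); this finding is about CREATE PROCEDURE
                    // plus ALTER SCHEMA in the database that was actually queried.
                    Details = string.Format("The {0} principal has CREATE PROCEDURE privileges and ALTER privileges on a schema in the {1} database.", principal, grant.DatabaseName),
                };
                spExecuteAs.Add(finding);
            }
        }
    }

    return true;
}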
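/// <summary>
/// Reports EXECUTE grants in the master database on the extended stored procedure named
/// by <c>xp</c> that are held by the current login, one of its server roles, or public.
/// One finding is appended to <c>spExecuteAs</c> per matching grant.
/// </summary>
/// <returns>Always <c>true</c>; findings are reported through <c>spExecuteAs</c>.</returns>
internal override bool Query()
{
    // Resolve which login we are running as.
    var serverInfo = new SQLServerInfo(credentials);
    serverInfo.SetInstance(instance);
    serverInfo.Query();
    var info = serverInfo.GetResults();

    // Principals the current login acts as: its server roles, itself, and public.
    SetPrincipalNameFilter(info.Currentlogin);
    base.Query();
    var principals = new List<string>();
    foreach (var role in serverRoles)
    {
        principals.Add(role.PrincipalName);
    }
    principals.Add(info.Currentlogin);
    principals.Add("Public");

    // All EXECUTE grants in master; the ones on the target procedure are picked out below.
    var privQuery = new SQLDatabasePriv(credentials);
    privQuery.SetInstance(instance);
    privQuery.SetDatabase("master");
    privQuery.SetPermissionNameFilter("EXECUTE");
    privQuery.Query();

    foreach (var grant in privQuery.GetResults())
    {
        // Only grants whose object name mentions the procedure we are checking.
        if (string.IsNullOrEmpty(grant.ObjectName) || !grant.ObjectName.Contains(xp))
        {
            continue;
        }

        // Only GRANT-type states. SQL Server reports state_desc in upper case ("GRANT"),
        // so compare case-insensitively; also guard a missing value instead of
        // dereferencing it.
        if (string.IsNullOrEmpty(grant.StateDescription)
            || grant.StateDescription.IndexOf("grant", StringComparison.OrdinalIgnoreCase) < 0)
        {
            continue;
        }

        // The public role is matched by name (case-insensitively, since the server reports
        // it in lower case); every other principal must match one of ours exactly.
        if (string.IsNullOrEmpty(grant.PrincipalName))
        {
            continue;
        }
        bool heldByLogin = grant.PrincipalName.IndexOf("public", StringComparison.OrdinalIgnoreCase) >= 0
            || principals.Contains(grant.PrincipalName);
        if (!heldByLogin)
        {
            continue;
        }

        var finding = new XpDirTree
        {
            ComputerName = computerName,
            Instance = instance,
            Vulnerability = string.Format("Excessive Privilege - Execute {0}", xp),
            Description = string.Format("{0} is a native extended stored procedure that can be executed by members of the Public role by default in SQL Server 2000-2014. {0} can be used to force the SQL Server service account to authenticate to a remote attacker. The service account password hash can then be captured + cracked or relayed to gain unauthorized access to systems. This also means {0} can be used to escalate a lower privileged user to sysadmin when a machine or managed account isnt being used. Thats because the SQL Server service account is a member of the sysadmin role in SQL Server 2000-2014, by default.", xp),
            Remediation = string.Format(@"Remove EXECUTE privileges on the {0} procedure for non administrative logins and roles. 
Example command: REVOKE EXECUTE ON {0} to Public.", xp),
            Severity = "Medium",
            IsVulnerable = "Yes",
            IsExploitable = "Unknown",
            Exploited = "No",
            ExploitCmd = "Crack the password hash offline or relay it to another system.",
            Reference = @"https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/",
            Details = string.Format("The {0} principal has EXECUTE privileges on the {1} procedure in the master database.", grant.PrincipalName, xp),
        };
        spExecuteAs.Add(finding);
    }

    return true;
}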