o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new

scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server		
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query add support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional
    keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
    users
  [Patrik]

scripts/ms-sql-config.nse

@@ -0,0 +1,109 @@
+description = [[
+Queries Microsoft SQL Server (MSSQL) for a list of:
+* Databases
+* Linked Servers
+* Configuration settings
+]]
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"discovery", "safe"}
+
+require 'shortport'
+require 'stdnse'
+require 'mssql'
+
+dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
+
+--
+-- @args mssql.username specifies the username to use to connect to
+--       the server. This option overrides any accounts found by
+--       the mssql-brute and mssql-empty-password scripts.
+--
+-- @args mssql.password specifies the password to use to connect to
+--       the server. This option overrides any accounts found by
+--       the mssql-brute and mssql-empty-password scripts.
+--
+-- @args mssql-config.showall if set shows all configuration options.
+--
+
+-- Version 0.1
+-- Created 04/02/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+
+portrule = shortport.port_or_service(1433, "ms-sql-s")
+
+action = function( host, port )
+
+	local status, helper, response	
+	local username = nmap.registry.args['mssql.username']
+	local password = nmap.registry.args['mssql.password'] or ""
+	local result, result_part = {}, {}
+	local conf_filter = ( nmap.registry.args['mssql-config.showall'] ) and "" or " WHERE configuration_id > 16384"
+	local db_filter = ( nmap.registry.args['mssql-config.showall'] ) and "" or " WHERE name NOT IN ('master','model','tempdb','msdb')"
+	
+	local queries = { 
+		[2]={ ["Configuration"] = [[ SELECT name, 
+								cast(value as varchar) value, 
+								cast(value_in_use as varchar) inuse, 
+								description 
+								FROM sys.configurations ]] .. conf_filter }, 
+		[3]={ ["Linked Servers"] = [[ SELECT srvname, srvproduct, providername 
+									FROM master..sysservers 
+									WHERE srvid > 0 ]] },
+		[1]={ ["Databases"] = [[ CREATE TABLE #nmap_dbs(name varchar(255), db_size varchar(255), owner varchar(255), 
+									dbid int, created datetime, status varchar(512), compatibility_level int )
+								INSERT INTO #nmap_dbs EXEC sp_helpdb
+								SELECT name, db_size, owner 
+									FROM #nmap_dbs ]] .. db_filter .. [[
+								DROP DATABASE #nmap_dbs ]] }
+	}
+	
+	if ( not(username) and nmap.registry.mssqlusers ) then
+		-- do we have a sysadmin?
+		if ( nmap.registry.mssqlusers.sa ) then
+			username = "sa"
+			password = nmap.registry.mssqlusers.sa
+		else
+			-- ok were stuck with some non sysadmin account, just get the first one
+			for user, pass in pairs(nmap.registry.mssqlusers) do
+				username = user
+				password = pass
+				break
+			end
+		end
+	end
+	
+	-- If we don't have a valid username, simply fail silently
+	if ( not(username) ) then
+		return
+	end
+	
+	helper = mssql.Helper:new()
+ 	status, response = helper:Connect(host, port)
+	if ( not(status) ) then
+		return "  \n\n" .. response
+	end
+		
+	status, response = helper:Login( username, password, nil, host.ip )
+	if ( not(status) ) then
+		return "  \n\nERROR: " .. response
+	end
+
+	for _, v in ipairs( queries ) do
+		for header, query in pairs(v) do
+			status, result_part = helper:Query( query )
+
+			if ( not(status) ) then
+				return "  \n\nERROR: " .. result_part
+			end
+			result_part = mssql.Util.FormatOutputTable( result_part, true )
+			result_part.name = header
+			table.insert( result, result_part )
+		end
+	end
+	
+	helper:Disconnect()
+	
+	return stdnse.format_output( true, result )
+
+end