o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new

scripts are: - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL - ms-sql-config retrieves various configuration details from the server - ms-sql-empty-password checks if the sa account has an empty password - ms-sql-hasdbaccess lists database access per user - ms-sql-query add support for running custom queries against the database - ms-sql-tables lists databases, tables, columns and datatypes with optional keyword filtering - ms-sql-xp-cmdshell adds support for OS command execution to privileged users [Patrik]
2025-12-07 13:11:28 +00:00 · 2010-04-04 10:11:54 +00:00
parent 231bc9f02e
commit 1d26975ede
10 changed files with 1940 additions and 0 deletions
--- a/scripts/ms-sql-xp-cmdshell.nse
+++ b/scripts/ms-sql-xp-cmdshell.nse
@@ -0,0 +1,146 @@
+description = [[
+Queries Microsoft SQL Server (MSSQL) for a list of tables per database.
+]]
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"intrusive"}
+
+require 'shortport'
+require 'stdnse'
+require 'mssql'
+
+dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
+---
+-- @args mssql.username specifies the username to use to connect to
+--       the server. This option overrides any accounts found by
+--       the mssql-brute and mssql-empty-password scripts.
+--
+-- @args mssql.password specifies the password to use to connect to
+--       the server. This option overrides any accounts found by
+--       the mssql-brute and mssql-empty-password scripts.
+--
+-- @args mssql-xp-cmdshell.cmd specifies the OS command to run.
+--       (default is ipconfig /all)
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 1433/tcp open  ms-sql-s
+-- | mssql-xp-cmdshell:  
+-- |   Command: ipconfig /all; User: sa
+-- |   output
+-- |   
+-- |   Windows IP Configuration
+-- |   
+-- |      Host Name . . . . . . . . . . . . : EDUSRV011
+-- |      Primary Dns Suffix  . . . . . . . : cqure.net
+-- |      Node Type . . . . . . . . . . . . : Unknown
+-- |      IP Routing Enabled. . . . . . . . : No
+-- |      WINS Proxy Enabled. . . . . . . . : No
+-- |      DNS Suffix Search List. . . . . . : cqure.net
+-- |   
+-- |   Ethernet adapter Local Area Connection 3:
+-- |   
+-- |      Connection-specific DNS Suffix  . : 
+-- |      Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter #2
+-- |      Physical Address. . . . . . . . . : 08-00-DE-AD-C0-DE
+-- |      DHCP Enabled. . . . . . . . . . . : Yes
+-- |      Autoconfiguration Enabled . . . . : Yes
+-- |      IP Address. . . . . . . . . . . . : 192.168.56.3
+-- |      Subnet Mask . . . . . . . . . . . : 255.255.255.0
+-- |      Default Gateway . . . . . . . . . : 
+-- |      DHCP Server . . . . . . . . . . . : 192.168.56.2
+-- |      Lease Obtained. . . . . . . . . . : den 21 mars 2010 00:12:10
+-- |      Lease Expires . . . . . . . . . . : den 21 mars 2010 01:12:10
+-- |_
+--
+-- The script needs an account with the sysadmin server role to work.
+-- It needs to be fed credentials through the script arguments or from
+-- the scripts mssq-brute or mssq-empty-password.
+--
+-- When run, the script iterates over the credentials and attempts to run
+-- the command until either all credentials are exhausted or until the
+-- command is executed.
+--
+
+-- Version 0.1
+-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+
+portrule = shortport.port_or_service(1433, "ms-sql-s")
+
+local function table_contains( tbl, val )
+	for k,v in pairs(tbl) do
+		if ( v == val ) then
+			return true
+		end
+	end
+	return false
+end
+
+action = function( host, port )
+
+	local status, result, helper	
+	local username = nmap.registry.args['mssql.username']
+	local password = nmap.registry.args['mssql.password'] or ""
+	local creds
+	local query
+	local cmd = nmap.registry.args['mssql-xp-cmdshell.cmd'] or 'ipconfig /all'
+	local output = {}
+
+	query = ("EXEC master..xp_cmdshell '%s'"):format(cmd)
+
+	if ( username ) then
+		creds = {}
+		creds[username] = password
+	elseif ( not(username) and nmap.registry.mssqlusers ) then
+		-- do we have a sysadmin?
+		creds = {}
+		if ( nmap.registry.mssqlusers.sa ) then
+			creds["sa"] = nmap.registry.mssqlusers.sa
+		else
+			creds = nmap.registry.mssqlusers
+		end
+	end
+	
+	-- If we don't have valid creds, simply fail silently
+	if ( not(creds) ) then
+		return
+	end
+	
+	for username, password in pairs( creds ) do
+		helper = mssql.Helper:new()
+ 		status, result = helper:Connect(host, port)
+		if ( not(status) ) then
+			return "  \n\n" .. result
+		end
+		
+		status, result = helper:Login( username, password, nil, host.ip )
+		if ( not(status) ) then
+			stdnse.print_debug("ERROR: %s", result)
+			break
+		end
+
+		status, result = helper:Query( query )
+		helper:Disconnect()
+
+		if ( status ) then
+			output = mssql.Util.FormatOutputTable( result, true )
+			if ( not(nmap.registry.args['mssql-xp-cmdshell.cmd']) ) then
+				table.insert(output, 1, cmd)
+				output = stdnse.format_output( true, output )
+				output = "(Use --script-args=mssql-xp-cmdshell.cmd='<CMD>' to change command.)" .. output
+			else
+				output = stdnse.format_output( true, output )
+			end
+
+			break
+		elseif ( result:gmatch("xp_configure") ) then
+			if( nmap.verbosity() > 1 ) then
+				return "  \nProcedure xp_cmdshell disabled, for more information see \"Surface Area Configuration\" in Books Online."
+			end
+		end
+	end	
+	
+	return output
+
+end