mirror of
https://github.com/nmap/nmap.git
synced 2025-12-06 04:31:29 +00:00
97 lines
2.6 KiB
Lua
97 lines
2.6 KiB
Lua
description = [[
|
|
Runs a Query against Microsoft SQL Server (MSSQL).
|
|
]]
|
|
|
|
author = "Patrik Karlsson"
|
|
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
|
|
categories = {"discovery", "safe"}
|
|
|
|
require 'shortport'
|
|
require 'stdnse'
|
|
require 'mssql'
|
|
|
|
dependencies = {"ms-sql-brute", "ms-sql-empty-password"}
|
|
|
|
---
|
|
-- @args mssql-query.query specifies the query to run against the server.
|
|
-- (default SELECT @@version version)
|
|
--
|
|
-- @output
|
|
--
|
|
-- PORT STATE SERVICE
|
|
-- 1433/tcp open ms-sql-s
|
|
-- | mssql-query:
|
|
-- |
|
|
-- | Microsoft SQL Server 2005 - 9.00.3068.00 (Intel X86)
|
|
-- | Feb 26 2008 18:15:01
|
|
-- | Copyright (c) 1988-2005 Microsoft Corporation
|
|
-- |_ Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
|
|
--
|
|
--
|
|
|
|
-- Version 0.1
|
|
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
|
|
|
|
portrule = shortport.port_or_service(1433, "ms-sql-s")
|
|
|
|
action = function( host, port )
|
|
|
|
local status, result, helper
|
|
local username = nmap.registry.args['mssql.username']
|
|
local password = nmap.registry.args['mssql.password'] or ""
|
|
-- the tempdb should be a safe guess, anyway the library is set up
|
|
-- to continue even if the DB is not accessible to the user
|
|
local database = nmap.registry.args['mssql.database'] or "tempdb"
|
|
local query = nmap.registry.args['mssql-query.query'] or "SELECT @@version version"
|
|
|
|
if ( not(username) and nmap.registry.mssqlusers ) then
|
|
-- do we have a sysadmin?
|
|
if ( nmap.registry.mssqlusers.sa ) then
|
|
username = "sa"
|
|
password = nmap.registry.mssqlusers.sa
|
|
else
|
|
-- ok were stuck with some n00b account, just get the first one
|
|
for user, pass in pairs(nmap.registry.mssqlusers) do
|
|
username = user
|
|
password = pass
|
|
break
|
|
end
|
|
end
|
|
end
|
|
|
|
-- If we don't have a valid username, simply fail silently
|
|
if ( not(username) ) then
|
|
return
|
|
end
|
|
|
|
helper = mssql.Helper:new()
|
|
status, result = helper:Connect(host, port)
|
|
if ( not(status) ) then
|
|
return " \n\n" .. result
|
|
end
|
|
|
|
status, result = helper:Login( username, password, database, host.ip )
|
|
if ( not(status) ) then
|
|
return " \n\nERROR: " .. result
|
|
end
|
|
|
|
status, result = helper:Query( query )
|
|
helper:Disconnect()
|
|
|
|
if ( not(status) ) then
|
|
return " \n\nERROR: " .. result
|
|
end
|
|
|
|
result = mssql.Util.FormatOutputTable( result, true )
|
|
if ( not(nmap.registry.args['mssql-query.query']) ) then
|
|
table.insert(result, 1, query)
|
|
result = stdnse.format_output( true, result )
|
|
result = "(Use --script-args=mssql-query.query='<QUERY>' to change query.)" .. result
|
|
else
|
|
result = stdnse.format_output( true, result )
|
|
end
|
|
|
|
return result
|
|
|
|
end
|