diff options
Diffstat (limited to 'scripts/ms-sql-hasdbaccess.nse')
-rw-r--r-- | scripts/ms-sql-hasdbaccess.nse | 150 |
1 files changed, 150 insertions, 0 deletions
diff --git a/scripts/ms-sql-hasdbaccess.nse b/scripts/ms-sql-hasdbaccess.nse new file mode 100644 index 0000000..3d28f37 --- /dev/null +++ b/scripts/ms-sql-hasdbaccess.nse @@ -0,0 +1,150 @@ +local mssql = require "mssql" +local stdnse = require "stdnse" +local string = require "string" +local table = require "table" + +-- -*- mode: lua -*- +-- vim: set filetype=lua : + +description = [[ +Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has +access to. + +SQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code> +and/or <code>mssql.username</code> & <code>mssql.password</code>) +Run criteria: +* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> +or <code>mssql.instance-port</code> script arguments are used (see mssql.lua). +* Port script: Will run against any services identified as SQL Servers, but only +if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code> +and <code>mssql.instance-port</code> script arguments are NOT used. + +The script needs an account with the sysadmin server role to work. + +When run, the script iterates over the credentials and attempts to run +the command for each available set of credentials. + +NOTE: The "owner" field in the results will be truncated at 20 characters. This +is a limitation of the <code>sp_MShasdbaccess</code> stored procedure that the +script uses. + +NOTE: Communication with instances via named pipes depends on the <code>smb</code> +library. To communicate with (and possibly to discover) instances via named pipes, +the host must have at least one SMB port (e.g. TCP 445) that was scanned and +found to be open. Additionally, named pipe connections may require Windows +authentication to connect to the Windows host (via SMB) in addition to the +authentication required to connect to the SQL Server instances itself. See the +documentation and arguments for the <code>smb</code> library for more information. + +NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate +with ports that were not included in the port list for the Nmap scan. This can +be disabled using the <code>mssql.scanned-ports-only</code> script argument. +]] + +--- +-- @usage +-- nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa <host> +-- +-- @args ms-sql-hasdbaccess.limit limits the amount of databases per-user +-- that are returned (default 5). If set to zero or less all +-- databases the user has access to are returned. +-- +-- @output +-- | ms-sql-hasdbaccess: +-- | [192.168.100.25\MSSQLSERVER] +-- | webshop_reader +-- | dbname owner +-- | ====== ===== +-- | hr sa +-- | finance sa +-- | webshop sa +-- | lordvader +-- | dbname owner +-- | ====== ===== +-- | testdb CQURE-NET\Administr +-- |_ webshop sa + +-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net> +-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host; +-- added compatibility with changes in mssql.lua (Chris Woodbury) + +author = "Patrik Karlsson" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"auth", "discovery","safe"} + + +dependencies = {"broadcast-ms-sql-discover", "ms-sql-brute", "ms-sql-empty-password"} + + +local function process_instance( instance ) + + local status, result, rs + local query, limit + local output = {} + local exclude_dbs = { "'master'", "'tempdb'", "'model'", "'msdb'" } + + local RS_LIMIT = tonumber(stdnse.get_script_args( {'mssql-hasdbaccess.limit', 'ms-sql-hasdbaccess.limit' } )) or 5 + + if ( RS_LIMIT <= 0 ) then + limit = "" + else + limit = string.format( "TOP %d", RS_LIMIT ) + end + + local query = { [[CREATE table #hasaccess(dbname varchar(255), owner varchar(255), + DboOnly bit, ReadOnly bit, SingelUser bit, Detached bit, + Suspect bit, Offline bit, InLoad bit, EmergencyMode bit, + StandBy bit, [ShutDown] bit, InRecovery bit, NotRecovered bit )]], + + + "INSERT INTO #hasaccess EXEC sp_MShasdbaccess", + ("SELECT %s dbname, owner FROM #hasaccess WHERE dbname NOT IN(%s)"):format(limit, table.concat(exclude_dbs, ",")), + "DROP TABLE #hasaccess" } + + local creds = mssql.Helper.GetLoginCredentials_All( instance ) + if ( not creds ) then + output = "ERROR: No login credentials." + else + for username, password in pairs( creds ) do + local helper = mssql.Helper:new() + status, result = helper:ConnectEx( instance ) + if ( not(status) ) then + output = "ERROR: " .. result + break + end + + if ( status ) then + status = helper:Login( username, password, nil, instance.host.ip ) + end + + if ( status ) then + for _, q in pairs(query) do + status, result = helper:Query( q ) + if ( status ) then + -- Only the SELECT statement should produce output + if ( #result.rows > 0 ) then + rs = result + end + end + end + end + + helper:Disconnect() + + if ( status and rs ) then + result = mssql.Util.FormatOutputTable( rs, true ) + result.name = username + if ( RS_LIMIT > 0 ) then + result.name = result.name .. (" (Showing %d first results)"):format(RS_LIMIT) + end + table.insert( output, result ) + end + end + end + + -- TODO: structured output, not format_output + return stdnse.format_output(true, output) +end + + +action, portrule, hostrule = mssql.Helper.InitScript(process_instance) |