summaryrefslogtreecommitdiffstats
path: root/scripts/ms-sql-hasdbaccess.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/ms-sql-hasdbaccess.nse')
-rw-r--r--scripts/ms-sql-hasdbaccess.nse150
1 files changed, 150 insertions, 0 deletions
diff --git a/scripts/ms-sql-hasdbaccess.nse b/scripts/ms-sql-hasdbaccess.nse
new file mode 100644
index 0000000..3d28f37
--- /dev/null
+++ b/scripts/ms-sql-hasdbaccess.nse
@@ -0,0 +1,150 @@
+local mssql = require "mssql"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+-- -*- mode: lua -*-
+-- vim: set filetype=lua :
+
+description = [[
+Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has
+access to.
+
+SQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code>
+and/or <code>mssql.username</code> & <code>mssql.password</code>)
+Run criteria:
+* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
+or <code>mssql.instance-port</code> script arguments are used (see mssql.lua).
+* Port script: Will run against any services identified as SQL Servers, but only
+if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
+and <code>mssql.instance-port</code> script arguments are NOT used.
+
+The script needs an account with the sysadmin server role to work.
+
+When run, the script iterates over the credentials and attempts to run
+the command for each available set of credentials.
+
+NOTE: The "owner" field in the results will be truncated at 20 characters. This
+is a limitation of the <code>sp_MShasdbaccess</code> stored procedure that the
+script uses.
+
+NOTE: Communication with instances via named pipes depends on the <code>smb</code>
+library. To communicate with (and possibly to discover) instances via named pipes,
+the host must have at least one SMB port (e.g. TCP 445) that was scanned and
+found to be open. Additionally, named pipe connections may require Windows
+authentication to connect to the Windows host (via SMB) in addition to the
+authentication required to connect to the SQL Server instances itself. See the
+documentation and arguments for the <code>smb</code> library for more information.
+
+NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
+with ports that were not included in the port list for the Nmap scan. This can
+be disabled using the <code>mssql.scanned-ports-only</code> script argument.
+]]
+
+---
+-- @usage
+-- nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa <host>
+--
+-- @args ms-sql-hasdbaccess.limit limits the amount of databases per-user
+-- that are returned (default 5). If set to zero or less all
+-- databases the user has access to are returned.
+--
+-- @output
+-- | ms-sql-hasdbaccess:
+-- | [192.168.100.25\MSSQLSERVER]
+-- | webshop_reader
+-- | dbname owner
+-- | ====== =====
+-- | hr sa
+-- | finance sa
+-- | webshop sa
+-- | lordvader
+-- | dbname owner
+-- | ====== =====
+-- | testdb CQURE-NET\Administr
+-- |_ webshop sa
+
+-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <patrik@cqure.net>
+-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host;
+-- added compatibility with changes in mssql.lua (Chris Woodbury)
+
+author = "Patrik Karlsson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"auth", "discovery","safe"}
+
+
+dependencies = {"broadcast-ms-sql-discover", "ms-sql-brute", "ms-sql-empty-password"}
+
+
+local function process_instance( instance )
+
+ local status, result, rs
+ local query, limit
+ local output = {}
+ local exclude_dbs = { "'master'", "'tempdb'", "'model'", "'msdb'" }
+
+ local RS_LIMIT = tonumber(stdnse.get_script_args( {'mssql-hasdbaccess.limit', 'ms-sql-hasdbaccess.limit' } )) or 5
+
+ if ( RS_LIMIT <= 0 ) then
+ limit = ""
+ else
+ limit = string.format( "TOP %d", RS_LIMIT )
+ end
+
+ local query = { [[CREATE table #hasaccess(dbname varchar(255), owner varchar(255),
+ DboOnly bit, ReadOnly bit, SingelUser bit, Detached bit,
+ Suspect bit, Offline bit, InLoad bit, EmergencyMode bit,
+ StandBy bit, [ShutDown] bit, InRecovery bit, NotRecovered bit )]],
+
+
+ "INSERT INTO #hasaccess EXEC sp_MShasdbaccess",
+ ("SELECT %s dbname, owner FROM #hasaccess WHERE dbname NOT IN(%s)"):format(limit, table.concat(exclude_dbs, ",")),
+ "DROP TABLE #hasaccess" }
+
+ local creds = mssql.Helper.GetLoginCredentials_All( instance )
+ if ( not creds ) then
+ output = "ERROR: No login credentials."
+ else
+ for username, password in pairs( creds ) do
+ local helper = mssql.Helper:new()
+ status, result = helper:ConnectEx( instance )
+ if ( not(status) ) then
+ output = "ERROR: " .. result
+ break
+ end
+
+ if ( status ) then
+ status = helper:Login( username, password, nil, instance.host.ip )
+ end
+
+ if ( status ) then
+ for _, q in pairs(query) do
+ status, result = helper:Query( q )
+ if ( status ) then
+ -- Only the SELECT statement should produce output
+ if ( #result.rows > 0 ) then
+ rs = result
+ end
+ end
+ end
+ end
+
+ helper:Disconnect()
+
+ if ( status and rs ) then
+ result = mssql.Util.FormatOutputTable( rs, true )
+ result.name = username
+ if ( RS_LIMIT > 0 ) then
+ result.name = result.name .. (" (Showing %d first results)"):format(RS_LIMIT)
+ end
+ table.insert( output, result )
+ end
+ end
+ end
+
+ -- TODO: structured output, not format_output
+ return stdnse.format_output(true, output)
+end
+
+
+action, portrule, hostrule = mssql.Helper.InitScript(process_instance)