Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2001-2022 H D MooreMSSQL_BLANK_PASSWORD.NASL
HistoryMay 25, 2001 - 12:00 a.m.

Microsoft SQL Server sa Account Default Blank Password

2001-05-2500:00:00
This script is Copyright (C) 2001-2022 H D Moore
www.tenable.com
136
JSON

The remote instance of MS SQL / SQL Server has the default ‘sa’ account enabled without any password.

An attacker may leverage this flaw to execute commands against the remote host, as well as read the content of any databases it might have.

#%NASL_MIN_LEVEL 70300
##
#
# this script attempts to log in to a SQL server using the 
# "sa" account with a blank password.
#
##

# Changes by Tenable:
# - Revised plugin title (6/8/09)
# - Match NVD score for CVE, replace string() calls (9/14/18)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(10673);
  script_version("1.42");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2000-1209");
  script_bugtraq_id(4797);

  script_name(english:"Microsoft SQL Server sa Account Default Blank Password");

  script_set_attribute(attribute:"synopsis", value:
"The remote database service has an account with a blank password.");
  script_set_attribute(attribute:"description", value:
"The remote instance of MS SQL / SQL Server has the default 'sa'
account enabled without any password. 

An attacker may leverage this flaw to execute commands against the
remote host, as well as read the content of any databases it might
have.");
  script_set_attribute(attribute:"solution", value:
"Disable the 'sa' account or set a password for it.  

In addition, filter incoming TCP traffic to this port. 

For MSDE (OEM versions without MSQL console) : 

 C:\MSSQL7\BINN\osql -U sa

 At the Password: prompt press <Enter>.

 Type the following replacing .password. with the password you wish to
 assign, in single quotes:

 EXEC sp_password NULL, .password., .sa.
 go
 exit");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-1209");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft SQL Server Payload Execution via SQL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2000/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2001/05/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2001-2022 H D Moore");

  script_dependencies("mssqlserver_detect.nasl", "sybase_detect.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/mssql", 1433);

  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");

pkt_hdr = raw_string(
    0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);


pkt_pt2 = raw_string (
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x61, 0x30, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x18, 0x81, 0xb8, 0x2c, 0x08, 0x03,
    0x01, 0x06, 0x0a, 0x09, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x73, 0x71, 0x75, 0x65, 0x6c, 0x64, 0x61,
    0x20, 0x31, 0x2e, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00
);

pkt_pt3 = raw_string (
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x4d, 0x53, 0x44,
    0x42, 0x4c, 0x49, 0x42, 0x00, 0x00, 0x00, 0x07, 0x06, 0x00, 0x00,
    0x00, 0x00, 0x0d, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);

pkt_lang = raw_string(
    0x02, 0x01, 0x00, 0x47, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x30, 0x30, 0x00, 0x00,
    0x00, 0x03, 0x00, 0x00, 0x00
);

function make_sql_login_pkt (username, password)
{
    local_var nul, pblen, pbuf, plen, ppad, sql_packet, ublen, ubuf, ulen, upad;

    ulen = strlen(username);
    plen = strlen(password);
    
    upad = 30 - ulen;
    ppad = 30 - plen;
    
    ubuf = "";
    pbuf = "";
    
    nul = raw_string(0x00);
    
    if(ulen)
    {
        ublen = raw_string(ulen % 255);
    } else {
        ublen = raw_string(0x00);
    }
    
    if(plen)
    {
        pblen = raw_string(plen % 255);
    } else {
        pblen = raw_string(0x00);
    }  

    ubuf = username + crap(data:nul, length:upad);
    pbuf = password + crap(data:nul, length:ppad);

    sql_packet = pkt_hdr + ubuf + ublen + pbuf + pblen + pkt_pt2 + pblen + pbuf + pkt_pt3;

    # returning this as a string is NOT working!
    return sql_packet;
}


port = get_kb_item("Services/mssql");
if(!port)port = get_kb_item("Services/sybase");
if(!port)
{
  port = 1433;
  if (!service_is_unknown(port:port)) exit(0, "The service is already known on port "+port+".");
}
if (!get_tcp_port_state(port)) exit(0, "Port "+port+" is not open.");

if (supplied_logins_only) exit(0, "Nessus is currently configured to not log in with user accounts not specified in the scan policy.");

found = 0;


soc = open_sock_tcp(port);
if (!soc) exit(1, "Can't open socket on port "+port+".");

# this creates a variable called sql_packet
sql_packet = make_sql_login_pkt(username:"sa", password:"");

send(socket:soc, data:sql_packet);
send(socket:soc, data:pkt_lang);

r  = recv(socket:soc, length:255);
close(soc);

if (
  strlen(r) > 10 &&
  ord(r[8]) == 0xE3
)
{
  # Can we differentiate between mssql and sybase?
  # if (service_is_unknown(port:port)) register_service(port:port, proto:"mssql");

  security_hole(port);
  set_kb_item(name: 'MSSQL/blank_password/'+port, value: TRUE);

  exit(0);
}
else exit(0, "The SQL Server instance listening on port "+port+" is not affected.");
VendorProductVersionCPE
microsoftsql_servercpe:/a:microsoft:sql_server

Related

canvas 1
cert 1
cvelist 1
cve 1
openvas 1
packetstorm 1
checkpoint_advisories 1
canvas
canvas
Immunity Canvas: MSSQL_AUTH
2002-08-12 04:00:00
cert
cert
Microsoft SQL Server and Microsoft Data Engine (MSDE) ship with a null default password
2001-11-27 00:00:00
cvelist
cvelist
CVE-2000-1209
2002-08-10 04:00:00
cve
cve
CVE-2000-1209
2002-08-12 04:00:00
openvas
openvas
Microsoft SQL (MSSQL) Server Blank Password (Remote)
2005-11-03 00:00:00
packetstorm
packetstorm
Microsoft SQL Server Payload Execution via SQL injection
2011-01-29 00:00:00
checkpoint_advisories
checkpoint_advisories
MS-SQL Server Protocol - General Settings (CAN-2000-1209; CVE-2002-1123)
2005-02-01 00:00:00
JSON
Related for MSSQL_BLANK_PASSWORD.NASL
canvas1cert1cvelist1cve1openvas1packetstorm1checkpoint_advisories1