9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has access to.
SQL Server credentials required: Yes (use ms-sql-brute
, ms-sql-empty-password
and/or mssql.username
& mssql.password
) Run criteria:
Host script: Will run if the mssql.instance-all
, mssql.instance-name
or mssql.instance-port
script arguments are used (see mssql.lua).
Port script: Will run against any services identified as SQL Servers, but only
if the mssql.instance-all
, mssql.instance-name
and mssql.instance-port
script arguments are NOT used.
The script needs an account with the sysadmin server role to work.
When run, the script iterates over the credentials and attempts to run the command for each available set of credentials.
NOTE: The “owner” field in the results will be truncated at 20 characters. This is a limitation of the sp_MShasdbaccess
stored procedure that the script uses.
NOTE: Communication with instances via named pipes depends on the smb
library. To communicate with (and possibly to discover) instances via named pipes, the host must have at least one SMB port (e.g. TCP 445) that was scanned and found to be open. Additionally, named pipe connections may require Windows authentication to connect to the Windows host (via SMB) in addition to the authentication required to connect to the SQL Server instances itself. See the documentation and arguments for the smb
library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate with ports that were not included in the port list for the Nmap scan. This can be disabled using the mssql.scanned-ports-only
script argument.
limits the amount of databases per-user that are returned (default 5). If set to zero or less all databases the user has access to are returned.
See the documentation for the mssql library.
See the documentation for the smb library.
See the documentation for the smbauth library.
nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa <host>
| ms-sql-hasdbaccess:
| [192.168.100.25\MSSQLSERVER]
| webshop_reader
| dbname owner
| ====== =====
| hr sa
| finance sa
| webshop sa
| lordvader
| dbname owner
| ====== =====
| testdb CQURE-NET\Administr
|_ webshop sa
local mssql = require "mssql"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
-- -*- mode: lua -*-
-- vim: set filetype=lua :
description = [[
Queries Microsoft SQL Server (ms-sql) instances for a list of databases a user has
access to.
SQL Server credentials required: Yes (use <code>ms-sql-brute</code>, <code>ms-sql-empty-password</code>
and/or <code>mssql.username</code> & <code>mssql.password</code>)
Run criteria:
* Host script: Will run if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
or <code>mssql.instance-port</code> script arguments are used (see mssql.lua).
* Port script: Will run against any services identified as SQL Servers, but only
if the <code>mssql.instance-all</code>, <code>mssql.instance-name</code>
and <code>mssql.instance-port</code> script arguments are NOT used.
The script needs an account with the sysadmin server role to work.
When run, the script iterates over the credentials and attempts to run
the command for each available set of credentials.
NOTE: The "owner" field in the results will be truncated at 20 characters. This
is a limitation of the <code>sp_MShasdbaccess</code> stored procedure that the
script uses.
NOTE: Communication with instances via named pipes depends on the <code>smb</code>
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the <code>smb</code> library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the <code>mssql.scanned-ports-only</code> script argument.
]]
---
-- @usage
-- nmap -p 1433 --script ms-sql-hasdbaccess --script-args mssql.username=sa,mssql.password=sa <host>
--
-- @args ms-sql-hasdbaccess.limit limits the amount of databases per-user
-- that are returned (default 5). If set to zero or less all
-- databases the user has access to are returned.
--
-- @output
-- | ms-sql-hasdbaccess:
-- | [192.168.100.25\MSSQLSERVER]
-- | webshop_reader
-- | dbname owner
-- | ====== =====
-- | hr sa
-- | finance sa
-- | webshop sa
-- | lordvader
-- | dbname owner
-- | ====== =====
-- | testdb CQURE-NET\Administr
-- |_ webshop sa
-- Created 01/17/2010 - v0.1 - created by Patrik Karlsson <[email protected]>
-- Revised 02/01/2011 - v0.2 - Added ability to run against all instances on a host;
-- added compatibility with changes in mssql.lua (Chris Woodbury)
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"auth", "discovery","safe"}
dependencies = {"broadcast-ms-sql-discover", "ms-sql-brute", "ms-sql-empty-password"}
local function process_instance( instance )
local status, result, rs
local query, limit
local output = {}
local exclude_dbs = { "'master'", "'tempdb'", "'model'", "'msdb'" }
local RS_LIMIT = tonumber(stdnse.get_script_args( {'mssql-hasdbaccess.limit', 'ms-sql-hasdbaccess.limit' } )) or 5
if ( RS_LIMIT <= 0 ) then
limit = ""
else
limit = string.format( "TOP %d", RS_LIMIT )
end
local query = { [[CREATE table #hasaccess(dbname varchar(255), owner varchar(255),
DboOnly bit, ReadOnly bit, SingelUser bit, Detached bit,
Suspect bit, Offline bit, InLoad bit, EmergencyMode bit,
StandBy bit, [ShutDown] bit, InRecovery bit, NotRecovered bit )]],
"INSERT INTO #hasaccess EXEC sp_MShasdbaccess",
("SELECT %s dbname, owner FROM #hasaccess WHERE dbname NOT IN(%s)"):format(limit, table.concat(exclude_dbs, ",")),
"DROP TABLE #hasaccess" }
local creds = mssql.Helper.GetLoginCredentials_All( instance )
if ( not creds ) then
output = "ERROR: No login credentials."
else
for username, password in pairs( creds ) do
local helper = mssql.Helper:new()
status, result = helper:ConnectEx( instance )
if ( not(status) ) then
output = "ERROR: " .. result
break
end
if ( status ) then
status = helper:Login( username, password, nil, instance.host.ip )
end
if ( status ) then
for _, q in pairs(query) do
status, result = helper:Query( q )
if ( status ) then
-- Only the SELECT statement should produce output
if ( #result.rows > 0 ) then
rs = result
end
end
end
end
helper:Disconnect()
if ( status and rs ) then
result = mssql.Util.FormatOutputTable( rs, true )
result.name = username
if ( RS_LIMIT > 0 ) then
result.name = result.name .. (" (Showing %d first results)"):format(RS_LIMIT)
end
table.insert( output, result )
end
end
end
-- TODO: structured output, not format_output
return stdnse.format_output(true, output)
end
action, portrule, hostrule = mssql.Helper.InitScript(process_instance)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%