Hi Juan,

Microsoft SQL Server has a built-in function called OPENROWSET to query another DBMS (or the DBMS itself). Back in 2002 Chris Anley released a paper demonstrating how to abuse this function to perform a DBMS user's password brute-force attack within the MSSQL instance. A few years later the attack was automated in sqlninja[1].

We have an issue open on GitHub[2] to implement the same DBA password brute-force attack. We have the required code in place, see issue #34[3], and will soon close the whole thing.

However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL 2005 RTM it is disabled by default, hence either the database administrator has manually enabled it, or you won't be able to abuse this function to brute-force the 'sa' (DBA) password hash or run statements on his behalf.

[1] http://sqlninja.sourceforge.net
[2] https://github.com/sqlmapproject/sqlmap/issues/31
[3] https://github.com/sqlmapproject/sqlmap/issues/34

Regards,
Bernardo

On 20 July 2012 12:14, juan molina <j.molina04...@gmail.com> wrote:
> Is there a way to brute-force the SA password using SQL injection?
>
> This is the scenario: it is a database server (SQL Server 2008) without
> access to the internet (it has port 1433 blocked),
> the current user is a normal user (low-privilege user). Cannot get the SA
> password hash.
>
> The question is, is there any tool or code or way to brute-force the SA
> password without direct access to the SQL Server?
>
> It is a request to add this functionality to SQLMAP; I don't know if it is
> possible.
>
> Thanks.
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
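
A defender-side illustration, added here and not part of the original thread or of sqlmap: password guessing against 'sa' can be spotted as a burst of failed-login entries in the SQL Server error log. It assumes failed logins are being audited, that the log lines have the layout shown, and that guesses made through OPENROWSET against the same instance appear with a loopback client; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ts, user, client):
    # Assumed ERRORLOG layout for a failed login; adjust to your server's format.
    return (f"{ts} Logon       Login failed for user '{user}'. Reason: Password did "
            f"not match that for the login provided. [CLIENT: {client}]")

# Constructed sample: 8 'sa' failures in 14 s from the server itself,
# two isolated 'sa' failures from another host, one unrelated login.
SAMPLE_LOG = "\n".join(
    [_line(f"2012-07-20 12:14:{s:02d}.10", "sa", "<local machine>")
     for s in range(0, 16, 2)]
    + [_line("2012-07-20 12:20:00.00", "sa", "10.0.0.7"),
       _line("2012-07-20 12:45:00.00", "sa", "10.0.0.7"),
       _line("2012-07-20 12:46:00.00", "appuser", "10.0.0.9")])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]")

# Assumption: a connection the instance opens to itself is logged with one of these.
LOOPBACK = {"<local machine>", "127.0.0.1", "::1"}

def find_bursts(log_text, user="sa", threshold=5, window=timedelta(seconds=60)):
    """Return {client: peak failures seen in any window} for clients that
    reach `threshold` failed logins for `user` within `window`."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peaks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"].lower() != user:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["client"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["client"]] = max(peaks.get(m["client"], 0), len(q))
    return peaks

def from_server_itself(peaks):
    """Bursts whose client is the server: worth checking for injected queries."""
    return sorted(c for c in peaks if c in LOOPBACK)

if __name__ == "__main__":
    bursts = find_bursts(SAMPLE_LOG)
    print(bursts, from_server_itself(bursts))
```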