Metasploit MSSQL Interesting Data Finder
This project is the implementation of my blog post Finding Interesting Database Data.
My original intent was to query the database once the columns had been found and to return some sample data for each table, but unfortunately, due to a problem in the Metasploit module this code is based on, I'm currently not able to. The code is mostly written, so it should be easy enough to add it in once Metasploit is fixed.
Installation
To install the module, simply untar the download to the root of your Metasploit install.
Usage
Usage is fairly simple: set the standard parameters and run exploit. By default it will search for columns whose names include the words passw, bank, credit and card. If you want to change these, set the NAMES field to a pipe-separated list of names to look for.
Once installed, you can find the module in auxiliary/admin/mssql/mssql_idf.
Example
msf > use auxiliary/admin/mssql/mssql_idf
msf auxiliary(mssql_idf) > show options
Module options:

Name      Current Setting         Required  Description
----      ---------------         --------  -----------
NAMES     passw|bank|credit|card  yes       Pipe separated list of column names
PASSWORD                          no        The password for the specified username
RHOST                             yes       The target address
RPORT     1433                    yes       The target port
USERNAME  sa                      no        The username to authenticate as

msf auxiliary(mssql_idf) > set PASSWORD MyPass
PASSWORD => MyPass
msf auxiliary(mssql_idf) > set RHOST 192.168.0.54
RHOST => 192.168.0.54
msf auxiliary(mssql_idf) > exploit

Database        Schema      Table              Column                  Data Type  Row Count
==============  ==========  =================  ======================  =========  =========
msdb            dbo         backupmediaset     is_password_protected   bit        0
msdb            dbo         backupset          is_password_protected   bit        0
AdventureWorks  Person      Address            MyPassword              nchar      19614
AdventureWorks  Purchasing  Vendor             CreditRating            tinyint    104
AdventureWorks  Person      Contact            PasswordHash            varchar    19972
AdventureWorks  Person      Contact            PasswordSalt            varchar    19972
AdventureWorks  Sales       ContactCreditCard  CreditCardID            int        19118
AdventureWorks  Sales       CreditCard         CreditCardID            int        19118
AdventureWorks  Sales       CreditCard         CardType                nvarchar   19118
AdventureWorks  Sales       CreditCard         CardNumber              nvarchar   19118
AdventureWorks  Sales       SalesOrderHeader   CreditCardID            int        31465
AdventureWorks  Sales       SalesOrderHeader   CreditCardApprovalCode  varchar    31465

[*] Auxiliary module execution completed
As you can see, it has found a number of interesting-looking columns; the row count field should help identify which ones can be ignored or given lower priority. It is now over to you to start querying them to check for data.
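
The same name matching and row-count triage can be run by a database owner over a column inventory, to decide which columns to review first for encryption or masking. The sketch below is an added example, not the module's code: the inventory rows are constructed from the sample output above plus one non-matching column, and the case-insensitive substring match and the "text types before numeric flags and IDs" ordering are assumptions of this example.

```python
import re

# Default value of the module's NAMES option (pipe-separated).
NAMES = "passw|bank|credit|card"

# Constructed inventory modelled on the sample output above:
# (database, schema, table, column, data_type, row_count)
INVENTORY = [
    ("msdb", "dbo", "backupset", "is_password_protected", "bit", 0),
    ("AdventureWorks", "Person", "Contact", "PasswordHash", "varchar", 19972),
    ("AdventureWorks", "Person", "Contact", "EmailAddress", "nvarchar", 19972),
    ("AdventureWorks", "Sales", "CreditCard", "CardNumber", "nvarchar", 19118),
    ("AdventureWorks", "Sales", "CreditCard", "CreditCardID", "int", 19118),
    ("AdventureWorks", "Purchasing", "Vendor", "CreditRating", "tinyint", 104),
]

# Assumption of this example: free-form types are more likely to hold
# secrets or card data than bit/int columns, which are usually flags or keys.
TEXT_TYPES = {"char", "nchar", "varchar", "nvarchar", "text", "ntext"}


def compile_names(names):
    """Turn a pipe-separated NAMES value into a case-insensitive substring matcher."""
    terms = [re.escape(t.strip()) for t in names.split("|") if t.strip()]
    if not terms:
        raise ValueError("NAMES must contain at least one term")
    return re.compile("|".join(terms), re.IGNORECASE)


def review_list(inventory, names=NAMES):
    """Return matching columns: populated text columns first, empty tables last."""
    matcher = compile_names(names)
    hits = [row for row in inventory if matcher.search(row[3])]

    def priority(row):
        data_type, row_count = row[4], row[5]
        if row_count == 0:
            return 2  # nothing stored, lowest priority
        return 0 if data_type in TEXT_TYPES else 1

    # Within a priority band, larger tables come first.
    return sorted(hits, key=lambda r: (priority(r), -r[5]))


if __name__ == "__main__":
    for db, schema, table, column, data_type, rows in review_list(INVENTORY):
        print(f"{db}.{schema}.{table}.{column} ({data_type}, {rows} rows)")
```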