ms-sql-tables
脚本使用类型:
hostrule, portrule
脚本所属分类:
discovery, safe
脚本下载地址: http://nmap.org/svn/scripts/ms-sql-tables.nse
Queries Microsoft SQL Server (ms-sql) for a list of tables per database.
SQL Server credentials required: Yes (use ms-sql-brute
, ms-sql-empty-password
and/or mssql.username
& mssql.password
)
Run criteria:
mssql.instance-all
, mssql.instance-name
mssql.instance-port
script arguments are used (see mssql.lua).
mssql.instance-all
, mssql.instance-name
and mssql.instance-port
script arguments are NOT used.
The sysdatabase table should be accessible by more or less everyone.
Once we have a list of databases we iterate over it and attempt to extract table names. In order for this to succeed we need to have either sysadmin privileges or an account with access to the db. So, each database we successfully enumerate tables from we mark as finished, then iterate over known user accounts until either we have exhausted the users or found all tables in all the databases.
System databases are excluded.
NOTE: Communication with instances via named pipes depends on the smb
library. To communicate with (and possibly to discover) instances via named pipes,
the host must have at least one SMB port (e.g. TCP 445) that was scanned and
found to be open. Additionally, named pipe connections may require Windows
authentication to connect to the Windows host (via SMB) in addition to the
authentication required to connect to the SQL Server instances itself. See the
documentation and arguments for the smb
library for more information.
NOTE: By default, the ms-sql-* scripts may attempt to connect to and communicate
with ports that were not included in the port list for the Nmap scan. This can
be disabled using the mssql.scanned-ports-only
script argument.
If set shows only tables or columns matching the keywords
Limits the amount of databases that are processed and returned (default 5). If set to zero or less all databases are processed.
Limits the amount of tables returned (default 5). If set to zero or less all tables are returned.
执行格式
nmap -p 1433 --script ms-sql-tables --script-args mssql.username=sa,mssql.password=sa <host>
| ms-sql-tables: | [192.168.100.25\MSSQLSERVER] | webshop | table column type length | payments user_id int 4 | payments purchase_id int 4 | payments cardholder varchar 50 | payments cardtype varchar 50 | payments cardno varchar 50 | payments expiry varchar 50 | payments cvv varchar 4 | products id int 4 | products manu varchar 50 | products model varchar 50 | products productname varchar 100 | products price float 8 | products imagefile varchar 255 | products quantity int 4 | products keywords varchar 100 | products description text 16 | users id int 4 | users username varchar 50 | users password varchar 50 |_ users fullname varchar 100
Author: Patrik Karlsson
License: VER007 整理 http://www.ver007.com