fluidasserts.db.mssql module

Dynamic Application Security Testing suite for Microsoft SQL Server.

class fluidasserts.db.mssql.ConnectionString(dbname, user, password, host, port)

Bases: tuple

Create new instance of ConnectionString(dbname, user, password, host, port)

property dbname

Alias for field number 0

property host

Alias for field number 3

property password

Alias for field number 2

property port

Alias for field number 4

property user

Alias for field number 1

fluidasserts.db.mssql.can_alter_any_credential(user, password, host, port)

Check if there are accounts that have permission to Alter any credential.

SQL Server’s ‘Alter any credential’ permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If any user accounts have direct access to administrative privileges, this access must be removed.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are accounts that have permission to alter any credential.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.can_alter_any_database(user, password, host, port)

Check if any user accounts have access to ALTER ANY DATABASE.

SQL Server’s ALTER ANY DATABASE permission is a high server-level privilege that must only be granted to individual administration accounts through roles.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are users that have access to ALTER ANY DATABASE.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.can_alter_any_login(user, password, host, port)

Check if there are accounts that have permission to Alter any login.

SQL Server’s ‘Alter any login’ permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If any user accounts have direct access to administrative privileges, this access must be removed.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are accounts that have permission to alter any login.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.can_control_server(user, password, host, port)

Check if there are accounts that have permission to Control Server.

SQL Server’s ‘Control Server’ permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If any user accounts have direct access to administrative privileges, this access must be removed.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are users that have permission to Control Server.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.can_execute_commands(user, password, host, port)

Check if the user can execute OS commands.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if we were able to execute OS commands.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.can_shutdown_server(user, password, host, port)

Check if there are accounts that have permission to Shutdown the Server.

SQL Server’s ‘Shutdown’ permission is a high server-level privilege that must only be granted to individual administration accounts through roles. If any user accounts have direct access to administrative privileges, this access must be removed.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are users that have permission to Shutdown the server.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
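
The five can_* checks above (can_alter_any_credential through can_shutdown_server) all ask the same question: does any individual login hold a high server-level permission directly, rather than through a server role? The following is an added example, not fluidasserts' own implementation, that queries the real catalog views sys.server_permissions and sys.server_principals and maps the rows onto the OPEN / CLOSED / UNKNOWN outcomes described above; the sample rows are constructed, and the connection string passed to audit() is whatever DSN you supply.

```python
"""Added example (not fluidasserts' own code): find high server-level
permissions granted directly to logins via sys.server_permissions."""
from typing import Iterable, List, Tuple

# Permissions behind the module's can_alter_any_credential, can_alter_any_database,
# can_alter_any_login, can_control_server and can_shutdown_server checks.
HIGH_PRIVILEGES = ("ALTER ANY CREDENTIAL", "ALTER ANY DATABASE",
                   "ALTER ANY LOGIN", "CONTROL SERVER", "SHUTDOWN")

# Server-scoped permissions in GRANT ('G') or GRANT WITH GRANT OPTION ('W')
# state, with the grantee's principal type so that grants to server roles
# (type 'R') can be told apart from grants to individual logins.
PERMISSION_QUERY = """
SELECT pr.name, pr.type, pe.permission_name
  FROM sys.server_permissions AS pe
  JOIN sys.server_principals AS pr
    ON pe.grantee_principal_id = pr.principal_id
 WHERE pe.class_desc = 'SERVER'
   AND pe.state IN ('G', 'W')
"""

Row = Tuple[str, str, str]  # (principal name, principal type, permission)

# Constructed sample rows shaped like the query's result set.
SAMPLE_ROWS: List[Row] = [
    ("app_user", "S", "CONNECT SQL"),
    ("app_user", "S", "CONTROL SERVER"),             # direct grant: finding
    ("dbops_role", "R", "SHUTDOWN"),                 # held by a role: fine
    ("CORP\\svc_backup", "U", "ALTER ANY DATABASE"),  # Windows login: finding
]


def evaluate(rows: Iterable[Row], permission: str) -> Tuple[str, List[str]]:
    """Return (outcome, offending logins): a grant to a server role is CLOSED
    (administrators get it through the role); a direct grant is OPEN."""
    offenders = sorted({name for name, ptype, perm in rows
                        if perm.upper() == permission.upper() and ptype != "R"})
    return ("OPEN" if offenders else "CLOSED"), offenders


def audit(conn_str: str, permission: str) -> Tuple[str, List[str]]:
    """Run the query on a live instance; any failure yields UNKNOWN."""
    try:
        import pyodbc  # imported lazily so evaluate() stays usable offline
        with pyodbc.connect(conn_str) as conn:
            rows = [tuple(r) for r in conn.execute(PERMISSION_QUERY).fetchall()]
    except Exception:  # driver, network or catalog permission errors
        return "UNKNOWN", []
    return evaluate(rows, permission)
```

The login used for audit() only needs to read the two catalog views; VIEW ANY DEFINITION or membership in a server role that can read server metadata is sufficient.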

fluidasserts.db.mssql.database(connection_string)

Context manager to get a safe connection and a cursor.

Parameters

connection_string (fluidasserts.db.mssql.ConnectionString) – Connection parameters and credentials.

Return type

typing.Iterable[typing.Tuple[pyodbc.Connection, pyodbc.Cursor]]

Returns

A tuple of (connection object, cursor object).

fluidasserts.db.mssql.has_asymmetric_keys_with_unencrypted_private_keys(user, password, host, port)

Check for asymmetric keys with a private key that is not encrypted.

Encryption is only effective if the encryption method is robust and the keys used to provide the encryption are not easily discovered. Without effective encryption, sensitive data is vulnerable to unauthorized access.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are asymmetric keys with unencrypted private keys.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_clr_option_enabled(user, password, host, port)

Check if the CLR option is enabled.

The clr_enabled parameter configures SQL Server to allow or disallow the use of Common Language Runtime (CLR) objects. CLR objects are managed code that integrates with the .NET Framework. This is a more secure method than external stored procedures, although it still carries some risk.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if CLR option is enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_contained_dbs_with_auto_close_enabled(user, password, host, port)

Check if there are contained databases that are set to AUTO_CLOSE ON.

Opening contained databases to authenticate a user consumes additional server resources and may contribute to a denial of service.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are contained databases that are set to AUTO_CLOSE ON.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_enabled_ad_hoc_queries(user, password, host, port)

Check if Ad Hoc Distributed Queries option is enabled.

Ad hoc queries allow undefined access to remote database sources. Access to untrusted databases could result in execution of malicious applications and/or a compromise of local data confidentiality and integrity.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if ad hoc distributed queries option is enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_login_password_expiration_disabled(user, password, host, port)

Check if login password expiration policy is disabled.

Unchanged passwords provide a means for compromised passwords to be used for unauthorized access to DBMS accounts over a long period of time.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are logins that have the password expiration policy disabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_password_policy_check_disabled(user, password, host, port)

Check if there are logins whose passwords are not tested for complexity requirements.

Weak passwords are a primary target for attacks aimed at gaining unauthorized access to databases and other systems. Where a username/password pair is used for identification and authentication to the database, requiring strong passwords helps prevent both simple and more sophisticated guessing methods.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are logins that have the password policy complexity check disabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_remote_access_option_enabled(user, password, host, port)

Check if remote access is enabled.

The remote access option determines if connections to and from other Microsoft SQL Servers are allowed. Remote connections are used to support distributed queries and other data access and command executions across and between remote database hosts. Remote servers and logins that are not properly secured can be used to compromise the server.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if remote access is enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_sa_account_login_enabled(user, password, host, port)

Check if the sa login account is enabled.

Disabling the sa login reduces the probability of an attacker executing brute-force attacks against a well-known principal.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if the sa login account is enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_smo_and_dmo_xps_option_enabled(user, password, host, port)

Check if SMO and DMO XPs options are enabled.

The SMO and DMO XPs are management object extended stored procedures that provide highly-privileged actions that run externally to the DBMS under the security context of the SQL Server service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if SMO and DMO XPs options are enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_text(dbname, user, password, host, port, query, expected_text)

Check if the executed query returns the expected text.

Parameters
  • dbname (str) – database name.

  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

  • query (str) – query to execute.

  • expected_text (str) – expected text of the query.

Returns

  • OPEN if the query result is equal to expected_text.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_trustworthy_status_on(user, password, host, port)

Check whether any database has TRUSTWORTHY set to ON.

When OFF, the TRUSTWORTHY database setting restricts access to database resources by databases that contain assemblies with the EXTERNAL_ACCESS or UNSAFE permission settings and modules that use impersonation of accounts assigned elevated privileges.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are databases that have TRUSTWORTHY status on.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_unencrypted_storage_procedures(user, password, host, port)

Check if stored procedures are kept in the database without encryption.

Encryption protects sensitive code and data contained in stored procedure code.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if there are stored procedures kept in the database without encryption.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.has_xps_option_enabled(user, password, host, port)

Check if the Agent XPs option is enabled.

The Agent XPs are extended stored procedures used by the SQL Server Agent that provide privileged actions that run externally to the DBMS under the security context of the SQL Server Agent service account. If these procedures are available from a database session, an exploit to the SQL Server instance could result in a compromise of the host system and external SQL Server resources.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if agent XPs option is enabled.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
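
The configuration checks on this page (has_clr_option_enabled, has_enabled_ad_hoc_queries, has_remote_access_option_enabled, has_smo_and_dmo_xps_option_enabled, has_xps_option_enabled) and the feature behind can_execute_commands are all instance-wide options readable from sys.configurations. The following added example, not fluidasserts' own code, evaluates those options from catalog rows and also generates the sp_configure script that turns the enabled ones off; the sample rows are constructed.

```python
"""Added example (not fluidasserts' own code): audit risky instance-wide
options in sys.configurations and emit the sp_configure script that
turns them off."""
from typing import Dict, Iterable, List, Tuple

# Real sys.configurations names behind has_clr_option_enabled,
# has_enabled_ad_hoc_queries, has_remote_access_option_enabled,
# has_smo_and_dmo_xps_option_enabled and has_xps_option_enabled, plus
# xp_cmdshell, the feature can_execute_commands exercises.
RISKY_OPTIONS = ("clr enabled", "Ad Hoc Distributed Queries", "remote access",
                 "SMO and DMO XPs", "Agent XPs", "xp_cmdshell")

# value_in_use is the running value; 'value' alone may be a pending change.
# The CAST sidesteps driver trouble with the sql_variant column type.
CONFIG_QUERY = "SELECT name, CAST(value_in_use AS int) FROM sys.configurations"

Row = Tuple[str, int]  # (option name, value_in_use)

# Constructed sample rows shaped like the query's result set.
SAMPLE_ROWS: List[Row] = [("clr enabled", 1), ("xp_cmdshell", 0),
                          ("Agent XPs", 1), ("remote access", 0)]


def evaluate(rows: Iterable[Row]) -> Tuple[str, List[str]]:
    """Return (outcome, enabled risky options).  An option missing from the
    catalog ('SMO and DMO XPs' on newer releases) cannot be enabled and is
    therefore not a finding."""
    running: Dict[str, int] = {name.lower(): int(value) for name, value in rows}
    enabled = [opt for opt in RISKY_OPTIONS if running.get(opt.lower(), 0) == 1]
    return ("OPEN" if enabled else "CLOSED"), enabled


def remediation_script(enabled: Iterable[str]) -> str:
    """Build T-SQL that disables each flagged option.  'show advanced options'
    is switched on so sp_configure accepts the advanced ones (Agent XPs,
    xp_cmdshell, Ad Hoc Distributed Queries) and off again at the end;
    RECONFIGURE applies each change.  Names come only from RISKY_OPTIONS."""
    lines = ["EXEC sp_configure 'show advanced options', 1;", "RECONFIGURE;"]
    for opt in enabled:
        lines += [f"EXEC sp_configure '{opt}', 0;", "RECONFIGURE;"]
    lines += ["EXEC sp_configure 'show advanced options', 0;", "RECONFIGURE;"]
    return "\n".join(lines)
```

Review the generated script before running it: 'remote access' and 'Agent XPs' are legitimately needed by linked-server setups and by SQL Server Agent respectively, so an enabled value is a finding to confirm, not always one to change blindly.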

fluidasserts.db.mssql.have_access(user, password, host, port)

Check if the given connection parameters allow connecting to the database.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if we were able to connect to the database.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.db.mssql.sa_account_has_not_been_renamed(user, password, host, port)

Check if the sa account has not been renamed.

Disabling or renaming the sa login reduces the probability of an attacker executing brute-force attacks against a well-known principal.

Parameters
  • user (str) – username with access permissions to the database.

  • password (str) – database password.

  • host (str) – database ip.

  • port (int) – database port.

Returns

  • OPEN if the sa login account has not been renamed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
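
The login checks on this page (has_login_password_expiration_disabled, has_password_policy_check_disabled, has_sa_account_login_enabled and sa_account_has_not_been_renamed) can all be answered from one query over sys.sql_logins, as this added example shows; it is not fluidasserts' own code, the sample rows are constructed, and the decision to skip disabled logins for the two policy checks is this example's own choice rather than something the page states.

```python
"""Added example (not fluidasserts' own code): evaluate SQL-login hygiene
from sys.sql_logins for the four login checks on this page."""
from typing import Dict, Iterable, List, Tuple

# sys.sql_logins (real catalog view) carries the per-login policy flags.
# The built-in administrator login is matched by its fixed SID 0x01,
# not by name, so a renamed sa is still recognised.
LOGIN_QUERY = """
SELECT name, sid, is_disabled, is_policy_checked, is_expiration_checked
  FROM sys.sql_logins
"""
SA_SID = b"\x01"

Row = Tuple[str, bytes, bool, bool, bool]

# Constructed sample rows shaped like the query's result set.
SAMPLE_ROWS: List[Row] = [
    ("sa", SA_SID, False, True, True),                # enabled, not renamed
    ("app_user", b"\xaa\x01", False, False, False),   # no policy, no expiry
    ("legacy", b"\xaa\x02", True, False, False),      # disabled: skipped
    ("dba_jane", b"\xaa\x03", False, True, True),
]


def evaluate(rows: Iterable[Row]) -> Dict[str, Tuple[str, List[str]]]:
    """Map rows onto the four checks' OPEN / CLOSED outcomes.  This example's
    own choice (not stated on the page): disabled logins are skipped for the
    two policy checks since they cannot authenticate; the sa checks look at
    the sa login regardless, because its state is the finding itself."""
    hits: Dict[str, List[str]] = {
        "has_login_password_expiration_disabled": [],
        "has_password_policy_check_disabled": [],
        "has_sa_account_login_enabled": [],
        "sa_account_has_not_been_renamed": [],
    }
    for name, sid, disabled, policy, expiration in rows:
        if bytes(sid) == SA_SID:
            if not disabled:
                hits["has_sa_account_login_enabled"].append(name)
            if name.lower() == "sa":
                hits["sa_account_has_not_been_renamed"].append(name)
        if disabled:
            continue
        if not expiration:
            hits["has_login_password_expiration_disabled"].append(name)
        if not policy:
            hits["has_password_policy_check_disabled"].append(name)
    return {check: ("OPEN" if names else "CLOSED", sorted(names))
            for check, names in hits.items()}
```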