#!/usr/bin/perl
##
## SQL username/password checker
## Parameters: senseql IP username password
##
## Eg. to check for blank SA:
## senseql 10.0.0.1 sa ""
##
## Roelof Temmingh / Haroon Meer
## roelof@sensepost.com / haroon@senspost.com
## SensePost IT Security
## http://www.sensepost.com
## http://www.hackrack.com
## 2001/11/09
##
## Only tested with version 7.0
##
## You need 1433 open...duh!
##
## How it works (as far as this file shows): one hand-built login packet
## carrying the username and password is sent to TCP/1433, followed by a
## second fixed packet, and the beginning of the server's reply is matched
## for the substring "context to 'master'" to decide whether the login was
## accepted.  The password travels in the packet as plain bytes -- nothing
## here encrypts or hashes it -- so the credential is exposed on the wire.
##
## NOTE(review): no `use strict;` / `use warnings;`, so every variable
## below is an unchecked package global and a failed recv() goes unnoticed.
## NOTE(review): the password is taken from argv and echoed to stdout, so
## it lands in shell history, process listings and any captured output.
##
use IO::Socket;

# Unbuffered stdout so the "host:user:pass:" prefix appears before the verdict.
$|=1;

# Exactly three positional arguments are required: IP, username, password.
if ($#ARGV<2) {die "Usage: senseql IP username password\n";}

$port=1433;
$host=$ARGV[0];
$username=$ARGV[1];
$pass=$ARGV[2];

# Username and password are placed in fixed 30-byte fields ("a30" NUL-pads
# and silently truncates anything longer), each followed by a one-byte
# length ("c" is a signed byte, so lengths above 127 do not round-trip).
# NOTE(review): a credential longer than 30 chars is therefore tested
# truncated, and the result for it is meaningless.
$unh=pack("a30",$username);$psh=pack("a30",$pass);
$numu=pack("c",length($username));
$nump=pack("c",length($pass));

# Fixed parts of the login packet, as hex.  $FRONT starts with a 0x02
# packet-type byte; $REST embeds the ASCII "squelda 1.0" and $REST2 the
# ASCII "MSDBLIB" (the library name string a DB-Library client sends).
# These byte layouts are protocol-specific and untested here -- do not
# reorder the concatenation below.
$FRONT="020002000000020000000000000000000000000000000000000000000000000000000000000000";
$REST="30303030303061300000000000000000000000000000000000201881b82c080301060a090101000000000000000000737175656c646120312e30000000000000000000000000000000000000000b0000000000000000000000000000000000000000000000000000000000000000";
$REST2="0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040200004d5344424c49420000000706000000000d11000000000000000000000000000000000000000000000000";
$hfront=pack("H*",$FRONT);$hrest=pack("H*",$REST);$hrest2=pack("H*",$REST2);

# Assemble the login packet.  Note the password field and its length byte
# appear twice (once after the username, once after $REST).
$FULL=$hfront.$unh.$numu.$psh.$nump.$hrest.$nump.$psh.$hrest2;

# Second, fully fixed packet sent after the login packet.
$SENDY2="0201004700000200000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030303000000003000000";
$SENDY2 = pack("H*",$SENDY2);

# Prefix for the one-line result; the cleartext password is part of it.
print "$host:$username:$pass:";

# Blocking connect with no Timeout => a filtered port may hang this script
# for the OS default connect timeout rather than failing fast.
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$host,PeerPort => $port) || die "No SQL here man...";
print $remote $FULL;
print $remote $SENDY2;

# Peek at the first 100 bytes of the reply without consuming them.  MSG_PEEK
# comes from Socket, which IO::Socket re-exports.  The return value is not
# checked: if the server closes the connection or sends nothing, $back is
# empty/undef and the script reports "No dude.." rather than an error, so a
# negative verdict does not distinguish "wrong password" from "no reply".
recv($remote,$back,100,MSG_PEEK);

# Success is inferred purely from the substring match; a server whose
# informational message differs (other version, language, or a login that
# lands in a different default database) yields a false negative.
if ($back =~ /context to 'master'/) {print "Yep - go for it\n"} else {print "No dude..\n";}
close ($remote);