MSSQL Injection

Summary

• MSSQL Comments

• MSSQL User

• MSSQL Version

• MSSQL Hostname

• MSSQL Database name

• MSSQL List databases

• MSSQL List columns

• MSSQL List tables

• MSSQL Extract user/password

• MSSQL Union Based

• MSSQL Error Based

• MSSQL Blind Based

• MSSQL Time Based

• MSSQL Stacked query

• MSSQL Read file

• MSSQL Command execution

• MSSQL Out of band

  • MSSQL DNS exfiltration

  • MSSQL UNC path

• MSSQL Make user DBA

• MSSQL Trusted Links

• MSSQL List permissions

MSSQL Comments

MSSQL User

MSSQL version

MSSQL Hostname

MSSQL Database name

MSSQL List databases

MSSQL List columns

MSSQL List tables

MSSQL Extract user/password

MSSQL Union Based

MSSQL Error based

MSSQL Blind based

MSSQL Time based

MSSQL Stacked Query

Use a semi-colon ";" to add another query

MSSQL Read file

Permissions: The BULK option requires the ADMINISTER BULK OPERATIONS or the ADMINISTER DATABASE BULK OPERATIONS permission.

MSSQL Command execution

If you need to reactivate xp_cmdshell (disabled by default in SQL Server 2005)

To interact with the MSSQL instance.

Execute Python script

Executed by a different user than the one using xp_cmdshell to execute commands

MSSQL Out of band

MSSQL DNS exfiltration

Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1

MSSQL UNC Path

MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the xp_dirtree function to list the files in our SMB share and grab the NTLMv2 hash.

MSSQL Make user DBA (DB admin)

MSSQL Trusted Links

The links between databases work even across forest trusts.

Manual exploitation

List permissions

Listing effective permissions of current user on the server.

Listing effective permissions of current user on the database.

Listing effective permissions of current user on a view.

Check if current user is a member of the specified server role.

References

• Pentest Monkey - mssql-sql-injection-cheat-sheet

• Error Based - SQL Injection

• MSSQL Trusted Links - HackTricks.xyz

• SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6th, 2013

• DAFT: Database Audit Framework & Toolkit - NetSPI

• SQL Server UNC Path Injection Cheatsheet - nullbind

• Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - 28 January 2009

• Microsoft - sys.fn_my_permissions (Transact-SQL)

• Microsoft - IS_SRVROLEMEMBER (Transact-SQL)