• Penetration testing - [MSSQL P4wnage]

    Well MSSQl which is my favorite DB back end which I always look for when trying to 0wn something or in an Internal or External PT, and that it has given me a high success rate always. SQl injection on MSSQL Datas base also rocks and also critical than any other Database systems. The reason is because MSSQL allows stacked queries,and much DBs will allows that.

    Ok, what are stacked queries ??
    Well they are just a functionality that allows user to append multiple queries to a particular DB query.

    Normal queries :
    SQL injection Perspective: MYSQL,Oracle,MSacess
    Attack:
    SQL> Select * from users where user id ='1' + Union select data from table /* here we could only use a union statement to append a select query but no other SQL queries could be executed.

    But in Stacked Query Supported Databases:
    Attack:
    SQL> Select * from users where user id ='1'; Select * from other table; update table set value ='fb1h2s'; drop table;
    And as much as stuffs you wann to do
    Select * from users;update users set name ='fb1h2s';drop table; /* like wise you could append 'n' no of queries using the feature of stacked queries , so you could do lots of stuffs in MSSQL injection , like.

    [+] If you have extracted Encrypted hashes from a data base using SQL injection, and you couldn't crack the hashes, then what you could do is simple make a hash of a know string like md5(password)==5f4dcc3b5aa765d61d8327deb882cf99 then simply execute this on the database to upate it with new hashes.

    SQl> select * from vulnerable where id='1'; update users_table set password ='5f4dcc3b5aa765d61d8327deb882cf99' where id =admin
    Following is the list of Stack based query supported DB + Front End


    Note: Its impossible to find a PHP+MSSQL application, programmers choice would always be PHP+MYSQL and ASP+MSSQL
    Well this is not another SQL injection tutorial so not gone scribble any thing more about that now, let me move on to the point.

    [+] So now MSSQL allows stacked queries.
    [+] MSSQL root user is called 'sa' super account.
    [+] MSSQL got a stored procedure called XP_cmdshell which has got lot of OS interacting features .
    [+] xp_cmdshell is disabled by on mssql 2005[default] and only 'sa' account could enable it and use it.
    [+]So its possible to execute a windows payload using a MSSQl 'sa' account
    [-] None of this things are found by me so am not the hacker here , before reading on I would ask you to read the original paper of how this exploit works.


    MSSQL payload sending
    http://www.defcon.org/images/defcon-...k_vs_white.pdf

    Seems like this could be done on mysql too :O hvn't tried it out yet
    http://www.blackhat.com/presentation...whitepaper.pdf
    MYSQL way
    http://blog.mindedsecurity.com/2010/...-with-sql.html


    Attacking a MSSQL server if port is 1433 is opened or that you found a SQL injection on a web application running on that server.


    IF ATTACK_Server == SQl injectable;
    THEN
    TRY out these tools
    {
    Fast Track MSSQL-Injector: http://www.offensive-security.com/me...d/MSSQL-Bruter RTFM
    SQLMAP 'wipus' suggestion http://sqlmap.sourceforge.net/
    }

    ELSE IF ATTACK_Server == 1433 Port Opned
    THEN use
    {
    MSSQL SA brute force : http://blacksecurity.org/tools/42/MS...orcer/118.html
    Fast Track Microsoft SQL Tools : http://www.offensive-security.com/me...d/MSSQL-Bruter RTFM
    Metsploit : auxiliary\scanner\mssql\mssql_login.rb
    :modules\exploits\windows\mssql\mssql_payload.rb
    Nessus : Even Nessus got a plugin which checks for week/default password
    }

    Any way choose one of you favorite options and proceed :

    Nessus Plug-in Output :




    So not much pain now:
    Just launched MSF windows\mssql\mssql_payload.rb

    and woot woot



    Ok as a hacker perspective this would be all enough, but if you are trying exploit while on a PT then there are few stuffs you need to be taking care of.
    [-] I hope you have read the original papers on how this exploit works
    [+] The payloads get downloaded by 'ECHO" method and executed
    [+] So problem here if even if you disconnect form the victim machine they payloads will remain in the C:\windows\system32 nd in the 'temp' directory, so you will have to delete it manually.
    [+]I tried my exploit form msf module, and it doesn't show the name of the binaries created nor the location it was downloaded to.
    But for removing I just did the following steps

    In your metpreter session just do >ps and see the current process and process
    and In temp folder just figure it out yourself >



    my case it was these files just look for a small binary as msf payloads are not that big,as a reason of my repeated attempt I made multiple payloads on the PC, delete them to make it s safe/clean PT
    This article was originally published in blog: Penetration testing - [MSSQL P4wnage] started by fb1h2s
    Comments 3 Comments
    1. D4rk357's Avatar
      D4rk357 -
      Extremely nice article
    1. prashant_uniyal's Avatar
      prashant_uniyal -
      thnx for sharing
    1. AnArKI's Avatar
      AnArKI -
      very informative
  • G4H Facebook

  • G4H Twitter