Microsoft SQL Server to RCE

S12 - H4CK
4 min read · Nov 3, 2022


Introduction

Welcome to this new article. Today I am going to show you how to go from an MSSQL (Microsoft SQL Server) shell to executing commands on the victim machine.
To do this we will use a feature of the MSSQL database called xp_cmdshell.

Also, this attack is more important than it seems: it does not only apply when you already have an MSSQL shell, because, logically, if you can inject SQL commands (SQL injection) you can also execute the same commands through the SQLi.

To perform this attack we will use a HackTheBox machine called Scrambled, a machine built around Active Directory and many common issues and services found on Windows machines. I highly recommend this machine; personally it is one of the most fun I have had doing.

https://app.hackthebox.com/machines/476

Laboratory

The lab used is, logically, the HackTheBox machine, but I have also used a web site that helped me solve some permission errors I ran into.

These are the things used:

Attack

Perfect, it’s time to start with this attack. To begin, I will describe the current situation I find myself in: I have a Microsoft SQL shell, which looks like this:

Now it is time to execute the first SQL command to try to get commands executed on the local machine. As I said in the introduction, we are going to try to do it with xp_cmdshell.

Command:

EXEC xp_cmdshell 'whoami';

Perfect, by bad luck it has not worked on the first attempt. If we read the error it seems that permissions are missing, but I have entered the MSSQL shell as Administrator, so it is time to try two configuration changes and then run the command again.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

Let’s try again now:

I am getting the same error as before; to solve this there is only one option left:

EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

IT’S WORKING NOW!!!
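From the defender's side, the two sp_configure calls above are exactly what an administrator should be auditing for: xp_cmdshell is disabled by default, so the first error is the server refusing a turned-off component, not a missing permission, and enabling it requires the ALTER SETTINGS server permission (held implicitly by sysadmin and serveradmin). The following T-SQL is an added example, not code from the original post or from HackTheBox: it checks the current state of both options, lists who could run xp_cmdshell, reverses the change, and searches the error log for the configuration change. The catalog views and procedures are real SQL Server ones; run it as a sysadmin on an instance you administer.

```sql
-- Added example (not from the original post): audit, harden and detect
-- xp_cmdshell enablement on a Microsoft SQL Server instance.
-- Assumes a login with ALTER SETTINGS (sysadmin or serveradmin).

-- 1. Audit: current state of the two options the post toggles.
--    value     = configured value (written by sp_configure)
--    value_in_use = running value (only updated after RECONFIGURE)
--    A mismatch means someone ran sp_configure but not RECONFIGURE yet.
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Who could run xp_cmdshell if it were enabled?
--    Members of sysadmin always can; anyone else needs an explicit
--    EXECUTE grant on master.sys.xp_cmdshell (plus a proxy credential).
SELECT r.name AS role_name, m.name AS member_name
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

SELECT p.name AS grantee, dp.permission_name, dp.state_desc
FROM master.sys.database_permissions AS dp
JOIN master.sys.database_principals AS p
  ON p.principal_id = dp.grantee_principal_id
WHERE dp.class = 1                                   -- object-level permission
  AND dp.major_id = OBJECT_ID('master.sys.xp_cmdshell');

-- 3. Harden: the inverse of the two changes in the post.
--    'show advanced options' must be on to touch xp_cmdshell, then hide it again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Detect: every sp_configure change is written to the SQL Server error log
--    as "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the
--    RECONFIGURE statement to install." xp_readerrorlog (undocumented but
--    long-standing) searches log 0 (current), type 1 (SQL Server log) for
--    lines containing both search strings.
EXEC xp_readerrorlog 0, 1, N'xp_cmdshell', N'changed';
```

Step 1 run before and after the post's commands shows the same transition the author saw (value 0 to 1 for both options); step 4 is what to forward to a SIEM, since the change is logged whether it came from an interactive shell or from SQL injection.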

Conclusions

It is time to finish this article. I think it is a very good article, and it will also help you when you have to attack an MSSQL server. I hope you liked it, and if you have any questions you can comment or send me a message by Gmail.

If you enjoy my content and would like to help me take this project to the next level, you can become a member by donating a monthly subscription. Your support will help me continue to create high-quality content. Thank you for your generosity!

If donating is not possible for you at this time, no problem at all! Your support in sharing my project and spreading the word is greatly appreciated. I will continue to create and share my work regardless, and I am grateful for your encouragement and interest.

If you want to support me you can check my secondary Medium profile and see all the articles! Follow and support it! These are the links:

Thanks for reading this :)

S12.
