Untitled

a guest
Apr 20th, 2018
[align=center][size=xx-large][color=#E09F3F][b]MS SQL PRIVILEGE ESCALATION[/b][/color][/size][/align]


[size=x-large][color=#E09F3F][b]SQL Server Account Types[/b][/color][/size]
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Windows Accounts - used to sign into SQL Server.
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] SQL Server Logins (inside SQL Server) - used to sign into SQL Server.
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Database Users (inside SQL Server) - map to a SQL Server login.

[size=large][color=#E09F3F][b]Roles[/b][/color][/size]
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] sysadmin role
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] public role

[url=https://docs.microsoft.com/en-us/sql/relational-databases/security/authentication-access/server-level-roles]Extensive List[/url]

[size=x-large][color=#E09F3F][b]Locating Servers from Multiple Privilege Levels[/b][/color][/size]
[size=large][color=#E09F3F][b]The Unauthenticated Perspective: using standard scanning methods (TCP, UDP, UDP broadcast)[/b][/color][/size]
Tools:
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Nmap
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Nessus
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] SQLping3
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] OSQL/SQLCMD
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] MSF's mssql_ping module
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] PowerUpSQL
Commands:
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] SQLCMD
[code]>> sqlcmd -L[/code]
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] PowerUpSQL
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP[/code]

In an Azure environment a penetration tester can perform enumeration through a DNS dictionary attack, usually against URLs with the format x.databases.windows.net. Configuration files containing connection strings, published in public repositories, are also worth looking for.

[size=large][color=#E09F3F][b]The Local User Perspective[/b][/color][/size]
Identify local SQL Server instances by checking the system's services and registry settings. Additionally, PowerUpSQL can be used:
[code]>> Get-SQLInstanceLocal[/code]

[size=large][color=#E09F3F][b]The Domain User Perspective[/b][/color][/size]
When SQL Server is installed inside a domain, the instance is automatically registered in Active Directory with an associated service account. This is done to support Kerberos authentication. Therefore we can locate SQL Servers via SPN scanning.
Tools:
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] setspn.exe
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] adfind.exe
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Get-Spn.psm1
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] PowerUpSQL
[code]>> Get-SQLInstanceDomain[/code]

[size=x-large][color=#E09F3F][b]Escalating Privileges Within SQL Server[/b][/color][/size]

[size=large][color=#E09F3F][b]Unauthenticated User[/b][/color][/size]
PowerUpSQL
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP | Invoke-SQLAuditWeakLoginPw
or
>> Get-SQLInstanceDomain | Invoke-SQLAuditWeakLoginPw[/code]

Manually test credentials:
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLInstanceScanUDP | Get-SQLConnectionTestThreaded -Username [username] -Password [password][/code]

[size=large][color=#E09F3F][b]Domain User[/b][/color][/size]
Attempt to log in with the current account:
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLInstanceDomain | Get-SQLConnectionTest
or
>> Get-SQLInstanceLocal | Get-SQLConnectionTest[/code]

See the reference for more information: [url=https://github.com/NetSPI/PowerUpSQL/wiki]PowerUpSQL WIKI[/url]

[size=large][color=#E09F3F][b]Clear Text[/b][/color][/size]
If SQL queries are sent unencrypted, we can perform man-in-the-middle attacks to inject our own queries. Based on the victim's privileges we may be able to inject our own SQL login.
Refer to https://gist.github.com/anonymous/edb02df90942dc4df0e41f3cbb78660b by Anitian for injecting SQL queries on the fly.

[size=x-large][color=#E09F3F][b]From Public role to Sysadmin[/b][/color][/size]

[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Weak Passwords & Blind SQL Server Login Enumeration
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Impersonation Privilege
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Stored Procedure and Trigger Creation / Injection Issues
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Automatic Execution of Stored Procedures

[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Weak Passwords & Blind SQL Server Login Enumeration
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Listing all SQL Server logins through our initial foothold can be done by executing the following queries:
[code]SELECT name FROM sys.syslogins
SELECT name FROM sys.server_principals[/code]
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Utilize the suser_name function, which returns the principal name for a given principal id. Identify all SQL logins by fuzzing the principal id value passed to the suser_name function.

[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Attempt to identify weak passwords for the identified SQL Server logins.

[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] If the above approach fails we can also perform blind domain account/object enumeration.
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Get the domain where the SQL Server is located:
[code]SELECT DEFAULT_DOMAIN() as mydomain[/code]
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Look up the SID of a known domain principal, e.g. the Domain Admins group:
[code]SELECT SUSER_SID('identified_domain\Domain Admins')[/code]
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Grab the first 48 bytes of the full SID to get the SID for the domain. Then create a new RID by appending a hex number value to the domain SID.
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Finally use the suser_name function to get the domain object name associated with the supplied RID.
[code]SELECT SUSER_NAME(RID)[/code]
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Blind SQL login enumeration can be performed through PowerUpSQL's Get-SQLFuzzServerLogin function, whereas blind domain account enumeration can be performed through the Get-SQLFuzzDomainAccount function.
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLFuzzServerLogin -Instance ComputerName\InstanceName[/code]
Blind domain account enumeration against the accessible instance identified above:
[code]>> import-module .\PowerUpSQL.psd1
>> Get-SQLFuzzDomainAccount -Instance ComputerName\InstanceName[/code]

[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Impersonate
There are many ways of getting code or a command to run in the context of a user with more privileges than we have on SQL Server. The most commonly used ones are the following:
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Impersonate Privilege
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Stored Procedure and Trigger Creation / Injection Issues
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Automatic Execution of Stored Procedures
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Agent Jobs
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] xp_cmdshell proxy account
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Create Database Link to File or Server
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Import / Install Custom Assemblies
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Ad-Hoc Queries
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Shared Service Accounts
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Database Links
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] UNC Path Injection
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Python code execution

[size=x-large][color=#E09F3F][b]Escalate from public role level privileges to sysadmin level privileges[/b][/color][/size]

Note: To automate the following steps, use the Invoke-SQLAudit function of PowerUpSQL, then use Invoke-SQLEscalatePriv to automatically attempt to escalate your privileges.

[size=large][color=#E09F3F][b]Impersonate Privilege[/b][/color][/size]
There is a privilege/permission in SQL Server which allows a less privileged user to impersonate a user with more access. The queries/commands that can be executed are not limited in any way. The database has to be configured as trustworthy for this to work.

[size=large][color=#E09F3F][b]Stored Procedure and Trigger Creation / Injection Issues[/b][/color][/size]
Developers usually gather all the functionality they want the user to be able to execute in an elevated context and put it inside a stored procedure. To execute it and give it access to additional things, developers usually have it executed as the owner of the database (EXECUTE AS OWNER). This way, execution can still take place in another user's context, commands can be limited, and granting the impersonate privilege is not required. Some security issues:
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] No granular control over the database owner's privileges.
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] When applications are deployed, the sa account or a sysadmin account usually owns the database. The DB_OWNER role can then use
[code]EXECUTE AS OWNER[/code]
to actually execute in the context of either the sa or sysadmin accounts. An example of such a stored procedure is the following.

[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Both the reconnaissance and the exploitation phase can be automated with Metasploit:
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] auxiliary/admin/mssql/mssql_escalate_dbowner
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] auxiliary/admin/mssql/mssql_escalate_dbowner_sqli
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] For more info: [url=https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/]SQL Server Stored Procedures[/url]

[size=large][color=#E09F3F][b]Automatic Execution of Stored Procedures[/b][/color][/size]
All stored procedures configured to run as soon as the SQL Server service restarts are executed as sa. Consequently, access to such stored procedures by a user other than a sysadmin can result in unauthorized execution with sa level privileges.

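The three paths above (IMPERSONATE grants, TRUSTWORTHY databases whose procedures run as a sysadmin owner, and startup procedures) are each a checkable piece of server configuration. What follows is an added example, not code from this paste or from PowerUpSQL: an offline audit in Python over a constructed snapshot of catalog-view rows. The T-SQL strings in CATALOG_QUERIES are real queries against sys.databases, sys.server_permissions, sys.procedures, sys.server_role_members and sys.configurations; the row field names, rule names, severities and the sample rows are my own assumptions and are constructed for the example.

```python
"""Offline audit of the public-to-sysadmin paths described in the paste.
Hypothetical example: row shapes, rule names and severities are assumptions;
only the T-SQL in CATALOG_QUERIES is real and would be run on a live instance."""

# Real catalog queries whose result sets the constructed rows below imitate.
CATALOG_QUERIES = {
    "databases": (
        "SELECT name, SUSER_SNAME(owner_sid) AS owner, is_trustworthy_on "
        "FROM sys.databases"
    ),
    "impersonate_grants": (
        "SELECT gr.name AS grantee, tgt.name AS impersonated "
        "FROM sys.server_permissions AS p "
        "JOIN sys.server_principals AS gr ON p.grantee_principal_id = gr.principal_id "
        "JOIN sys.server_principals AS tgt ON p.major_id = tgt.principal_id "
        "WHERE p.permission_name = 'IMPERSONATE' AND p.state IN ('G', 'W')"
    ),
    "startup_procs": (
        "SELECT name FROM master.sys.procedures "
        "WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1"
    ),
    "sysadmins": (
        "SELECT m.name FROM sys.server_role_members AS rm "
        "JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id "
        "JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id "
        "WHERE r.name = 'sysadmin'"
    ),
    "xp_cmdshell": "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'",
}

# Constructed snapshot standing in for the query results above (not real data).
SAMPLE_SNAPSHOT = {
    "sysadmins": {"sa", "CORP\\sqladmins"},
    "databases": [
        {"name": "msdb", "owner": "sa", "is_trustworthy_on": True},
        {"name": "Orders", "owner": "sa", "is_trustworthy_on": True},
        {"name": "Reports", "owner": "CORP\\svc_reports", "is_trustworthy_on": True},
        {"name": "Archive", "owner": "sa", "is_trustworthy_on": False},
    ],
    "impersonate_grants": [
        {"grantee": "webapp", "impersonated": "sa"},
        {"grantee": "reports", "impersonated": "CORP\\svc_reports"},
    ],
    "startup_procs": ["sp_startup_cleanup"],
    "xp_cmdshell": 1,
}


def finding(severity, rule, subject, detail):
    return {"severity": severity, "rule": rule, "subject": subject, "detail": detail}


def check_trustworthy(snapshot):
    """TRUSTWORTHY lets EXECUTE AS inside the database reach the owner's server-level
    rights; with a sysadmin owner that is a full escalation. msdb is TRUSTWORTHY by
    default and is skipped so the report is not dominated by a known baseline."""
    for db in snapshot["databases"]:
        if not db["is_trustworthy_on"] or db["name"] == "msdb":
            continue
        sev = "high" if db["owner"] in snapshot["sysadmins"] else "low"
        yield finding(sev, "trustworthy_db", db["name"], "owned by " + db["owner"])


def check_impersonate(snapshot):
    """IMPERSONATE on a sysadmin login is equivalent to holding sysadmin."""
    for g in snapshot["impersonate_grants"]:
        sev = "high" if g["impersonated"] in snapshot["sysadmins"] else "medium"
        yield finding(sev, "impersonate_grant", g["grantee"],
                      "can impersonate " + g["impersonated"])


def check_startup_procs(snapshot):
    """Startup procedures run as sa at service start; whoever can ALTER them
    controls what runs, so each one is a review item."""
    for name in snapshot["startup_procs"]:
        yield finding("medium", "startup_proc", name,
                      "runs as sa at service start; review ALTER rights")


def check_xp_cmdshell(snapshot):
    if snapshot["xp_cmdshell"] == 1:
        yield finding("medium", "xp_cmdshell_enabled", "server",
                      "OS command shell reachable from T-SQL")


def audit(snapshot):
    """Run every check and return the findings in a stable order."""
    checks = (check_trustworthy, check_impersonate, check_startup_procs, check_xp_cmdshell)
    return [f for check in checks for f in check(snapshot)]


if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f["severity"].upper(), f["rule"], f["subject"], "-", f["detail"])
```

On a real instance, run each query in CATALOG_QUERIES with sqlcmd, load the rows into the same dict layout, and call audit(); the two "high" findings in the constructed snapshot (a TRUSTWORTHY database owned by sa, and a login granted IMPERSONATE on sa) are exactly the conditions the Impersonate Privilege and EXECUTE AS OWNER sections rely on.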
[size=large][color=#E09F3F][b]Escalate from sysadmin -> Service Account[/b][/color][/size]
Now we would like to move from the database layer into the operating system layer and run as the service account. We will directly use the command execution paths offered by SQL Server. We can also indirectly use the following to achieve the same:
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Shared Service Accounts
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] Crawling Database Links
More info: [url=https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler]Rapid7 Link Crawler[/url]
[url=https://blog.netspi.com/sql-server-link-crawling-powerupsql/]sql-server-link-crawling-powerupsql[/url]
[color=#E09F3F][[/color][color=#c7c5c5]+[/color][color=#E09F3F]][/color] UNC Path Injection

[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] There are several ways to inject commands via SQL. The following table outlines the most common and their related privileges.
(The table is a slide image; see [url=https://www.slideshare.net/nullbind/2017-secure360-hacking-sql-server-on-scale-with-powershell]2017-secure360-hacking-sql-server-on-scale-with-powershell[/url].)

[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] PowerUpSQL provides several ways to execute OS commands, such as:
[code]>> $Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
>> $Targets | Invoke-SQLOSOle -Verbose -Command "Whoami"
>> $Targets | Invoke-SQLOSR -Verbose -Command "Whoami"[/code]

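Both the blind principal enumeration described earlier (calling suser_name / SUSER_SNAME with a run of principal ids and SIDs) and the OS command execution procedures in this section leave a recognisable trace in a statement-level audit. The following is an added example, not part of the original paste or of PowerUpSQL: a Python detector run over a constructed, pipe-delimited statement log (not a real SQL Server Audit or Extended Events format). It also decodes binary SIDs so an analyst can see which domain was probed; the domain portion of a domain account SID is the first 24 bytes, i.e. the first 48 hexadecimal characters when the value is printed, and the last 4 bytes are the RID. The log format, rule names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed statement log (not a real SQL Server Audit format): one session
# resolves many principal ids and a domain SID, one runs an OS command
# procedure, one is benign.
SAMPLE_LOG = """\
2018-04-20T10:00:01|session=55|login=webapp|stmt=SELECT SUSER_NAME(1)
2018-04-20T10:00:01|session=55|login=webapp|stmt=SELECT SUSER_NAME(2)
2018-04-20T10:00:01|session=55|login=webapp|stmt=SELECT SUSER_NAME(3)
2018-04-20T10:00:02|session=55|login=webapp|stmt=SELECT SUSER_NAME(4)
2018-04-20T10:00:02|session=55|login=webapp|stmt=SELECT SUSER_NAME(5)
2018-04-20T10:00:03|session=55|login=webapp|stmt=SELECT SUSER_SNAME(0x01050000000000051500000011111111222222223333333300020000)
2018-04-20T10:00:09|session=61|login=reports|stmt=EXEC master..xp_cmdshell 'whoami'
2018-04-20T10:00:10|session=70|login=reports|stmt=SELECT name FROM sys.tables
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|session=(?P<session>\d+)\|login=(?P<login>[^|]+)\|stmt=(?P<stmt>.*)$"
)
# SUSER_NAME(<int>) or SUSER_SNAME(<binary sid>) called with a literal argument.
PROBE_RE = re.compile(r"\bSUSER_S?NAME\s*\(\s*(?P<arg>0x[0-9A-Fa-f]+|\d+)\s*\)", re.I)
# Procedures that reach the operating system from T-SQL.
OS_PROC_RE = re.compile(
    r"\b(xp_cmdshell|sp_OACreate|sp_execute_external_script|xp_regwrite)\b", re.I
)
PROBE_THRESHOLD = 5  # distinct literal principal ids/SIDs per session (assumed)


def decode_sid(hexstr):
    """Render a binary SID (the value SUSER_SID returns) as S-1-5-....
    Layout: revision (1 byte), sub-authority count (1), identifier authority
    (6 bytes, big-endian), then count x 4-byte little-endian sub-authorities.
    For a domain principal the first 24 bytes (48 hex characters) identify the
    domain and the final 4 bytes are the RID."""
    raw = bytes.fromhex(hexstr)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-" + "-".join(str(x) for x in [revision, authority] + subs)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def detect_principal_enumeration(events, threshold=PROBE_THRESHOLD):
    """Flag sessions that resolve many distinct principal ids or SIDs by literal."""
    probes, sids = defaultdict(set), defaultdict(set)
    for ev in events:
        for m in PROBE_RE.finditer(ev["stmt"]):
            arg = m.group("arg").lower()
            probes[ev["session"]].add(arg)
            if arg.startswith("0x"):
                sids[ev["session"]].add(decode_sid(arg[2:]))
    return [
        {"rule": "principal_enumeration", "session": s, "probes": len(args),
         "sids": sorted(sids[s])}
        for s, args in probes.items() if len(args) >= threshold
    ]


def detect_os_command_procs(events):
    """Flag any statement that invokes an OS-reaching procedure."""
    return [
        {"rule": "os_command_proc", "session": ev["session"],
         "login": ev["login"], "proc": m.group(1)}
        for ev in events for m in [OS_PROC_RE.search(ev["stmt"])] if m
    ]


def analyse(text):
    events = parse_log(text)
    return detect_principal_enumeration(events) + detect_os_command_procs(events)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

In production the events would come from a sql_statement_completed Extended Events session or a SQL Server Audit instead of the constructed text; the enumeration rule keys on a session issuing many distinct literal lookups rather than on any single call, since one SUSER_NAME call is ordinary application behaviour.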
[color=#E09F3F][[/color][color=#c7c5c5]-[/color][color=#E09F3F]][/color] Check whether the RottenPotato exploit applies: https://github.com/foxglovesec/RottenPotato

[size=x-large][color=#E09F3F][b]Conclusion[/b][/color][/size]

While trying to escalate our privileges, we should always check for unencrypted SQL Server communications. If communications are unencrypted, we can inject our own queries via man-in-the-middle techniques. Based on the victim's privileges we may be able to add our SQL login to the sysadmin role.