MS SQL Pentest


     In few of me internal pentest engagement I was able to enumerate IP and credentials of database server, either by brute-forcing or searching the code for database connect string.

     In last 6months I got the database credentials twice in client side code excluding the successful brute-force.

    Previously when I use to get the credentials, I try to connect the server using a local client. Eg. If I get credentials of MS SQL Server then I download some client for it and try to view the database.

    This time I was not really interested in doing that. Instead I was thinking to escalate my privilege and do something more than just viewing the database, because when I was reading the walk-through of Kioptrix it states that we can gain code execution using some commands executing in sql format.

   So I googled ways to enumerate mssql and I got a very good link https://www.offensive-security.com/metasploit-unleashed/admin-mssql-auxiliary-modules/






So starting with enumeration I used mssql_enum auxiliary module for enumeration:

Running the module enumerated many descriptive information.

xp_cmdshell is Enabled so we can try to execute commands on the server.
The “mssql_exec” admin module takes advantage of the xp_cmdshell stored procedure to execute commands on the remote system. If you have acquired or guessed MSSQL admin credentials, this can be a very useful module. (Ref: offensive security)

Configuring mssql_exec metasploit module as shown below.

The "set CMD ipconfig" command will set the command to be executed on the remote host.
 Then just run it.

Checking out whoami.


Then I tried of gaining a meterpreter session on the server by referring https://www.offensive-security.com/metasploit-unleashed/payloads-mssql/
Tried many permutation combination and other payload, nothing really worked so far.
Tried uploading wget vbscript on the server but it failed as the module mssql_exec doesn't support special character in its set CMD syntax.

*******************************

Revalidation of the finding

The developer team said that they have fixed the finding and send us the application for revalidation.
After traversing the previous path I saw the following:



Basically they were calling a "....Script.vbs" script from a javascript.
Then I entered that .vbs file name in the URL :


File download was shown to me.
After downloading and reading the file I got the connect string again.


Reported the finding.
Now the developers has stored the connect string in web.config file, still it can be accessed.
Ref: http://hugoware.net/blog/dude-for-real-encrypt-your-web-config

Comments

  1. Prepare4test6 January 2022 at 00:03

    Prepare4Test the best and reliable platform where you can get accurate ASF question dumps which will assist you in passing your EXIN Agile Scrum Foundation exam fast.

    ReplyDelete

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close
Read more