I am venturing into SQL injection over the past few days. I am able to leverage a SQL injection vulnerability to bypass login and ping back to my attacking machine from the same injection point using exec xp_cmdshell
My question is how can I get some remote reverse shell kind of connection back to my host machine. What all can I achieve using the xp_cmdshell with whatever default tools installed on the vulnerable server?
Any help regarding xp_cmdshell perhaps any links to the resources would be really helpful.
Thanks
Here's a couple of things that might help;
Its probably worth pointing out that whatever you are using to connect to SQL Server will need to be given the sysadmin server role to use the xp_cmdshell procedure. Also the functionality is not enabled by default. An existing sysadmin would have to change the advanced configuration options first to allow xp_cmdshell use.
Here's how to do that: https://msdn.microsoft.com/en-us/library/ms190693.aspx
Next any commands you pass to the OS will execute as the SQL Server database engine service account, not the SQL user, which may have restricted access. Plus even if the service account is a local admin in Windows you won't be able to force cmd style permissions elevation from SQL Server alone. You'll need the service account password too, assuming this is a domain service account.
Here's the MSDN article about the procedure:
https://msdn.microsoft.com/en-us/library/ms175046.aspx
Related
I understand that the reason mixed mode allows login with Windows authentication is for security purposes. My boss asked me to create a setup.exe that installs:
our medical software
SQL Server 2008 R2
SQL Server Management Studio
The install is fully automated with limited user input. SQL Server and the SSMS are implemented with a config file. sa and serviceRXuser (strong passwords) are SQL Server authentication logins.
I don't want my clients to have access to our database, because editing drug data could be potentially life threatening. And yes, we have had clients alter things in our database... causing application errors that required re-installation.
Is there any way to, at least, limit access to keep end-users from editing the data? Preferably a T-SQL command so I can keep automation. If not, is there any way to hide the database?
first of all, don't share SA password (on any strong user password) with your clients :)
Your app is running on client machines and coonnect to SQL via ODBC?
hmmm.... it is hard, because the users can use Your ODBC connection from ACCESS and EXCEL too. Can you change Your app to don't use ODBC?
If You grant ONLY exec rights on stored procedures to serviceRXuser (don't need DB_DATAREADER or any other rights), then clients can't do anything, only what You can handle in SP-s. You can send an encoded parameter to every SP, and decode is wrong, raise any random error SQL ;) Users can't create this encoding from excel/access ;)
How on earth do you reset the sa password? I know how to go into the dialogs and reset a password. That's now what I'm asking about. It runs a little deeper than just click, click, new password, done!
I have no idea what the SA password is. Nor does the previous user of this machine. The previous user says he never had SQL Express ever running on this machine.
This journey started when I tried to create a new database and was told I didn't have permissions to do so. Okay, I decided to just give myself the appropriate permissions. Nope, I can't give myself nor anyone else permissions.
I tried changing the password using SSMS. I get a message saying I don't have permissions to change it.
I tried using the following SQL script. Again, no permissions.
GO
ALTER LOGIN [sa] WITH DEFAULT_DATABASE=[master]
GO
USE [master]
GO
ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword' MUST_CHANGE
GO
The database is SQL Server 2008 Express (10.0.2531.0).
SQL Server Management Studio is SSMS 2008.
OS is Windows 7 Enterprise
I'm a local admin, and a domain user. I created a local admin account for logging into SSMS
Machine is on a domain.
I have no problems connecting to our network database servers.
Any suggestions? This could be a simple fix. Thanks...
This should help: start SQL Server in single-user mode. This will allow local administrators to connect as a sysadmin fixed server role. A detailed description of how to do this can be found here.
people also can try to change password this way by the below SP
EXEC sp_password NULL, 'yourpassword', 'sa'
hope may help other. thanks
You could use: Reset-DbaAdmin Powershell cmdlet from https://dbatools.io.
This function allows administrators to regain access to local or remote SQL Servers by either resetting the sa password, adding sysadmin role to existing login, or adding a new login (SQL or Windows) and granting it sysadmin privileges.
This is accomplished by stopping the SQL services or SQL Clustered Resource Group, then restarting SQL via the command-line using the /mReset-DbaAdmin paramter which starts the server in Single-User mode, and only allows this script to connect.
Using Reset-DbaAdmin will restart your SQL Server.
Reset-DbaAdmin -SqlServer sqlcluster
The simplest method I've found so far is to run SQL Server Management Studio / SQL Express under the SYSTEM context with Sysinternals PSEXEC app. After installing (copying psexec.exe to your computer, running it and accepting the EULA), you can type the following to invoke a system-context instance:
psexec -s -i <path to ssms.exe/sqlservr.exe>
You can use the GUI and don't require single-user mode to effect changes. I had problems with an unknown client tying up the snigle-user connection and this saved me.
I am having quite a problem with SQL Server.
When I installed it, my account was not an administrator, now it is. Apparently, since it was not an administrator of the machine, it is not an administrator of SQL Server, as a consequence I cannot create databases on my machine.
Now, I am on Windows 8, so it seems like SQL Server Configuration Manager is not as accesible as it was before, I managed to run it (I THINK!) from the MMC by running the following command: sqlservermanager10.msc.
Now, can anyone help me configure my current user as an SQL Server admin so I can create databases properly?
Thank you!
if I understand you correctly, you want your account to have sysadmin rights on SQL Server. You can either do this via SQL Server Management studio, or the SQLCMD command line utility. You don't use the SQL Server Configuration Manager.
You need to login as an existing SA (or whichever the identity has the sysadmin role).
Using TSQL via SQLCMD
Run the following command (replacing domain\user with your details)
USE [master]
GO
CREATE LOGIN [domain\user] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
GO
ALTER SERVER ROLE [sysadmin] ADD MEMBER [domain\user]
GO
Via the UI
In SQL Server Management Studio
Navigate to the Security node of the server, and R-Click & Select New Login
In the New Login dialog enter your domain user into the Window Authentication box
Then on the Right side select Server Roles and then make sure SysAdmin is selected
Then Ok that dialog and the windows account will have SA rights. This means then you can full administer the SQL Server.
It's not clear at all what's going on here, but it sounds to me like you haven't got any sysadmins if #Preet isn't correct.
The local Administrators group is not a member of the sysadmin role on recent versions of SQL Server (2005+, IIRC), and if I recall the installer complains if you try to configure it that way. Instead, when you install the instance you specify the users or groups who will be granted the sysadmin role on the instance.
If you did not do this (I think it adds the account doing the installation by default) or used an account or group which was later deleted, had the SID changed, or some similar event, then you have an instance with no sysadmin logins that can authenticate. You may be able to add one by switching the server to single user mode or minimal configuration mode (-f instead of -m).
If none of that works, then you'll have to save your database files, nuke the instance, install the instance again, re-attach your database files, and go from there.
The only other thing I can think that it might be is that the instance is somehow running as a user account that doesn't have permissions to create files in the default database or log directory, but that seems highly unlikely.
This is rather embarrassing, but I accidentally deleted my Windows account from the list of SQL Server 2008 users and I cannot for the life of me figure out how to re-add myself now that I don't have login privileges.
The server is running on my machine and the only other Windows users with access are IUSR, NETWORK SERVICE and SYSTEM. Is there anything I can do short of re-installing?
I also recently deleted my windows account from my local development 2008 server. I was able to use SQL server's Single User Mode to recreate my login and add it to the sysadmin role. It took just a few minutes, and I didn't have to admit my terrible error to anyone.
From MSDN:
Starting SQL Server in single-user mode enables any member of the
computer's local Administrators group to connect to the instance of SQL
Server as a member of the sysadmin fixed server role.
Here's how I reinstated myself:
Exit out of SSMS
Stop any SQL related services. I had to stop Reporting Services. Other SQL services such as SQL Agent will also use up your one, valuable connection.
Stop the SQL service
Start the SQL service with the extra parameter -m. This will put the SQL into Single User Mode. This means that SQL will only accept one connection.
Use sqlcmd to connect to your server with the -E trusted connection option. SQL will accept you into the sysadmin role if you're a local administrator.
In the interactive session, create your login and add to the sysadmins role.
USE master
GO
CREATE LOGIN [domain\username] FROM WINDOWS WITH DEFAULT_DATABASE=[Master]
GO
EXEC sp_addsrvrolemember #loginame=N'domain\username', #rolename=N'sysadmin'
GO
Stop the SQL service, remove the -m parameter and restart the service. You should now be able to go back into SSMS and continue using the server normally.
If you get the message:
Login failed for user 'domain\username'. Reason: Server is in single user
mode. Only one administrator can connect at this time.
Then there is something using your single connection. You'll need to find that service or connection and stop it before you can log in. Check SQL Agent, SQL Reporting Services, SQL Analysis Services etc.
Luckily, this wasn't too hard to fix (not that it should have been hard...)!
This blog post explains the steps for starting SQL Server in Single User Mode, which (for some reason) allowed me to login as my Windows administrator account, add the account to the user list (with CREATE LOGIN), enable the SA user and set its password to something I actually knew, and finally login as SA and give the Windows account sysadmin privileges.
Edit 07/05/13: Try this link instead.
Often SQL Server is installed so that any any local administrator is a SQL Server sysadmin.
If this is your case you can run Management Studio as administrator and then add any other windows user as a login in the Security section.
This solution worked for me.
I want to create a linked server in one sql server to another using the sp_addlinkedserver procedure. When i access the remote server I would like it to logon as me (i.e. using my windows account). How do I do this?
You can do this with the sp_addlinkedsrvlogin procedure:
EXEC master.dbo.sp_addlinkedsrvlogin
#rmtsrvname=N'<your linked server name>',
#useself=N'True',
#locallogin=NULL,
#rmtuser=NULL,
#rmtpassword=NULL
This assumes you log in to the server on which the link was created using Windows authentication.
Following on from Ed Harper above:
You need to set "Security Account Delegation" for the SQL service account to enable it to pass through your login token.
Edit:
This is not a SQL problem. Delegation/pass through authentication is a Windows/AD feature.
It's also used to enable an intranet web site to use the end user windows login to authenticate onto the SQL box where (of course) the web server is a separate box.
In this scenario, you configure the web server for delegation.
In the OP's scenario, we are enabling the 1st SQL box to delegate credentials onto the 2nd box.
Edit2:
The other thread explains this too.
Finally, nothing to do with SQL logins.
This can be maddening to set up. Check this related question:
https://stackoverflow.com/questions/33153/sql-server-to-sql-server-linked-server-setup
With Sql Server 2005 on a 2K3 domain, the most secure way to set up a linked server, unfortunately, is probably to use an old fashioned Sql Login. You have to make a lot of what I consider risky changes to your domain security settings to get it to work with a domain account.
Use SQL Management Studio to see the properties for the linked server.
There you will find your logon information