Introduction to MSSQL Attacks

Microsoft SQL Server (MSSQL) is a widely used relational database management system. While it provides robust security features, it is also a target for various cyber attacks. Attackers often aim to exploit misconfigurations, vulnerabilities, or weak security practices to gain unauthorized access, escalate privileges, and exfiltrate data. Understanding the common attack vectors against MSSQL is essential for both offensive security professionals and defenders.

Common MSSQL Attack Vectors

SQL Injection: SQL injection remains one of the most prevalent attack methods against MSSQL. This attack exploits vulnerabilities in web applications by inserting malicious SQL code into input fields, allowing attackers to execute arbitrary SQL commands. The impact of SQL injection can range from unauthorized data access to complete control over the database server.

In this example, the attacker comments out the rest of the query, bypassing the password check and potentially gaining unauthorized access.

SELECT * FROM Users WHERE Username = 'admin' --' AND Password = 'password';

Brute Force Attacks: Attackers often use brute force techniques to guess the credentials of MSSQL accounts. Tools like Hydra or Metasploit can automate this process, attempting thousands of password combinations until a valid one is found. Ensuring strong, complex passwords and implementing account lockout policies can mitigate this risk.

hydra -l sa -P /path/to/passwords.txt mssql://192.168.1.100

Misconfigurations: Misconfigurations in MSSQL can lead to severe security breaches. Common misconfigurations include enabling the xp_cmdshell extended stored procedure, which allows execution of system commands, or using default credentials. Regular security audits and adherence to best practices are critical to preventing such issues.

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'dir';

Privilege Escalation: Attackers can exploit vulnerabilities or misconfigurations to escalate privileges within MSSQL. For instance, exploiting a SQL injection vulnerability to execute stored procedures with higher privileges or leveraging weak permissions on database objects.

EXEC sp_addsrvrolemember 'attacker', 'sysadmin';

Data Exfiltration: Once attackers gain access to MSSQL, they often seek to exfiltrate sensitive data. This can be done through various means, such as exporting data to a remote server, writing data to disk, or using network protocols.

SELECT * INTO OUTFILE '/tmp/data.csv' FROM sensitive_table;

Advanced MSSQL Attack Techniques

Using Impersonation: Impersonation allows an attacker to execute commands as another user. This is particularly useful if the attacker can impersonate a user with higher privileges. The EXECUTE AS LOGIN and EXECUTE AS USER statements facilitate this.

EXECUTE AS LOGIN = 'sa';
SELECT * FROM sysadmin_sensitive_data;

Pivoting and Lateral Movement: After compromising an MSSQL server, attackers often pivot to other systems within the network. This can be achieved using linked servers, which allow MSSQL servers to communicate and execute queries across different servers.

EXEC sp_addlinkedserver 'LinkedServer', '', 'SQLNCLI', 'remote_server';
EXEC ('SELECT * FROM remote_database.dbo.table') AT LinkedServer;

Abusing CLR Assemblies: MSSQL allows the creation of custom CLR (Common Language Runtime) assemblies, which can be exploited to execute arbitrary code. Attackers can create and load malicious assemblies to perform a variety of actions, including privilege escalation and system compromise.

CREATE ASSEMBLY [MaliciousAssembly]
AUTHORIZATION [dbo]
FROM 0x4D5A90000300000004000000FFFF0000B800000000000000;
CREATE PROCEDURE [dbo].[MaliciousProc]
AS EXTERNAL NAME [MaliciousAssembly].[Namespace].[Method];
EXEC [dbo].[MaliciousProc];

SQL User Impersonation Attacks

It is crucial to understand that only users with the specific Impersonate permission are permitted to use impersonation. This permission is not included in the default set of permissions for most users. However, database administrators might unintentionally introduce misconfigurations, leading to potential privilege escalation.

For the purposes of this example, we have set up an impersonation permission misconfiguration on the SQL server running on dc01. Impersonation can be utilized in two different ways. First, it is possible to impersonate another user at the login level using the EXECUTE AS LOGIN statement. Second, it can also be done at the user level with the EXECUTE AS USER statement.

Initially, we will illustrate impersonation at the login level. Because of our limited access, we cannot easily identify which logins our current login can impersonate. However, we can determine which logins allow impersonation, although we cannot see who has the permission to impersonate them. This information can be obtained using the following database query:

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'