Hacking MS SQL is a very useful skill to learn. Especially in this recent world of computers everyone uses MS SQL (or MariaDB) and with that comes the concern of how to protect ourselves.
Why do we use SQL anyway?
Many web apps interact with a database and are CRUD applications (create, read, update, delete data). SQL databases can be used with Python, PHP and other programming languages. Besides SQL injection, there can be other vulnerabilities.
SQL database hacking (injection) is the art of making database vulnerable for data thefts. However, in this article we are interested not in the database, but in running system commands 😄
Brute force
First you must already know the password which you may obtain through brute force with hydra.
You can use a list of usernames and a list of passwords to brute force mssql server.
hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt 192.168.1.128 mssql
Change the ip to the MS SQL server ip address. The username and password list should exist. You can find such lists on the internet, like rockyou.txt
You can also use medusa, xhydra, nmap or metasploit for this. These tools can also be used on linux for brute forcing other services. After getting the password, what's next?
You could explore the data. But chances are you are not interested in the data, but in gaining system access.
Browsing file system
MS SQL servers can have the command xp_cmdshell enabled. This lets you run commands through its command prompt.
sqsh -S MACHINE_IP -U sa -P "your_password"
1> xp_cmdshell 'whoami'
2> go
output
One command you can do is type filename. This lets you read files from the file system. You can use dir to list al files and folders. There may be interesting files in the users home folder!
From there on, you can try starting a reverse shell (with nc.exe) or try other things.
To learn more about web hacking, you may like this course
Latest comments (0)