Last updated
SQL Servers have a concept called "links", which allows a database instance to access data from an external source. MS SQL supports multiple source types, including other MS SQL Servers. Linked servers can be practically anywhere, including other domains, other forests or the cloud.
We can discover any links that the current instance has:
This shows that SQL-2 has a link to SQL-1. The SQLRecon links module could also be used.
We can send SQL queries to linked servers using OpenQuery:
The use of double and single quotes is important when using OpenQuery.
Or with SQLRecon:
We can also check the xp_cmdshell status.
If xp_cmdshell is disabled, you won't be able to enable it by executing sp_configure via OpenQuery. If RPC Out is enabled on the link (which is not the default configuration), then you can enable it using the following syntax:
The square brackets are required.
We can query SQL-1 to find out if it has any further links.
In this case it does not, but manually querying each server to find additional links can be cumbersome and time-consuming. Instead, Get-SQLServerLinkCrawl can automatically crawl all available links and show some information about each instance.
This output shows that the link from SQL-2 to SQL-1 is configured with a local sa account, and that it has sysadmin privileges on the remote server. Your level of privilege on the linked server will depend on how the link is configured. It's worth noting that in this particular case, any user who has public read access to the SQL-2 database instance will inherit sysadmin rights on SQL-1. We do not need to be sysadmin on SQL-2 first.
The lwhoami module in SQLRecon can show similar information.
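The two settings this section turns on (whether RPC Out is enabled on a link, and which local logins are mapped to which remote login) both live in catalog views on the instance that owns the link. The following audit query is an added example and not part of the course notes; run it on the instance you are reviewing (SQL-2 in the scenario above) to see exactly how each outbound link is configured.

```sql
-- Added audit query (not from the course): list outbound linked servers
-- on this instance together with the login mapping for each one.
-- In sys.linked_logins, local_principal_id = 0 is the wildcard mapping
-- that applies to ALL local logins, so a fixed remote_name such as 'sa'
-- on that row is what gives every public login the remote identity.
SELECT
    s.name                     AS link_name,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,      -- 1 = EXEC ... AT [link] is allowed
    s.is_data_access_enabled,  -- 1 = OPENQUERY is allowed
    CASE ll.local_principal_id
        WHEN 0 THEN '<all logins>'
        ELSE sp.name
    END                        AS local_login,
    ll.uses_self_credential,   -- 1 = pass the caller's own identity
    ll.remote_name             -- fixed remote login, e.g. 'sa', else NULL
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- Rows worth fixing: a '<all logins>' mapping to a privileged remote
-- login, and is_rpc_out_enabled = 1 on a link that does not need it.

-- Companion check for the xp_cmdshell state discussed above, on the
-- local instance (value_in_use = 1 means enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Remapping the wildcard row to a least-privileged remote login, or removing it so only explicitly mapped logins can use the link, closes the path where a public login on SQL-2 inherits sysadmin on SQL-1.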
To execute a Beacon on SQL-1, we can largely repeat the same steps as before. However, note that SQL-1 may only be able to talk to SQL-2, and not to WKSTN-2 or any other machine in the DEV domain.
You can use xp_cmdshell on a linked server via OpenQuery (note that a dummy query must be prepended for it to work).
Or you can use the "AT" syntax:
SQLRecon also has a convenient lxpcmd module.
Once the payload has been executed, connect to the Beacon.