Skip to content

Commit

Permalink
Land #18961, Adds session documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
@cgranleese-r7
cgranleese-r7 committed Mar 25, 2024
2 parents 685a2e9 + decba43 commit 9b4114e
Show file tree
Hide file tree
Showing 10 changed files with 1,243 additions and 11 deletions.
184 changes: 183 additions & 1 deletion docs/metasploit-framework.wiki/Metasploit-Guide-MSSQL.md
View file
Expand Up @@ -3,11 +3,23 @@
Microsoft SQL Server (MSSQL) is a relational database management system. Commonly used in conjunction with web applications
and other software that need to persist data. MSSQL is a useful target for data extraction and code execution.

MySQL is frequently found on port on the following ports:
MSSQL is frequently found on port on the following ports:

- 1433/TCP
- 1434/UDP

For a full list of MSSQL modules run the `search` command within msfconsole:

```msf
msf6 > search mssql
```

Or to search for modules that work with a specific session type:

```msf
msf6 > search session_type:mssql
```

### Lab Environment

Environment setup:
Expand All @@ -26,6 +38,176 @@ use auxiliary/admin/mssql/mssql_sql
run rhost=192.168.123.13 username=administrator password=p4$$w0rd sql='select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
```

### Logging in and obtaining a session
To log in or obtain an interactive session on an MSSQL instance running on the target, use mssql_login

```msf
use auxiliary/scanner/mssql_login
run CreateSession=true RPORT=1433 RHOSTS=192.168.2.242 USERNAME=user PASSWORD=password
```

The CreateSession option, when set to true, will result in returning an interactive MSSQL session with the target machine
on a successful login:

```msf
[*] 192.168.2.242:1433 - 192.168.2.242:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.2.242:1433 - No active DB -- Credential data will not be saved!
[+] 192.168.2.242:1433 - 192.168.2.242:1433 - Login Successful: WORKSTATION\user:password
[*] MSSQL session 1 opened (192.168.2.1:60963 -> 192.168.2.242:1433) at 2024-03-15 13:41:31 -0500
[*] 192.168.2.242:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Which you can interact with using `sessions -i <session id>` or `sessions -i -1` to interact with the most recently opened session.

```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:60963 -> 192.168.23.242:1433 (192.168.2.242)
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i 1
[*] Starting interaction with 1...
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Stand
ard 10.0 <X64> (Build 20348: ) (Hypervisor)
```

When interacting with a session, the help command can be useful:

```msf
mssql @ 192.168.2.242:1433 (master) > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MSSQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mssql/mssql_enum
auxiliary/admin/mssql/mssql_escalate_dbowner
auxiliary/admin/mssql/mssql_escalate_execute_as
auxiliary/admin/mssql/mssql_exec
auxiliary/admin/mssql/mssql_findandsampledata
auxiliary/admin/mssql/mssql_idf
auxiliary/admin/mssql/mssql_sql
auxiliary/admin/mssql/mssql_sql_file
auxiliary/scanner/mssql/mssql_hashdump
auxiliary/scanner/mssql/mssql_schemadump
exploit/windows/mssql/mssql_payload
```

To interact directly with the session as if in a SQL prompt, you can use the `query` command.

```msf
msf6 auxiliary(scanner/mssql/mssql_login) > sessions -i -1
[*] Starting interaction with 2...
mssql @ 192.168.2.242:1433 (master) > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query select @@version;
query select user_name();
query select name from master.dbo.sysdatabases;
mssql @ 192.168.2.242:1433 (master) > query 'select @@version;'
Response
========
# NULL
- ----
0 Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Developer Edition (64-bit) on Windows Server 2022 Standard 10.0 <X64> (B
uild 20348: ) (Hypervisor)
```

Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:

```msf
mssql @ 192.168.2.242:1433 (master) > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mssql @ 192.168.2.242:1433 (master) > query_interactive
[*] Starting interactive SQL shell for mssql @ 192.168.2.242:1433 (master)
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> select *
SQL *> from information_schema.tables
SQL *> where table_type = 'BASE TABLE';
[*] Executing query: select * from information_schema.tables where table_type = 'BASE TABLE';
Response
========
# TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
- ------------- ------------ ---------- ----------
0 master dbo spt_fallback_db BASE TABLE
1 master dbo spt_fallback_dev BASE TABLE
2 master dbo spt_fallback_usg BASE TABLE
4 master dbo Users BASE TABLE
5 master dbo spt_monitor BASE TABLE
6 master dbo MSreplication_options BASE TABLE
SQL >>
```

### Link crawling

Identify if the SQL server has been configured with trusted links, which allows running queries on other MSSQL instances:
Expand Down
158 changes: 158 additions & 0 deletions docs/metasploit-framework.wiki/Metasploit-Guide-MySQL.md
View file
Expand Up @@ -17,6 +17,12 @@ There are more modules than listed here, for the full list of modules run the `s
msf6 > search mysql
```

Or to search for modules that work with a specific session type:

```msf
msf6 > search session_type:mysql
```

### Lab Environment

When testing in a lab environment MySQL can either be installed on the host machine or within Docker:
Expand Down Expand Up @@ -79,6 +85,158 @@ run cidr:/24:mysql://user:pass@192.168.222.0 threads=50
run cidr:/24:mysql://user@192.168.222.0 threads=50 pass_file=./wordlist.txt
```

### Obtaining an Interactive Session on the Target

The CreateSession option in `auxiliary/scanner/mysql/msql_login` allows you to obtain an interactive session
for the MySQL client you're connecting to. The run command with CreateSession
set to true should give you an interactive session:

```msf
msf6 > use scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > run rhost=127.0.0.1 rport=4306 username=root password=password createsession=true
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Found remote MySQL version 11.2.2
[+] 127.0.0.1:4306 - 127.0.0.1:4306 - Success: 'root:password'
[*] MySQL session 1 opened (127.0.0.1:53241 -> 127.0.0.1:4306) at 2024-03-12 12:40:46 -0500
[*] 127.0.0.1:4306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i -1
[*] Starting interaction with 1...
mysql @ 127.0.0.1:4306 >
```

You can interact with your new session using `sessions -i -1` or `sessions <session id>`.
You can also use `help` to get more information about how to use your session.

```msf
msf6 auxiliary(scanner/mysql/mysql_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
2 mssql MSSQL test @ 192.168.2.242:1433 192.168.2.1:61428 -> 192.168.2.242:1433 (192.168.2.242)
3 mysql MySQL root @ 127.0.0.1:4306 127.0.0.1:61450 -> 127.0.0.1:4306 (127.0.0.1)
msf6 auxiliary(scanner/mysql/mysql_login) > sessions -i 3
[*] Starting interaction with 3...
```

When interacting with a session, the help command can be useful:

```msf
mysql @ 127.0.0.1:4306 > help
Core Commands
=============
Command Description
------- -----------
? Help menu
background Backgrounds the current session
bg Alias for background
exit Terminate the PostgreSQL session
help Help menu
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
sessions Quickly switch to another session
MySQL Client Commands
=====================
Command Description
------- -----------
query Run a single SQL query
query_interactive Enter an interactive prompt for running multiple SQL queries
Local File System Commands
==========================
Command Description
------- -----------
getlwd Print local working directory (alias for lpwd)
lcat Read the contents of a local file to the screen
lcd Change local working directory
ldir List local files (alias for lls)
lls List local files
lmkdir Create new directory on local machine
lpwd Print local working directory
This session also works with the following modules:
auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_file_enum
auxiliary/scanner/mysql/mysql_hashdump
auxiliary/scanner/mysql/mysql_schemadump
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/mysql/mysql_writable_dirs
exploit/multi/mysql/mysql_udf_payload
exploit/windows/mysql/mysql_mof
exploit/windows/mysql/mysql_start_up
```

Once you've done that, you can run any MySQL query against the target using the `query` command:

```msf
mysql @ 127.0.0.1:4306 > query -h
Usage: query
Run a single SQL query on the target.
OPTIONS:
-h, --help Help menu.
-i, --interact Enter an interactive prompt for running multiple SQL queries
Examples:
query SHOW DATABASES;
query USE information_schema;
query SELECT * FROM SQL_FUNCTIONS;
query SELECT version();
mysql @ 127.0.0.1:4306 > query 'SELECT version();'
Response
========
# version()
- ---------
0 11.2.2-MariaDB-1:11.2.2+maria~ubu2204
```

Alternatively you can enter a SQL prompt via the `query_interactive` command which supports multiline commands:

```msf
mysql @ 127.0.0.1:4306 () > query_interactive -h
Usage: query_interactive
Go into an interactive SQL shell where SQL queries can be executed.
To exit, type 'exit', 'quit', 'end' or 'stop'.
mysql @ 127.0.0.1:4306 () > query_interactive
[*] Starting interactive SQL shell for mysql @ 127.0.0.1:4306 ()
[*] SQL commands ending with ; will be executed on the remote server. Use the exit command to exit.
SQL >> SELECT table_name
SQL *> FROM information_schema.tables
SQL *> LIMIT 2;
[*] Executing query: SELECT table_name FROM information_schema.tables LIMIT 2;
Response
========
# table_name
- ----------
0 ALL_PLUGINS
1 APPLICABLE_ROLES
SQL >>
```

### MySQL Dumping

User and hash dump:
Expand Down

0 comments on commit 9b4114e

Please sign in to comment.