background image

186

Chapter 13

The ability to convert a binary to hexadecimal, transmit it via MS SQL, 

and convert it back to binary is an excellent example of how powerful the 
Metasploit Framework can be. As you’re performing penetration tests, you 
will encounter many unfamiliar scenarios or situations; your ability to create 
or modify modules and exploits on the fly will give you that needed edge. As 
you begin to understand the Framework, you’ll be able to write these types of 
modules in a relatively short amount of time.

Getting Command Execution on Microsoft SQL

As mentioned in Chapter 6, most system administrators set the 

sa

 (system 

administrator) account password to something weak, not realizing the impact 
of this simple mistake. The 

sa

 account is installed by default with the SQL 

role of 

sysadmin

, and when you’re performing penetration tests, you can 

almost guarantee that a weak or blank 

sa

 account will exist on Microsoft SQL 

Server instances. We will use the MS SQL instance that you built in Appendix A 
to exploit a situation with our module. As discussed in Chapter 6, you initially 
scan the system with the Metasploit auxiliary modules and brute force the 
weak 

sa

 account.

Once you have brute forced the 

sa

 account, you can insert, drop, create, 

and perform most other tasks you would normally use in MS SQL. This includes 
calling an extended administrative-level stored procedure called 

xp_cmdshell

as discussed in Chapter 6. This stored procedure lets you execute underlying 
operating system commands under the same security context used by the 
SQL Server service (for example, Local System).

NOTE

MS SQL installs with this stored procedure disabled in SQL Server 2005 and 2008, 
but you can re-enable it using SQL commands if you have the 

sysadmin

 role within 

MS SQL. For example, you could use 

SELECT loginname FROM master..syslogins 

WHERE sysadmin=1

 to view all users with this level of access and then become one of those 

users. If you have the sysadmin role, you’re almost guaranteed a full-system compromise.

The following listing demonstrates how to run basic commands through 

Metasploit’s MS SQL modules:

 use msf > 

use admin/mssql/mssql_exec

 msf auxiliary(mssql_exec) > 

show options

Module options:

   Name      Current Setting                       Required  Description
   ----      ---------------                       --------  -----------
   CMD       cmd.exe /c echo OWNED > C:\owned.exe  no        Command to execute
   PASSWORD

no

The password for the

specified username

   RHOST                                           yes       The target address
   RPORT     1433                                  yes       The target port
   USERNAME  sa                                    no        The username to authenticate as