On a recent external web app pen test, I found a possible SQL injection vulnerability using the Burp Scanner. One of the tests triggered an A record lookup for the Burp Collaborator server. In the screenshot below, we can see the test that triggered the finding.
Collaborator SQLi Test[/caption]
We can see that a local variable, @q, is declared and is set to a UNC path of a random subdomain for the Collaborator server and a random directory. @q is then passed as an argument to the xp_dirtree stored procedure. Xp_dirtree is an undocumented stored procedure that will list all directories, subdirectories, and files in the specified directory.
Based on some previous work on this engagement, I suspected that the perimeter firewall had a very relaxed egress filtering policy. I wanted to test this, so I modified the query to point to the IP address of one of my servers. Sure enough, outbound SMB was permitted, so I was able to receive an SMB connection triggered by the SQLi.
Testing SMB Egress
SMB Connection Received!
Whenever a Windows system tries to connect to a UNC path, the host will try to authenticate to the remote server by passing the user’s password hash. In other words, I could force the SQL server to authenticate to me and give up the password hash of the user account running the SQL server process!
With this in mind, I fired up the Metasploit auxiliary/server/capture/smb server module. I triggered the SQLi and waited a few seconds for the SQL server to connect and voilà! we have a hash!
Hash Captured with auxiliary/server/capture/smb
Abusing SQL server via xp_dirtree and SQLi isn’t a new concept. You can read more about it in Bernardo Damele Assumpção Guimarães’ 2009 Black Hat Briefings Europe slides. Holly Graceful also has a great blog on out-of-band data retrieval via SQLi using xp_dirtree. If you run into a blind SQLi where you can execute xp_dirtree but don’t have SMB egress, you can still exfiltrate data using Holly’s method.
If you happen to encounter SQLi on an MS SQL server in the future, you now have a few more tools in your toolkit. Good luck and happy hunting!
Related StoriesView More
CLICK ON EVERYTHING (in Burp)
By Red Siege | October 5, 2023
In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past. Double Click and Right Click […]Learn More
Obfuscating Shellcode Using Jargon
By Red Siege | July 31, 2023
by Mike Saunders, Principal Security Consultant In a recent blog , we discussed how encrypting shellcode leads to increased entropy, which may result in your shellcode loader being blocked and/or […]Learn More
Browser Only Web Application Testing
By Red Siege | July 24, 2023
By: Ian Briley, Security Consultant Spoiler Alert: Burp is the number one tool most people use while testing web applications. If you want to be an open-source champion, ZAP from […]Learn More